# AWS Elastic Beanstalk security
<a name="security"></a>

Use this chapter to learn more about the security tasks Elastic Beanstalk is responsible for, along with the security configurations you should consider when using Elastic Beanstalk to meet your security and compliance objectives. 

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as *Security of the Cloud* and *Security in the Cloud*. 

**Security of the Cloud** – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud and providing you with services that you can use securely. Our security responsibility is the highest priority at AWS, and the effectiveness of our security is regularly tested and verified by third-party auditors as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). Review the [AWS Services in Scope of AWS assurance programs](https://aws.amazon.com/compliance/services-in-scope/) for information as it relates to Elastic Beanstalk.

**Security in the Cloud** – Your responsibility is determined by the AWS service you are using, and other factors including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations. This documentation is intended to help you understand how to apply the Shared Responsibility Model when using Elastic Beanstalk.

**Topics**
+ [Data protection in Elastic Beanstalk](security-data-protection.md)
+ [Identity and access management for Elastic Beanstalk](security-iam.md)
+ [Logging and monitoring in Elastic Beanstalk](incident-response.md)
+ [Compliance validation for Elastic Beanstalk](compliance-validation.md)
+ [Resilience in Elastic Beanstalk](disaster-recovery-resiliency.md)
+ [Infrastructure security in Elastic Beanstalk](infrastructure-security.md)
+ [Configuration and vulnerability analysis in Elastic Beanstalk](vulnerability-analysis-and-management.md)
+ [Security best practices for Elastic Beanstalk](security-best-practices.md)

# Data protection in Elastic Beanstalk
<a name="security-data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Elastic Beanstalk. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Elastic Beanstalk or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

**Topics**
+ [Protecting data using encryption](security-data-protection-encryption.md)
+ [Internetwork traffic privacy](security-data-protection-internetwork.md)

# Protecting data using encryption
<a name="security-data-protection-encryption"></a>

You can use different forms of data encryption to protect your Elastic Beanstalk data. Data protection refers to protecting data while *in transit* (as it travels to and from Elastic Beanstalk) and *at rest* (while it is stored in AWS data centers).

## Encryption in transit
<a name="security-data-protection-encryption.in-transit"></a>

You can achieve data protection in transit in two ways: encrypt the connection using SSL/TLS, or use client-side encryption (where the object is encrypted before it is sent). Both methods are valid for protecting your application data. To secure the connection, encrypt it using SSL/TLS whenever your application, its developers and administrators, and its end users send or receive any objects. For details about encrypting web traffic to and from your application, see [Configuring HTTPS for your Elastic Beanstalk environment](configuring-https.md).

Client-side encryption isn't a valid method for protecting your source code in application versions and source bundles that you upload. Elastic Beanstalk needs access to these objects, so they can't be encrypted. Therefore, be sure to secure the connection between your development or deployment environment and Elastic Beanstalk.

## Encryption at rest
<a name="security-data-protection-encryption.at-rest"></a>

To protect your application's data at rest, learn about data protection in the storage service that your application uses. For example, see [Data Protection in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/DataDurability.html) in the *Amazon RDS User Guide*, [Data Protection in Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DataDurability.html) in the *Amazon Simple Storage Service User Guide*, or [Encrypting Data and Metadata in EFS](https://docs.aws.amazon.com/efs/latest/ug/encryption.html) in the *Amazon Elastic File System User Guide*.

Elastic Beanstalk stores various objects in an encrypted Amazon Simple Storage Service (Amazon S3) bucket that it creates for each AWS Region in which you create environments. Because Elastic Beanstalk retains the default encryption provided by Amazon S3, it creates encrypted Amazon S3 buckets. For details, see [Using Elastic Beanstalk with Amazon S3](AWSHowTo.S3.md). You provide some of the stored objects and send them to Elastic Beanstalk, for example, application versions and source bundles. Elastic Beanstalk generates other objects, for example, log files. In addition to the data that Elastic Beanstalk stores, your application can transfer and/or store data as part of its operation.

To protect data stored on Amazon Elastic Block Store (Amazon EBS) volumes attached to your environment's instances, enable Amazon EBS encryption by default in your AWS account and Region. When enabled, all new Amazon EBS volumes and their snapshots are automatically encrypted using AWS Key Management Service keys. For more information, see [Encryption by default](https://docs.aws.amazon.com/ebs/latest/userguide/encryption-by-default.html) in the *Amazon EBS User Guide*.

For more information about data protection, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

# Internetwork traffic privacy
<a name="security-data-protection-internetwork"></a>

You can use Amazon Virtual Private Cloud (Amazon VPC) to create boundaries between resources in your Elastic Beanstalk application and control traffic between them, your on-premises network, and the internet. For details, see [Using Elastic Beanstalk with Amazon VPC](vpc.md).

For more information about Amazon VPC security, see [Security](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html) in the *Amazon VPC User Guide*.

For more information about data protection, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

# Identity and access management for Elastic Beanstalk
<a name="security-iam"></a>

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use AWS Elastic Beanstalk resources. IAM is an AWS service that you can use with no additional charge.

For details on working with IAM, see [Using Elastic Beanstalk with AWS Identity and Access Management](AWSHowTo.iam.md).

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

# AWS managed policies for AWS Elastic Beanstalk
<a name="security-iam-awsmanpol"></a>

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## Elastic Beanstalk updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Elastic Beanstalk since March 1, 2021.

To see the JSON source for a specific managed policy, see the [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html).

| Change | Description | Date | 
| --- | --- | --- | 
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 17, 2026 | 
|  **AWSElasticBeanstalkWebTier** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 | 
|  **AWSElasticBeanstalkWorkerTier** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 | 
|  **AWSElasticBeanstalkMulticontainerDocker** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to use Amazon Bedrock for [AI-powered environment analysis](health-ai-analysis.md). For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 11, 2026 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled for single-instance environments. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | January 27, 2026 | 
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to configure public access block settings and bucket ownership controls on S3 buckets. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).  | November 12, 2025  | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to perform managed updates when [Tag propagation to launch templates](applications-tagging-resources.launch-templates.md) is enabled. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | February 27, 2025 | 
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to replace the *StringLike* operator with the *ArnLike* operator to evaluate the ARN-type keys in the condition block `iam:PolicyArn`. This provides more secure enforcement. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md).  | December 11, 2024 | 
|  The following policies were updated: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  These policies were updated to allow Elastic Beanstalk to add or remove tags when it creates or updates an AWS CloudFormation stack or change set. For more information about `AWSElasticBeanstalkManagedUpdatesServiceRolePolicy`, see [Service-linked role permissions for Elastic Beanstalk](using-service-linked-roles-managedupdates.md#service-linked-role-permissions-managedupdates). For more information about `AWSElasticBeanstalkRoleCore`, see [Policies for integration with other services](AWSHowTo.iam.managed-policies.md#iam-userpolicies-managed-other-services).  |  April 30, 2024  | 
|  **AWSElasticBeanstalkService** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Elastic Load Balancing, Auto Scaling groups (ASG), and Amazon ECS. This policy was previously superseded by `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`. Although this policy is no longer available for attachment to new IAM users, groups, or roles, it may still be attached to prior existing ones. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  |  May 10, 2023  | 
|  **AWSElasticBeanstalkMulticontainerDocker** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Managing Elastic Beanstalk instance profiles](iam-instanceprofile.md).  | March 23, 2023 | 
|  **AWSElasticBeanstalkRoleECS** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Policies for integration with other services](AWSHowTo.iam.managed-policies.md#iam-userpolicies-managed-other-services). | March 23, 2023 | 
|  **AdministratorAccess-AWSElasticBeanstalk** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to tag resources upon creation for Amazon ECS. For more information, see [Managing Elastic Beanstalk user policies](AWSHowTo.iam.managed-policies.md). | March 23, 2023 | 
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see [Service-linked role permissions for Elastic Beanstalk](using-service-linked-roles-managedupdates.md#service-linked-role-permissions-managedupdates).  | March 23, 2023 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Amazon ECS resources when it creates them. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 23, 2023 | 
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags to Auto Scaling groups when it creates them. For more information, see [The managed-updates service-linked role](using-service-linked-roles-managedupdates.md).  | January 27, 2023 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags when it creates an Auto Scaling group (ASG). For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | January 23, 2023 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to add tags when it creates an elastic load balancer (ELB). For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | December 21, 2022 | 
|  **AWSElasticBeanstalkManagedUpdatesServiceRolePolicy** – Updated existing policy  |  Permissions were added to this policy to allow Elastic Beanstalk to do the following during managed updates: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html) For more information, see [The managed-updates service-linked role](using-service-linked-roles-managedupdates.md).  | August 23, 2022 | 
|  **AWSElasticBeanstalkReadOnlyAccess** – Deprecated in the GovCloud (US) AWS Region  |  This policy has been replaced by `AWSElasticBeanstalkReadOnly`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 17, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 17, 2021 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – Updated existing policy  |  This policy was updated to allow Elastic Beanstalk to read attributes for EC2 Availability Zones. It enables Elastic Beanstalk to provide more effective validation of your instance type selection across Availability Zones. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | June 16, 2021 | 
|  **AWSElasticBeanstalkFullAccess** – Deprecated in the GovCloud (US) AWS Region  |  This policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. This policy will be phased out in the GovCloud (US) AWS Region. When this policy is phased out, it will no longer be available for attachment to new IAM users, groups, or roles after June 10, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 10, 2021 | 
|  The following managed policies were deprecated in all of the China AWS Regions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all of the China AWS Regions. These policies will no longer be available for attachment to new IAM users, groups, or roles after June 3, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | June 3, 2021 | 
|  **AWSElasticBeanstalkService** – Deprecated  |  This policy has been superseded by `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`. This policy is phased out and is no longer available for attachment to new IAM users, groups, or roles. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | June 2021 - January 2022 | 
|  The following managed policies were deprecated in all AWS Regions, except for China and GovCloud (US): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  The `AWSElasticBeanstalkFullAccess` policy has been replaced by `AdministratorAccess-AWSElasticBeanstalk`. The `AWSElasticBeanstalkReadOnlyAccess` policy has been replaced by `AWSElasticBeanstalkReadOnly`. These policies were phased out in all the AWS Regions, except for China and GovCloud (US). These policies will no longer be available for attachment to new IAM users, groups, or roles after April 16, 2021. For more information, see [User policies](AWSHowTo.iam.managed-policies.md).  | April 16, 2021 | 
|  The following managed policies were updated: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/security-iam-awsmanpol.html)  |  Both of these policies now support PassRole permissions in China AWS Regions. For more information about `AdministratorAccess-AWSElasticBeanstalk`, see [User policies](AWSHowTo.iam.managed-policies.md). For more information about `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 9, 2021 | 
|  **AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy** – New policy  |  Elastic Beanstalk added a new policy to replace the `AWSElasticBeanstalkService` managed policy. This new managed policy improves security for your resources by applying a more restrictive set of permissions. For more information, see [Managed service role policies](iam-servicerole.md#iam-servicerole-policy).  | March 3, 2021 | 
|  Elastic Beanstalk started tracking changes  |  Elastic Beanstalk started tracking changes for AWS managed policies.  | March 1, 2021 | 

# Logging and monitoring in Elastic Beanstalk
<a name="incident-response"></a>

AWS provides several tools for monitoring your Elastic Beanstalk resources and responding to potential incidents. Monitoring is important for maintaining the reliability, availability, and performance of AWS Elastic Beanstalk and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multipoint failure if one occurs.

For more information about monitoring, see [Monitoring environments in Elastic Beanstalk](environments-health.md).

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

## Enhanced health reporting
<a name="incident-response.healthd"></a>

Enhanced health reporting is a feature that you can enable on your environment to allow Elastic Beanstalk to gather additional information about resources in your environment. Elastic Beanstalk analyzes the information to provide a better picture of overall environment health and help identify issues that can cause your application to become unavailable. For more information, see [Enhanced health reporting and monitoring in Elastic Beanstalk](health-enhanced.md).

## Amazon EC2 instance logs
<a name="incident-response.instance-logs"></a>

The Amazon EC2 instances in your Elastic Beanstalk environment generate logs that you can view to troubleshoot issues with your application or configuration files. Logs created by the web server, application server, Elastic Beanstalk platform scripts, and CloudFormation are stored locally on individual instances. You can easily retrieve them by using the [environment management console](environments-console.md) or the EB CLI. You can also configure your environment to stream logs to Amazon CloudWatch Logs in real time. For more information, see [Viewing logs from Amazon EC2 instances in your Elastic Beanstalk environment](using-features.logging.md). 

## Environment notifications
<a name="incident-response.env-notifications"></a>

You can configure your Elastic Beanstalk environment to use Amazon Simple Notification Service (Amazon SNS) to notify you of important events that affect your application. Specify an email address during or after environment creation to receive emails from AWS when an error occurs, or when your environment's health changes. For more information, see [Elastic Beanstalk environment notifications with Amazon SNS](using-features.managing.sns.md).

## Amazon CloudWatch alarms
<a name="incident-response.alarms"></a>

Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon SNS topic or an AWS Auto Scaling policy. CloudWatch alarms don't invoke actions simply because they are in a particular state. Instead, alarms invoke actions when the state changes and the new state is maintained for a specified number of periods. For more information, see [Using Elastic Beanstalk with Amazon CloudWatch](AWSHowTo.cloudwatch.md).
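The state-change rule above is easy to get wrong when wiring an alarm to an Auto Scaling or SNS action, so here is a small model of it. This is an added example for illustration, not code from the guide and not CloudWatch's implementation: it keeps a sliding window of the last `evaluation_periods` datapoints, moves to ALARM only when every datapoint in the window breaches the threshold, and records an action only on a transition. The metric values, threshold, and period count are constructed.

```python
"""Simplified model of CloudWatch alarm evaluation (added example, not CloudWatch itself).

Rule modelled: an action fires on a *transition* between states, and the ALARM
state is only entered once the threshold has been breached for the configured
number of consecutive periods. Real alarms also support "M out of N" datapoints
and several comparison operators; this model uses GreaterThanThreshold with M = N.
"""
from dataclasses import dataclass, field


@dataclass
class Alarm:
    threshold: float            # e.g. CPUUtilization percent
    evaluation_periods: int     # consecutive breaching periods needed to reach ALARM
    state: str = "INSUFFICIENT_DATA"   # a new alarm has no datapoints yet
    history: list = field(default_factory=list)        # datapoints, oldest first
    actions_fired: list = field(default_factory=list)  # (from_state, to_state, period_index)

    def evaluate(self, datapoint: float) -> str:
        """Feed one period's metric value and return the state after evaluation."""
        self.history.append(datapoint)
        window = self.history[-self.evaluation_periods:]
        if len(window) < self.evaluation_periods:
            return self.state  # not enough periods to decide yet
        new_state = "ALARM" if all(v > self.threshold for v in window) else "OK"
        if new_state != self.state:
            # Only a change of state triggers the SNS / scaling action.
            self.actions_fired.append((self.state, new_state, len(self.history)))
            self.state = new_state
        return self.state


def run_scenario(values, threshold=80.0, evaluation_periods=3):
    """Replay a list of per-period metric values; return (states, actions)."""
    alarm = Alarm(threshold=threshold, evaluation_periods=evaluation_periods)
    states = [alarm.evaluate(v) for v in values]
    return states, alarm.actions_fired


# Constructed CPU samples: a brief spike that lasts three periods, then recovery.
SAMPLE_CPU = [50, 90, 95, 99, 97, 60, 55]

if __name__ == "__main__":
    states, actions = run_scenario(SAMPLE_CPU)
    for value, state in zip(SAMPLE_CPU, states):
        print(f"cpu={value:>3}  state={state}")
    print("actions fired:", actions)
```

Two periods at 90 and 95 are not enough to reach ALARM with three evaluation periods; the alarm flips at the third consecutive breach, stays in ALARM without firing again while the breach continues, and fires once more when it returns to OK.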

## AWS CloudTrail logs
<a name="incident-response.cloudtrail-logs"></a>

CloudTrail provides a record of actions taken by a user, role, or an AWS service in Elastic Beanstalk. Using the information collected by CloudTrail, you can determine the request that was made to Elastic Beanstalk, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging Elastic Beanstalk API calls with AWS CloudTrail](AWSHowTo.cloudtrail.md).
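The fields the paragraph lists (the request, the source IP, the caller, the time) map directly onto CloudTrail's record layout. The following added example, which is not code from the guide, pulls them out of a trail file and separates read-only Elastic Beanstalk calls from ones that change an environment. The records are constructed samples: the key names (`eventSource`, `eventName`, `eventTime`, `sourceIPAddress`, `userIdentity.arn`, `requestParameters`) are CloudTrail's real ones, but every value is made up, and the read-only prefix list is a heuristic, not an AWS-published classification.

```python
"""Summarize CloudTrail records for Elastic Beanstalk API calls (added example)."""
import json

# Constructed sample trail: two Elastic Beanstalk calls and one unrelated S3 call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "elasticbeanstalk.amazonaws.com",
        "eventName": "UpdateEnvironment",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deployer"},
        "requestParameters": {"environmentName": "prod-web", "versionLabel": "v42"},
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T12:05:00Z",
        "eventSource": "elasticbeanstalk.amazonaws.com",
        "eventName": "DescribeEnvironments",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
        "requestParameters": None,
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T12:06:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
        "requestParameters": {"bucketName": "example-bucket", "key": "app.zip"},
    },
]})

# Heuristic: Elastic Beanstalk API names with these prefixes only read state.
READ_PREFIXES = ("Describe", "List", "Check", "Validate", "Retrieve")


def summarize(trail_json: str, event_source: str = "elasticbeanstalk.amazonaws.com"):
    """Return one dict per record from event_source with who / what / when / from-where."""
    rows = []
    for record in json.loads(trail_json)["Records"]:
        if record.get("eventSource") != event_source:
            continue
        identity = record.get("userIdentity", {})
        rows.append({
            "when": record["eventTime"],
            "who": identity.get("arn", identity.get("type", "unknown")),
            "what": record["eventName"],
            "from_ip": record.get("sourceIPAddress"),
            "user_agent": record.get("userAgent"),
            "params": record.get("requestParameters") or {},
            "mutating": not record["eventName"].startswith(READ_PREFIXES),
        })
    return rows


def mutating_calls(trail_json: str):
    """Only the calls that change an environment: the ones worth alerting on."""
    return [row for row in summarize(trail_json) if row["mutating"]]


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRAIL):
        flag = "CHANGE" if row["mutating"] else "read  "
        print(f"{row['when']} {flag} {row['what']:<22} {row['who']} from {row['from_ip']} {row['params']}")
```

Filtering on `eventSource` first matters: a trail file holds records from every service, and the same principal (the assumed role above) may appear in both Elastic Beanstalk and S3 events.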

## AWS X-Ray debugging
<a name="incident-response.xray"></a>

X-Ray is an AWS service that gathers data about the requests that your application serves, and uses it to construct a service map that you can use to identify issues with your application and opportunities for optimization. You can use the AWS Elastic Beanstalk console or a configuration file to run the X-Ray daemon on the instances in your environment. For more information, see [Configuring AWS X-Ray debugging](environment-configuration-debugging.md).

# Compliance validation for Elastic Beanstalk
<a name="compliance-validation"></a>

The security and compliance of AWS Elastic Beanstalk is assessed by third-party auditors as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others. AWS provides a frequently updated list of AWS services in scope of specific compliance programs at [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). 

Third-party audit reports are available for you to download using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html). 

For more information about AWS compliance programs, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

Your compliance responsibility when using Elastic Beanstalk is determined by the sensitivity of your data, your organization’s compliance objectives, and applicable laws and regulations. If your use of Elastic Beanstalk is subject to compliance with standards such as HIPAA, PCI, or FedRAMP, AWS provides resources to help:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – Deployment guides that discuss architectural considerations and provide steps for deploying security-focused and compliance-focused baseline environments on AWS.
+ [Architecting for HIPAA Security and Compliance on Amazon Web Services](https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html) – A whitepaper that describes how companies can use AWS to create HIPAA-compliant applications.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – A collection of compliance workbooks and guides that might apply to your industry and location.
+ [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) – A service that assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – A comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

# Resilience in Elastic Beanstalk
<a name="disaster-recovery-resiliency"></a>

AWS Elastic Beanstalk manages and automates the use of the AWS global infrastructure on your behalf. When using Elastic Beanstalk, you benefit from the availability and fault tolerance mechanisms that AWS offers.

The AWS global infrastructure is built around AWS Regions and Availability Zones. 

AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. 

With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

For other Elastic Beanstalk security topics, see [AWS Elastic Beanstalk security](security.md).

# Infrastructure security in Elastic Beanstalk
<a name="infrastructure-security"></a>

As a managed service, AWS Elastic Beanstalk is protected by the AWS global network security procedures that are described in our [Best Practices for Security, Identity, and Compliance](https://aws.amazon.com/architecture/security-identity-compliance) website.

You use AWS published API calls to access Elastic Beanstalk through the network. Clients must support Transport Layer Security (TLS) 1.2 or later. Clients must also support cipher suites with perfect forward secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern platforms support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.
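
The following is an added example, not AWS SDK or Elastic Beanstalk code, showing what the two requirements above mean in practice: `sign_get` produces a Signature Version 4 `Authorization` header for a constructed `DescribeEnvironments` query (the same derivation the SDKs and AWS CLI perform, including the session-token header used with temporary credentials from AWS STS), and `make_tls_context` builds a client-side `ssl` context that refuses anything below TLS 1.2 and any cipher suite without ephemeral (EC)DHE key exchange. The access key, secret key, session token and host used in the demo are constructed placeholders.

```python
"""SigV4 request signing plus a TLS 1.2+/PFS-only client context.

Added example (not AWS SDK code). sign_get() signs a constructed Elastic Beanstalk
DescribeEnvironments query the way the SDKs and AWS CLI do, using only the standard
library; make_tls_context() builds an ssl context that refuses TLS < 1.2 and any
non-ephemeral key exchange. Credentials used in the demo are constructed placeholders.
"""
import hashlib
import hmac
import ssl
import urllib.parse
from datetime import datetime, timezone

SERVICE = "elasticbeanstalk"


def utc_now_amz() -> str:
    """Current UTC time in the X-Amz-Date format (for example 20240115T120000Z)."""
    return datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """SigV4 canonical query string: names sorted, RFC 3986 encoding, '~' left unescaped."""
    enc = lambda s: urllib.parse.quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def sign_get(host, region, params, access_key, secret_key, amz_date, session_token=None):
    """Return (headers, canonical_request) for a signed GET of '/' on the given host."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials from AWS STS also carry a session token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", "/", canonical_query(params), canonical_headers, signed_headers,
         _sha256_hex(b"")])  # hash of the (empty) GET body
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    # Derived signing key: the secret key itself never goes on the wire, only this HMAC chain.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, canonical_request


def make_tls_context() -> ssl.SSLContext:
    """Client context meeting the stated requirements: TLS 1.2+ and (EC)DHE suites only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites restricted to ephemeral key exchange; TLS 1.3 suites are always ephemeral.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will negotiate, for review or a unit test."""
    return {"minimum_version": ctx.minimum_version.name,
            "ciphers": [c["name"] for c in ctx.get_ciphers()]}


if __name__ == "__main__":
    hdrs, _ = sign_get("elasticbeanstalk.us-east-1.amazonaws.com", "us-east-1",
                       {"Action": "DescribeEnvironments", "Version": "2010-12-01"},
                       "AKIAPLACEHOLDER0000", "placeholder-secret", utc_now_amz())
    print(hdrs["authorization"])
    print(tls_policy(make_tls_context()))
```

A client built this way fails closed: a proxy or legacy TLS stack that only offers TLS 1.0/1.1 or RSA key exchange gets a handshake error rather than a silently weaker connection, which is the behaviour you want to surface during testing rather than in production.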

# Configuration and vulnerability analysis in Elastic Beanstalk
<a name="vulnerability-analysis-and-management"></a>

AWS and our customers share responsibility for achieving a high level of software component security and compliance. AWS Elastic Beanstalk helps you perform your side of the shared responsibility model by providing a *managed updates* feature. This feature automatically applies patch and minor updates for an Elastic Beanstalk supported platform version.

For more information, see [Shared responsibility model for Elastic Beanstalk platform maintenance](platforms-shared-responsibility.md).

# Security best practices for Elastic Beanstalk
<a name="security-best-practices"></a>

AWS Elastic Beanstalk provides several security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations, not prescriptions.

## Preventive security best practices
<a name="security-best-practices.preventive"></a>

Preventive security controls attempt to prevent incidents before they occur.

### Implement least privilege access
<a name="security-best-practices.preventive.least-priv"></a>

Elastic Beanstalk provides AWS Identity and Access Management (IAM) managed policies for [instance profiles](iam-instanceprofile.md), [service roles](iam-servicerole.md), and [IAM users](AWSHowTo.iam.managed-policies.md). These managed policies specify all permissions that might be necessary for the correct operation of your environment and application.

Your application might not require all the permissions in our managed policies. You can customize them and grant only the permissions that are required for your environment's instances, the Elastic Beanstalk service, and your users to perform their tasks. This is particularly relevant to user policies, where different user roles might have different permission needs. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
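
One systematic way to do the customization described above is to start from the broad policy and keep only the actions a principal was actually observed using. The following is an added example, not part of Elastic Beanstalk or its managed policies: the policy document and the list of observed actions are constructed samples standing in for a managed policy's JSON and for the `eventName` values CloudTrail recorded for that principal over a review window.

```python
"""Trim a broad policy to the actions a workload was observed to use.

Added example, not Elastic Beanstalk's managed policies. BROAD_POLICY and
OBSERVED_ACTIONS are constructed samples; with real data, take the policy JSON
from IAM and the action list from CloudTrail (service:eventName per record).
"""
import fnmatch
import json

# Constructed stand-in for a broad managed policy (not the real document).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["elasticbeanstalk:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudformation:*", "autoscaling:*"], "Resource": "*"},
    ],
}

# Constructed sample: actions this principal was seen calling during the review window.
OBSERVED_ACTIONS = [
    "elasticbeanstalk:DescribeEnvironments",
    "elasticbeanstalk:UpdateEnvironment",
    "s3:GetObject",
    "s3:PutObject",
    "cloudformation:DescribeStacks",
]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def matched_actions(pattern: str, observed) -> list:
    """Observed actions covered by an IAM action pattern ('*' wildcard, case-insensitive)."""
    pat = pattern.lower()
    return sorted(a for a in observed if fnmatch.fnmatchcase(a.lower(), pat))


def trim_policy(policy: dict, observed) -> dict:
    """Rewrite each Allow statement to list only the observed actions its patterns covered.
    Allow statements that matched nothing are dropped; Deny statements are kept unchanged."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            out.append(stmt)
            continue
        kept = sorted({a for p in _as_list(stmt["Action"]) for a in matched_actions(p, observed)})
        if kept:
            out.append({**stmt, "Action": kept})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": out}


def unused_patterns(policy: dict, observed) -> list:
    """Action patterns that granted something but were never exercised: removal candidates."""
    return [p for s in policy["Statement"] if s.get("Effect") == "Allow"
            for p in _as_list(s.get("Action", [])) if not matched_actions(p, observed)]


if __name__ == "__main__":
    print(json.dumps(trim_policy(BROAD_POLICY, OBSERVED_ACTIONS), indent=2))
    print("never used:", unused_patterns(BROAD_POLICY, OBSERVED_ACTIONS))
```

Treat the output as a review draft rather than a policy to apply blindly: CloudTrail management events do not cover every data-plane call (S3 object operations, for example, are only logged when data events are enabled), and rarely exercised paths such as failure recovery may not appear in a short window. The `Resource` elements are also left at `*` here; scoping them to your application's ARNs is a further step.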

### Protect sensitive application data
<a name="security-best-practices.preventive.sensitive-data"></a>

When your application needs to access sensitive information like credentials, API keys, or configuration data, follow these practices to maintain security:
+ Retrieve sensitive data directly from AWS Secrets Manager or AWS Systems Manager Parameter Store using their respective SDKs or APIs in your application code. This provides the most secure and flexible way to access sensitive information.
+ If you pass sensitive data from AWS Secrets Manager or AWS Systems Manager Parameter Store as environment variables (see [Fetch secrets to environment variables](AWSHowTo.secrets.env-vars.md)), carefully restrict access to EC2 key pairs and configure appropriate IAM roles with least-privilege permissions for your instances. 
+ Never print, log, or expose sensitive data in your application code, as these values could end up in log files or error messages that might be visible to unauthorized users.
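
The following is an added example, not Elastic Beanstalk or AWS SDK code, covering the first and third points above together: `load_secret` makes the `GetSecretValue` call through any client that exposes `get_secret_value(SecretId=...)` the way boto3's Secrets Manager client does, wraps the result in a type whose `repr`, `str` and f-string output never show the value, and a logging filter scrubs the raw value from any record that still reaches the log. The `FakeSecretsClient`, the secret name and the secret value are constructed so the code runs offline; against AWS you would pass `boto3.client("secretsmanager")` instead.

```python
"""Fetch a secret through the Secrets Manager API and keep it out of logs.

Added example, not Elastic Beanstalk or AWS SDK code. load_secret() accepts any
client exposing get_secret_value(SecretId=...) as boto3's Secrets Manager client
does, so the constructed FakeSecretsClient stands in for it offline; secret names
and values are constructed samples.
"""
import logging
from json import loads
from typing import Optional


class Secret:
    """Wraps a secret value. repr/str/format show a placeholder, so an f-string,
    a log call or an exception message cannot leak the value by accident."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        """The one deliberate way to get the raw value (hand it straight to the consumer)."""
        return self._value

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__

    def __format__(self, spec):
        return repr(self)


class RedactingFilter(logging.Filter):
    """Second line of defence: scrubs known raw values from a record before handlers see it."""
    def __init__(self, secrets):
        super().__init__()
        self._values = [s.reveal() for s in secrets if s.reveal()]

    def filter(self, record):
        msg = record.getMessage()
        for v in self._values:
            msg = msg.replace(v, "<redacted>")
        record.msg, record.args = msg, ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in a list (constructed, so the demo can inspect them)."""
    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def load_secret(client, secret_id: str, key: Optional[str] = None) -> Secret:
    """GetSecretValue once at startup; for a JSON secret, extract only the field needed."""
    raw = client.get_secret_value(SecretId=secret_id)["SecretString"]
    if key is not None:
        raw = loads(raw)[key]
    return Secret(raw)


class FakeSecretsClient:
    """Constructed stand-in for boto3's client: same call and response shape for SecretString."""
    def __init__(self, store):
        self._store = store

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._store[SecretId],
                "ARN": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{SecretId}-AbCdEf"}


def demo(client, secret_id="prod/db", key="password") -> list:
    """Loads the secret and logs twice (once correctly, once with a raw value by mistake);
    returns the lines a log file would have received."""
    secret = load_secret(client, secret_id, key)
    lines = []
    log = logging.Logger("secrets-demo", logging.INFO)  # standalone logger, nothing propagates
    log.addHandler(ListHandler(lines))
    log.addFilter(RedactingFilter([secret]))
    log.info("connecting as app with %s", secret)              # wrapper: placeholder is logged
    log.info("dsn=postgres://app:%s@db/app", secret.reveal())  # mistake: the filter scrubs it
    return lines


if __name__ == "__main__":
    client = FakeSecretsClient({"prod/db": '{"username": "app", "password": "constructed-pw-9f3"}'})
    print("\n".join(demo(client)))
```

The wrapper is the primary control and the filter is a backstop: a filter only knows the values it was given, so it will not catch a secret fetched through some other path, and it runs per logger rather than per process. Reading only the needed field out of a JSON secret also keeps the other fields out of the application's memory and out of any crash dump.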

### Update your platforms regularly
<a name="security-best-practices.preventive.update"></a>

Elastic Beanstalk regularly releases new platform versions to update all of its platforms. New platform versions provide operating system, runtime, application server, and web server updates, and updates to Elastic Beanstalk components. Many of these platform updates include important security fixes. Ensure that your Elastic Beanstalk environments are running on a supported platform version (typically the latest version for your platform). For details, see [Updating your Elastic Beanstalk environment's platform version](using-features.platform.upgrade.md).

The easiest way to keep your environment's platform up to date is to configure the environment to use [managed platform updates](environment-platform-update-managed.md).

### Enforce IMDSv2 on environment instances
<a name="security-best-practices.preventive.imdsv2"></a>

Amazon Elastic Compute Cloud (Amazon EC2) instances in your Elastic Beanstalk environments use the instance metadata service (IMDS), an on-instance component, to securely access instance metadata. IMDS supports two methods for accessing data: IMDSv1 and IMDSv2. IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS. For details about the advantages of IMDSv2, see [enhancements to add defense in depth to the EC2 Instance Metadata Service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/).

IMDSv2 is more secure, so it's a good idea to enforce the use of IMDSv2 on your instances. To enforce IMDSv2, ensure that all components of your application support IMDSv2, and then disable IMDSv1. For more information, see [Configuring the IMDS on your Elastic Beanstalk environment's instances](environments-cfg-ec2-imds.md).
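
A practical way to confirm that a component supports IMDSv2 before you disable IMDSv1 is to run it against an endpoint that behaves like IMDS with IMDSv1 already off. The following is an added example, not Elastic Beanstalk or EC2 code: `FakeIMDSv2Handler` is a constructed local stand-in that issues a session token on `PUT /latest/api/token` (the real service requires the `X-aws-ec2-metadata-token-ttl-seconds` header on that request) and rejects any metadata `GET` without a valid `X-aws-ec2-metadata-token` header; `get_metadata_v2` is the client flow a compliant component performs, and `get_metadata_v1` is the legacy plain `GET` that stops working. The instance ID served is a constructed sample.

```python
"""Exercise an application's metadata client against an IMDSv2-only endpoint.

Added example, not Elastic Beanstalk or EC2 code. The fake server is a constructed
stand-in that behaves like IMDS with IMDSv1 disabled: a token on PUT /latest/api/token,
and any metadata GET without a valid X-aws-ec2-metadata-token header is refused.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


class FakeIMDSv2Handler(BaseHTTPRequestHandler):
    tokens = set()
    metadata = {"/latest/meta-data/instance-id": "i-0123456789abcdef0"}  # constructed sample

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # Real IMDS requires the TTL header (1..21600 seconds) on the token request.
        ttl = self.headers.get(TTL_HEADER)
        if self.path != TOKEN_PATH or not (ttl and ttl.isdigit() and 1 <= int(ttl) <= 21600):
            return self._reply(400, b"bad token request")
        tok = secrets.token_urlsafe(32)
        self.tokens.add(tok)
        self._reply(200, tok.encode())

    def do_GET(self):
        # IMDSv1-style request (no token): refused, as on an instance with IMDSv1 disabled.
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            return self._reply(401, b"unauthorized")
        body = self.metadata.get(self.path)
        self._reply(200 if body else 404, (body or "not found").encode())

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_fake_imds():
    """Start the fake on a free loopback port; returns the server (use .server_address)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDSv2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get_metadata_v2(host, port, path, ttl=300):
    """IMDSv2 client: PUT for a session token, then GET with the token header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", TOKEN_PATH, headers={TTL_HEADER: str(ttl)})
    resp = conn.getresponse()
    token = resp.read().decode()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"token request failed: {resp.status}")
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={TOKEN_HEADER: token})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def get_metadata_v1(host, port, path):
    """Legacy IMDSv1 client (plain GET, no token): this is what breaks once IMDSv1 is off."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    srv = start_fake_imds()
    host, port = srv.server_address
    print("v2:", get_metadata_v2(host, port, "/latest/meta-data/instance-id"))
    print("v1:", get_metadata_v1(host, port, "/latest/meta-data/instance-id"))
    srv.shutdown()
```

Anything on the instance that reads metadata counts as a component here: the application itself, an SDK that resolves instance-profile credentials, and agents or sidecars you install via `.ebextensions`. Current AWS SDKs use IMDSv2 by default, so the usual offenders are hand-written `curl` calls in scripts and older third-party agents. Once everything passes against an IMDSv2-only endpoint, disable IMDSv1 on the environment using the option described on the linked page.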

## Detective security best practices
<a name="security-best-practices.detective"></a>

Detective security controls identify security violations after they have occurred. They can help you detect a potential security threat or incident.

### Implement monitoring
<a name="security-best-practices.detective.monitor"></a>

Monitoring is an important part of maintaining the reliability, security, availability, and performance of your Elastic Beanstalk solutions. AWS provides several tools and services to help you monitor your AWS services.

The following are some examples of items to monitor:
+ *Amazon CloudWatch metrics for Elastic Beanstalk* – Set alarms for key Elastic Beanstalk metrics and for your application's custom metrics. For details, see [Using Elastic Beanstalk with Amazon CloudWatch](AWSHowTo.cloudwatch.md).
+ *AWS CloudTrail entries* – Track actions that might impact availability, like `UpdateEnvironment` or `TerminateEnvironment`. For details, see [Logging Elastic Beanstalk API calls with AWS CloudTrail](AWSHowTo.cloudtrail.md).
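
The following is an added example, not an AWS-provided detection, of the CloudTrail side of that list: it runs over constructed records in the CloudTrail record shape (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, `errorCode`) and reports each `UpdateEnvironment` or `TerminateEnvironment` call, including refused attempts, which CloudTrail logs with an `errorCode`. The two additional watched actions, `RebuildEnvironment` and `SwapEnvironmentCNAMEs`, are real Elastic Beanstalk API names chosen for this example; the 08:00-18:00 UTC change window, principals, IP addresses and environment name are constructed.

```python
"""Flag availability-impacting Elastic Beanstalk API calls in CloudTrail records.

Added example, not an AWS-provided detection. SAMPLE_TRAIL holds constructed records
in the CloudTrail record shape; against real data you would read the same structure
from the log files CloudTrail delivers to S3 or from CloudWatch Logs.
"""
import json
from datetime import datetime

# The two actions named in the text, plus two further (real) Elastic Beanstalk actions
# that replace or retire running capacity.
WATCHED_ACTIONS = {"UpdateEnvironment", "TerminateEnvironment",
                   "RebuildEnvironment", "SwapEnvironmentCNAMEs"}
EB_SOURCE = "elasticbeanstalk.amazonaws.com"

SAMPLE_TRAIL = json.dumps({"Records": [  # constructed sample records
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": EB_SOURCE, "eventName": "DescribeEnvironments",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": EB_SOURCE, "eventName": "UpdateEnvironment",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"environmentName": "prod-web", "versionLabel": "v42"}},
    {"eventTime": "2024-05-01T23:40:00Z", "eventSource": EB_SOURCE, "eventName": "TerminateEnvironment",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-77"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"environmentName": "prod-web"}},
    {"eventTime": "2024-05-01T23:41:00Z", "eventSource": EB_SOURCE, "eventName": "TerminateEnvironment",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"environmentName": "prod-web"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T23:42:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})


def find_impacting_calls(trail_json: str, watched=WATCHED_ACTIONS) -> list:
    """One finding per watched Elastic Beanstalk call; denied attempts are included."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != EB_SOURCE or rec.get("eventName") not in watched:
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "environment": params.get("environmentName") or params.get("environmentId"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            # A refused call is still logged; errorCode says it did not take effect.
            "outcome": rec.get("errorCode", "Succeeded"),
        })
    return findings


def outside_change_window(finding: dict, start_hour=8, end_hour=18) -> bool:
    """True when the call fell outside the agreed UTC change window (constructed 08:00-18:00)."""
    hour = datetime.strptime(finding["time"], "%Y-%m-%dT%H:%M:%SZ").hour
    return not (start_hour <= hour < end_hour)


def summarize(findings: list) -> dict:
    """Count findings by (action, outcome); a run of denied calls deserves a look as well."""
    counts = {}
    for f in findings:
        key = (f["action"], f["outcome"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_impacting_calls(SAMPLE_TRAIL)
    for h in hits:
        flag = " OFF-HOURS" if outside_change_window(h) else ""
        print(f'{h["time"]} {h["action"]:<22} {h["environment"]} {h["principal"]} {h["outcome"]}{flag}')
    print(summarize(hits))
```

In production the same logic belongs in a CloudWatch Logs metric filter or an EventBridge rule on the CloudTrail event stream so that an alarm fires within minutes; the off-hours check and the denied-call count are the two enrichments that most often turn a routine deployment record into something worth paging on.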

### Enable AWS Config
<a name="security-best-practices.detective.config"></a>

AWS Config provides a detailed view of the configuration of AWS resources in your account. You can see how resources are related, get a history of configuration changes, and see how relationships and configurations change over time.

You can use AWS Config to define rules that evaluate resource configurations for data compliance. AWS Config rules represent the ideal configuration settings for your Elastic Beanstalk resources. If a resource violates a rule and is flagged as *noncompliant*, AWS Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic. For details, see [Finding and tracking Elastic Beanstalk resources with AWS Config](AWSHowTo.config.md).