How do I determine the active SSL security policy associated with my ELB listener using the AWS CLI?
I want to use the AWS Command Line Interface (AWS CLI) to determine the active security policy on my HTTPS or SSL listener on Elastic Load Balancing (ELB). How can I do this?
Short description
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
You can add an HTTPS listener to your load balancer for Amazon Elastic Compute Cloud (Amazon EC2). The SSL security policy for the listener is displayed in the Amazon EC2 console. For instructions, see update SSL negotiation configuration for an HTTPS/SSL load balancer.
You can display the load balancer listener SSL security policy names and predefined SSL security policies with the AWS CLI command describe-load-balancer-policies similar to the following:
aws elb describe-load-balancer-policies --load-balancer-name EXAMPLEELB --query "PolicyDescriptions[?PolicyTypeName==`SSLNegotiationPolicyType`].{PolicyName:PolicyName,ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table
Example output:
------------------------------------------------------------------------------------- | DescribeLoadBalancerPolicies | +-------------------------------------------------------+---------------------------+ | PolicyName | ReferenceSecurityPolicy | +-------------------------------------------------------+---------------------------+ | ELBSecurityPolicy-2015-05 | ELBSecurityPolicy-2015-05 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1446825761570 | ELBSecurityPolicy-2015-03 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1446774067525 | ELBSecurityPolicy-2015-05 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1446774575245 | ELBSecurityPolicy-2015-05 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1447023243695 | ELBSecurityPolicy-2014-10 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1447039877149 | false | | AWSConsole-SSLNegotiationPolicy-TESTELB-1447039147749 | ELBSecurityPolicy-2011-08 | | AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 | ELBSecurityPolicy-2014-10 | +-------------------------------------------------------+---------------------------+
Note: A ReferenceSecurityPolicy value of false indicates that the policy was not created using one of the predefined security policies.
The output returns the SSL security policies associated with a load balancer listener, but doesn't indicate which policy is active.
Resolution
To determine the active load balancer listener SSL security policy and any associated predefined SSL security policies: 1. Run the AWS command describe-load-balancers similar to the following:
aws elb describe-load-balancers --load-balancer-name EXAMPLEELB --query "LoadBalancerDescriptions[*].{ActivePolicy:ListenerDescriptions}" --output table
Example output:
--------------------------------------------------------------------------------- | DescribeLoadBalancers | || ActivePolicy || ||| Listener ||| ||+-------------------+-------------------------------------------------------+|| ||| InstancePort | 443 ||| ||| InstanceProtocol | SSL ||| ||| LoadBalancerPort | 443 ||| ||| Protocol | SSL ||| ||| SSLCertificateId | arn:aws:iam::803981987763:server-certificate/ELBSSL ||| ||+-------------------+-------------------------------------------------------+|| ||| PolicyNames ||| ||+---------------------------------------------------------------------------+|| ||| AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 ||| ||+---------------------------------------------------------------------------+|| || ActivePolicy || ||| Listener ||| ||+-----------------------------------------------------+---------------------+|| ||| InstancePort | 80 ||| ||| InstanceProtocol | HTTP ||| ||| LoadBalancerPort | 80 ||| ||| Protocol | HTTP ||| ||+-----------------------------------------------------+---------------------+||
The output returns the policy names associated with the load balancer.
2. To get more information about a policy, run the AWS CLI command describe-load-balancer-policies similar to the following:
aws elb describe-load-balancer-policies --load-balancer-name EXAMPLEELB --policy-name AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 --query "PolicyDescriptions[0].{ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table
Example output:
---------------------------------------------------------- | DescribeLoadBalancerPolicies | +--------------------------+-----------------------------+ | ReferenceSecurityPolicy | ELBSecurityPolicy-2014-10 | +--------------------------+-----------------------------+
Related information
Relevant content
- Accepted Answerasked 5 months ago
- asked 2 months ago
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated a year ago
