@caffeinetiger
Last active May 9, 2022 20:09
Updating TLS Settings for AWS Classic Load Balancers

This is a simple how-to on updating an AWS Classic Load Balancer with a specific TLS Negotiation Policy. Just read the script to see how the update works.

To list the available predefined policies, run:

```bash
aws elb describe-load-balancer-policies --query 'PolicyDescriptions[?PolicyTypeName==`SSLNegotiationPolicyType`].{PolicyName:PolicyName}' --output table
```

There are two ways you can create a policy:

  1. Create a policy using a predefined policy as a reference.
  2. Create a policy from scratch.

References

```bash
#!/bin/bash
export AWS_PROFILE=my-aws-profile-name

# Option 1: create the policy using a predefined policy as a reference
aws elb create-load-balancer-policy --load-balancer-name my-elb --policy-name my-ssl-negotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01

# Option 2: create the policy from scratch, enabling each protocol and cipher explicitly.
# Use only one of the two options: policy names are unique per load balancer, so running
# both as-is makes the second call fail because the policy name already exists.
aws elb create-load-balancer-policy --load-balancer-name my-elb --policy-name my-ssl-negotiation-policy --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Protocol-TLSv1.2,AttributeValue=true AttributeName=ECDHE-ECDSA-AES128-GCM-SHA256,AttributeValue=true AttributeName=ECDHE-RSA-AES128-GCM-SHA256,AttributeValue=true AttributeName=ECDHE-ECDSA-AES128-SHA256,AttributeValue=true AttributeName=ECDHE-RSA-AES128-SHA256,AttributeValue=true AttributeName=ECDHE-ECDSA-AES256-GCM-SHA384,AttributeValue=true AttributeName=ECDHE-RSA-AES256-GCM-SHA384,AttributeValue=true AttributeName=ECDHE-ECDSA-AES256-SHA384,AttributeValue=true AttributeName=ECDHE-RSA-AES256-SHA384,AttributeValue=true AttributeName=AES128-GCM-SHA256,AttributeValue=true AttributeName=AES128-SHA256,AttributeValue=true AttributeName=AES256-GCM-SHA384,AttributeValue=true AttributeName=AES256-SHA256,AttributeValue=true AttributeName=Server-Defined-Cipher-Order,AttributeValue=true

# Attach the policy to the listener on a specific port. Change the port as needed.
aws elb set-load-balancer-policies-of-listener --load-balancer-name my-elb --load-balancer-port 443 --policy-names my-ssl-negotiation-policy
```
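After the update, the effective settings can be read back with `aws elb describe-load-balancer-policies --load-balancer-name my-elb --policy-names my-ssl-negotiation-policy`. The following is an added example, not part of the gist: it audits that command's JSON output offline, flagging any legacy protocol (SSLv2/SSLv3/TLS 1.0/TLS 1.1) still enabled and any enabled cipher without forward secrecy. The response is a constructed sample in the documented `PolicyDescriptions` shape, not real AWS output.

```python
import json

# Protocol attribute names AWS uses in SSLNegotiationPolicyType policies that
# should not be enabled on a listener that is meant to be TLS 1.2 only.
LEGACY_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1"}
# Cipher names with these prefixes use ephemeral key exchange (forward secrecy).
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


def enabled_attributes(policy):
    """Names of attributes set to "true" in one PolicyDescriptions entry."""
    return {a["AttributeName"] for a in policy["PolicyAttributeDescriptions"]
            if a["AttributeValue"].lower() == "true"}


def audit_policy(policy):
    """Summarise the protocol and cipher posture of one SSL negotiation policy."""
    enabled = enabled_attributes(policy)
    protocols = sorted(a for a in enabled if a.startswith("Protocol-"))
    ciphers = sorted(a for a in enabled
                     if not a.startswith("Protocol-") and a != "Server-Defined-Cipher-Order")
    return {
        "policy": policy["PolicyName"],
        "protocols": protocols,
        "legacy_protocols": sorted(enabled & LEGACY_PROTOCOLS),
        "non_forward_secret_ciphers": [c for c in ciphers if not c.startswith(FORWARD_SECRET_PREFIXES)],
        "server_cipher_order": "Server-Defined-Cipher-Order" in enabled,
    }


def audit_response(response_json):
    """Audit the JSON printed by `aws elb describe-load-balancer-policies` (default --output json)."""
    data = json.loads(response_json)
    return [audit_policy(p) for p in data["PolicyDescriptions"]
            if p["PolicyTypeName"] == "SSLNegotiationPolicyType"]


# Constructed sample response (not real AWS output): the policy was meant to be
# TLS 1.2 only, but Protocol-TLSv1 was left enabled and one non-PFS cipher is on.
SAMPLE = json.dumps({"PolicyDescriptions": [{
    "PolicyName": "my-ssl-negotiation-policy",
    "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
        {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "false"},
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "AES256-SHA", "AttributeValue": "false"},
        {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
    ]}]})
```

Pipe the real CLI output into `audit_response` and treat a non-empty `legacy_protocols` list as a failed check before the change is signed off.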