Automatically update Amazon ELB SSL Negotiation Policies

31 May 2015

A quick script to update the SSL negotiation policy on every Amazon ELB, across all regions.
The security policies themselves are predefined and maintained by Amazon; the script only moves each ELB's SSL listener onto the latest predefined policy rather than defining a custom one.

More information is available in the AWS documentation on predefined SSL negotiation policies.

#!/usr/bin/env bash
# Set UPDATE_ELB_POLICY=1 to apply changes; the default (0) only reports.
UPDATE_ELB_POLICY=${UPDATE_ELB_POLICY:-0}
TMPFILE=$(mktemp -t example.XXXXXXXXXX) && {
printf "Region|Status|Current security policy|Expected security policy|ELB|Action\n" >> "${TMPFILE}"
aws ec2 describe-regions | awk -F'"' '/RegionName/ {print $4}' | while read -r region; do
# Without a load balancer name, describe-load-balancer-policies returns the predefined policies; the first one listed is taken as the latest.
LATEST_PREDEFINED_SECURITY_GROUP=$(aws --region "${region}" elb describe-load-balancer-policies | awk -F'"' '/PolicyName/ {print $4}' | head -n1 | tr -d ' \r\n')
aws --region "${region}" elb describe-load-balancers | awk -F'"' '/LoadBalancerName/ {print $4}' | while read -r lb; do
# Policy attached to the first SSL listener (one with an SSLCertificateId); empty if the ELB has no SSL listener.
CURRENT_SECURITY_POLICY=$(aws --region "${region}" elb describe-load-balancers --load-balancer-names "${lb}" | ruby -e 'require "json"; j=JSON.parse(STDIN.read); puts j["LoadBalancerDescriptions"][0]["ListenerDescriptions"].select { |v| v["Listener"]["SSLCertificateId"] && v["PolicyNames"] }.map { |v| v["PolicyNames"].first }.first')
if [ "${CURRENT_SECURITY_POLICY}" != "" ]; then
EXPECTED_POLICY="sec-${LATEST_PREDEFINED_SECURITY_GROUP}"
if [ "${EXPECTED_POLICY}" != "${CURRENT_SECURITY_POLICY}" ]; then
printf "%s|%s|%s|%s|%s|" "${region}" "OUT_OF_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"
if [ "${UPDATE_ELB_POLICY}" -eq 1 ]; then
# Create a policy that references the latest predefined one, then attach it to the listener on port 443 (the script assumes the SSL listener is on 443).
aws --region "${region}" elb create-load-balancer-policy --load-balancer-name "${lb}" \
--policy-name "${EXPECTED_POLICY}" --policy-type-name SSLNegotiationPolicyType \
--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue="${LATEST_PREDEFINED_SECURITY_GROUP}"
aws --region "${region}" elb set-load-balancer-policies-of-listener --load-balancer-name "${lb}" --load-balancer-port 443 --policy-names "${EXPECTED_POLICY}"
printf "UPDATED|%s" "$?" >> "${TMPFILE}"
else
printf "NO_ACTION" >> "${TMPFILE}"
fi
else
printf "%s|%s|%s|%s|%s|NO_ACTION" "${region}" "UP_TO_DATE" "${CURRENT_SECURITY_POLICY} " "${EXPECTED_POLICY} " "${lb}" >> "${TMPFILE}"
fi
printf "\n" >> "${TMPFILE}"
else
printf "%s|%s|%s|%s|%s|NO_ACTION\n" "${region}" "NOT_SET" "${CURRENT_SECURITY_POLICY} " "${LATEST_PREDEFINED_SECURITY_GROUP} " "${lb}" >> "${TMPFILE}"
fi
done
done
echo
# Print the header line first, then the remaining rows sorted by status, as an aligned table.
{ head -n1 "${TMPFILE}"; tail -n +2 "${TMPFILE}" | sort -t'|' -k2,2; } | column -t -s'|'
rm -f "${TMPFILE}"
}

Sample output…
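The script above takes the first policy the API lists as the latest. As an added example (not part of the original post), the two helpers below pick the newest dated ELBSecurityPolicy-YYYY-MM name independently of API ordering and classify a listener's current policy the way the script's status column does; the JSON is a constructed sample of describe-load-balancer-policies output, not real API data.

```shell
#!/usr/bin/env bash
# Constructed sample of `aws elb describe-load-balancer-policies` output (called
# without a load balancer name), deliberately out of order and including a
# sample policy, to show that the latest policy should not be taken from API order.
SAMPLE_POLICIES_JSON='{
  "PolicyDescriptions": [
    {"PolicyName": "ELBSecurityPolicy-2015-03", "PolicyTypeName": "SSLNegotiationPolicyType"},
    {"PolicyName": "ELBSample-ELBDefaultCipherPolicy", "PolicyTypeName": "SSLNegotiationPolicyType"},
    {"PolicyName": "ELBSecurityPolicy-2015-05", "PolicyTypeName": "SSLNegotiationPolicyType"},
    {"PolicyName": "ELBSecurityPolicy-2014-10", "PolicyTypeName": "SSLNegotiationPolicyType"}
  ]
}'

# Print the newest dated predefined policy (ELBSecurityPolicy-YYYY-MM) from
# describe-load-balancer-policies JSON on stdin. Sample and custom policies are
# ignored; the YYYY-MM suffix sorts lexically, so a reverse sort is enough.
latest_predefined_policy() {
  grep -o 'ELBSecurityPolicy-[0-9]\{4\}-[0-9]\{2\}' | sort -u -r | head -n1
}

# Classify a listener's current policy against the expected "sec-<latest>" name,
# mirroring the script's status column.
# $1 = policy name attached to the SSL listener ("" if none), $2 = latest predefined policy.
classify_policy() {
  local current="$1" expected="sec-$2"
  if [ -z "${current}" ]; then
    echo "NOT_SET"
  elif [ "${current}" = "${expected}" ]; then
    echo "UP_TO_DATE"
  else
    echo "OUT_OF_DATE"
  fi
}

main() {
  local latest current
  latest=$(printf '%s' "${SAMPLE_POLICIES_JSON}" | latest_predefined_policy)
  echo "Latest predefined policy: ${latest}"
  # Constructed listener policies: current, one release behind, custom, and none.
  for current in "sec-ELBSecurityPolicy-2015-05" "sec-ELBSecurityPolicy-2015-03" "my-custom-policy" ""; do
    printf '%-32s %s\n' "${current:-<none>}" "$(classify_policy "${current}" "${latest}")"
  done
}

main "$@"
```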

About this blog

I have been a developer for roughly 10 years and have worked with an extensive range of technologies. Whilst working for relatively small companies, I have worked with all aspects of the development life cycle, which has given me a broad and in-depth experience.