@aastaneh
Last active August 29, 2015 14:07
How to swap out AWS ELB Policies for CVE-2014-3566 using AWS CLI Tools
The AWS advisory at https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/ says to go into the web interface and change the SSL negotiation settings.
What if you have hundreds of ELBs to change? NO BUENO.
Here's how to do it using the CLI tools:
# List Existing Policies (note the name of the SSL negotiation policy currently on the 443 listener)
aws elb describe-load-balancer-policies --load-balancer-name "$ELBNAME" --output text | grep POLICYDESCRIPTIONS
# Create a New Policy That Has SSLv3 Disabled (ELBSecurityPolicy-2014-10 is the AWS predefined policy without SSLv3)
aws elb create-load-balancer-policy --load-balancer-name "$ELBNAME" --policy-name "$NEWPOLICYNAME" --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10
# Configure Your SSL Listener to Use It (this replaces the listener's whole policy set, so list any stickiness policy you need to keep in the same --policy-names)
aws elb set-load-balancer-policies-of-listener --load-balancer-name "$ELBNAME" --load-balancer-port 443 --policy-names "$NEWPOLICYNAME"
# Delete The Old Policy
aws elb delete-load-balancer-policy --load-balancer-name "$ELBNAME" --policy-name "$OLDPOLICYNAME"
# Verify SSLv3 Doesn't Work Anymore (expect a handshake failure; </dev/null stops s_client waiting for input)
openssl s_client -ssl3 -connect "$ELBHOSTNAME:443" </dev/null
# Finally, audit your entire AWS account!
#!/bin/bash
# Audit every classic ELB in every region. FAIL means an SSLv3 handshake still completes:
# s_client prints "DONE" (on stderr) only after a successful handshake, once it hits EOF on stdin.
for REGION in $( aws ec2 describe-regions --query 'Regions[].RegionName' --output text ); do
  # DNSName is present for both internet-facing and internal ELBs
  for ELB in $( aws elb describe-load-balancers --region "$REGION" --query 'LoadBalancerDescriptions[].DNSName' --output text ); do
    echo -n "$REGION $ELB "
    if echo "01 logout" | openssl s_client -ssl3 -connect "$ELB:443" 2>&1 | grep -q DONE; then
      echo FAIL
    else
      echo PASS   # also PASS when the ELB has no 443 listener at all, so nothing was tested
    fi
  done
done
# Example output:
us-east-1 fooelb-12345.us-east-1.elb.amazonaws.com FAIL
us-east-1 barelb-67890.us-east-1.elb.amazonaws.com PASS
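The five steps and the audit loop above, combined into one script for a single ELB. This is an added example, not code from the original gist: it reads what is attached to the 443 listener, re-attaches any non-SSL policies (set-load-balancer-policies-of-listener replaces the listener's whole policy set), skips policy creation on reruns, and grades the final SSLv3 probe with more than PASS/FAIL so an ELB with no 443 listener or an openssl without SSLv3 support is not reported as fixed. It assumes AWS CLI v1 with credentials configured, bash, and an openssl that still accepts -ssl3; the policy name NoSSLv3-2014-10 and the function names are my own.

```shell
#!/bin/bash
# elb_poodle_fix.sh: remediate CVE-2014-3566 on one classic ELB with the AWS CLI.
# Added example, not code from the original gist. Assumes AWS CLI v1 with credentials
# configured, bash (the body is POSIX-compatible), and an openssl that accepts -ssl3.
# Usage: ./elb_poodle_fix.sh <elb-name> <region>
set -eu

REFERENCE_POLICY="ELBSecurityPolicy-2014-10"           # AWS predefined policy with SSLv3 disabled
NEW_POLICY_NAME="${NEW_POLICY_NAME:-NoSSLv3-2014-10}"   # hypothetical name for the policy we create

# Classify the combined stdout+stderr of `openssl s_client -ssl3 -connect host:443 </dev/null`:
#   FAIL   - SSLv3 handshake completed: s_client prints DONE once it reaches EOF on stdin
#   NOTEST - this openssl has no SSLv3 support, so the probe proves nothing
#   NOCONN - no TCP connection at all (no 443 listener, bad DNS): SSLv3 was never exercised
#   PASS   - connected, but the server rejected SSLv3 (handshake failure alert)
classify_sslv3_probe() {
  out="$1"
  if printf '%s\n' "$out" | grep -q '^DONE'; then
    echo FAIL
  elif printf '%s\n' "$out" | grep -qi 'unknown option'; then
    echo NOTEST
  elif printf '%s\n' "$out" | grep -qiE 'connect:errno|connection refused|getaddrinfo|name or service'; then
    echo NOCONN
  else
    echo PASS
  fi
}

# Both filters read "<policy-name><TAB><policy-type>" lines, the shape produced by
#   describe-load-balancer-policies --query 'PolicyDescriptions[].[PolicyName,PolicyTypeName]' --output text
# Non-SSL policies on the listener (e.g. cookie stickiness) must be re-attached with the new one.
ssl_negotiation_policies() { awk -F'\t' 'NF == 2 && $2 == "SSLNegotiationPolicyType" { print $1 }'; }
other_listener_policies()  { awk -F'\t' 'NF == 2 && $2 != "SSLNegotiationPolicyType" { print $1 }'; }

remediate_elb() {
  elb="$1"; region="$2"

  # Step 1: what is attached to the 443 listener, and of which policy type?
  attached=$(aws elb describe-load-balancers --region "$region" --load-balancer-names "$elb" \
    --query 'LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.LoadBalancerPort==`443`].PolicyNames[]' \
    --output text)
  described=""
  if [ -n "$attached" ] && [ "$attached" != "None" ]; then
    described=$(aws elb describe-load-balancer-policies --region "$region" --load-balancer-name "$elb" \
      --policy-names $attached --query 'PolicyDescriptions[].[PolicyName,PolicyTypeName]' --output text)
  fi
  old=$(printf '%s\n' "$described" | ssl_negotiation_policies)
  keep=$(printf '%s\n' "$described" | other_listener_policies)

  # Step 2: create the SSLv3-free policy, unless an earlier run already did
  existing=$(aws elb describe-load-balancer-policies --region "$region" --load-balancer-name "$elb" \
    --query 'PolicyDescriptions[].PolicyName' --output text | tr '\t' '\n')
  if ! printf '%s\n' "$existing" | grep -qx "$NEW_POLICY_NAME"; then
    aws elb create-load-balancer-policy --region "$region" --load-balancer-name "$elb" \
      --policy-name "$NEW_POLICY_NAME" --policy-type-name SSLNegotiationPolicyType \
      --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=$REFERENCE_POLICY"
  fi

  # Step 3: put the new policy on the listener, together with the policies we must keep
  aws elb set-load-balancer-policies-of-listener --region "$region" --load-balancer-name "$elb" \
    --load-balancer-port 443 --policy-names "$NEW_POLICY_NAME" $keep

  # Step 4: delete the superseded SSL negotiation policies (never the one just attached)
  for p in $old; do
    [ "$p" = "$NEW_POLICY_NAME" ] && continue
    aws elb delete-load-balancer-policy --region "$region" --load-balancer-name "$elb" --policy-name "$p"
  done

  # Step 5: verify from the outside; `|| true` because a refused handshake is a non-zero exit
  dns=$(aws elb describe-load-balancers --region "$region" --load-balancer-names "$elb" \
    --query 'LoadBalancerDescriptions[0].DNSName' --output text)
  probe=$(openssl s_client -ssl3 -connect "$dns:443" </dev/null 2>&1 || true)
  echo "$region $elb $(classify_sslv3_probe "$probe")"
}

case $# in
  0) ;;                            # no arguments: only define the functions (e.g. when sourced)
  2) remediate_elb "$1" "$2" ;;
  *) echo "usage: $0 <elb-name> <region>" >&2; exit 2 ;;
esac
```

Run it per ELB from the region/ELB loop in the audit script, or source it and call remediate_elb in a loop of your own; a NOCONN or NOTEST verdict means the ELB was not actually probed and needs a second look rather than a tick in the PASS column.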
@aastaneh (Author)

Ah, right! Thanks.
