Update all ELBs to address POODLE
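#!/bin/bash
# Audit every classic ELB (skipping those whose DNS name starts with
# 'internal') for SSLv3 support, the protocol POODLE relies on.
#
# Per ELB one line "<dns-name> VERDICT" is printed, where VERDICT is
#   FAIL     - an SSLv3 handshake to port 443 completed (SSLv3 still enabled)
#   PASS     - the SSLv3 handshake was refused
#   UNKNOWN  - the ELB could not be reached or the probe timed out
# UNKNOWN exists so that a network problem is never reported as PASS.
# Exit status is 1 if any ELB reported FAIL, 0 otherwise.
#
# Requires: awscli (with --query support), coreutils timeout, and an openssl
# that still accepts -ssl3 — an openssl without it only prints a usage error,
# which the original version of this script counted as PASS.
#
# Earlier attempt: https://gist.github.com/aastaneh/46ceb03150e5284b8a3a
# did not work for the author, so this is a rewrite of that idea.
set -uo pipefail

readonly PORT=443
readonly CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-15}   # seconds per ELB probe

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Classify one openssl s_client probe.
# Arguments: $1 - exit status of the probe pipeline (124 = timeout)
#            $2 - combined stdout+stderr of openssl s_client
# Outputs:   PASS, FAIL or UNKNOWN on stdout
#######################################
classify() {
  local rc=$1 output=$2
  if (( rc == 124 )); then
    # timeout(1) status: no verdict either way
    printf 'UNKNOWN\n'
  elif grep -q 'DONE' <<<"$output"; then
    # s_client prints DONE only after a session was established and stdin
    # drained, i.e. the server accepted SSLv3 (same marker the original used)
    printf 'FAIL\n'
  elif grep -q 'connect:' <<<"$output"; then
    # TCP-level connect error (presumably "connect:errno=..."); not a TLS verdict
    printf 'UNKNOWN\n'
  else
    printf 'PASS\n'
  fi
}

command -v aws >/dev/null || die "aws not found in PATH"
command -v openssl >/dev/null || die "openssl not found in PATH"
command -v timeout >/dev/null || die "timeout (coreutils) not found in PATH"
# s_client's help/usage text lists -ssl3 only when SSLv3 was compiled in;
# without it every probe would look like PASS. Presumably holds for the
# 1.0.x usage output and the 1.1+/3.x -help output — verify on your build.
openssl s_client -help 2>&1 | grep -q -- '-ssl3' \
  || die "local openssl has no -ssl3 support; cannot probe SSLv3"

# Structured output instead of grep/awk/perl over the JSON; --output text
# puts the list on one tab-separated line.
mapfile -t elbs < <(aws elb describe-load-balancers \
  --query 'LoadBalancerDescriptions[].DNSName' --output text | tr '\t' '\n')
(( ${#elbs[@]} > 0 )) || die "no load balancers returned (aws call failed or none exist)"

failures=0
for elb in "${elbs[@]}"; do
  # internal ELBs are deliberately not probed, as in the original
  [[ -z "$elb" || "$elb" == internal* ]] && continue
  rc=0
  out=$(printf '01 logout\n' \
    | timeout "$CONNECT_TIMEOUT" openssl s_client -ssl3 -connect "${elb}:${PORT}" 2>&1) \
    || rc=$?
  verdict=$(classify "$rc" "$out")
  printf '%s %s\n' "$elb" "$verdict"
  [[ "$verdict" == FAIL ]] && failures=$((failures + 1))
done

(( failures == 0 )) || exit 1
exit 0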
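#!/bin/bash
# Apply an SSL negotiation policy based on ELBSecurityPolicy-2014-10 (the AWS
# predefined policy that drops SSLv3, the protocol POODLE relies on) to the
# port-443 listener of every classic ELB in the account.
#
# An ELB without a listener on that port fails the apply step; the error is
# printed and the loop continues, and the script exits non-zero at the end if
# any ELB could not be updated.
#
# Tested with: aws-cli/1.4.3 Python/2.7.5 Darwin/13.4.0 (check `aws --version`;
# the awscli must be recent enough to know ELBSecurityPolicy-2014-10).
#
# Environment overrides:
#   POLICY_NAME       policy created on each ELB       (default Poodle-20141015)
#   REFERENCE_POLICY  predefined AWS policy to base it on (default ELBSecurityPolicy-2014-10)
#   LISTENER_PORT     listener to update                (default 443)
set -uo pipefail   # deliberately no -e: one failing ELB must not abort the run

POLICY_NAME=${POLICY_NAME:-Poodle-20141015}
REFERENCE_POLICY=${REFERENCE_POLICY:-ELBSecurityPolicy-2014-10}
LISTENER_PORT=${LISTENER_PORT:-443}
readonly POLICY_NAME REFERENCE_POLICY LISTENER_PORT

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v aws >/dev/null || die "aws not found in PATH"

# Structured output instead of grep/awk/perl over the JSON (that parser only
# accepted names matching [\w-]); --output text puts the list on one
# tab-separated line.
mapfile -t elbs < <(aws elb describe-load-balancers \
  --query 'LoadBalancerDescriptions[].LoadBalancerName' --output text | tr '\t' '\n')
(( ${#elbs[@]} > 0 )) || die "no load balancers returned (aws call failed or none exist)"

failed=0
for name in "${elbs[@]}"; do
  [[ -n "$name" ]] || continue

  # Create the per-ELB policy. Re-running after an earlier success is expected
  # to fail here because the policy already exists, so this is only a warning;
  # the apply step below still runs.
  if ! aws elb create-load-balancer-policy \
      --load-balancer-name "$name" \
      --policy-name "$POLICY_NAME" \
      --policy-type-name SSLNegotiationPolicyType \
      --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=${REFERENCE_POLICY}"; then
    printf 'warn: %s: could not create policy %s (already exists?)\n' "$name" "$POLICY_NAME" >&2
  fi

  # NOTE: this sets the listener's complete policy list, so any other policy
  # already attached to this port (e.g. a stickiness policy) is dropped and
  # must be re-added alongside POLICY_NAME if it is still wanted.
  if ! aws elb set-load-balancer-policies-of-listener \
      --load-balancer-name "$name" \
      --load-balancer-port "$LISTENER_PORT" \
      --policy-names "$POLICY_NAME"; then
    printf 'error: %s: could not apply %s to port %s (no listener on that port?)\n' \
      "$name" "$POLICY_NAME" "$LISTENER_PORT" >&2
    failed=$((failed + 1))
  fi
done

(( failed == 0 )) || die "$failed load balancer(s) were not updated"
exit 0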