A quick and dirty script to update every classic ELB in an AWS account to the predefined SSL negotiation policy ELBSecurityPolicy-2014-10, mitigating CVE-2014-3566 (POODLE) by taking SSLv3 off the load balancers' TLS listeners. Note that 2014-10 was the current predefined policy when this was written; newer predefined policies have since been published, so check which one AWS currently recommends before applying this. Barely tested, use at own risk, etc. Requires awscli to be installed, and AWS credentials available to it (environment, profile or instance role).
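#!/bin/bash
# Requires: awscli (http://aws.amazon.com/cli/)
#
# Applies a predefined ELB (classic) SSL negotiation policy to every
# TLS-terminating listener (HTTPS and SSL) of every load balancer in every
# region of the account, as a mitigation for CVE-2014-3566 (POODLE).
#
# Credentials are deliberately NOT hard-coded here: awscli resolves them on
# its own from AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, AWS_PROFILE /
# ~/.aws/credentials, or an instance role. Never paste keys into this file -
# a gist/repo is not a secret store. (The previous "export KEY=''" at the end
# was also a no-op: the script runs in its own process, so the caller's
# environment was never touched anyway.)
#
# Configuration:
#   POLICY - predefined SSL negotiation policy to apply. Defaults to
#            ELBSecurityPolicy-2014-10 (the one that dropped SSLv3); newer
#            predefined policies exist, so prefer
#              POLICY=ELBSecurityPolicy-<current> ./this-script
#            over editing the default.
#
# Exit status: 0 when every region was processed, 1 when the user declined
# the prompt, non-zero when a listing call (regions / load balancers /
# listeners) fails. A failed create-load-balancer-policy on one ELB is
# reported and skipped, so a re-run over already-patched ELBs keeps going.
set -euo pipefail

# Base predefined policy; see header. Per-ELB policy objects are created under
# POLICY_NAME so the reference policy is visible in describe-load-balancer-policies.
POLICY="${POLICY:-ELBSecurityPolicy-2014-10}"
readonly POLICY
readonly POLICY_NAME="pol-${POLICY}"

command -v aws >/dev/null 2>&1 || {
  echo "error: 'aws' (awscli) not found in PATH" >&2
  exit 1
}

# Warn the user that shit is about to go down.
echo "This will update ALL load balancers in EVERY REGION to the SSL negotiation policy of '$POLICY'"
echo "If you want a different policy, set POLICY=<predefined-policy-name> in the environment before running."
echo "BE VERY SURE YOU WANT TO DO THIS!!"

# Make sure they actually read it :p  (EOF on stdin makes 'read' fail, which
# under 'set -e' aborts instead of spinning on the prompt forever).
while :; do
  printf ' Ready to start (y/n)? '
  read -r answer
  case "$answer" in
    [Nn])
      echo " - Fine, be that way."
      exit 1
      ;;
    [Yy])
      echo " - Let's get this party started..."
      break
      ;;
    *)
      echo " - What? Type 'y' or 'n'.. dumbass."
      ;;
  esac
done

# Want to do this for all regions. Ask the API for the region names directly
# (--query/--output text gives one tab-separated line) instead of grep'ing
# the text table, whose layout is not something to depend on.
region_list=$(aws ec2 describe-regions --region us-west-1 \
  --query 'Regions[].RegionName' --output text)
[[ -n "$region_list" ]] || {
  echo "error: describe-regions returned no regions" >&2
  exit 1
}
read -r -a regions <<< "$region_list"

for region in "${regions[@]}"; do
  echo "$region =>"

  # ..and all ELBs in the region. Classic ELB names are alphanumerics and
  # hyphens only, so splitting the text output on whitespace is safe.
  elb_list=$(aws elb describe-load-balancers --region "$region" \
    --query 'LoadBalancerDescriptions[].LoadBalancerName' --output text)
  if [[ -z "$elb_list" ]]; then
    echo "  (no load balancers)"
    continue
  fi
  read -r -a elbs <<< "$elb_list"

  for elb in "${elbs[@]}"; do
    echo "  $elb =>"

    # Create the new policy object for the ELB. On a re-run this fails for
    # ELBs that already carry POLICY_NAME (duplicate policy name); that is
    # not fatal - report it and still (re)apply the policy to the listeners.
    if ! aws elb create-load-balancer-policy \
        --region "$region" \
        --load-balancer-name "$elb" \
        --policy-name "$POLICY_NAME" \
        --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=${POLICY}"; then
      echo "  [!] create-load-balancer-policy failed for $region/$elb (already exists from an earlier run?) - continuing" >&2
    fi

    # Front-end ports of every TLS-terminating listener. Two things the old
    # grep pipeline got wrong:
    #  - the policy is attached by LoadBalancerPort (the listener's port), not
    #    InstancePort; the old code only worked when both happened to match
    #    (e.g. 443 -> 443) and would hit the wrong port for 443 -> 80.
    #  - 'Protocol": "HTTPS"' also matched InstanceProtocol, so the -B 5
    #    window could bleed into the previous listener.
    # SSL (TLS-over-TCP) listeners use the same SSLNegotiationPolicyType, so
    # they are covered too - POODLE applies to them just as much.
    port_list=$(aws elb describe-load-balancers --region "$region" \
      --load-balancer-name "$elb" \
      --query "LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.Protocol=='HTTPS' || Listener.Protocol=='SSL'].Listener.LoadBalancerPort" \
      --output text)
    if [[ -z "$port_list" ]]; then
      echo "    (no HTTPS/SSL listeners)"
      continue
    fi
    read -r -a ports <<< "$port_list"

    for port in "${ports[@]}"; do
      echo "    $port => "
      # Activates the new policy. NOTE: this call REPLACES the listener's whole
      # policy set with the one named here, so any other policy that was
      # attached to this listener (e.g. stickiness) is dropped - same as the
      # original script did; re-attach such policies afterwards if you use them.
      aws elb set-load-balancer-policies-of-listener \
        --region "$region" \
        --load-balancer-name "$elb" \
        --load-balancer-port "$port" \
        --policy-names "$POLICY_NAME"
      echo "    [+] $region/$elb/$port => $POLICY_NAME"
    done
  done
done

echo "All done!"
echo ""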