Last active
April 7, 2017 08:51
-
-
Save thomaswitt/8197822 to your computer and use it in GitHub Desktop.
Sets a secure Cipher Suite Policy on Amazon Web Services (AWS) Elastic Load Balancer (ELB). Requires the Elastic Load Balancing Command Line Interface Tools from AWS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # bin/elb-describe-lbs | awk '{print $2}' | xargs -n1 elb-set-secure-policy.sh | |
| ELB=$1 | |
| echo "Setting Policy on Load Balancer $1" | |
| bin/elb-create-lb-policy $ELB \ | |
| --policy-type SSLNegotiationPolicyType \ | |
| --policy-name elb-secure-ssl \ | |
| --attribute "name=AES128-GCM-SHA256,value=true" \ | |
| --attribute "name=AES256-GCM-SHA384,value=true" \ | |
| --attribute "name=AES128-SHA,value=true" \ | |
| --attribute "name=AES128-SHA256,value=true" \ | |
| --attribute "name=AES256-SHA,value=true" \ | |
| --attribute "name=AES256-SHA256,value=true" \ | |
| --attribute "name=CAMELLIA128-SHA,value=true" \ | |
| --attribute "name=CAMELLIA256-SHA,value=true" \ | |
| --attribute "name=DHE-DSS-AES128-GCM-SHA256,value=true" \ | |
| --attribute "name=DHE-DSS-AES256-GCM-SHA384,value=true" \ | |
| --attribute "name=DHE-DSS-AES128-SHA,value=true" \ | |
| --attribute "name=DHE-DSS-AES128-SHA256,value=true" \ | |
| --attribute "name=DHE-DSS-AES256-SHA,value=true" \ | |
| --attribute "name=DHE-DSS-AES256-SHA256,value=true" \ | |
| --attribute "name=DHE-RSA-AES128-GCM-SHA256,value=true" \ | |
| --attribute "name=DHE-RSA-AES256-GCM-SHA384,value=true" \ | |
| --attribute "name=DHE-RSA-AES128-SHA,value=true" \ | |
| --attribute "name=DHE-RSA-AES128-SHA256,value=true" \ | |
| --attribute "name=DHE-RSA-AES256-SHA,value=true" \ | |
| --attribute "name=DHE-RSA-AES256-SHA256,value=true" \ | |
| --attribute "name=Protocol-SSLv3,value=true" \ | |
| --attribute "name=Protocol-TLSv1,value=true" \ | |
| --attribute "name=Protocol-TLSv1.1,value=true" \ | |
| --attribute "name=Protocol-TLSv1.2,value=true" \ | |
| --attribute "name=RC4-SHA,value=true" \ | |
| --attribute "name=ADH-AES128-GCM-SHA256,value=false" \ | |
| --attribute "name=ADH-AES256-GCM-SHA384,value=false" \ | |
| --attribute "name=ADH-AES128-SHA,value=false" \ | |
| --attribute "name=ADH-AES128-SHA256,value=false" \ | |
| --attribute "name=ADH-AES256-SHA,value=false" \ | |
| --attribute "name=ADH-AES256-SHA256,value=false" \ | |
| --attribute "name=ADH-CAMELLIA128-SHA,value=false" \ | |
| --attribute "name=ADH-CAMELLIA256-SHA,value=false" \ | |
| --attribute "name=ADH-DES-CBC3-SHA,value=false" \ | |
| --attribute "name=ADH-DES-CBC-SHA,value=false" \ | |
| --attribute "name=ADH-RC4-MD5,value=false" \ | |
| --attribute "name=ADH-SEED-SHA,value=false" \ | |
| --attribute "name=DES-CBC3-MD5,value=false" \ | |
| --attribute "name=DES-CBC3-SHA,value=false" \ | |
| --attribute "name=DES-CBC-MD5,value=false" \ | |
| --attribute "name=DES-CBC-SHA,value=false" \ | |
| --attribute "name=DHE-DSS-CAMELLIA128-SHA,value=false" \ | |
| --attribute "name=DHE-DSS-CAMELLIA256-SHA,value=false" \ | |
| --attribute "name=DHE-DSS-SEED-SHA,value=false" \ | |
| --attribute "name=DHE-RSA-CAMELLIA128-SHA,value=false" \ | |
| --attribute "name=DHE-RSA-CAMELLIA256-SHA,value=false" \ | |
| --attribute "name=DHE-RSA-SEED-SHA,value=false" \ | |
| --attribute "name=EDH-DSS-DES-CBC3-SHA,value=false" \ | |
| --attribute "name=EDH-DSS-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EDH-RSA-DES-CBC3-SHA,value=false" \ | |
| --attribute "name=EDH-RSA-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-ADH-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-ADH-RC4-MD5,value=false" \ | |
| --attribute "name=EXP-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-EDH-DSS-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-EDH-RSA-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-KRB5-DES-CBC-MD5,value=false" \ | |
| --attribute "name=EXP-KRB5-DES-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-KRB5-RC2-CBC-MD5,value=false" \ | |
| --attribute "name=EXP-KRB5-RC2-CBC-SHA,value=false" \ | |
| --attribute "name=EXP-KRB5-RC4-MD5,value=false" \ | |
| --attribute "name=EXP-KRB5-RC4-SHA,value=false" \ | |
| --attribute "name=EXP-RC2-CBC-MD5,value=false" \ | |
| --attribute "name=EXP-RC4-MD5,value=false" \ | |
| --attribute "name=IDEA-CBC-SHA,value=false" \ | |
| --attribute "name=KRB5-DES-CBC3-MD5,value=false" \ | |
| --attribute "name=KRB5-DES-CBC3-SHA,value=false" \ | |
| --attribute "name=KRB5-DES-CBC-MD5,value=false" \ | |
| --attribute "name=KRB5-DES-CBC-SHA,value=false" \ | |
| --attribute "name=KRB5-RC4-MD5,value=false" \ | |
| --attribute "name=KRB5-RC4-SHA,value=false" \ | |
| --attribute "name=Protocol-SSLv2,value=false" \ | |
| --attribute "name=PSK-3DES-EDE-CBC-SHA,value=false" \ | |
| --attribute "name=PSK-AES128-CBC-SHA,value=false" \ | |
| --attribute "name=PSK-AES256-CBC-SHA,value=false" \ | |
| --attribute "name=PSK-RC4-SHA,value=false" \ | |
| --attribute "name=RC2-CBC-MD5,value=false" \ | |
| --attribute "name=RC4-MD5,value=false" \ | |
| --attribute "name=SEED-SHA,value=false" | |
| echo "Waiting for activation" | |
| sleep 30 | |
| echo "Activating Policy on Load Balancer $1" | |
| bin/elb-set-lb-policies-of-listener $ELB \ | |
| --policy-names elb-secure-ssl \ | |
| --lb-port 443 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment