How do I use the AWS CLI to determine the active SSL security policy applied to my Elastic Load Balancing HTTPS and SSL listeners?

Last updated: 2015-12-08

How do I determine the active SSL security policy associated with my ELB listener by using the AWS CLI?

Short description

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

When you configure a load balancer listener by following the steps in Add an HTTPS Listener Using the Console, the SSL security policy for the listener is displayed in the Amazon EC2 console, in the Select a Cipher dialog box described in step 6 of To update SSL negotiation configuration for an HTTPS/SSL load balancer. Using the AWS CLI, you can list the load balancer's listener SSL security policy names, together with the predefined SSL Security Policy for Elastic Load Balancing that each one was created from, by running the following describe-load-balancer-policies command. Be sure to substitute your load balancer name for TESTELB:

aws elb describe-load-balancer-policies --load-balancer-name TESTELB --query "PolicyDescriptions[?PolicyTypeName==`SSLNegotiationPolicyType`].{PolicyName:PolicyName,ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

Note: The CLI examples use the syntax of the AWS CLI in a Windows Command Prompt window. If you run these commands on Linux or in Windows PowerShell, enclose the --query parameter in single quotes instead of double quotes. For information about syntax differences between platforms, see Specifying Parameter Values for the AWS Command Line Interface.

This command should generate output similar to the following:

-------------------------------------------------------------------------------------
|                             DescribeLoadBalancerPolicies                          |
+-------------------------------------------------------+---------------------------+
|                     PolicyName                        |  ReferenceSecurityPolicy  |
+-------------------------------------------------------+---------------------------+
| ELBSecurityPolicy-2015-05                             | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446825761570 | ELBSecurityPolicy-2015-03 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446774067525 | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446774575245 | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447023243695 | ELBSecurityPolicy-2014-10 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447039877149 | false                     |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447039147749 | ELBSecurityPolicy-2011-08 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 | ELBSecurityPolicy-2014-10 |
+-------------------------------------------------------+---------------------------+

Note: A ReferenceSecurityPolicy value of false indicates that the policy was not created using one of the predefined security policies described at SSL Security Policies for Elastic Load Balancing.

This AWS CLI command returns the SSL security policies associated with a load balancer listener but does not indicate which load balancer listener SSL security policy is currently active. To determine the currently active policy, complete the steps described in the Resolution section.

Resolution

Run these AWS CLI commands to return the active load balancer listener SSL security policy and any associated predefined SSL security policy:

1. To return information about the active listener SSL security policy, run describe-load-balancers, substituting your load balancer name for TESTELB:

aws elb describe-load-balancers --load-balancer-name TESTELB --query "LoadBalancerDescriptions[*].{ActivePolicy:ListenerDescriptions}" --output table

This command should return output similar to the following:

---------------------------------------------------------------------------------
|                             DescribeLoadBalancers                             |
||                                ActivePolicy                                 ||
|||                                 Listener                                  |||
||+-------------------+-------------------------------------------------------+||
|||  InstancePort     |  443                                                  |||
|||  InstanceProtocol |  SSL                                                  |||
|||  LoadBalancerPort |  443                                                  |||
|||  Protocol         |  SSL                                                  |||
|||  SSLCertificateId |  arn:aws:iam::803981987763:server-certificate/ELBSSL  |||
||+-------------------+-------------------------------------------------------+||
|||                                PolicyNames                                |||
||+---------------------------------------------------------------------------+||
|||  AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672                    |||
||+---------------------------------------------------------------------------+||
||                                ActivePolicy                                 ||
|||                                 Listener                                  |||
||+-----------------------------------------------------+---------------------+||
|||  InstancePort                                       |  80                 |||
|||  InstanceProtocol                                   |  HTTP               |||
|||  LoadBalancerPort                                   |  80                 |||
|||  Protocol                                           |  HTTP               |||
||+-----------------------------------------------------+---------------------+||

2. To return any predefined SSL security policy associated with the active listener SSL security policy, run describe-load-balancer-policies, substituting your load balancer name for TESTELB and your active listener SSL security policy name for AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672:

aws elb describe-load-balancer-policies --load-balancer-name TESTELB --policy-name AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 --query "PolicyDescriptions[0].{ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

This command should return output similar to the following:

----------------------------------------------------------
|              DescribeLoadBalancerPolicies              |
+--------------------------+-----------------------------+
|  ReferenceSecurityPolicy |  ELBSecurityPolicy-2014-10  |
+--------------------------+-----------------------------+

Note: If the predefined SSL security policy value returned is false, then the active load balancer listener SSL security policy was not created using one of the predefined security policies described at SSL Security Policies for Elastic Load Balancing.
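The two-step lookup above (find the policy name on each HTTPS/SSL listener, then resolve it to a predefined security policy) can be automated by joining the JSON output of the same two commands run with --output json. The following script is an added example written for this article; it is not AWS code and not part of the original page. It embeds constructed, abbreviated sample responses in place of live CLI output (the account ID in the certificate ARN is a placeholder), and it assumes that an SSL negotiation policy records its predefined policy in the attribute named Reference-Security-Policy, which is the attribute the article's [0] query reads; if that attribute is missing the script falls back to the first attribute, exactly as the article's query does. It also handles a case the --query expressions above do not: a listener that carries several policies (for example a stickiness policy alongside the SSL negotiation policy), where only the policy of type SSLNegotiationPolicyType is the active SSL security policy.

```python
"""Join `aws elb describe-load-balancers --output json` with
`aws elb describe-load-balancer-policies --output json` to report, for each
HTTPS/SSL listener, the active SSL negotiation policy and the predefined
reference security policy it was created from ("false" means custom ciphers)."""
import json

# Constructed sample (abbreviated) of describe-load-balancers output for TESTELB.
# Account ID in the certificate ARN is a placeholder.
LB_JSON = """
{"LoadBalancerDescriptions": [
  {"LoadBalancerName": "TESTELB",
   "ListenerDescriptions": [
     {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 443,
                   "InstanceProtocol": "SSL", "InstancePort": 443,
                   "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/ELBSSL"},
      "PolicyNames": ["AWSConsole-LBCookieStickinessPolicy-TESTELB-0",
                      "AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672"]},
     {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                   "InstanceProtocol": "HTTP", "InstancePort": 80},
      "PolicyNames": []}]}]}
"""

# Constructed sample (abbreviated) of describe-load-balancer-policies output.
# A real response lists many more Protocol-*/cipher attributes per SSL policy.
POLICIES_JSON = """
{"PolicyDescriptions": [
  {"PolicyName": "AWSConsole-LBCookieStickinessPolicy-TESTELB-0",
   "PolicyTypeName": "LBCookieStickinessPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "CookieExpirationPeriod", "AttributeValue": "0"}]},
  {"PolicyName": "AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672",
   "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2014-10"},
     {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
  {"PolicyName": "AWSConsole-SSLNegotiationPolicy-TESTELB-1447039877149",
   "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "false"},
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"}]}]}
"""

REFERENCE_ATTR = "Reference-Security-Policy"   # assumed attribute name; see lead-in
SSL_POLICY_TYPE = "SSLNegotiationPolicyType"


def reference_policies(policies_doc):
    """Map each SSL negotiation policy name to its predefined reference policy.
    "false" means the policy was built from custom cipher/protocol settings."""
    refs = {}
    for pd in policies_doc["PolicyDescriptions"]:
        if pd["PolicyTypeName"] != SSL_POLICY_TYPE:
            continue  # skip stickiness and other non-SSL policy types
        attrs = pd.get("PolicyAttributeDescriptions", [])
        ref = next((a["AttributeValue"] for a in attrs
                    if a["AttributeName"] == REFERENCE_ATTR), None)
        if ref is None and attrs:
            ref = attrs[0]["AttributeValue"]  # same assumption as the article's [0] query
        refs[pd["PolicyName"]] = ref if ref else "false"
    return refs


def active_ssl_policies(lb_doc, refs):
    """One row per HTTPS/SSL listener: port, active SSL policy, reference policy."""
    rows = []
    for lb in lb_doc["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            listener = ld["Listener"]
            if listener["Protocol"] not in ("HTTPS", "SSL"):
                continue
            # A listener may carry several policies; the active SSL security policy
            # is the one whose type is SSLNegotiationPolicyType (i.e. present in refs).
            active = next((n for n in ld.get("PolicyNames", []) if n in refs), None)
            rows.append({
                "LoadBalancerName": lb["LoadBalancerName"],
                "LoadBalancerPort": listener["LoadBalancerPort"],
                "ActivePolicy": active,                      # None: no SSL policy found, review manually
                "ReferenceSecurityPolicy": refs.get(active) if active else None,
                "Custom": active is not None and refs.get(active) == "false",
            })
    return rows


def report(lb_json, policies_json):
    """Parse the raw JSON strings from both CLI commands and join them."""
    return active_ssl_policies(json.loads(lb_json),
                               reference_policies(json.loads(policies_json)))


if __name__ == "__main__":
    for row in report(LB_JSON, POLICIES_JSON):
        print(row)
```

To run this against a real load balancer, replace LB_JSON and POLICIES_JSON with the output of `aws elb describe-load-balancers --load-balancer-name TESTELB --output json` and `aws elb describe-load-balancer-policies --load-balancer-name TESTELB --output json`. A row with Custom set to True corresponds to the "false" case described in the note above: the listener's active policy was not created from a predefined security policy, so its cipher and protocol settings need to be reviewed individually.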