How do I determine the active SSL security policy associated with my ELB listener using the AWS CLI?

Last updated: 2022-02-28

I want to use the AWS Command Line Interface (AWS CLI) to determine the active security policy on my HTTPS or SSL listener on Elastic Load Balancing (ELB). How can I do this?

Short description

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

You can add an HTTPS listener to your load balancer for Amazon Elastic Compute Cloud (Amazon EC2). The SSL security policy for the listener is displayed in the Amazon EC2 console. For instructions, see update SSL negotiation configuration for an HTTPS/SSL load balancer.

You can display the load balancer listener SSL security policy names and predefined SSL security policies with the AWS CLI command describe-load-balancer-policies similar to the following:

aws elb describe-load-balancer-policies --load-balancer-name EXAMPLEELB --query "PolicyDescriptions[?PolicyTypeName==`SSLNegotiationPolicyType`].{PolicyName:PolicyName,ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

Example output:

-------------------------------------------------------------------------------------
|                             DescribeLoadBalancerPolicies                          |
+-------------------------------------------------------+---------------------------+
|                     PolicyName                        |  ReferenceSecurityPolicy  |
+-------------------------------------------------------+---------------------------+
| ELBSecurityPolicy-2015-05                             | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446825761570 | ELBSecurityPolicy-2015-03 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446774067525 | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1446774575245 | ELBSecurityPolicy-2015-05 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447023243695 | ELBSecurityPolicy-2014-10 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447039877149 | false                     |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447039147749 | ELBSecurityPolicy-2011-08 |
| AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 | ELBSecurityPolicy-2014-10 |
+-------------------------------------------------------+---------------------------+

Note: A ReferenceSecurityPolicy value of false indicates that the policy was not created using one of the predefined security policies.

The output returns the SSL security policies associated with a load balancer listener, but doesn't indicate which policy is active.

Resolution

To determine the active load balancer listener SSL security policy and any associated predefined SSL security policies:

1.    Run the AWS command describe-load-balancers similar to the following:

aws elb describe-load-balancers --load-balancer-name EXAMPLEELB --query "LoadBalancerDescriptions[*].{ActivePolicy:ListenerDescriptions}" --output table

Example output:

---------------------------------------------------------------------------------
|                             DescribeLoadBalancers                             |
||                                ActivePolicy                                 ||
|||                                 Listener                                  |||
||+-------------------+-------------------------------------------------------+||
|||  InstancePort     |  443                                                  |||
|||  InstanceProtocol |  SSL                                                  |||
|||  LoadBalancerPort |  443                                                  |||
|||  Protocol         |  SSL                                                  |||
|||  SSLCertificateId |  arn:aws:iam::803981987763:server-certificate/ELBSSL  |||
||+-------------------+-------------------------------------------------------+||
|||                                PolicyNames                                |||
||+---------------------------------------------------------------------------+||
|||  AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672                    |||
||+---------------------------------------------------------------------------+||
||                                ActivePolicy                                 ||
|||                                 Listener                                  |||
||+-----------------------------------------------------+---------------------+||
|||  InstancePort                                       |  80                 |||
|||  InstanceProtocol                                   |  HTTP               |||
|||  LoadBalancerPort                                   |  80                 |||
|||  Protocol                                           |  HTTP               |||
||+-----------------------------------------------------+---------------------+||

The output returns the policy names associated with the load balancer.

2.    To get more information about a policy, run the AWS CLI command describe-load-balancer-policies similar to the following:

aws elb describe-load-balancer-policies --load-balancer-name EXAMPLEELB --policy-name AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 --query "PolicyDescriptions[0].{ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

Example output:

----------------------------------------------------------
|              DescribeLoadBalancerPolicies              |
+--------------------------+-----------------------------+
|  ReferenceSecurityPolicy |  ELBSecurityPolicy-2014-10  |
+--------------------------+-----------------------------+

Did this article help?


Do you need billing or technical support?