How do I determine the active SSL security policy associated with my ELB listener by using the AWS CLI?

When you configure a load balancer listener by following the steps in Add an HTTPS Listener Using the Console, the SSL security policy for the listener is displayed in the AWS EC2 console, in the Select a Cipher dialog box described in step 6 of To update SSL negotiation configuration for an HTTPS/SSL load balancer. Using the AWS CLI, you can display the load balancer listener SSL security policy names and any predefined SSL Security Policies for Elastic Load Balancing by running the following describe-load-balancer-policies command. Be sure to substitute your load balancer name for TESTELB:

aws elb describe-load-balancer-policies --load-balancer-name TESTELB --query "PolicyDescriptions[?PolicyTypeName==`SSLNegotiationPolicyType`].{PolicyName:PolicyName,ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

Note

The CLI examples use AWS CLI syntax for a Windows Command Prompt window. If you run these commands on Linux or in Windows PowerShell, enclose the --query parameter in single quotes instead of double quotes. For more information about differences in syntax when running AWS CLI commands on different platforms, see Specifying Parameter Values for the AWS Command Line Interface.

This command should generate output similar to the following:

cli-output

Note
A ReferenceSecurityPolicy value of false indicates that the policy was not created using one of the predefined security policies described at SSL Security Policies for Elastic Load Balancing.

This AWS CLI command returns the SSL security policies associated with a load balancer listener but does not indicate which load balancer listener SSL security policy is currently active. To determine the currently active policy, complete the steps described in the Resolution section.

Run these AWS CLI commands to return the active load balancer listener SSL security policy and any associated predefined SSL security policy:

1. To return information about the active listener SSL security policy, run describe-load-balancers, substituting your load balancer name for TESTELB:

aws elb describe-load-balancers --load-balancer-name TESTELB --query "LoadBalancerDescriptions[*].{ActivePolicy:ListenerDescriptions}" --output table

This command should return output similar to the following:

cli-output-1

2. To return any predefined SSL security policy associated with the active listener SSL security policy, run describe-load-balancer-policies, substituting your load balancer name for TESTELB and your active listener SSL security policy name for AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672:

aws elb describe-load-balancer-policies --load-balancer-name TESTELB --policy-name AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672 --query "PolicyDescriptions[0].{ReferenceSecurityPolicy:PolicyAttributeDescriptions[0].AttributeValue}" --output table

This command should return output similar to the following:

cli-output-2

Note
If the predefined SSL security policy value returned is false, then the active load balancer listener SSL security policy was not created using one of the predefined security policies described at SSL Security Policies for Elastic Load Balancing.
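
Both steps combined, as an added example that is not part of the original article: the Python below takes the JSON that the two commands return with --output json (constructed samples are embedded; custom-ciphers and old-unattached are hypothetical policy names) and reports, per listener, the attached SSL negotiation policy and its predefined reference policy. It reads the Reference-Security-Policy attribute by name rather than by position, so a custom policy yields None instead of an unrelated attribute value.

```python
import json

# Constructed sample responses (trimmed), shaped like the --output json results of
# describe-load-balancers and describe-load-balancer-policies for TESTELB.
LOAD_BALANCERS = json.loads("""{"LoadBalancerDescriptions": [{"LoadBalancerName": "TESTELB",
  "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
     "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672"]},
    {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443},
     "PolicyNames": ["custom-ciphers"]},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}, "PolicyNames": []}]}]}""")
POLICIES = json.loads("""{"PolicyDescriptions": [
  {"PolicyName": "AWSConsole-SSLNegotiationPolicy-TESTELB-1447102065672",
   "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2015-05"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]},
  {"PolicyName": "custom-ciphers", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
     {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]},
  {"PolicyName": "old-unattached", "PolicyTypeName": "SSLNegotiationPolicyType",
   "PolicyAttributeDescriptions": [
     {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2014-10"}]}]}""")


def active_ssl_policies(load_balancers, policies):
    """Map each (load balancer, port) to its active SSL policy and predefined reference."""
    ssl = {}
    for p in policies["PolicyDescriptions"]:
        if p["PolicyTypeName"] == "SSLNegotiationPolicyType":
            attrs = {a["AttributeName"]: a["AttributeValue"]
                     for a in p["PolicyAttributeDescriptions"]}
            # Looked up by name, not position; absent means a custom policy.
            ssl[p["PolicyName"]] = attrs.get("Reference-Security-Policy")
    result = {}
    for lb in load_balancers["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            port = ld["Listener"]["LoadBalancerPort"]
            # Only policies attached to the listener are active; others are merely defined.
            active = [n for n in ld["PolicyNames"] if n in ssl]
            result[(lb["LoadBalancerName"], port)] = (
                {"policy": active[0], "reference": ssl[active[0]]} if active else None)
    return result


if __name__ == "__main__":
    for key, value in active_ssl_policies(LOAD_BALANCERS, POLICIES).items():
        print(key, value)
```

A policy that exists on the load balancer but is not attached to any listener, such as old-unattached in the sample, never appears in the result.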


Published: 2015-12-08