Securing AWS ELBs Against CVE-2014-3566 (Poodle)
The AWS bulletin at https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/ says to go into the web console and change each ELB’s SSL negotiation settings.
What if you have hundreds of ELBs to change? That’ll take FOREVER.
Here’s how to do it using the CLI tools. You’ll want to write a script around these commands.
List Existing Policies:
aws elb describe-load-balancer-policies --load-balancer-name $ELBNAME | grep POLICYDESCRIPTIONS
Create a New Policy That Has SSLv3 Disabled:
aws elb create-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $NEWPOLICYNAME --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10
Configure Your SSL Listener to Use It:
aws elb set-load-balancer-policies-of-listener --load-balancer-name $ELBNAME --load-balancer-port 443 --policy-names $NEWPOLICYNAME
Delete The Old Policy:
aws elb delete-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $OLDPOLICYNAME
Verify SSLv3 Doesn’t Work Anymore:
openssl s_client -ssl3 -connect $ELBHOSTNAME:443
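Since the post says to write a script around these commands, here is one such script (an added example, not the post’s own code): it loops over every ELB in every region, creates the policy, attaches it to each HTTPS/SSL listener and then probes that listener with SSLv3. It also covers HTTPS/SSL listeners on ports other than 443, which the commands above assume. It assumes the aws CLI with credentials configured and an openssl that still supports SSLv3; the policy name POODLE-ELBSecurityPolicy-2014-10 and the `fix` subcommand are my choices.

```shell
#!/bin/bash
# Added example (not from the original post): the post's create/set/verify
# commands wrapped in a loop over every ELB in every region. Assumes the aws
# CLI with credentials configured and an openssl built with SSLv3 support.
set -u
REF_POLICY=ELBSecurityPolicy-2014-10     # AWS predefined policy with SSLv3 disabled
NEW_POLICY=POODLE-$REF_POLICY            # name for the per-ELB policy (our choice)
# Exit 0 when openssl s_client output on stdin shows a completed SSLv3 session:
# a successful handshake followed by EOF on stdin prints DONE (the post's check).
sslv3_accepted() { grep -qx DONE; }
# Ports of the ELB's HTTPS and SSL listeners, not just 443.
tls_ports() {    # $1=region $2=elb-name
    aws elb describe-load-balancers --region "$1" --load-balancer-names "$2" --output text \
        --query 'LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.Protocol==`HTTPS` || Listener.Protocol==`SSL`].Listener.LoadBalancerPort'
}
# Probe one hostname:port with SSLv3; prints PASS or FAIL, exit 1 on FAIL.
probe() {        # $1=hostname $2=port
    if echo "01 logout" | openssl s_client -ssl3 -connect "$1:$2" 2>&1 | sslv3_accepted; then
        echo FAIL; return 1
    fi
    echo PASS
}
fix_elb() {      # $1=region $2=elb-name
    local region=$1 elb=$2 port dns
    dns=$(aws elb describe-load-balancers --region "$region" --load-balancer-names "$elb" \
            --query 'LoadBalancerDescriptions[0].DNSName' --output text)
    for port in $(tls_ports "$region" "$elb"); do
        # create-load-balancer-policy fails if the name already exists on this ELB,
        # so only create it when describe-load-balancer-policies cannot find it
        aws elb describe-load-balancer-policies --region "$region" --load-balancer-name "$elb" \
            --policy-names "$NEW_POLICY" >/dev/null 2>&1 ||
        aws elb create-load-balancer-policy --region "$region" --load-balancer-name "$elb" \
            --policy-name "$NEW_POLICY" --policy-type-name SSLNegotiationPolicyType \
            --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue="$REF_POLICY"
        aws elb set-load-balancer-policies-of-listener --region "$region" \
            --load-balancer-name "$elb" --load-balancer-port "$port" --policy-names "$NEW_POLICY"
        echo -n "$region $elb:$port "; probe "$dns" "$port"
    done
}
# Nothing runs until asked for explicitly: bash poodle-fix.sh fix
case "${1:-}" in
    fix) for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
             for elb in $(aws elb describe-load-balancers --region "$region" \
                            --query 'LoadBalancerDescriptions[].LoadBalancerName' --output text); do
                 fix_elb "$region" "$elb"
             done
         done ;;
esac
```

One caveat: set-load-balancer-policies-of-listener replaces the listener’s whole policy list, so a listener that also carries a stickiness policy needs that policy’s name passed alongside $NEW_POLICY. The old SSL policy is left on the ELB for rollback rather than deleted.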
Finally, audit your entire AWS account!
#!/bin/bash
# --output text is forced so the grep/awk parsing below works regardless of
# the output format configured in ~/.aws/config.
for REGION in $( aws ec2 describe-regions --output text | awk '{ print $NF }' ); do
    # Second column of each LOADBALANCERDESCRIPTIONS row is the ELB's public hostname.
    for ELB in $( aws elb describe-load-balancers --region "$REGION" --output text | grep LOADBALANCERDESCRIPTIONS | awk '{ print $2 }' ); do
        echo -n "$REGION $ELB ";
        # A completed SSLv3 handshake followed by EOF on stdin makes s_client print DONE.
        # grep exits 1 when DONE is absent, which is the PASS case; anything else is FAIL.
        echo "01 logout" | openssl s_client -ssl3 -connect "$ELB":443 2>&1 | grep DONE &> /dev/null
        if [[ "$?" -ne "1" ]]; then
            echo FAIL
        else
            echo PASS
        fi
    done
done
Example output:
us-east-1 fooelb-12345.us-east-1.elb.amazonaws.com FAIL
us-east-1 barelb-67890.us-east-1.elb.amazonaws.com PASS