1

Policies that I specified under Cloudformation ELB Policies attribute is not enabled after deployment. I had to enable it manually util then the old default Policy was in effect. How to automatically enable the ELB Cipher policy specified in the Cloudformation ?

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-policy.html

Policies:
    - PolicyName: My-SSLNegotiation-Policy
      PolicyType: SSLNegotiationPolicyType
      Attributes:
      - Name: Reference-Security-Policy
        Value: ELBSecurityPolicy-TLS-1-2-2017-01

On the AWS Console it was still showing the predefined policy as ELBSecurityPolicy-2016-08 which is the default policy

Then I had to manually enable it using the cli below then it showed predefined policy as ELBSecurityPolicy-TLS-1-2-2017-01

aws elb set-load-balancer-policies-of-listener --load-balancer-name auhuman-ELB-qwertyuiop --load-balancer-port 443 --policy-names Auhuman-ELBSecurityPolicy-TLS-1-2-2017-01 --region us-east-1
auhuman
  • 962
  • 2
  • 13
  • 34
  • 1
    As stated in the documentation: _To associate policies with a listener, use the PolicyNames property for the listener._ Did you associate the policy with the listener in your CF template? – jscott Sep 08 '21 at 22:16
  • Specifying the PolicyNames (My-SSLNegotiation-Policy) in my listener worked. Thanks. – auhuman Sep 10 '21 at 00:26

1 Answers1

1

This style of policy definition is associated with the classic EC2 load balancer. If at all possible, you should use a V2 application load balancer instead. Really the only use case for a classic ELB is if you have classic EC2 instances not in a VPC...and you should be thinking about migration strategy for those.

Assuming you can use a V2 ALB, you can use the SslPolicy property on the listener to declare your policy, for example:

LoadBalancerSecureListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref LoadBalancer
    Protocol: HTTPS
    Port: 443
    Certificates:
      - CertificateArn: !Ref ACSCertificate
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref DefaultTargetGroup

Of course you'll need to substitute appropriate references for your situation.

If you absolutely have to use a classic ELB, then you need to associate the policy name with the listener by adding the PolicyNames property to the listener config, as in:

 Loadbal:
    Type: 'AWS::ElasticLoadBalancing::LoadBalancer'
    Properties:
      Subnets:
        - !Ref subnet1
        - !Ref subnet2
      Listeners:
        - InstancePort: 80
          LoadBalancerPort: 443
          Protocol: HTTPS
          SSLCertificateId: >-
            !Ref ACSCertificate
          PolicyNames:
            - My-SSLNegotiation-Policy
      Policies:
        - PolicyName: My-SSLNegotiation-Policy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01
jscott
  • 1,011
  • 8
  • 21