How to swap out AWS ELB Policies for CVE-2014-3566 using AWS CLI Tools

gistfile1.txt

https://aws.amazon.com/security/security-bulletins/CVE-2014-3566-advisory/ 
says to go into the web interface and change SSL negotiation settings. 

What if you have hundreds of ELBs to change? NO BUENO.

Here's how to do it using the CLI tools:

# List Existing Policies
aws elb describe-load-balancer-policies --load-balancer-name $ELBNAME --output text | grep POLICYDESCRIPTIONS

# Create a New Policy That Have SSLv3 Disabled
aws elb create-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $NEWPOLICYNAME --policy-type-name SSLNegotiationPolicyType --policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-2014-10

# Configure Your SSL Listener to Use It
aws elb set-load-balancer-policies-of-listener --load-balancer-name $ELBNAME --load-balancer-port 443 --policy-names $NEWPOLICYNAME

# Delete The Old Policy
aws elb delete-load-balancer-policy --load-balancer-name $ELBNAME --policy-name $OLDPOLICYNAME

# Verify SSLv3 Doesn't Work Anymore
openssl s_client -ssl3 -connect $ELBHOSTNAME:443


# Finally, audit your entire AWS account!

#!/bin/bash
for REGION in $( aws ec2 describe-regions --output text | awk '{ print $NF }' ); do
  for ELB in $( aws elb describe-load-balancers --region $REGION --output text | grep LOADBALANCERDESCRIPTIONS | awk '{ print $2 }' ); do
    echo -n "$REGION $ELB ";
    echo "01 logout" | openssl s_client -ssl3 -connect $ELB:443 2>&1 | grep DONE &> /dev/null
    if [[ "$?" -ne "1" ]]; then
      echo FAIL
    else
      echo PASS
    fi
  done
done

# Example output:
us-east-1 fooelb-12345.us-east-1.elb.amazonaws.com FAIL
us-east-1 barelb-67890.us-east-1.elb.amazonaws.com PASS

Should make outputting text explicit.
aws ec2 describe-regions --output text

Ah, right! Thanks.