The policy I specified under the CloudFormation ELB Policies attribute is not enabled after deployment. I had to enable it manually; until then the old default policy was in effect. How do I automatically enable the ELB cipher policy specified in the CloudFormation template?
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-policy.html
Policies:
  - PolicyName: My-SSLNegotiation-Policy
    PolicyType: SSLNegotiationPolicyType
    Attributes:
      - Name: Reference-Security-Policy
        Value: ELBSecurityPolicy-TLS-1-2-2017-01
On the AWS Console it was still showing the predefined policy as ELBSecurityPolicy-2016-08, which is the default policy.
Then I had to manually enable it using the CLI command below; after that it showed the predefined policy as ELBSecurityPolicy-TLS-1-2-2017-01:
aws elb set-load-balancer-policies-of-listener --load-balancer-name auhuman-ELB-qwertyuiop --load-balancer-port 443 --policy-names Auhuman-ELBSecurityPolicy-TLS-1-2-2017-01 --region us-east-1
This style of policy definition is associated with the classic EC2 load balancer. If at all possible, you should use a V2 application load balancer instead. Really the only use case for a classic ELB is if you have classic EC2 instances not in a VPC... and you should be thinking about a migration strategy for those.
Assuming you can use a V2 ALB, you can use the SslPolicy property on the listener to declare your policy, for example:
LoadBalancerSecureListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref LoadBalancer
    Protocol: HTTPS
    Port: 443
    Certificates:
      - CertificateArn: !Ref ACSCertificate
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref DefaultTargetGroup
Of course you'll need to substitute appropriate references for your situation.
If you absolutely have to use a classic ELB, then you need to associate the policy name with the listener by adding the PolicyNames property to the listener config, as in:
Loadbal:
  Type: 'AWS::ElasticLoadBalancing::LoadBalancer'
  Properties:
    Subnets:
      - !Ref subnet1
      - !Ref subnet2
    Listeners:
      - InstancePort: 80
        LoadBalancerPort: 443
        Protocol: HTTPS
        # !Ref must be the tag on the value itself; wrapping it in a '>-'
        # block scalar would pass the literal text "!Ref ACSCertificate".
        SSLCertificateId: !Ref ACSCertificate
        # Without this, the policy below is created but never attached,
        # and the listener keeps the default predefined policy.
        PolicyNames:
          - My-SSLNegotiation-Policy
    Policies:
      - PolicyName: My-SSLNegotiation-Policy
        PolicyType: SSLNegotiationPolicyType
        Attributes:
          - Name: Reference-Security-Policy
            Value: ELBSecurityPolicy-TLS-1-2-2017-01
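A template check for the classic-ELB pitfall above, added here as an example and not code from the question or answer: it walks an already-parsed CloudFormation template (plain dicts, with `!Ref` represented as `{"Ref": ...}`) and reports which reference security policy will actually be in effect on each HTTPS/SSL listener, treating a defined-but-unattached policy as falling back to the default the question observed. The two templates are constructed to mirror the question and the answer's fix.

```python
"""Audit Listeners/Policies wiring of classic ELBs in a parsed CloudFormation
template (plain dicts, the shape a YAML loader would give you)."""
import copy

CLASSIC_ELB = "AWS::ElasticLoadBalancing::LoadBalancer"
# Predefined policy AWS applies when no policy is attached to a TLS listener
# (what the question saw in the console).
DEFAULT_POLICY = "ELBSecurityPolicy-2016-08"

def effective_tls_policies(template):
    """Map (resource name, listener port) -> the Reference-Security-Policy
    actually in effect for each HTTPS/SSL listener of every classic ELB."""
    result = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != CLASSIC_ELB:
            continue
        props = res.get("Properties", {})
        # Only SSLNegotiationPolicyType policies matter; index them by name.
        ssl_policies = {}
        for pol in props.get("Policies", []):
            if pol.get("PolicyType") != "SSLNegotiationPolicyType":
                continue
            attrs = {a.get("Name"): a.get("Value") for a in pol.get("Attributes", [])}
            ssl_policies[pol["PolicyName"]] = attrs.get("Reference-Security-Policy")
        for lst in props.get("Listeners", []):
            if str(lst.get("Protocol", "")).upper() not in ("HTTPS", "SSL"):
                continue
            key = (name, lst.get("LoadBalancerPort"))
            # A policy that is defined but not listed in PolicyNames is ignored
            # by the listener, so the predefined default wins.
            attached = [p for p in lst.get("PolicyNames", []) if p in ssl_policies]
            result[key] = ssl_policies[attached[0]] if attached else DEFAULT_POLICY
    return result

# Constructed template mirroring the question: policy declared, never attached.
QUESTION_TEMPLATE = {"Resources": {"Loadbal": {
    "Type": CLASSIC_ELB,
    "Properties": {
        "Listeners": [{"InstancePort": 80, "LoadBalancerPort": 443,
                       "Protocol": "HTTPS",
                       "SSLCertificateId": {"Ref": "ACSCertificate"}}],
        "Policies": [{"PolicyName": "My-SSLNegotiation-Policy",
                      "PolicyType": "SSLNegotiationPolicyType",
                      "Attributes": [{"Name": "Reference-Security-Policy",
                                      "Value": "ELBSecurityPolicy-TLS-1-2-2017-01"}]}]}}}}

# Same template with the answer's fix: PolicyNames on the listener.
FIXED_TEMPLATE = copy.deepcopy(QUESTION_TEMPLATE)
FIXED_TEMPLATE["Resources"]["Loadbal"]["Properties"]["Listeners"][0]["PolicyNames"] = ["My-SSLNegotiation-Policy"]

if __name__ == "__main__":
    for tmpl in (QUESTION_TEMPLATE, FIXED_TEMPLATE):
        print(effective_tls_policies(tmpl))
```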