How to make a query in AWS Config to find TLS version for Loadbalancer

Question

Hi,

I writed this query in AWS config to find the minimumProtocolVersion for my Cloudfront distribution with https :

```
SELECT
  accountId,
  resourceId,
  configuration.distributionConfig.comment,
  configuration.distributionConfig.viewerCertificate.minimumProtocolVersion,
  relationships
WHERE
  resourceType = 'AWS::CloudFront::Distribution'
```

How can I do the same with my Loadbalancer ?

I have found nothing about minimumProtocolVersion for Loadbalancer in https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS::ElasticLoadBalancingV2::LoadBalancer.properties.json

What is the solution ?

Thx

Best regards

Benoit

Accepted Answer

Using Config you cannot get the Listener attributes you need to do this query.    There is an [Issue logged](https://github.com/awslabs/aws-config-resource-schema/issues/18) to ask for that, that has not had response for 2 years in the GitHub Repository.

Given that you can't use config to do it, here is another way to get the informaion.
Using the AWS CLI and PowerShell the following script will get you the list of listeners associated with a load balancer and the `SslPolicy` they used.

```
$loadbalancers = ((aws elbv2 describe-load-balancers) | ConvertFrom-Json).LoadBalancers
$SslList = @()
foreach ($loadbalancer in $loadbalancers) {
    $listeners = ((aws elbv2 describe-listeners --load-balancer-arn $loadbalancer.LoadBalancerArn) | ConvertFrom-Json).Listeners
    foreach ($listener in $listeners) {
        $SslList += $listener | Select-Object LoadBalancerArn, ListenerArn, SslPolicy
    }
}
$SslList | ConvertTo-Json
```

Answer

Thx for your answer.
I wrote the same kind of script with Python. 
It's a shame that AWS doesn't support listeners attributes.

Best regards

Benoit

How to make a query in AWS Config to find TLS version for Loadbalancer

Contenido relevante