aws: Add an option to enforce FIPS endpoints #8075
Conversation
Add the "aws_enforce_fips" to force that all current services using AWS (Kinesis, Firehose, EC2, STS), must use FIPS endpoints, or fail to.
46ffb6a to
97df6c6
Compare
| @@ -134,6 +139,13 @@ static const std::set<std::string> kAwsRegions = { | |||
| "us-east-2", "us-gov-east-1", "us-gov-west-1", "us-west-1", | |||
| "us-west-2"}; | |||
|
|
|||
| static const std::set<std::string> kAwsFipsRegions = {"us-east-1", | |||
There was a problem hiding this comment.
Is there a way we can do this without needing to hardcode the list of FIPS regions? (Because I'm sure they'll change over time)
There was a problem hiding this comment.
Not that I know of. For context, in theory the AWS SDK should provide this functionality, if anything the conversion to the correct endpoint, but this is not actually working.
| config.endpointOverride = | ||
| service + "-fips." + config.region + ".amazonaws.com"; | ||
| } |
There was a problem hiding this comment.
This is based on https://aws.amazon.com/compliance/fips/
Can we do this without the region checks? Or is that going to be a recipe for trouble?
There was a problem hiding this comment.
What do you mean without the region checks?
If you mean not checking that it's a valid region to enable FIPS in, I don't think it's ideal to have osquery attempt to connect to some bogus url, even if the domain is from Amazon, it would raise red flags.
There was a problem hiding this comment.
Feels like a lot of not great options.
Either we guess URLs and then attempt to use them. Or we hardcode regions.
I think that of those two choices, hardcoding feels better. I doubt those regions will change quickly.
|
@directionless thanks for the review, I've done a small update to link where the regions were taken from and to do a minor fix on the match of |
Add the "aws_enforce_fips" to force that all current services using AWS (Kinesis, Firehose, EC2, STS),
must use FIPS endpoints, or fail to.