Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints#34170
Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints#34170
Conversation
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
5975099 to
9182207
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
9182207 to
e222b6c
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
e222b6c to
98ebc6d
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
98ebc6d to
d6a530d
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
d6a530d to
d092811
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
d092811 to
3efa192
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
3efa192 to
97ed9a7
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
2 times, most recently
from
9f12f61 to
3b1df75
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
3b1df75 to
439ab0f
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
439ab0f to
f12f833
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
f12f833 to
b8f3afd
Compare
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
81b715f to
247f02f
Compare
public-teleport-github-review-bot
Bot
removed request for
jimbishopp,
xacrimon and
zmb3
|
@reedloden See the table below for backport results.
|
…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…ation Auto Scaling (#34876) DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
4 participants
Two changes to AWS SDK usage:
Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security.
Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
changelog: When accessing AWS, disable IMDSv1 fallback and enforce use of FIPS endpoints.