Skip to content

Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints#34170

Merged
reedloden merged 1 commit intomasterfrom
reed/aws-sdk-disable-imdsv1
Nov 9, 2023
Merged

Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints#34170
reedloden merged 1 commit intomasterfrom
reed/aws-sdk-disable-imdsv1

Conversation

@reedloden
Copy link
Copy Markdown
Contributor

@reedloden reedloden commented Nov 2, 2023
edited
Loading

Two changes to AWS SDK usage:

Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security.

Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.

changelog: When accessing AWS, disable IMDSv1 fallback and enforce use of FIPS endpoints.

@reedloden reedloden requested a review from jentfoo November 2, 2023 19:47
@reedloden reedloden self-assigned this Nov 2, 2023
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 2, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions github-actions Bot requested review from jimbishopp and zmb3 November 2, 2023 19:48
@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 5975099 to 9182207 Compare November 7, 2023 00:27
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 9182207 to e222b6c Compare November 7, 2023 00:28
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from e222b6c to 98ebc6d Compare November 7, 2023 00:30
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 98ebc6d to d6a530d Compare November 7, 2023 00:36
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from d6a530d to d092811 Compare November 7, 2023 01:02
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from d092811 to 3efa192 Compare November 7, 2023 01:11
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 3efa192 to 97ed9a7 Compare November 7, 2023 01:25
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch 2 times, most recently from 9f12f61 to 3b1df75 Compare November 7, 2023 17:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 3b1df75 to 439ab0f Compare November 7, 2023 18:41
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 439ab0f to f12f833 Compare November 7, 2023 19:25
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Nov 7, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from f12f833 to b8f3afd Compare November 9, 2023 00:24
@reedloden reedloden force-pushed the reed/aws-sdk-disable-imdsv1 branch from 81b715f to 247f02f Compare November 9, 2023 07:28
@reedloden reedloden added this pull request to the merge queue Nov 9, 2023
Merged via the queue into master with commit b72d4e1 Nov 9, 2023
@reedloden reedloden deleted the reed/aws-sdk-disable-imdsv1 branch November 9, 2023 22:16
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Nov 9, 2023

@reedloden See the table below for backport results.

Branch Result
branch/v12 Failed
branch/v13 Failed
branch/v14 Create PR

@reedloden reedloden mentioned this pull request Nov 9, 2023
Merged
reedloden added a commit that referenced this pull request Nov 29, 2023
@reedloden
Don't force the use of FIPS endpoints for DynamoDB Streams and Applic…
4a1017b 
…ation Auto Scaling

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
@reedloden reedloden mentioned this pull request Nov 29, 2023
Merged
github-merge-queue Bot pushed a commit that referenced this pull request Nov 29, 2023
@reedloden
Don't force the use of FIPS endpoints for DynamoDB Streams and Applic…
6cd68f0 
…ation Auto Scaling (#34876)

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
github-actions Bot pushed a commit that referenced this pull request Nov 29, 2023
@reedloden
Don't force the use of FIPS endpoints for DynamoDB Streams and Applic…
1e7d338 
…ation Auto Scaling

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
reedloden added a commit that referenced this pull request Nov 29, 2023
@reedloden
[v13] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints
fbe8c1b 
Backport of #34170.

Two changes to AWS SDK usage:

Teleport should never use AWS IMDSv1 for requests, so disable the
ability to fallback to it, as it could be a malicious attempt to
downgrade security.

Teleport generally prefers FIPS endpoints when in FIPS mode, but
there were a few places that were not selecting the FIPS endpoints.
Ensure that the FIPS endpoints if BoringCrypto is being used.
reedloden added a commit that referenced this pull request Nov 29, 2023
@reedloden
[v13] Don't force the use of FIPS endpoints for DynamoDB Streams and …
d51ca72 
…Application Auto Scaling

Backport of #34876.

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
@reedloden reedloden mentioned this pull request Nov 29, 2023
Closed
@reedloden reedloden mentioned this pull request Nov 29, 2023
Closed
reedloden added a commit that referenced this pull request Nov 29, 2023
@reedloden
[v12] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints
87e613b 
Backport of #34170.

Two changes to AWS SDK usage:

Teleport should never use AWS IMDSv1 for requests, so disable the
ability to fallback to it, as it could be a malicious attempt to
downgrade security.

Teleport generally prefers FIPS endpoints when in FIPS mode, but
there were a few places that were not selecting the FIPS endpoints.
Ensure that the FIPS endpoints if BoringCrypto is being used.
reedloden added a commit that referenced this pull request Nov 29, 2023
@reedloden
[v12] Don't force the use of FIPS endpoints for DynamoDB Streams and …
2cbfc08 
…Application Auto Scaling

Backport of #34876.

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
@reedloden reedloden mentioned this pull request Mar 14, 2024
Merged
@hugoShaka hugoShaka mentioned this pull request Jun 28, 2024
Open
@codingllama codingllama mentioned this pull request Feb 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nklaassen nklaassen nklaassen approved these changes

@GavinFrazar GavinFrazar GavinFrazar approved these changes

+1 more reviewer

@jentfoo jentfoo jentfoo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@reedloden reedloden

Labels

size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@reedloden @GavinFrazar @jentfoo @nklaassen