[v12] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints#35165

Closed
reedloden wants to merge 2 commits into branch/v12 from reed/backport-34170/v12

Conversation

@reedloden
Contributor

@reedloden reedloden commented Nov 29, 2023

Backport of #34170.
Backport of #34876.

changelog: When accessing AWS, disable IMDSv1 fallback and enforce use of FIPS endpoints.

@reedloden reedloden self-assigned this Nov 29, 2023
@github-actions
Contributor

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@github-actions github-actions Bot requested a review from GavinFrazar November 29, 2023 22:09
@github-actions github-actions Bot added application-access audit-log Issues related to Teleports Audit Log labels Nov 29, 2023
@github-actions github-actions Bot requested a review from jentfoo November 29, 2023 22:09
@github-actions github-actions Bot requested a review from nklaassen November 29, 2023 22:09
@reedloden reedloden force-pushed the reed/backport-34170/v12 branch from c79acb2 to 6dd924a November 29, 2023 22:35
Backport of #34170.

Two changes to AWS SDK usage:

Teleport should never use AWS IMDSv1 for requests, so disable the
ability to fall back to it, as it could be a malicious attempt to
downgrade security.

Teleport generally prefers FIPS endpoints when in FIPS mode, but
there were a few places that were not selecting the FIPS endpoints.
Ensure that the FIPS endpoints are used if BoringCrypto is being used.

…Application Auto Scaling

Backport of #34876.

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
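The first commit's point, "disable the ability to fall back to IMDSv1", is easiest to see in a small client that performs the IMDSv2 token handshake itself. The Go program below is an added illustration, not Teleport's code and not the AWS SDK's (in aws-sdk-go v1 the equivalent switch is, to my knowledge, the `EC2MetadataEnableFallback` field on `aws.Config`; verify against the SDK version in use). It embeds a constructed stand-in for the metadata service (`NewFakeIMDS`, `constructed-session-token`, the instance id `i-0123456789abcdef0` are all made up here) so it runs offline. With `AllowIMDSv1Fallback` false, a failed `PUT /latest/api/token` makes the read fail closed; with it true, the old behaviour, the client quietly retries without a token and a degraded or interposed metadata path goes unnoticed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

const (
	tokenPath      = "/latest/api/token"
	tokenHeader    = "X-aws-ec2-metadata-token"
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	instanceIDPath = "/latest/meta-data/instance-id"
)

// ErrNoIMDSv2Token is returned when no session token could be obtained and
// IMDSv1 fallback is disabled: the client fails closed instead of retrying
// the read without a token.
var ErrNoIMDSv2Token = errors.New("imds: no IMDSv2 token and IMDSv1 fallback is disabled")

// IMDSClient is an illustrative metadata client (not Teleport's or the AWS SDK's code).
type IMDSClient struct {
	BaseURL             string
	HTTP                *http.Client
	AllowIMDSv1Fallback bool // the behaviour the commit turns off; keep false
}

func NewClient(baseURL string, allowFallback bool) *IMDSClient {
	return &IMDSClient{BaseURL: baseURL, HTTP: &http.Client{Timeout: 2 * time.Second}, AllowIMDSv1Fallback: allowFallback}
}

// do sends the request and returns the body of a 200 response.
func (c *IMDSClient) do(req *http.Request) (string, error) {
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("imds: %s %s returned %d", req.Method, req.URL.Path, resp.StatusCode)
	}
	return string(body), nil
}

// fetchToken performs the IMDSv2 handshake: PUT /latest/api/token with a TTL header.
func (c *IMDSClient) fetchToken() (string, error) {
	req, err := http.NewRequest(http.MethodPut, c.BaseURL+tokenPath, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(tokenTTLHeader, "21600")
	return c.do(req)
}

// Get reads a metadata path. With fallback disabled a failed token request is
// fatal; with fallback enabled (old behaviour) the read is retried without a token.
func (c *IMDSClient) Get(path string) (string, error) {
	token, err := c.fetchToken()
	if err != nil && !c.AllowIMDSv1Fallback {
		return "", ErrNoIMDSv2Token
	}
	req, err := http.NewRequest(http.MethodGet, c.BaseURL+path, nil)
	if err != nil {
		return "", err
	}
	if token != "" {
		req.Header.Set(tokenHeader, token)
	}
	return c.do(req)
}

// NewFakeIMDS is a constructed stand-in for the metadata service. With
// issueTokens=false the token endpoint refuses every PUT while tokenless
// (IMDSv1-style) reads still succeed, the situation a fallback silently accepts.
func NewFakeIMDS(issueTokens bool) *httptest.Server {
	const token = "constructed-session-token"
	const instanceID = "i-0123456789abcdef0" // constructed sample value
	mux := http.NewServeMux()
	mux.HandleFunc(tokenPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || !issueTokens {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		fmt.Fprint(w, token)
	})
	mux.HandleFunc(instanceIDPath, func(w http.ResponseWriter, r *http.Request) {
		if got := r.Header.Get(tokenHeader); got != "" && got != token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, instanceID)
	})
	return httptest.NewServer(mux)
}

func main() {
	degraded := NewFakeIMDS(false)
	defer degraded.Close()
	_, err := NewClient(degraded.URL, false).Get(instanceIDPath)
	fmt.Println("fallback disabled:", err)
	id, _ := NewClient(degraded.URL, true).Get(instanceIDPath)
	fmt.Println("fallback enabled (old behaviour) quietly returned:", id)
}
```

The strict client is the one to keep: an error from the token endpoint on a real instance is a signal worth surfacing (a hop-limit misconfiguration, a proxy in the path, or someone answering on the metadata address), and the fallback path is precisely what hides it.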
@reedloden reedloden force-pushed the reed/backport-34170/v12 branch from 6dd924a to 2cbfc08 November 29, 2023 22:50
Collaborator

@r0mant r0mant left a comment


@reedloden reedloden closed this Nov 29, 2023

Labels: application-access, audit-log (Issues related to Teleports Audit Log), backport, size/sm
