What happened:
When FIPS is enabled on an EKS node, the SSM-Agent installed from the amazon-eks-ami is not using FIPS endpoints when making requests between the ec2messages and ssmmessages API endpoints.
What you expected to happen:
When sysctl -n crypto.fips_enabled evaluates to 1, requests between the SSM-Agent and the ec2messages + ssmmessages API endpoints would use the FIPS service endpoints.
How to reproduce it (as minimally and precisely as possible):
On a FIPS-enabled machine, monitor traffic between the SSM-Agent and the ec2messages + ssmmessages API endpoints. The current default behavior is to not use FIPS service endpoints.
Looks like we could use the AWS_USE_FIPS_ENDPOINT environment variable to force the SSM agent to call the fips endpoint, but we'd have to handle all the special cases ourselves:
Anything else we need to know?:
SSM-agent installation: here
There is existing logic within the amazon-eks-ami to dynamically use the FIPS endpoint - example here
Environment:
Region: aws-gov-east-1
Instance types: m5.12xlarge, c5d.9xlarge
EKS platform version (aws eks describe-cluster --name <name> --query cluster.platformVersion): "eks.16"
Kubernetes version (aws eks describe-cluster --name <name> --query cluster.version): "1.24"
AMI: fips-eks-node-1.24.17-Feb-04-v0-1707065100
Kernel (uname -a): 5.10.205-195.807.amzn2.x86_64 #1 SMP Tue Jan 16 18:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Release information (cat /etc/eks/release on a node): Not able to be provided at the moment
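One way to tie the AWS_USE_FIPS_ENDPOINT suggestion above to the node's kernel FIPS flag, as an added example that is not code from amazon-eks-ami or from the issue participants. The systemd unit name amazon-ssm-agent and the drop-in directory are assumptions, and the "special cases" mentioned in the comment are not handled here.

```shell
#!/bin/sh
# Added example (not from the amazon-eks-ami project or the issue author):
# derive the SSM agent's environment from the kernel FIPS flag and write it
# as a systemd drop-in so the agent resolves FIPS service endpoints via
# AWS_USE_FIPS_ENDPOINT. Unit name and drop-in path are assumptions.

# Read the kernel FIPS flag; "1" means FIPS mode is enabled. Takes the value
# from $1 when given so the logic can be exercised without sysctl.
fips_enabled() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        sysctl -n crypto.fips_enabled 2>/dev/null || printf '0\n'
    fi
}

# Map the flag to the environment line the agent needs: FIPS on -> force
# FIPS endpoints; otherwise leave the SDK default in place (empty output).
fips_env_line() {
    case "$1" in
        1) printf 'AWS_USE_FIPS_ENDPOINT=true\n' ;;
        *) printf '' ;;
    esac
}

# Write the drop-in under $1 (assumed: /etc/systemd/system/amazon-ssm-agent.service.d)
# for the FIPS flag in $2. Returns 0 if a drop-in was written, 1 if FIPS is off.
write_ssm_dropin() {
    dir="$1"; flag="$2"
    line="$(fips_env_line "$flag")"
    [ -n "$line" ] || return 1
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=%s\n' "$line" > "$dir/10-fips-endpoints.conf"
}

# Stand-alone use on a node (needs root; the agent must be restarted afterwards):
#   write_ssm_dropin /etc/systemd/system/amazon-ssm-agent.service.d "$(fips_enabled)" \
#     && systemctl daemon-reload && systemctl restart amazon-ssm-agent
```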