Not able to use FIPS in AWS non-GovCloud #34804
Comments
…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…ation Auto Scaling (#34876) DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Hi @reedloden, thanks for working on the PR! But I'm a bit confused why it was reverted after being merged? Does it mean this issue will not be fixed and Teleport will enforce DynamoDB stream using FIPS endpoint?
No worries. Our release process can be a bit confusing. The original change and the follow-up fix are on Thanks again for reporting it!
Awesome! Thanks a lot for your quick fix, @reedloden! I'm waiting for the next release to test it on our clusters.
Confirmed version 14.2.1 fixed the issue.
Expected behavior:
Current behavior:
In each Teleport cluster, we have an S3 bucket and 2 DynamoDB tables (one for cluster state, the other for audit events) as the storage backend.
After the change implemented in [v14] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints #34433, Teleport enforces all FIPS endpoints if in FIPS mode. That's causing the issue because Dynamo Stream only has FIPS endpoints in AWS GovCloud (see https://aws.amazon.com/compliance/fips/) and Teleport is reporting this error message:
1.14.3 is working fine and doesn't have any error message like above.
Bug details:
14.1.5
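The per-service exception this issue calls for, as an added Go example (not Teleport's code): FIPS endpoints are requested everywhere except for the two services the thread names as lacking them outside GovCloud, and those exceptions are reported so they can be logged or reviewed. The function names and service labels are hypothetical, and the example assumes every service not listed has a FIPS endpoint in the region.

```go
package main

import (
	"fmt"
	"strings"
)

// Per the issue, these services have no FIPS endpoints outside GovCloud.
// The keys are labels chosen for this example, not SDK identifiers.
var noFIPSOutsideGovCloud = map[string]bool{
	"dynamodbstreams":        true,
	"applicationautoscaling": true,
}

// isGovCloud reports whether region belongs to AWS GovCloud (US).
func isGovCloud(region string) bool {
	return strings.HasPrefix(region, "us-gov-")
}

// UseFIPSEndpoint decides whether a client for service in region should
// request a FIPS endpoint. Assumption: any service not in the exception
// list has a FIPS endpoint in that region.
func UseFIPSEndpoint(fipsMode bool, service, region string) bool {
	if !fipsMode {
		return false
	}
	if isGovCloud(region) {
		return true
	}
	return !noFIPSOutsideGovCloud[strings.ToLower(service)]
}

// NonFIPSServices lists the services that fall back to standard endpoints
// while FIPS mode is on, so the gap is visible instead of silent.
func NonFIPSServices(region string, services []string) []string {
	var out []string
	for _, s := range services {
		if !UseFIPSEndpoint(true, s, region) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	svcs := []string{"dynamodb", "dynamodbstreams", "s3", "applicationautoscaling"}
	for _, r := range []string{"us-east-1", "us-gov-west-1"} {
		fmt.Println(r, "standard-endpoint exceptions:", NonFIPSServices(r, svcs))
	}
}
```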