Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints #34170
Conversation
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
5975099
to
9182207
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
9182207
to
e222b6c
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
e222b6c
to
98ebc6d
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
98ebc6d
to
d6a530d
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
d6a530d
to
d092811
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
d092811
to
3efa192
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
3efa192
to
97ed9a7
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
2 times, most recently
from
9f12f61
to
3b1df75
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
3b1df75
to
439ab0f
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
439ab0f
to
f12f833
Compare
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
f12f833
to
b8f3afd
Compare
Ah, my grep was looking for the |
Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
reedloden
force-pushed
the
reed/aws-sdk-disable-imdsv1
branch
from
81b715f
to
247f02f
Compare
public-teleport-github-review-bot
bot
removed request for
jimbishopp,
zmb3 and
xacrimon
|
@reedloden See the table below for backport results.
|
…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…ation Auto Scaling (#34876) DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
…ation Auto Scaling DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Backport of #34170. Two changes to AWS SDK usage: Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security. Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
…Application Auto Scaling Backport of #34876. DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard. See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service Regression from #34170. Fixes #34804. Additionally, clean-up a few more AWS session initiations to be consistent and clear.
Two changes to AWS SDK usage:
Teleport should never use AWS IMDSv1 for requests, so disable the ability to fallback to it, as it could be a malicious attempt to downgrade security.
Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints if BoringCrypto is being used.
changelog: When accessing AWS, disable IMDSv1 fallback and enforce use of FIPS endpoints.