
[v13] Disable AWS IMDSv1 fallback and enforce use of FIPS endpoints #35164

Closed (2 commits)

Conversation

reedloden (Contributor) commented Nov 29, 2023

Backport of #34170.
Backport of #34876.

changelog: When accessing AWS, disable IMDSv1 fallback and enforce use of FIPS endpoints.

Backport of #34170.

Two changes to AWS SDK usage:

Teleport should never use AWS IMDSv1 for requests, so disable the ability to fall back to it, as it could be a malicious attempt to downgrade security.

Teleport generally prefers FIPS endpoints when in FIPS mode, but there were a few places that were not selecting the FIPS endpoints. Ensure that the FIPS endpoints are used if BoringCrypto is being used.
…Application Auto Scaling

Backport of #34876.

DynamoDB Streams and Application Auto Scaling do not currently have FIPS endpoints in
non-GovCloud, leading to invalid endpoints for FIPS users running in AWS Standard.

See also: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service

Regression from #34170.

Fixes #34804.

Additionally, clean-up a few more AWS session initiations to be consistent and clear.
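The two behaviours the PR body describes, an IMDSv2-only metadata client that treats a failed token request as fatal instead of downgrading to IMDSv1, and FIPS endpoint selection that does not emit a FIPS hostname for DynamoDB Streams or Application Auto Scaling outside GovCloud, as an added example. This is illustrative code written for this page, not Teleport's code or the AWS SDK's; the FakeIMDS server, its token and instance ID, the service list, and the "<svc>-fips.<region>.amazonaws.com" hostname shape are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ErrNoIMDSv2 means the token request failed; with no IMDSv1 path this is a hard error.
var ErrNoIMDSv2 = errors.New("imds: no IMDSv2 token; refusing to fall back to IMDSv1")

// IMDSClient is a minimal IMDSv2-only metadata client (example code, not the AWS
// SDK's or Teleport's). On a real instance BaseURL is http://169.254.169.254.
type IMDSClient struct {
	BaseURL string
	HTTP    *http.Client
}

// Get fetches a metadata path, always obtaining a session token first.
func (c *IMDSClient) Get(path string) (string, error) {
	token, err := c.do(http.MethodPut, c.BaseURL+"/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "21600")
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrNoIMDSv2, err)
	}
	return c.do(http.MethodGet, c.BaseURL+path, "X-aws-ec2-metadata-token", token)
}

// do sends one request with a single header and returns the body; non-200 is an error.
func (c *IMDSClient) do(method, url, header, value string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(header, value)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s %s returned %d", method, req.URL.Path, resp.StatusCode)
	}
	return string(body), nil
}

// FakeIMDS is a constructed stand-in for the metadata service: with issueTokens set it acts
// as IMDSv2; unset, it refuses tokens but still answers bare GETs (where v1 fallback downgrades).
func FakeIMDS(issueTokens bool) *httptest.Server {
	const token = "CONSTRUCTED-TOKEN-0001"
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodPut && r.URL.Path == "/latest/api/token":
			if !issueTokens {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			io.WriteString(w, token)
		case r.Method == http.MethodGet && strings.HasPrefix(r.URL.Path, "/latest/meta-data/"):
			if issueTokens && r.Header.Get("X-aws-ec2-metadata-token") != token {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			io.WriteString(w, "i-0123456789abcdef0") // constructed instance ID
		default:
			http.NotFound(w, r)
		}
	}))
}

// Services the PR names as lacking a FIPS endpoint outside GovCloud (from the PR text only).
var noFIPSOutsideGovCloud = map[string]bool{"streams.dynamodb": true, "application-autoscaling": true}

// ResolveEndpoint: in FIPS mode ask for a FIPS host unless the service has none in this
// partition, then use the standard host. The "<svc>-fips.<region>" shape is an assumed simplification.
func ResolveEndpoint(service, region string, fipsMode bool) string {
	govCloud := strings.HasPrefix(region, "us-gov-")
	if fipsMode && (govCloud || !noFIPSOutsideGovCloud[service]) {
		return fmt.Sprintf("https://%s-fips.%s.amazonaws.com", service, region)
	}
	return fmt.Sprintf("https://%s.%s.amazonaws.com", service, region)
}

func main() {
	for _, issueTokens := range []bool{true, false} {
		srv := FakeIMDS(issueTokens)
		c := &IMDSClient{BaseURL: srv.URL, HTTP: &http.Client{Timeout: 2 * time.Second}}
		id, err := c.Get("/latest/meta-data/instance-id")
		fmt.Printf("tokens issued=%v id=%q err=%v\n", issueTokens, id, err)
		srv.Close()
	}
}
```

In the AWS SDKs the same outcome is a client configuration switch rather than a hand-written client, and the FIPS endpoint table linked in the PR is the authority on which services actually publish FIPS hosts; the example shows what disabling the fallback changes (a token failure becomes an error instead of an unauthenticated GET) and why the second commit had to special-case those two services in the standard partition.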
reedloden self-assigned this Nov 29, 2023
github-actions bot added the application-access, audit-log, backport and size/sm labels Nov 29, 2023

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

r0mant (Collaborator) left a comment


This feels like a change that should be done in a major release only and announced in breaking changes, and not introduced in a patch version of a stable release. How do we know it won't break stuff for customers?

I think we should roll this back in v14 as well since it seems it's already been merged: #34433.


2 participants