FIPS – Amazon Web Services (amazon.com)
2 points by disadvantage 3 months ago | hide | past | favorite | 2 comments



FIPS is a US government security standard: https://en.wikipedia.org/wiki/Federal_Information_Processing...


So I'm not sure why this is on HN. There is nothing new on here and not even much information. It is documentation of fips-compliant AWS API endpoints.

As someone who works with AWS every day in the Government space and needs to have strict compliance with FIPS and many other government standards, I wanted to clarify this document so people don't get confused.

Not all of these services listed here are fully FIPS compliant. This list is for FIPS-compliant endpoints to interact with service APIs.

For those that don't know, FIPS is a standard for federal information processing. It has a few parts to it, but for the context of cloud providers, FIPS-compliance generally means using encryption standards and cryptographic protocols that have been approved for transmission of federal information. To stay compliant with this standard your computers cannot transmit information that is insecure, and it must secure that information with specific cryptographic strategies, using approved cryptographic modules. This means that a standard SSL connection might not always be FIPS-compliant depending on the handshake negotiation between the sender and the receiver. But a FIPS endpoint will ensure that the server only accepts FIPS-compliant encryption methods. Furthermore, the server will only use approved cryptographic modules for things like key generation.

So in this case, AWS has exposed normal endpoints used for communicating with the services. In addition, most of the services (not all) have FIPS-compliant endpoints. These are communicating with servers that are compliant with FIPS and will ensure only FIPS compliant methods are used in the transmission of data when calling these services.

But... here's the kicker. Some of these services may do stuff that is not FIPS compliant. So just because a FIPS endpoint exists, it only means that you can communicate with the API in a FIPS-compliant manner. The service itself might not be FIPS compliant and/or may do things that break FIPS compliance. Therefore do not be satisfied with flipping this switch in AWS and assuming you are good to go. You are far from it.

Also of note, if you want or need FIPS endpoints you can do two things to get the AWS CLI and SDKs to use these endpoints automatically.

1. Set the environment variable AWS_USE_FIPS_ENDPOINT=true in your shell

2. Set the value `use_fips_endpoint = True` in your `~/.aws/config` file

Now the CLI and SDK tools will automatically use these endpoints, and if you communicate with a service that doesn't have a FIPS endpoint you will just get a nice fatal crash.
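An added example (not from the thread or from AWS) of checking, from the client side, whether the two settings the comment above describes will actually put the CLI/SDK into FIPS-endpoint mode. It parses a constructed `~/.aws/config` and an environment mapping; the precedence (environment variable over the active profile's config key, `AWS_PROFILE` selecting the profile) and the boolean parsing (only the string `true`, any case, counts as true) are assumptions about SDK behaviour, stated in the comments.

```python
import configparser
from typing import List, Mapping, Optional

ENV_VAR = "AWS_USE_FIPS_ENDPOINT"
CONFIG_KEY = "use_fips_endpoint"

# Constructed sample of a shared config file: the default profile does not
# request FIPS endpoints, the "gov" profile does (value written as True).
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile gov]
region = us-gov-west-1
use_fips_endpoint = True
"""


def _as_bool(value: Optional[str]) -> Optional[bool]:
    """SDK-style boolean (assumed): only 'true', case-insensitively, is true.
    None means 'not set' so the caller can fall through to the next source."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def _section_for(profile: str) -> str:
    # ~/.aws/config names the default profile [default], others [profile NAME].
    return "default" if profile == "default" else f"profile {profile}"


def fips_endpoints_enabled(env: Mapping[str, str], config_text: str) -> bool:
    """True if the CLI/SDK will select FIPS endpoints. Assumed order:
    environment variable first, then the active profile's config key, else off."""
    from_env = _as_bool(env.get(ENV_VAR))
    if from_env is not None:
        return from_env
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = _section_for(env.get("AWS_PROFILE", "default"))
    if parser.has_option(section, CONFIG_KEY):
        return bool(_as_bool(parser.get(section, CONFIG_KEY)))
    return False


def audit(env: Mapping[str, str], config_text: str) -> List[str]:
    """Findings for a host that is required to talk to AWS only via FIPS endpoints."""
    findings = []
    if not fips_endpoints_enabled(env, config_text):
        findings.append(f"FIPS endpoints not enforced: set {ENV_VAR}=true or "
                        f"{CONFIG_KEY} = true in the active profile")
    raw = env.get(ENV_VAR)
    if raw is not None and raw.strip().lower() not in ("true", "false"):
        findings.append(f"{ENV_VAR}={raw!r} is not a recognised boolean; treated as false")
    return findings
```

Run `audit(dict(os.environ), open(os.path.expanduser("~/.aws/config")).read())` on a real host to get the same findings for its live configuration.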



