fix(ia): enable FIPS endpoints for AWS session config #35
Conversation
FedRAMP SC-13 and IA-7 require cryptographic modules to use FIPS 140-3 validated endpoints. Add config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled) to NewConfig so that every AWS service client created from this config (CloudFormation, EC2, IAM, Lambda, STS) automatically routes through FIPS endpoints.
Jira: ROSAENG-365
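The description above relies on every client inheriting FIPS routing from NewConfig. A defender usually also wants a fail-closed runtime check, so that a client built from a different config, or one given a custom BaseEndpoint, cannot silently fall back to a standard regional endpoint. The following is an added example, not code from this PR or from the project: a standard-library-only http.RoundTripper that blocks any request whose host is not an AWS FIPS endpoint. It assumes the common `<service>-fips.<region>.amazonaws.com` naming pattern (a heuristic; services named differently go on the allowlist), and the names FIPSGuard, IsFIPSHost, NewFIPSGuard and the recording transport are illustrative. Wiring it into the SDK via config.WithHTTPClient is shown only in a comment, since the SDK is not imported here.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrNonFIPSEndpoint is returned when a request is bound for a host that is
// not recognised as an AWS FIPS endpoint. The guard fails closed.
var ErrNonFIPSEndpoint = errors.New("request blocked: destination is not a FIPS endpoint")

// IsFIPSHost reports whether host follows the common AWS FIPS endpoint naming
// pattern "<service>-fips.<region>.amazonaws.com" (the region label is absent
// for global services such as IAM). A trailing ":port" and letter case are ignored.
// Assumption (illustrative): this pattern check is a heuristic; services whose
// FIPS hosts are named differently must be added to the guard's allowlist.
func IsFIPSHost(host string) bool {
	h := strings.ToLower(host)
	if i := strings.LastIndexByte(h, ':'); i >= 0 {
		h = h[:i] // drop an explicit port
	}
	if !strings.HasSuffix(h, ".amazonaws.com") {
		return false // never treat a look-alike domain as FIPS
	}
	serviceLabel, _, _ := strings.Cut(h, ".")
	return strings.HasSuffix(serviceLabel, "-fips")
}

// FIPSGuard is an http.RoundTripper that refuses to send any request whose
// host is not a FIPS endpoint (hypothetical name, not part of the project).
//
// It can be installed from NewConfig with, for example:
//
//	config.WithHTTPClient(&http.Client{Transport: NewFIPSGuard(nil)})
//
// so a client that bypasses WithUseFIPSEndpoint is blocked rather than
// silently using a standard endpoint.
type FIPSGuard struct {
	next      http.RoundTripper
	allowlist map[string]bool // exact hosts accepted in addition to the pattern
}

// NewFIPSGuard wraps next (http.DefaultTransport when nil). extraHosts lists
// FIPS endpoints that do not match the "-fips" naming pattern.
func NewFIPSGuard(next http.RoundTripper, extraHosts ...string) *FIPSGuard {
	if next == nil {
		next = http.DefaultTransport
	}
	g := &FIPSGuard{next: next, allowlist: make(map[string]bool, len(extraHosts))}
	for _, h := range extraHosts {
		g.allowlist[strings.ToLower(h)] = true
	}
	return g
}

// Allowed is the decision function, exposed so it can be tested without
// sending traffic.
func (g *FIPSGuard) Allowed(u *url.URL) bool {
	return IsFIPSHost(u.Host) || g.allowlist[strings.ToLower(u.Hostname())]
}

// RoundTrip enforces the decision before delegating to the real transport.
func (g *FIPSGuard) RoundTrip(req *http.Request) (*http.Response, error) {
	if !g.Allowed(req.URL) {
		return nil, fmt.Errorf("%w: %s", ErrNonFIPSEndpoint, req.URL.Host)
	}
	return g.next.RoundTrip(req)
}

// recordingTransport is a constructed stand-in for the network so the guard
// can be exercised offline; it records each host it is handed and answers 200.
type recordingTransport struct{ sent []string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.sent = append(r.sent, req.URL.Host)
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Request: req}, nil
}

func main() {
	rt := &recordingTransport{}
	guard := NewFIPSGuard(rt)
	// Constructed sample destinations: one FIPS host, one standard regional host.
	for _, target := range []string{
		"https://sts-fips.us-east-1.amazonaws.com/",
		"https://sts.us-east-1.amazonaws.com/",
	} {
		req, _ := http.NewRequest(http.MethodPost, target, nil)
		if _, err := guard.RoundTrip(req); err != nil {
			fmt.Println("blocked:", err)
			continue
		}
		fmt.Println("sent:", target)
	}
}
```

The guard is deliberately a transport-level check rather than an SDK option: it sits below endpoint resolution, so it catches every path to the network, and the suffix check on `.amazonaws.com` keeps a look-alike domain containing "-fips" from being accepted.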
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: theautoroboto. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
Nitpick comments (1)
internal/aws/session.go (1)
Lines 22-24: Comment wording should match unconditional behavior. The note says FIPS is required when operating in GovCloud/FedRAMP environments, but line 25 enforces it for all environments. Consider rewording to avoid implying conditional activation.
Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@internal/aws/session.go` around lines 22-24, the existing comment above the FIPS enforcement block is worded as if FIPS endpoints are only required in GovCloud/FedRAMP, but the code unconditionally enforces FIPS endpoints; update the comment text to state the unconditional behavior (e.g., "Require FIPS 140-3 validated endpoints for all AWS API calls.") so it matches the enforcement logic in this file (the comment immediately preceding the FIPS endpoint enforcement code in session.go).
FedRAMP Remediation — IA-07 / SC-13: FIPS Cryptographic Module Authentication
Jira: ROSAENG-365, ROSAENG-366
Epic: ROSAENG-287
Finding
AWS session config in internal/aws/session.go does not enforce FIPS endpoints. All downstream AWS clients (CloudFormation, EC2, IAM, Lambda, STS) use standard regional endpoints, failing IA-07 and SC-13.
Change
Added config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled) to NewConfig(). All downstream clients inherit FIPS endpoint routing automatically.
References
🤖 Generated by fedramp-compliance agent on 2026-04-22