fix(ia): enable FIPS endpoints for AWS session config #35

Open

theautoroboto wants to merge 1 commit into main from fedramp/IA-07-fips-endpoints-2026-04-22

Conversation

@theautoroboto theautoroboto commented Apr 22, 2026

FedRAMP Remediation — IA-07 / SC-13: FIPS Cryptographic Module Authentication

Jira: ROSAENG-365, ROSAENG-366
Epic: ROSAENG-287

Finding

AWS session config in internal/aws/session.go does not enforce FIPS endpoints. All downstream AWS clients (CloudFormation, EC2, IAM, Lambda, STS) use standard regional endpoints, failing IA-07 and SC-13.

Change

Added config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled) to NewConfig(). All downstream clients inherit FIPS endpoint routing automatically.

References

🤖 Generated by fedramp-compliance agent on 2026-04-22

FedRAMP SC-13 and IA-7 require cryptographic modules to use FIPS
140-3 validated endpoints. Add config.WithUseFIPSEndpoint(aws.
FIPSEndpointStateEnabled) to NewConfig so that every AWS service
client created from this config (CloudFormation, EC2, IAM, Lambda,
STS) automatically routes through FIPS endpoints.

Jira: ROSAENG-365
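As an added example (not code from this PR or from the repository it targets): a fail-closed HTTP transport guard in Go that makes the FIPS endpoint requirement observable and enforceable at the wire level, independent of whether `config.WithUseFIPSEndpoint` was set on every config. It assumes the commercial-partition naming AWS uses for FIPS endpoints (`<service>-fips.<region>.amazonaws.com`, `iam-fips.amazonaws.com`, or a leading `fips.` label), and that the guarded `*http.Client` would be handed to the SDK through `config.WithHTTPClient`. `FIPSGuard`, `Probe`, `recordingTransport` and the sample hostnames are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrNonFIPSEndpoint is returned for any request that would leave for an AWS
// API host that does not carry a FIPS label.
var ErrNonFIPSEndpoint = errors.New("refusing request to non-FIPS AWS endpoint")

// isAWSAPIHost reports whether host is an AWS service endpoint we want to gate.
// Assumption: every service endpoint the session talks to lives under amazonaws.com.
func isAWSAPIHost(host string) bool {
	host = strings.ToLower(host)
	return host == "amazonaws.com" || strings.HasSuffix(host, ".amazonaws.com")
}

// IsFIPSEndpoint reports whether host follows the FIPS naming convention of the
// commercial partition, e.g. cloudformation-fips.us-east-1.amazonaws.com,
// iam-fips.amazonaws.com or fips.<service>.<region>.amazonaws.com.
// Assumption: a hostname heuristic, not a lookup in the SDK endpoint table.
// GovCloud hosts that are FIPS without such a label need a partition-specific rule.
func IsFIPSEndpoint(host string) bool {
	host = strings.ToLower(host)
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i] // drop an explicit port
	}
	first, _, _ := strings.Cut(host, ".")
	return first == "fips" || strings.HasSuffix(first, "-fips")
}

// FIPSGuard is an http.RoundTripper that fails closed: a request bound for an
// AWS API host without a FIPS label is rejected before any bytes leave the
// process, so a client built from a config that forgot WithUseFIPSEndpoint
// cannot silently fall back to the standard endpoint. Non-AWS hosts pass through.
type FIPSGuard struct {
	Next http.RoundTripper // transport for allowed requests; nil means http.DefaultTransport
}

// RoundTrip implements http.RoundTripper.
func (g FIPSGuard) RoundTrip(req *http.Request) (*http.Response, error) {
	host := req.URL.Hostname()
	if isAWSAPIHost(host) && !IsFIPSEndpoint(host) {
		return nil, fmt.Errorf("%w: %s", ErrNonFIPSEndpoint, host)
	}
	next := g.Next
	if next == nil {
		next = http.DefaultTransport
	}
	return next.RoundTrip(req)
}

// recordingTransport stands in for the network so the example runs offline: it
// records the hosts of the requests that passed the guard and answers 200.
type recordingTransport struct{ Hosts []string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.Hosts = append(r.Hosts, req.URL.Hostname())
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Request: req}, nil
}

// Probe sends a GET to https://<host>/ for each host through a guarded client and
// reports which hosts were allowed through and which the guard refused.
func Probe(hosts []string) (allowed, refused []string) {
	rec := &recordingTransport{}
	client := &http.Client{Transport: FIPSGuard{Next: rec}}
	for _, h := range hosts {
		resp, err := client.Get("https://" + h + "/")
		if errors.Is(err, ErrNonFIPSEndpoint) {
			refused = append(refused, h)
			continue
		}
		if err != nil {
			refused = append(refused, h+" ("+err.Error()+")")
			continue
		}
		resp.Body.Close()
	}
	return rec.Hosts, refused
}

func main() {
	// Constructed sample of hosts the five clients in the PR could resolve to,
	// with and without FIPS endpoint state enabled.
	sample := []string{
		"cloudformation-fips.us-east-1.amazonaws.com",
		"ec2-fips.us-east-1.amazonaws.com",
		"iam-fips.amazonaws.com",
		"lambda.us-east-1.amazonaws.com", // standard endpoint: refused
		"sts.amazonaws.com",              // legacy global endpoint: refused
		"example.com",                    // not AWS: passed through untouched
	}
	allowed, refused := Probe(sample)
	fmt.Println("allowed:", allowed)
	fmt.Println("refused:", refused)
}
```

Two caveats a reviewer of this PR would want on record. `WithUseFIPSEndpoint` only changes which host the SDK resolves; for a service that has no FIPS endpoint in a region, the call fails at endpoint resolution or DNS rather than silently using the standard endpoint, so every region the tool is run in needs to be checked. And endpoint selection says nothing about the cryptographic module on the client side: the process still uses Go's `crypto/tls` unless the binary is built in FIPS mode (for example the `GOFIPS140` setting in Go 1.24 and later, or a toolchain's boringcrypto build), which is a separate line item for SC-13.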
@theautoroboto theautoroboto added fedramp FedRAMP compliance remediation compliance Compliance-related change automated Generated by automation labels Apr 22, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2026
@openshift-ci openshift-ci Bot commented Apr 22, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai coderabbitai Bot commented Apr 22, 2026

Summary by CodeRabbit

  • New Features
    • Enabled FIPS 140-3 validated endpoints for AWS API communications.

Walkthrough

The NewConfig function in the AWS session module is updated to explicitly enable FIPS endpoints by adding config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled) to the configuration options, routing AWS API calls through FIPS 140-3 validated endpoints.

Changes

Cohort / File(s) | Summary
AWS Session Configuration, internal/aws/session.go | Added FIPS endpoint configuration to the NewConfig function, enabling routing of AWS API calls through FIPS 140-3 validated endpoints.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title directly and concisely describes the main change: enabling FIPS endpoints in AWS session configuration.
Description check: ✅ Passed. The description provides context on FedRAMP compliance requirements, the specific finding, the change made, and relevant references, all directly related to the changeset.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@openshift-ci openshift-ci Bot commented Apr 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: theautoroboto

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@theautoroboto theautoroboto marked this pull request as ready for review April 22, 2026 21:29
@theautoroboto theautoroboto added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 22, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 22, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
internal/aws/session.go (1)

22-24: Comment wording should match unconditional behavior.

The note says FIPS is required when operating in GovCloud/FedRAMP environments, but Line 25 enforces it for all environments. Consider rewording to avoid implying conditional activation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@internal/aws/session.go` around lines 22 - 24, The existing comment above the
FIPS enforcement block is worded as if FIPS endpoints are only required in
GovCloud/FedRAMP, but the code unconditionally enforces FIPS endpoints; update
the comment text to state the unconditional behavior (e.g., "Require FIPS 140-3
validated endpoints for all AWS API calls.") so it matches the enforcement logic
in this file (the comment immediately preceding the FIPS endpoint enforcement
code in session.go).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 069d68f9-30dd-4ae7-b973-7b3f29474246

📥 Commits

Reviewing files that changed from the base of the PR and between f886df9 and 7cbee92.

📒 Files selected for processing (1)
  • internal/aws/session.go

Labels

automated Generated by automation compliance Compliance-related change fedramp FedRAMP compliance remediation needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
