
Adding FIPS 140-2 Support to EKS AMI #513

Closed
wants to merge 3 commits into from

Conversation

@arhea arhea commented Jul 22, 2020

Description of changes: This PR adds support for enabling FIPS 140-2 mode in the Kernel. FIPS 140-2 is required by customers looking to achieve FedRAMP and/or DoD CC SRG compliance. This PR adds steps to the upgrade_kernel.sh script to enable FIPS 140-2 mode on AL2. The use of this AMI will enable customers to build FIPS 140-2 compatible solutions on top of Amazon EKS worker nodes. This PR supports the publication of FIPS and Non-FIPS AMIs by adding an additional packer variable and additional make commands.

The suggested naming for FIPS enabled AMIs: amazon-eks-node-fips-*

This PR adds the following commands:

# install and enable fips modules
sudo yum install -y dracut-fips openssl
sudo dracut -f

# enable fips in the boot command
sudo sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 fips=1"/' /etc/default/grub

# rebuild grub
sudo grub2-mkconfig -o /etc/grub2.cfg

Amazon Linux 2 is currently undergoing the FIPS 140-2 validation process with NIST. At the time of this PR, Amazon Linux 2 is still in the validation process. I recommend holding off on merging this PR until all validation has been completed.

Module                                              Status   Certification Date
Amazon Linux 2 Libreswan Cryptographic Module       3652     05/08/2020
Amazon Linux 2 NSS Cryptographic Module             3646     04/20/2020
Amazon Linux 2 GnuTLS Cryptographic Module          3643     04/20/2020
Amazon Linux 2 Libgcrypt Cryptographic Module       3618     02/19/2020
Amazon Linux 2 OpenSSH Client Cryptographic Module  3567     11/20/2019
Amazon Linux 2 OpenSSH Server Cryptographic Module  3562     11/14/2019
Amazon Linux 2 OpenSSL Cryptographic Module         3553     10/23/2019
Amazon Linux 2 Kernel Cryptographic API             3709     09/14/2020

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
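Two POSIX sh helpers around the steps in this PR, added here as an example and not code from PR #513 or the amazon-eks-ami project: one persists fips=1 in a GRUB defaults file without duplicating it on repeated runs (the PR's sed appends a second fips=1 every time it is re-run), the other verifies a booted node's FIPS state from the kernel's own view. File paths are parameters so both run against constructed sample files; on a real AL2 node they would be /etc/default/grub, /proc/sys/crypto/fips_enabled and /proc/cmdline.

```sh
#!/bin/sh
# Added example (not from PR #513): idempotent GRUB edit plus a FIPS-state check.

# add_fips_to_grub_default <grub_defaults_file>
# Skip the edit when GRUB_CMDLINE_LINUX_DEFAULT already carries a whole-word fips=1.
add_fips_to_grub_default() {
    grub_file=$1
    if grep -qw '^GRUB_CMDLINE_LINUX_DEFAULT=.*fips=1' "$grub_file"; then
        return 0
    fi
    # Same substitution as the PR, written without sed -i for portability.
    sed 's/^\(GRUB_CMDLINE_LINUX_DEFAULT=.*\)"$/\1 fips=1"/' "$grub_file" \
        > "$grub_file.tmp" && mv "$grub_file.tmp" "$grub_file"
}

# fips_status <fips_enabled_file> <cmdline_file> <grub_defaults_file>
# Prints "ok" when all three agree, else "FAIL:" followed by the failed checks.
fips_status() {
    fips_file=$1; cmdline_file=$2; grub_file=$3
    failures=""
    # Runtime state: 1 only if the kernel booted with fips=1 AND its crypto
    # self-tests passed; the boot flag alone is not proof of FIPS mode.
    [ "$(cat "$fips_file" 2>/dev/null)" = 1 ] || failures="$failures kernel_fips_off"
    # Command line the running kernel was actually booted with.
    grep -qw 'fips=1' "$cmdline_file" 2>/dev/null || failures="$failures cmdline_no_fips"
    # Persisted default, so the flag survives the next grub2-mkconfig.
    grep -qw '^GRUB_CMDLINE_LINUX_DEFAULT=.*fips=1' "$grub_file" 2>/dev/null \
        || failures="$failures grub_no_fips"
    if [ -z "$failures" ]; then echo ok; return 0; fi
    echo "FAIL:$failures"; return 1
}

# Demo on constructed sample files; no real system files are touched.
demo() {
    d=$(mktemp -d)
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 net.ifnames=0"\n' > "$d/grub"
    add_fips_to_grub_default "$d/grub"
    add_fips_to_grub_default "$d/grub"   # second run must be a no-op
    printf '1\n' > "$d/fips_enabled"
    printf 'root=UUID=x ro console=tty0 fips=1\n' > "$d/cmdline"
    fips_status "$d/fips_enabled" "$d/cmdline" "$d/grub"
    rm -rf "$d"
}
demo
```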

arhea commented Sep 15, 2020

Updated: This PR is now ready to be merged as the final certification has been posted.


duncaan commented Nov 12, 2020

@abeer91 @arhea - what can I help with to get this merged? We'd like to use this whenever possible.

@mattlorimor

@abeer91, @arhea - Echoing @duncaan's sentiment. Is there something still holding this up?


abeer91 commented Dec 11, 2020

We're discussing this PR and trying to understand what's the best interface for enabling FIPS modules on the EKS optimized AMIs.

@jonathan-strzalka-saggs

Hey, this is still very much needed for FedRAMP requirements. Is there any progress being made on this? This would be a much easier alternative to making our own AMIs with this feature.

@scinerio

@abeer91 any updates on this PR? FIPS 140-2 is a must-have for FedRAMP services leveraging AWS. Currently FedRAMP services in AWS GovCloud have no way to use EKS without building their own AMI that enables FIPS manually.


stanhu commented Apr 12, 2022

#898 updates this pull request to work on master.

stanhu added a commit to stanhu/amazon-eks-ami that referenced this pull request Apr 13, 2022
This adds support for enabling FIPS 140-2 mode in the Kernel. FIPS
140-2 is required by customers looking to achieve FedRAMP and/or DoD
CC SRG compliance.

This brings awslabs#513 up to
date with the latest master.
@cartermckinnon

Closing as duplicate of #898 .

@cartermckinnon cartermckinnon added duplicate This issue or pull request already exists enhancement New feature or request labels Aug 23, 2022
8 participants