"So for the CloudFormation templates, I would not put the FIPS endpoint name in the template itself, but rely on the env variable to ensure the FIPS endpoint is used, correct?" - That is correct.
"Such as for my CloudFormation template example above, I would leave it as it is; I wouldn't need to change it to fsx-fips.us-gov-west-1.amazonaws.com. Would changing the CF template to the FIPS endpoints even work?" - You'd leave it as it is. Setting the string value for the kms:ViaService condition key to fsx-fips.us-gov-west-1.amazonaws.com won't match the expected service name fsx.us-gov-west-1.amazonaws.com, and hence wouldn't have the expected outcome for this condition key usage, i.e. allowing or denying KMS operations for a role/user via the FSx service.
Hi, as listed in the table 'Services that support the kms:ViaService condition key' in the documentation you've referenced, the value in the condition key is the service name, e.g. s3.AWS_region.amazonaws.com or elasticfilesystem.AWS_region.amazonaws.com. Think of it as the service principal name but with the region included. Therefore, for the AWS GovCloud (US) West region, the value would be s3.us-gov-west-1.amazonaws.com or elasticfilesystem.us-gov-west-1.amazonaws.com.
Once the KMS policy is set up with the kms:ViaService condition key, the use of FIPS endpoints in the US standard commercial regions (US East/West) and the GovCloud regions can be achieved using the AWS CLI and AWS SDKs. In the case of the AWS CLI, you can either set the environment variable AWS_USE_FIPS_ENDPOINT to True, or set use_fips_endpoint = True in your ~/.aws/config file. Alternatively, you can also use the endpoint_url parameter to specify the endpoint. The AWS SDKs also support the AWS_USE_FIPS_ENDPOINT flag and endpoint_url as a parameter programmatically.
For instance, copying a file to an S3 bucket using the AWS CLI in the GovCloud West region, specifying a KMS key whose key policy is set with the kms:ViaService key, with the FIPS endpoint specified, would look like this:
aws s3 cp <local file name> s3://<bucket-name>/<key-name> --sse aws:kms --sse-kms-key-id arn:aws-us-gov:kms:us-gov-west-1:<AWS Account ID>:key/<uuid> --endpoint-url https://s3-fips.us-gov-west-1.amazonaws.com
The condition key would be set as follows (more conditions can be added):
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "s3.us-gov-west-1.amazonaws.com"
        }
    }
- The kms:ViaService condition key doesn't determine endpoint usage. The AWS CLI and SDKs are used as part of a workload, for operations on AWS services, and can be configured to use the FIPS endpoints.
- The condition key value represents more the AWS service principal name with the domain name. It indicates to KMS which service is trying to perform a KMS operation on behalf of an AWS principal, e.g. a role or user such as OpsRoleARN.
- You'd use the AWS KMS ViaService name listed in the docs. It appears to have the same format as the general service endpoint.
CloudFormation will set up the infrastructure. The IAM role with the condition key would still take effect for FSx operations.
Hope this helps.
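As an added illustration of the point made in this answer (example code, not from the answer's author or from AWS): a small evaluator for a StringEquals kms:ViaService condition. It assumes a constructed key policy statement with placeholder account id and role name, and shows that the value KMS matches against is the service name plus region, so a policy written with the -fips hostname never matches, whichever endpoint the client called.

```python
import json
from typing import Dict

# Constructed key policy statement modelled on the answer above. The account id
# and role name are placeholders. The condition value is the service name plus
# region, exactly as the answer describes, not the FIPS endpoint hostname.
KEY_POLICY_STATEMENT: Dict = {
    "Sid": "AllowKmsUseViaFsx",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::123456789012:role/OpsRole"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
               "kms:CreateGrant", "kms:DescribeKey"],
    "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "fsx.us-gov-west-1.amazonaws.com"}},
}


def via_service_value(service: str, region: str) -> str:
    """The kms:ViaService value KMS fills in for a request made through a service.

    It is built from the service principal name and the region only; the endpoint
    the client actually called (regular or -fips) does not change it.
    """
    return f"{service}.{region}.amazonaws.com"


def string_equals_satisfied(condition: Dict, request_context: Dict[str, str]) -> bool:
    """Evaluate a Condition block that uses only StringEquals (exact string match)."""
    for key, expected in condition.get("StringEquals", {}).items():
        allowed = expected if isinstance(expected, list) else [expected]
        if request_context.get(key) not in allowed:
            return False
    return True


def statement_applies(statement: Dict, service: str, region: str) -> bool:
    """Does the statement's condition match a KMS call made via `service` in `region`?

    If the condition is not met the statement is skipped, so only an implicit deny remains.
    """
    context = {"kms:ViaService": via_service_value(service, region)}
    return string_equals_satisfied(statement["Condition"], context)


def with_via_service(statement: Dict, value: str) -> Dict:
    """Deep copy of the statement with a different kms:ViaService value, to compare wordings."""
    copy = json.loads(json.dumps(statement))
    copy["Condition"]["StringEquals"]["kms:ViaService"] = value
    return copy
```

Run `statement_applies(KEY_POLICY_STATEMENT, "fsx", "us-gov-west-1")` to see the intended match, and compare it against the same call evaluated under `with_via_service(KEY_POLICY_STATEMENT, "fsx-fips.us-gov-west-1.amazonaws.com")`, which never applies.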
Thanks again!
So for the CloudFormation templates, I would not put the FIPS endpoint name in the template itself, but rely on the env variable to ensure the FIPS endpoint is used, correct?
Such as for my CloudFormation template example above, I would leave it as it is; I wouldn't need to change it to fsx-fips.us-gov-west-1.amazonaws.com. Would changing the CF template to the FIPS endpoints even work?
Thanks for the reply and explanation!
Am I reading this right? 1) FIPS endpoints would only work for kms:ViaService with the AWS CLI or SDK; 2) using the FIPS endpoint value in the condition key would not work; 3) I would still always use the 'regular' endpoint name in the condition key (because of the env variable setup).
My concern is with third-party tools that would use an IAM role that grants them the KMS permission used for creating FSx via a CloudFormation template, but I suppose the env variable would cover this? See below for an example from an actual template -