ec2 use_fips_endpoint via terraform - what does this do for me?

Posted 2025-01-12 14:03:39


I create an ec2 instance using

provider "aws" {
  region = "us-west-2"
  use_fips_endpoint = true

  endpoints {
    ec2              = "https://ec2-fips.us-west-2.amazonaws.com"
  }
}

Once the instance is created I can set fips-mode in the kernel, but what does the above 'endpoint' setting provide?


Comments (1)

山色无中 2025-01-19 14:03:39


AWS FIPS endpoints are not for accessing AWS service APIs from within your AWS VPC (e.g., to keep traffic within the AWS private cloud network), as one commenter stated. Your requests to FIPS endpoints will still travel over the public internet. You can test this pretty easily by just running a curl to an AWS FIPS endpoint from your local machine:

➜  ~ curl -I https://ec2-fips.us-west-2.amazonaws.com
HTTP/1.1 400 Bad Request
x-amzn-RequestId: e2d860b8-9962-4c39-954b-b80b89fef829
Cache-Control: no-cache, no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
vary: accept-encoding
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 08 Jun 2023 16:02:11 GMT
Connection: close
Server: AmazonEC2

If you want to keep your AWS API requests inside of your VPC and the AWS private network, that functionality is provided by AWS VPC endpoints (aka PrivateLink)!

Instead, AWS FIPS endpoints are AWS service API endpoints that comply with FIPS (Federal Information Processing Standard) 140-2. FIPS endpoints are limited to using more secure cryptographic modules and TLS versions than you would find available on the standard AWS service endpoints.
The reason one might want or need to use FIPS endpoints is when deploying solutions for US government organizations which adhere to compliance frameworks like FedRAMP. FedRAMP requires that all requests to AWS be made via a FIPS 140-2 compliant service endpoint.

AWS General Reference doc on service endpoints: https://docs.aws.amazon.com/general/latest/gr/rande.html#FIPS-endpoints

AWS FIPS Endpoints by Service: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service
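To make the distinction in that answer concrete, here is an added Terraform example (not part of the question or the answer above, and not official AWS code) that puts the two settings side by side: the provider's FIPS switch, which only changes which public hostname the Terraform CLI itself talks to, and an interface VPC endpoint, which is what keeps EC2 API calls made from inside the VPC on the AWS network. With `use_fips_endpoint = true` the provider derives `ec2-fips.us-west-2.amazonaws.com` on its own, so the hand-written `endpoints` override in the question is redundant. The `var.vpc_id`, `var.private_subnet_ids` and `var.endpoint_sg_id` inputs are placeholders for existing infrastructure.

```hcl
# Added example, not from the original post. Assumes an existing VPC
# (var.vpc_id), private subnets (var.private_subnet_ids) and a security
# group (var.endpoint_sg_id) that allows inbound TCP/443 from the instances.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # use_fips_endpoint is available in the 4.x series
    }
  }
}

# 1. FIPS endpoint: changes WHICH public hostname the machine running
#    Terraform calls (ec2-fips.us-west-2.amazonaws.com instead of
#    ec2.us-west-2.amazonaws.com). Traffic still crosses the internet;
#    only the TLS/crypto profile of the far end differs.
provider "aws" {
  region            = "us-west-2"
  use_fips_endpoint = true
  # No "endpoints" block is needed: the provider resolves the -fips
  # hostname for every service that publishes one. A manual override
  # would only make sense for a service without a FIPS endpoint here.
}

# 2. Interface VPC endpoint (PrivateLink): keeps EC2 API calls made from
#    INSIDE the VPC on the AWS network. This is the property the question
#    conflated with FIPS; it is a separate resource, not a provider flag.
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-west-2.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  # With private DNS on, ec2.us-west-2.amazonaws.com resolves inside the
  # VPC to the endpoint's private IPs, so instances need no code change.
  private_dns_enabled = true
}

variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "endpoint_sg_id" {
  type = string
}
```

The two settings are independent and do not combine automatically: an SDK on an instance in this VPC that is itself configured for FIPS will target the `-fips` hostname, which the private DNS of this endpoint does not cover. Before relying on both at once, check the VPC endpoint documentation for the service in question for a separate FIPS service name, and verify from the instance with `dig`/`nslookup` that the hostname your clients actually use resolves to a private address.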
