
Enable FIPS 140-3 Compliance for RDS API #91

Closed

kraigeisenman wants to merge 1 commit into master from feature/fips-140-3-compliance


Conversation

@kraigeisenman


Summary

This PR enables FIPS 140-3 compliance for the RDS API, ensuring that Dedicated MySQL and PostgreSQL offerings in Spinup Plus meet federal cryptographic standards.

Changes

  • Go 1.24: Upgraded from Go 1.23 to Go 1.24 for native FIPS 140-3 support
  • GOFIPS140 Build Flag: Added GOFIPS140=v1.0.0 environment variable to enable FIPS-compliant cryptography during build
  • AWS FIPS Endpoints: Configured AWS SDK to use FIPS endpoints via UseFIPSEndpoint: aws.FIPSEndpointStateEnabled

Technical Details

Go 1.24 FIPS 140-3 Support:

  • Go 1.24 introduces native FIPS 140-3 support through the crypto/fips140 module
  • Uses AWS-LC cryptographic library (NIST Certificate #4631)
  • The GOFIPS140=v1.0.0 build flag activates FIPS-approved algorithms only

AWS FIPS Endpoints:

  • Directs all AWS API calls to FIPS endpoints (e.g., rds-fips.us-east-1.amazonaws.com)
  • Ensures TLS connections use FIPS-validated cryptography
  • Applied in pkg/session/session.go for all AWS sessions

Files Changed

| File | Change |
|---|---|
| go.mod | Go 1.23 → Go 1.24 |
| docker/Dockerfile | golang:1.24-alpine + GOFIPS140 flag |
| docker/Dockerfile.local | golang:1.24-alpine + GOFIPS140 flag |
| pkg/session/session.go | Added UseFIPSEndpoint configuration |

Dependencies

  • Go 1.24: Requires Go 1.24 to be released (scheduled for February 2025). This PR can be merged once Go 1.24 is GA and the Docker image golang:1.24-alpine is available.

Related

Test Plan

  • Verify Go 1.24 Docker image is available
  • Build the API with the new configuration
  • Verify FIPS mode is enabled by checking crypto/fips140.Enabled() returns true
  • Test RDS instance creation to confirm FIPS endpoints are being used
  • Validate API functionality with existing test suite

- Upgrade Go version from 1.23 to 1.24 for native FIPS 140-3 support
- Add GOFIPS140=v1.0.0 build flag to enable FIPS-compliant cryptography
- Configure AWS SDK to use FIPS endpoints via UseFIPSEndpoint setting

Go 1.24 includes native FIPS 140-3 support through the crypto/fips140
module, which uses AWS-LC (NIST Certificate #4631). This ensures all
cryptographic operations use FIPS 140-3 validated algorithms.

The UseFIPSEndpoint configuration directs all AWS API calls to FIPS
endpoints (e.g., rds-fips.us-east-1.amazonaws.com), ensuring end-to-end
FIPS compliance for Dedicated MySQL and PostgreSQL offerings.

Relates to: CLOUD-615
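The two runtime checks in the test plan, written out as an added example for this page (it is not code from the Spinup Plus repository or from this PR): a fail-closed startup guard on crypto/fips140.Enabled() (Go 1.24 or later), and an http.RoundTripper that refuses any outbound request that is not TLS to a FIPS endpoint, so a session that silently fell back to a plain regional endpoint becomes a hard error instead of a compliance finding. The hostname heuristic in isFIPSHost, the stub round tripper and the sample URLs are assumptions constructed for the example; only rds-fips.us-east-1.amazonaws.com comes from the PR text.

```go
package main

import (
	"crypto/fips140"
	"crypto/tls"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// ErrNotFIPS is returned by requireFIPS when the process is not in FIPS 140-3 mode.
var ErrNotFIPS = errors.New("fips: crypto/fips140.Enabled() is false; refusing to start")

// requireFIPS is the fail-closed startup guard for the test-plan check
// "crypto/fips140.Enabled() returns true". Enabled() reflects the runtime
// GODEBUG fips140 setting; GOFIPS140=v1.0.0 at build time only sets its default.
func requireFIPS() error {
	if !fips140.Enabled() {
		return ErrNotFIPS
	}
	return nil
}

// isFIPSHost is a naming heuristic (an assumption of this example, not an AWS
// guarantee): a commercial-partition FIPS endpoint carries a "fips" label in
// its hostname, e.g. rds-fips.us-east-1.amazonaws.com. GovCloud and China
// partitions use other names and would need their own allowlist.
func isFIPSHost(host string) bool {
	h := strings.ToLower(host)
	if hostOnly, _, err := net.SplitHostPort(h); err == nil {
		h = hostOnly // drop an explicit :443
	}
	if !strings.HasSuffix(h, ".amazonaws.com") {
		return false
	}
	for _, label := range strings.Split(h, ".") {
		if label == "fips" || strings.HasPrefix(label, "fips-") || strings.HasSuffix(label, "-fips") {
			return true
		}
	}
	return false
}

// fipsOnlyTransport rejects, before any bytes leave the process, requests that
// are not HTTPS or are not addressed to a FIPS endpoint. Installed as the AWS
// SDK's HTTP client it turns a silent non-FIPS fallback into an error.
type fipsOnlyTransport struct {
	next http.RoundTripper
}

func (t fipsOnlyTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Scheme != "https" {
		return nil, fmt.Errorf("fips: refusing non-TLS request to %s", req.URL.Host)
	}
	if !isFIPSHost(req.URL.Host) {
		return nil, fmt.Errorf("fips: refusing request to non-FIPS endpoint %s", req.URL.Host)
	}
	return t.next.RoundTrip(req)
}

// newFIPSHTTPClient is the client to hand to the SDK: TLS 1.2 or newer, guarded.
func newFIPSHTTPClient() *http.Client {
	base := &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: fipsOnlyTransport{next: base}}
}

// stubRoundTripper replaces the network so the guard can be exercised offline
// (constructed for this example only).
type stubRoundTripper struct{}

func (stubRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: http.StatusOK, Status: "200 OK", Body: http.NoBody, Request: req}, nil
}

// checkRequest reports the guard's verdict for rawURL without touching the network.
func checkRequest(rawURL string) error {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return err
	}
	guard := fipsOnlyTransport{next: stubRoundTripper{}}
	resp, err := guard.RoundTrip(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

func main() {
	if err := requireFIPS(); err != nil {
		log.Fatal(err) // run with GODEBUG=fips140=on, or build with GOFIPS140=v1.0.0
	}
	fmt.Println("FIPS 140-3 mode: enabled")
	fmt.Printf("outbound guard installed: %T\n", newFIPSHTTPClient().Transport)
	for _, u := range []string{
		"https://rds-fips.us-east-1.amazonaws.com/", // endpoint named in the PR: allowed
		"https://rds.us-east-1.amazonaws.com/",      // plain regional endpoint: rejected
		"http://rds-fips.us-east-1.amazonaws.com/",  // FIPS host without TLS: rejected
	} {
		fmt.Printf("%-45s -> %v\n", u, checkRequest(u))
	}
}
```

Run it as `GODEBUG=fips140=on go run .` (or build with GOFIPS140=v1.0.0, which sets that default); without either the guard exits at startup, which is the intended behaviour. In aws-sdk-go-v2 the client sits next to the endpoint setting, e.g. `config.LoadDefaultConfig(ctx, config.WithHTTPClient(newFIPSHTTPClient()), config.WithUseFIPSEndpoint(aws.FIPSEndpointStateEnabled))`. Two caveats worth carrying into the test plan: Enabled() reports the runtime GODEBUG value, not the build flag, so a container started with GODEBUG=fips140=off passes the build but fails this guard; and it is GODEBUG=fips140=only, not on, that makes non-approved algorithms return errors rather than remain callable.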