Tags: amazon-ec2, terraform, fips

ec2 use_fips_endpoint via terraform - what does this do for me?


I create an ec2 instance using

provider "aws" {
  region = "us-west-2"
  use_fips_endpoint = true

  endpoints {
    ec2              = "https://ec2-fips.us-west-2.amazonaws.com"
  }
}

Once the instance is created I can set fips-mode in the kernel but what does the above 'endpoint' setting provide?


Solution

  • AWS FIPS endpoints are not for accessing AWS service APIs from within your AWS VPC (e.g., to keep traffic within the AWS private cloud network), as one commenter stated. Your requests to FIPS endpoints will still travel over the public internet. You can test this pretty easily by just running a curl to an AWS FIPS endpoint from your local machine:

    ➜  ~ curl -I https://ec2-fips.us-west-2.amazonaws.com
    HTTP/1.1 400 Bad Request
    x-amzn-RequestId: e2d860b8-9962-4c39-954b-b80b89fef829
    Cache-Control: no-cache, no-store
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    vary: accept-encoding
    Content-Type: text/xml;charset=UTF-8
    Transfer-Encoding: chunked
    Date: Thu, 08 Jun 2023 16:02:11 GMT
    Connection: close
    Server: AmazonEC2
    

    If you want to keep your AWS API requests inside of your VPC and the AWS private network, that functionality is provided by AWS VPC endpoints (aka PrivateLink)!

    Instead, AWS FIPS endpoints are AWS service API endpoints that comply with FIPS (Federal Information Processing Standard) 140-2. FIPS endpoints are limited to using more secure cryptographic modules and TLS versions than you would find available on the standard AWS service endpoints. The reason one might want or need to use FIPS endpoints is when deploying solutions for US government organizations which adhere to compliance frameworks like FedRAMP. FedRAMP requires that all requests to AWS be made via a FIPS 140-2 compliant service endpoint.

    AWS General Reference doc on service endpoints: https://docs.aws.amazon.com/general/latest/gr/rande.html#FIPS-endpoints

    AWS FIPS Endpoints by Service: https://aws.amazon.com/compliance/fips/#FIPS_Endpoints_by_Service
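As an added illustration (not part of the question or the answer above), the following Terraform shows the two settings the answer distinguishes side by side: the provider-level FIPS resolution from the question, and an EC2 interface VPC endpoint (PrivateLink) for keeping API traffic on the AWS network. The variables vpc_id and private_subnet_ids are hypothetical inputs.

```hcl
# Added example, not code from the original page: the FIPS provider setting
# next to the VPC endpoint (PrivateLink) the answer points to.
# Assumed inputs: var.vpc_id and var.private_subnet_ids are hypothetical.

variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }

# FIPS: with use_fips_endpoint set, the provider resolves
# ec2-fips.us-west-2.amazonaws.com on its own, so the per-service
# "endpoints" override from the question is not needed. The hostname is
# still public; only the cryptographic modules and TLS configuration differ.
provider "aws" {
  region            = "us-west-2"
  use_fips_endpoint = true
}

data "aws_vpc" "target" {
  id = var.vpc_id
}

# Only allow HTTPS from inside the VPC to the endpoint's network interfaces.
resource "aws_security_group" "ec2_endpoint" {
  name   = "ec2-vpc-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.target.cidr_block]
  }
}

# PrivateLink: keeps EC2 API calls made from inside the VPC on the AWS
# network. private_dns_enabled makes ec2.us-west-2.amazonaws.com resolve to
# the endpoint's private IPs; whether the -fips hostname is also served
# privately depends on the service and region, so confirm that in the AWS
# docs before assuming FIPS and PrivateLink are both in effect.
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.us-west-2.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ec2_endpoint.id]
  private_dns_enabled = true
}
```

After apply, `terraform providers` and the plan output show which endpoint host the provider resolved, while VPC flow logs on the endpoint's interfaces confirm that in-VPC EC2 API traffic no longer leaves for a public address.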