
S3 config changes to use S3 FIPS endpoints on FIPS hosts #4202

Merged
merged 2 commits into from
Jun 13, 2024

Conversation

harishxr
Contributor

@harishxr harishxr commented Jun 5, 2024

Summary

This pull request enables ECS Agent on linux to make S3 calls using S3 FIPS Endpoints when FIPS mode is enabled on the host machine.

Implementation details

  • Updated the NewS3ManagerClient and NewS3Client functions to use cfg.UseFIPSEndpoint to call FIPS S3 endpoints when FIPS mode is detected on the host.
  • Modified the getRegionFromBucket function to use s3manager.GetBucketRegionWithClient with options to ensure virtual-hosted-style URLs are used when FIPS mode is enabled on the host.
  • Added logging statements to indicate when FIPS compliant S3 endpoints and virtual-hosted-style URLs are being used.

Testing

  • Built a test agent using the changes made in the PR and ran the agent on a FIPS-enabled host.
  • The agent was able to identify that it was running in a FIPS-enabled env based on the following log
/var/log/ecs/ecs-agent.log.2024-06-10-18:level=info time=2024-06-10T18:33:19Z msg="FIPS mode detected on the host"
  • Created an S3 bucket and placed a test1.env file in it with the following content
TEST1=ABC
TEST2=XYZ
  • Ran a task with the following task definition
{
    "taskDefinitionArn": "arn:aws:ecs:us-west-2:redacted:task-definition/fips-test:2",
    "containerDefinitions": [
        {
            "name": "sleepy300",
            "image": "busybox",
            "cpu": 100,
            "memory": 10,
            "portMappings": [],
            "essential": true,
            "command": [
                "sleep",
                "10000000"
            ],
            "environment": [],
            "environmentFiles": [
                {
                    "value": "arn:aws:s3:::redacted/test1.env",
                    "type": "s3"
                }
            ],
            "mountPoints": [],
            "volumesFrom": [],
            "systemControls": []
        }
    ],
    "family": "fips-test",
    "taskRoleArn": "arn:aws:iam::redacted:role/TaskIAMRoleArn",
    "executionRoleArn": "arn:aws:iam::redacted:role/TaskExecutionRoleARN",
    "networkMode": "host",
    "revision": 2,
    "volumes": [],
    "status": "ACTIVE",
    "requiresAttributes": [
        {
            "name": "com.amazonaws.ecs.capability.task-iam-role-network-host"
        },
        {
            "name": "ecs.capability.env-files.s3"
        },
        {
            "name": "com.amazonaws.ecs.capability.task-iam-role"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
        }
    ],
    "placementConstraints": [],
    "compatibilities": [
        "EXTERNAL",
        "EC2"
    ],
    "cpu": "256",
    "memory": "512",
    "registeredAt": "2024-05-28T22:54:48.812Z",
    "registeredBy": "arn:aws:sts::redacted:assumed-role/Admin/test",
    "tags": []
}
  • Verified in the ECS console for the running task under Environment Variables and Files that the env file was attached to the container.
  • Logged onto the running container using docker exec -it <container_id> sh and executed the following commands to access the values defined in the env files
/ # echo $TEST1
ABC
/ # echo $TEST2
XYZ
  • Verified using the logs that FIPS S3 Endpoints are being used
/var/log/ecs/ecs-agent.log.2024-06-10-18:level=debug time=2024-06-10T18:35:24Z msg="FIPS mode detected, using FIPS-compliant S3 endpoint"
/var/log/ecs/ecs-agent.log.2024-06-10-18:level=debug time=2024-06-10T18:35:24Z msg="FIPS mode detected, using virtual-host–style URLs for bucket location"

New tests cover the changes:
Yes

Description for the changelog

S3 config changes to use S3 FIPS endpoints on FIPS hosts
Does this PR include breaking model changes? If so, have you added transformation functions?

No

References

Licensing

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@harishxr harishxr marked this pull request as ready for review June 10, 2024 18:55
@harishxr harishxr requested a review from a team as a code owner June 10, 2024 18:55
@harishxr harishxr changed the title [WIP] S3 config changes to use S3 FIPS endpoints on FIPS hosts S3 config changes to use S3 FIPS endpoints on FIPS hosts Jun 10, 2024
mye956
mye956 previously approved these changes Jun 11, 2024
agent/s3/factory/factory.go (review thread, outdated)
agent/s3/factory/factory.go (review thread, outdated)
@harishxr harishxr merged commit d458d6b into aws:dev Jun 13, 2024
40 checks passed
@prateekchaudhry prateekchaudhry mentioned this pull request Jun 13, 2024