From e9295897785fe3701e0c5fee5248d808c9444e96 Mon Sep 17 00:00:00 2001
From: Trivikram Kamat <16024985+trivikr@users.noreply.github.com>
Date: Tue, 16 Nov 2021 10:20:14 -0800
Subject: [PATCH] chore(s3util): add allowFipsEndpoint option in validateArnRegion (#3962)

---
 .../next-release/feature-s3util-4a5bd10b.json | 5 +++++
 lib/services/s3util.js | 19 ++++++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 .changes/next-release/feature-s3util-4a5bd10b.json

diff --git a/.changes/next-release/feature-s3util-4a5bd10b.json b/.changes/next-release/feature-s3util-4a5bd10b.json
new file mode 100644
index 0000000000..1a0649c9de
--- /dev/null
+++ b/.changes/next-release/feature-s3util-4a5bd10b.json
@@ -0,0 +1,5 @@
+{
+ "type": "feature",
+ "category": "s3util",
+ "description": "Add allowFipsEndpoint option in validateArnRegion"
+}
\ No newline at end of file
diff --git a/lib/services/s3util.js b/lib/services/s3util.js
index 1ec008cd8a..c2d0880f1d 100644
--- a/lib/services/s3util.js
+++ b/lib/services/s3util.js
@@ -132,11 +132,16 @@ var s3util = {
 /**
 * Validate region field in ARN supplied in Bucket parameter is a valid region
 */
- validateArnRegion: function validateArnRegion(req) {
+ validateArnRegion: function validateArnRegion(req, options) {
+ if (options === undefined) {
+ options = {};
+ }
+
 var useArnRegion = s3util.loadUseArnRegionConfig(req);
 var regionFromArn = req._parsedArn.region;
 var clientRegion = req.service.config.region;
 var useFipsEndpoint = req.service.config.useFipsEndpoint;
+ var allowFipsEndpoint = options.allowFipsEndpoint || false;

 if (!regionFromArn) {
 throw AWS.util.error(new Error(), {
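Review bot: The JSDoc above `validateArnRegion` is unchanged although the signature gains `options`, so the flag that switches off the FIPS compatibility guard is undocumented. I would add `@param {Object} [options]` and `@param {boolean} [options.allowFipsEndpoint=false]`, with a sentence saying that a caller who sets it is responsible for resolving a FIPS-capable endpoint for the ARN. The defaulting only handles `undefined`, so a `null` argument throws a TypeError on `options.allowFipsEndpoint`, and `|| false` lets any truthy value (a non-empty string, for instance) relax the guard. `options = options || {};` followed by `var allowFipsEndpoint = options.allowFipsEndpoint === true;` keeps the check closed unless the caller opts in explicitly. The function body continues past the end of this hunk.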
@@ -145,16 +150,20 @@ var s3util = {
 });
 }

- if (
- useFipsEndpoint ||
- regionFromArn.indexOf('fips') >= 0
- ) {
+ if (useFipsEndpoint && !allowFipsEndpoint) {
 throw AWS.util.error(new Error(), {
 code: 'InvalidConfiguration',
 message: 'ARN endpoint is not compatible with FIPS region'
 });
 }

+ if (regionFromArn.indexOf('fips') >= 0) {
+ throw AWS.util.error(new Error(), {
+ code: 'InvalidConfiguration',
+ message: 'FIPS region not allowed in ARN'
+ });
+ }
+
 if (!useArnRegion && regionFromArn !== clientRegion) {
 throw AWS.util.error(new Error(), {
 code: 'InvalidConfiguration',
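Review bot: Neither new path through this guard has a test in the patch, since the diffstat lists only `lib/services/s3util.js` and the changelog entry. One case to cover is `useFipsEndpoint` true with `allowFipsEndpoint` true, which no longer throws; the other is the now-separate `FIPS region not allowed in ARN` error, which should still fire when the option is set. Once the first guard is bypassed, nothing in the visible lines confirms that the ARN request is actually sent to a FIPS endpoint, so that assurance rests on callers not shown here. A short comment above the first `if`, such as `// callers passing allowFipsEndpoint must resolve a FIPS endpoint for the ARN themselves`, would make that contract explicit. The function starts before and continues after this hunk.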