aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0
1.06k stars 324 forks source link

SSM-Agent not using FIPS endpoints, on FIPS enabled EKS Worker Node #558

Open MikeL-sfdc opened 9 months ago

MikeL-sfdc commented 9 months ago

What happened: When FIPS is enabled on an EKS worker node, the SSM-Agent installed from the amazon-eks-ami is not using FIPS endpoints when making requests between the ec2messages and ssmmessages API endpoints.

What you expected to happen: When sysctl -n crypto.fips_enabled evaluates to 1 on the EKS worker node, requests between the SSM-Agent and the ec2messages + ssmmessages API endpoints would use the FIPS service endpoints.

How to reproduce it (as minimally and precisely as possible): Within /etc/amazon/ssm, editing the amazon-ssm-agent.json.template with the following values and not removing any default keys:

{ ..
  "Mds": { ..
       "Region": "us-gov-east-1",
       "Endpoint": "ec2messages-fips.us-gov-east-1.amazonaws.com"
   },
   "Mgs": { ..
      "Region": "us-gov-east-1",
      "Endpoint": "ssmmessages-fips.us-gov-east-1.amazonaws.com"
   }
}

On a FIPS enabled machine, monitor traffic between the SSM-Agent and the ec2messages + ssmmessages API endpoints. The current default behavior is to not use FIPS service endpoints.

Observing log output from journalctl -u amazon-ssm-agent shows the agent is able to be restarted and is running. The host is still showing as Healthy and is able to be pinged, reporting from the AWS SSM Fleet Manager view.