awslabs / aws-fluent-plugin-kinesis

Amazon Kinesis output plugin for Fluentd
Apache License 2.0

Support for FIPS endpoint kinesis-fips.us-east-1.amazonaws.com #227

Open kevinsookocheff-wf opened 9 months ago

kevinsookocheff-wf commented 9 months ago

Is there a way to call FIPS compliant Kinesis endpoints using this plugin?

We have requirements to use a FIPS compatible endpoint for AWS calls, I tried to enable calling the FIPS endpoints with this plugin using AWS_USE_FIPS_ENDPOINT:

In /etc/sysconfig/td-agent

export AWS_USE_FIPS_ENDPOINT=true

In /etc/systemd/system/td-agent.service.d/override.conf

[Service]
Environment="AWS_USE_FIPS_ENDPOINT=true"
PassEnvironment=AWS_USE_FIPS_ENDPOINT

And by setting the endpoint parameter in configuration to kinesis-fips.us-east-1.amazonaws.com.

No method is able to call the FIPS compliant endpoint.

simukappu commented 9 months ago

Hi, thank you for your feedback! This plugin uses the AWS SDK for Ruby, so AWS_USE_FIPS_ENDPOINT should be valid for using the FIPS compliant endpoint. https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html Can you try just setting AWS_USE_FIPS_ENDPOINT=true as an environment variable?

In addition, we can also specify the use_fips_endpoint option when Aws::Kinesis::Client is initialized. I will add these client configurations to this plugin's parameters.
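The following Ruby is an added example for readers of this issue; it is not code from the plugin, the AWS SDK, or either commenter. It encodes the precedence the linked SDK reference guide documents for the FIPS setting (explicit client option, then the AWS_USE_FIPS_ENDPOINT environment variable, then `use_fips_endpoint` in the shared config file), builds the regional Kinesis hostname that the setting is expected to produce, and gives a check that a resolved endpoint (for example `client.config.endpoint.to_s`, or a hostname seen in DNS or TLS SNI while debugging) really is the `kinesis-fips.<region>.amazonaws.com` form from the title. Function names, the sample values, and the decision to reject any value other than `true`/`false` are this example's own assumptions; the optional live check needs the aws-sdk-kinesis gem and is skipped when it is not installed.

```ruby
# Added example: how the AWS SDK's FIPS-endpoint settings combine, and how to
# verify the resolved Kinesis hostname. Not the plugin's or the SDK's own code;
# function names and sample values are assumptions made for illustration.
require 'uri'

# Precedence as documented in the AWS SDKs and Tools Reference Guide:
#   explicit client option > AWS_USE_FIPS_ENDPOINT env var > shared config file.
# Each layer is true, false, or nil (meaning "not set at this layer").
def fips_enabled?(client_option: nil, env: ENV, shared_config: {})
  return client_option unless client_option.nil?
  env_value = parse_bool(env['AWS_USE_FIPS_ENDPOINT'])
  return env_value unless env_value.nil?
  cfg_value = parse_bool(shared_config['use_fips_endpoint'])
  return cfg_value unless cfg_value.nil?
  false
end

# Only the documented values "true"/"false" are accepted. Rejecting "1", "yes",
# etc. is this example's choice (not necessarily the SDK's behaviour): a typo
# that is silently read as false sends traffic to the non-FIPS endpoint.
def parse_bool(value)
  return nil if value.nil? || value.strip.empty?
  case value.strip.downcase
  when 'true'  then true
  when 'false' then false
  else raise ArgumentError, "AWS_USE_FIPS_ENDPOINT must be true or false, got #{value.inspect}"
  end
end

# Regional Kinesis hostnames in the standard AWS partition:
#   kinesis.<region>.amazonaws.com        (default)
#   kinesis-fips.<region>.amazonaws.com   (FIPS, as in the issue title)
def kinesis_endpoint(region, fips: false)
  host = fips ? "kinesis-fips.#{region}.amazonaws.com" : "kinesis.#{region}.amazonaws.com"
  URI::HTTPS.build(host: host).to_s
end

# Accepts either a full URL or a bare hostname and reports whether it is a
# FIPS Kinesis endpoint. Use it on client.config.endpoint.to_s or on the
# names observed in DNS traffic while troubleshooting.
def fips_endpoint?(endpoint)
  host = endpoint.include?('://') ? URI.parse(endpoint).host : endpoint
  !!(host =~ /\Akinesis-fips\.[a-z0-9-]+\.amazonaws\.com\z/)
end

# Optional live check against the real SDK: build a client with the
# use_fips_endpoint option and read back the endpoint it resolved. Uses
# stub_responses so no request is sent; returns nil when the gem is absent.
def resolved_kinesis_endpoint(region)
  require 'aws-sdk-kinesis'
  client = Aws::Kinesis::Client.new(
    region: region,
    use_fips_endpoint: true,
    credentials: Aws::Credentials.new('AKIDEXAMPLE', 'secretEXAMPLE'), # dummy values
    stub_responses: true
  )
  client.config.endpoint.to_s
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  region = 'us-east-1'
  puts "FIPS enabled from env/config: #{fips_enabled?}"
  puts "expected FIPS endpoint:       #{kinesis_endpoint(region, fips: true)}"
  live = resolved_kinesis_endpoint(region)
  if live
    puts "SDK resolved endpoint:        #{live} (fips? #{fips_endpoint?(live)})"
  else
    puts 'aws-sdk-kinesis not installed; skipping live SDK check'
  end
end
```

Run it under the same environment the td-agent service sees (for example with `systemd-run` against the unit's environment, or from a shell that has sourced /etc/sysconfig/td-agent): if `fips_enabled?` reports false there, the variable never reached the process, which is a different problem from the SDK ignoring it.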

kevinsookocheff-wf commented 9 months ago

So far I have been unable to get the library to use FIPS endpoints when AWS_USE_FIPS_ENDPOINT=true is set as an environment variable. When setting this variable and attempting to verify DNS traffic I see requests continuing to be made to non-FIPS kinesis endpoints.