From 290a499f31413bd71eece4ad9f196eb5993747a9 Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Thu, 24 Oct 2024 19:44:15 +0100
Subject: [PATCH 1/2] fix: enable node-fips compatible body checksums for S3 (#31883)

Internal reference: D166315367

In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. However by default the S3 client is using an MD5 checksum for content integrity checking. This causes any S3 upload operation to fail with a cryptography error. We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior of the AWS SDKv3 and is a safe choice for all users. For non-FIPS users, we have verified functionality via cli-integ-tests. For FIPS users, we have manually verified `cdk deploy` is now working in a FIPS enabled environment. We have also verified the configuration with the affected customer.

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/integ-runner/package.json | 3 +-
 packages/aws-cdk/lib/api/aws-auth/sdk.ts | 13 ++++++-
 packages/aws-cdk/package.json | 2 +-
 yarn.lock | 38 +++++----------------
 4 files changed, 23 insertions(+), 33 deletions(-)

diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json
index fef13773ed7aa..5ab742258adbd 100644
--- a/packages/@aws-cdk/integ-runner/package.json
+++ b/packages/@aws-cdk/integ-runner/package.json
@@ -74,9 +74,8 @@
 "@aws-cdk/cloud-assembly-schema": "^38.0.0",
 "@aws-cdk/cloudformation-diff": "0.0.0",
 "@aws-cdk/cx-api": "0.0.0",
- "cdk-assets": "^2.154.0",
+ "cdk-assets": "^2.155.17",
 "@aws-cdk/aws-service-spec": "^0.1.29",
- "@aws-cdk/cdk-cli-wrapper": "0.0.0",
 "aws-cdk": "0.0.0",
 "chalk": "^4",
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
index 6a78965620c01..fab6d1d3ce4b0 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
@@ -174,7 +174,18 @@ export class SDK implements ISDK {
 }
 public s3(): AWS.S3 {
- return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+ return this.wrapServiceErrorHandling(new AWS.S3({
+ // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+ // However by default the S3 client is using an MD5 checksum for content integrity checking.
+ // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+ // in practice it is just easier to use an allowed checksum mechanism.
+ // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+ // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+ // of the AWS SDKv3 and is a safe choice for all users.
+ s3DisableBodySigning: false,
+ computeChecksums: false,
+ ...this.config,
+ }));
 }
 public route53(): AWS.Route53 {
diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json
index 506da385ff312..202ac715eb2bb 100644
--- a/packages/aws-cdk/package.json
+++ b/packages/aws-cdk/package.json
@@ -104,7 +104,7 @@
 "archiver": "^5.3.2",
 "aws-sdk": "^2.1691.0",
 "camelcase": "^6.3.0",
- "cdk-assets": "^2.155.0",
+ "cdk-assets": "^2.155.17",
 "cdk-from-cfn": "^0.162.0",
 "chalk": "^4",
 "chokidar": "^3.6.0",
diff --git a/yarn.lock b/yarn.lock
index a14ce1ed93150..f5c2805c1038d 100644
--- a/yarn.lock
+++ b/yarn.lock
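Review bot: The `...this.config` spread on the last line of the new object literal comes after the two explicit options, so any `computeChecksums` or `s3DisableBodySigning` key carried in `this.config` silently wins and puts the client back on the Content-MD5 path the comment says is being avoided. If that override is intended it should be stated in the comment; if not, spread first so the FIPS-compatible values take precedence: `...this.config,` then `s3DisableBodySigning: false,` then `computeChecksums: false,`. Where `this.config` is assembled, and the rest of the enclosing `SDK` class, is outside this hunk, so I cannot tell whether it can carry those keys. The comment's middle claim that MD5 use is "technically allowed in FIPS" contradicts its own first sentence that the crypto module does not provide MD5 in FIPS mode; I would replace those two lines with `// Node's FIPS mode rejects MD5 in the crypto module regardless of purpose, so it must be avoided entirely.` Note also that S3 operations whose API model marks Content-MD5 as required may still compute an MD5 regardless of `computeChecksums` — presumably not on the `cdk deploy` path that was verified, but worth confirming against the SDK v2 S3 service code before calling this safe for all users.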
@@ -67,17 +67,10 @@
 jsonschema "^1.4.1"
 semver "^7.6.3"
-"@aws-cdk/cx-api@^2.158.0":
- version "2.159.0"
- resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
- integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
- dependencies:
- semver "^7.6.3"
-"@aws-cdk/cx-api@^2.160.0":
- version "2.160.0"
- resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
- integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
+"@aws-cdk/cx-api@^2.163.1":
+ version "2.163.1"
+ resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
+ integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
 dependencies:
 semver "^7.6.3"
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3:
 resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
 integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
-cdk-assets@^2.154.0:
- version "2.154.0"
- resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
- integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
- dependencies:
- "@aws-cdk/cloud-assembly-schema" "^38.0.0"
- "@aws-cdk/cx-api" "^2.158.0"
- archiver "^5.3.2"
- aws-sdk "^2.1691.0"
- glob "^7.2.3"
- mime "^2.6.0"
- yargs "^16.2.0"
-cdk-assets@^2.155.0:
- version "2.155.0"
- resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
- integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
+cdk-assets@^2.155.17:
+ version "2.155.17"
+ resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
+ integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
 dependencies:
 "@aws-cdk/cloud-assembly-schema" "^38.0.1"
- "@aws-cdk/cx-api" "^2.160.0"
+ "@aws-cdk/cx-api" "^2.163.1"
 archiver "^5.3.2"
 aws-sdk "^2.1691.0"
 glob "^7.2.3"

From 476fd9642a58f8b807b2b640d3c77c5be603a638 Mon Sep 17 00:00:00 2001
From: Momo Kornher
Date: Fri, 25 Oct 2024 10:06:48 +0100
Subject: [PATCH 2/2] chore(release): 2.164.1

---
 CHANGELOG.v2.alpha.md | 2 ++
 CHANGELOG.v2.md | 7 +++++++
 version.v2.json | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
index 4801dda8486bd..9038ec97d4f2d 100644
--- a/CHANGELOG.v2.alpha.md
+++ b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.164.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.164.0-alpha.0...v2.164.1-alpha.0) (2024-10-25)
+
 ## [2.164.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.163.1-alpha.0...v2.164.0-alpha.0) (2024-10-24)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index 7c9b0e7c01450..1013b47650314 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+## [2.164.1](https://github.com/aws/aws-cdk/compare/v2.164.0...v2.164.1) (2024-10-25)
+
+ ### Bug Fixes
+ * enable node-fips compatible body checksums for S3 ([#31883](https://github.com/aws/aws-cdk/issues/31883)) ([290a499](https://github.com/aws/aws-cdk/commit/290a499f31413bd71eece4ad9f196eb5993747a9))
+
 ## [2.164.0](https://github.com/aws/aws-cdk/compare/v2.163.1...v2.164.0) (2024-10-24)
diff --git a/version.v2.json b/version.v2.json
index c70824e010f3c..75a35f3583261 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
- "version": "2.164.0",
- "alphaVersion": "2.164.0-alpha.0"
+ "version": "2.164.1",
+ "alphaVersion": "2.164.1-alpha.0"
 }
\ No newline at end of file