From 290a499f31413bd71eece4ad9f196eb5993747a9 Mon Sep 17 00:00:00 2001 From: Momo Kornher Date: Thu, 24 Oct 2024 19:44:15 +0100 Subject: [PATCH 1/3] fix: enable node-fips compatible body checksums for S3 (#31883) Internal reference: D166315367 In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. However by default the S3 client is using an MD5 checksum for content integrity checking. This causes any S3 upload operation to fail with a cryptography error. We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior of the AWS SDKv3 and is a safe choice for all users. For non-FIPS users, we have verified functionality via cli-integ-tests. For FIPS users, we have manually verified `cdk deploy` is now working in a FIPS enabled environment. We have also verified the configuration with the affected customer. - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/integ-runner/package.json | 3 +- packages/aws-cdk/lib/api/aws-auth/sdk.ts | 13 ++++++- packages/aws-cdk/package.json | 2 +- yarn.lock | 38 +++++---------------- 4 files changed, 23 insertions(+), 33 deletions(-) diff --git a/packages/@aws-cdk/integ-runner/package.json b/packages/@aws-cdk/integ-runner/package.json index fef13773ed7aa..5ab742258adbd 100644 --- a/packages/@aws-cdk/integ-runner/package.json +++ b/packages/@aws-cdk/integ-runner/package.json 
@@ -74,9 +74,8 @@ "@aws-cdk/cloud-assembly-schema": "^38.0.0", "@aws-cdk/cloudformation-diff": "0.0.0", "@aws-cdk/cx-api": "0.0.0", - "cdk-assets": "^2.154.0", + "cdk-assets": "^2.155.17", "@aws-cdk/aws-service-spec": "^0.1.29", - "@aws-cdk/cdk-cli-wrapper": "0.0.0", "aws-cdk": "0.0.0", "chalk": "^4", diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts index 6a78965620c01..fab6d1d3ce4b0 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts @@ -174,7 +174,18 @@ export class SDK implements ISDK { } public s3(): AWS.S3 { - return this.wrapServiceErrorHandling(new AWS.S3(this.config)); + return this.wrapServiceErrorHandling(new AWS.S3({ + // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. + // However by default the S3 client is using an MD5 checksum for content integrity checking. + // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use), + // in practice it is just easier to use an allowed checksum mechanism. + // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. + // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior + // of the AWS SDKv3 and is a safe choice for all users. + s3DisableBodySigning: false, + computeChecksums: false, + ...this.config, + })); } public route53(): AWS.Route53 { diff --git a/packages/aws-cdk/package.json b/packages/aws-cdk/package.json index 506da385ff312..202ac715eb2bb 100644 --- a/packages/aws-cdk/package.json +++ b/packages/aws-cdk/package.json @@ -104,7 +104,7 @@ "archiver": "^5.3.2", "aws-sdk": "^2.1691.0", "camelcase": "^6.3.0", - "cdk-assets": "^2.155.0", + "cdk-assets": "^2.155.17", "cdk-from-cfn": "^0.162.0", "chalk": "^4", "chokidar": "^3.6.0", diff --git a/yarn.lock b/yarn.lock index a14ce1ed93150..f5c2805c1038d 100644 --- a/yarn.lock +++ b/yarn.lock 
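Review bot: In the new `s3()` body the `...this.config` spread comes after `s3DisableBodySigning: false` and `computeChecksums: false`, so any value for those keys already present in `this.config` silently wins over the FIPS-compatible settings. The two options are coupled: with `computeChecksums: false` and body signing left disabled, an upload would carry neither the MD5 checksum nor a SHA-256 signed payload hash. Whether `this.config` can contain either key is not visible in this hunk. If caller overrides are not intended, spread first with `new AWS.S3({ ...this.config, s3DisableBodySigning: false, computeChecksums: false })`; if they are intended, the comment should say that both keys must be changed together.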
@@ -67,17 +67,10 @@ jsonschema "^1.4.1" semver "^7.6.3" -"@aws-cdk/cx-api@^2.158.0": - version "2.159.0" - resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094" - integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w== - dependencies: - semver "^7.6.3" - -"@aws-cdk/cx-api@^2.160.0": - version "2.160.0" - resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59" - integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw== +"@aws-cdk/cx-api@^2.163.1": + version "2.163.1" + resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e" + integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w== dependencies: semver "^7.6.3" 
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3: resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9" integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ== -cdk-assets@^2.154.0: - version "2.154.0" - resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead" - integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw== - dependencies: - "@aws-cdk/cloud-assembly-schema" "^38.0.0" - "@aws-cdk/cx-api" "^2.158.0" - archiver "^5.3.2" - aws-sdk "^2.1691.0" - glob "^7.2.3" - mime "^2.6.0" - yargs "^16.2.0" - -cdk-assets@^2.155.0: - version "2.155.0" - resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf" - integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA== +cdk-assets@^2.155.17: + version "2.155.17" + resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5" + integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA== dependencies: "@aws-cdk/cloud-assembly-schema" "^38.0.1" - "@aws-cdk/cx-api" "^2.160.0" + "@aws-cdk/cx-api" "^2.163.1" archiver "^5.3.2" aws-sdk "^2.1691.0" glob "^7.2.3" From 476fd9642a58f8b807b2b640d3c77c5be603a638 Mon Sep 17 00:00:00 2001 From: Momo Kornher Date: Fri, 25 Oct 2024 10:06:48 +0100 Subject: [PATCH 2/3] chore(release): 2.164.1 --- CHANGELOG.v2.alpha.md | 2 ++ CHANGELOG.v2.md | 7 +++++++ version.v2.json | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md index 4801dda8486bd..9038ec97d4f2d 100644 --- a/CHANGELOG.v2.alpha.md +++ b/CHANGELOG.v2.alpha.md 
@@ -2,6 +2,8 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.164.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.164.0-alpha.0...v2.164.1-alpha.0) (2024-10-25) + ## [2.164.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.163.1-alpha.0...v2.164.0-alpha.0) (2024-10-24) diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md index 7c9b0e7c01450..1013b47650314 100644 --- a/CHANGELOG.v2.md +++ b/CHANGELOG.v2.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## [2.164.1](https://github.com/aws/aws-cdk/compare/v2.164.0...v2.164.1) (2024-10-25) + + +### Bug Fixes + +* enable node-fips compatible body checksums for S3 ([#31883](https://github.com/aws/aws-cdk/issues/31883)) ([290a499](https://github.com/aws/aws-cdk/commit/290a499f31413bd71eece4ad9f196eb5993747a9)) + ## [2.164.0](https://github.com/aws/aws-cdk/compare/v2.163.1...v2.164.0) (2024-10-24) diff --git a/version.v2.json b/version.v2.json index c70824e010f3c..75a35f3583261 100644 --- a/version.v2.json +++ b/version.v2.json @@ -1,4 +1,4 @@ { - "version": "2.164.0", - "alphaVersion": "2.164.0-alpha.0" + "version": "2.164.1", + "alphaVersion": "2.164.1-alpha.0" } \ No newline at end of file From bb9275ca23c5b93fa7d7b6d1340027d42e6e47af Mon Sep 17 00:00:00 2001 From: Momo Kornher Date: Fri, 25 Oct 2024 14:19:47 +0100 Subject: [PATCH 3/3] fix(cli): disable FIPS support for garbage collection Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum. GC is using them, so we will temporarily disable the feature in FIPS environments. --- packages/aws-cdk/lib/api/aws-auth/sdk.ts | 31 ++++++++++++++----- .../garbage-collection/garbage-collector.ts | 15 ++++++++- 2 files changed, 37 insertions(+), 9 deletions(-) 
diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk.ts b/packages/aws-cdk/lib/api/aws-auth/sdk.ts index fab6d1d3ce4b0..f37cb02159ae1 100644 --- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts +++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts @@ -21,6 +21,16 @@ if (!regionUtil.getEndpointSuffix) { throw new Error('This version of AWS SDK for JS does not have the \'getEndpointSuffix\' function!'); } +export interface S3ClientOptions { + /** + * If APIs are used that require MD5 checksums. + * + * Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum. + * These APIs are not going to be supported in a FIPS environment. + */ + needsMd5Checksums?: boolean; +} + export interface ISDK { /** * The region this SDK has been instantiated for @@ -56,7 +66,7 @@ export interface ISDK { ec2(): AWS.EC2; iam(): AWS.IAM; ssm(): AWS.SSM; - s3(): AWS.S3; + s3(options?: S3ClientOptions): AWS.S3; route53(): AWS.Route53; ecr(): AWS.ECR; ecs(): AWS.ECS; 
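Review bot: The doc comment on `needsMd5Checksums` in `S3ClientOptions` does not say what the option changes on the client, what its default is, or which APIs need it. A reader of `ISDK.s3(options?)` cannot tell that leaving it unset is the FIPS-compatible path, or that setting it to `true` returns a client that will fail where MD5 is unavailable. I would reword the summary to `Keep the SDK's default MD5 body checksums for this client.`, name the affected API (the garbage-collector hunk in this patch mentions DeleteObjects), and add `@default false`.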
@@ -173,19 +183,24 @@ export class SDK implements ISDK { return this.wrapServiceErrorHandling(new AWS.SSM(this.config)); } - public s3(): AWS.S3 { - return this.wrapServiceErrorHandling(new AWS.S3({ + public s3({ + needsMd5Checksums: apiRequiresMd5Checksum = false, + }: S3ClientOptions = {}): AWS.S3 { + const config = { ...this.config }; + + if (!apiRequiresMd5Checksum) { // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module. // However by default the S3 client is using an MD5 checksum for content integrity checking. // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use), // in practice it is just easier to use an allowed checksum mechanism. // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing. // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior - // of the AWS SDKv3 and is a safe choice for all users. - s3DisableBodySigning: false, - computeChecksums: false, - ...this.config, - })); + // of the AWS SDKv3 and is a safe choice for all users, except in the above APIs. + config.s3DisableBodySigning = false; + config.computeChecksums = false; + } + + return this.wrapServiceErrorHandling(new AWS.S3(config)); } public route53(): AWS.Route53 { diff --git a/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts b/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts index 7fe512805e0fc..c51c55411f78b 100644 --- a/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts +++ b/packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts @@ -1,3 +1,4 @@ +import * as crypto from 'node:crypto'; import * as cxapi from '@aws-cdk/cx-api'; import { S3 } from 'aws-sdk'; import * as chalk from 'chalk'; 
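Review bot: The `needsMd5Checksums: true` path through `s3()` has no FIPS check of its own; the only guard is the `crypto.getFips() === 1` test in garbage-collector.ts, so a later caller that sets the option would get the raw crypto failure instead of a clear refusal. Consider guarding here as well, `if (apiRequiresMd5Checksum && crypto.getFips() === 1) { throw new Error('This S3 API is not supported in FIPS environments'); }`, which would need `node:crypto` imported in sdk.ts (its import block is not visible in this hunk). Separately, the comment inside the `if (!apiRequiresMd5Checksum)` branch now ends with "except in the above APIs", but nothing above it in the method names an API. Spell it out, for example `// ... a safe choice for all users, except for APIs that still require an MD5 checksum (currently DeleteObjects).`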
@@ -162,7 +163,19 @@ export class GarbageCollector { // SDKs const sdk = (await this.props.sdkProvider.forEnvironment(this.props.resolvedEnvironment, Mode.ForWriting)).sdk; const cfn = sdk.cloudFormation(); - const s3 = sdk.s3(); + + // Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum. + // These APIs are not going to be supported in a FIPS environment. + // We fail with a nice error message. + // Once we switch this code to SDKv3, this can be made work again by adding + // `ChecksumAlgorithm: 'SHA256'` to the affected APIs. + // Currently known to affect only DeleteObjects (note the plural) + if (crypto.getFips() === 1) { + throw new Error('Garbage Collection is currently not supported in FIPS environments'); + } + const s3 = sdk.s3({ + needsMd5Checksums: true, + }); const qualifier = await this.bootstrapQualifier(sdk, this.bootstrapStackName); const activeAssets = new ActiveAssetCache();
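Review bot: The FIPS guard runs only after `forEnvironment(..., Mode.ForWriting)` and `sdk.cloudFormation()` have already executed, so in a FIPS environment the command resolves write-mode credentials before refusing to run. Moving the `if (crypto.getFips() === 1)` check above the `// SDKs` line makes the refusal happen before any credential lookup. The enclosing method starts outside this hunk, so the check may belong at its very top. The message would also be easier to act on if it named the cause, e.g. `'Garbage Collection is currently not supported in FIPS environments (S3 DeleteObjects requires an MD5 checksum)'`.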