Feature Request: Let users enable FIPS mode instead of default AWS endpoints for API calls #583
Comments
Hi @defionscode, we already have service endpoints with FIPS deployed to all regions. Exactly as you mentioned, you can try:
- cognito-identity-fips.us-east-1.amazonaws.com
- cognito-idp-fips.us-east-1.amazonaws.com
- <your_user_pool_domain>.auth-fips.us-east-1.amazoncognito.com

well yes, but how do you ensure that aws-amplify leverages those endpoints

@mlabieniec, does aws-amplify Auth leverage these endpoints?
To clarify my request, while my desire is for Auth, this enhancement should ideally be implemented for the other things like Storage, etc. Any amplify thing that also has FIPS endpoints available under the hood. @yuntuowang it is not currently implemented since amplify just uses the implicit default endpoint for aws APIs. For example, take a look here: Notice how it calls the

```typescript
const userPoolData: ICognitoUserPoolData = {
    UserPoolId: userPoolId,
    ClientId: userPoolWebClientId,
};
if (cookieStorage) {
    userPoolData.Storage = new CookieStorage(cookieStorage);
}
```

Now take a look at the actual definition of that constructor here https://github.com/aws/aws-amplify/blob/297c0b5c286d095d895a9a14191cfe7b2fee44c8/packages/amazon-cognito-identity-js/es/CognitoUserPool.js#L38-L58 Notice how

I hope this helps. Like I said, I'm happy to contribute this feature. The two design paths can be to make a simple boolean flag in config which would automatically set up fips endpoints, OR, a bit more complex, to allow for fully customizable endpoints for all underlying api calls, which might make for some ugly mapping for users that wish to leverage it. I suppose both things could be implemented independent of each other too.

oh and to be clear, no, aws does not implicitly use endpoints with fips validated encryption

@defionscode I think what you are proposing makes sense, i.e. make a simple boolean flag in config which would automatically set up fips endpoints. I think it would be good to add this to the url generation within the section you outlined there that generates the URL. It looks like we can similarly use the region generated and the prefixes. Feel free to submit the pr for review and thank you.
Just to clarify, we're going the fips boolean flag route as opposed to completely customizable endpoint selection, right?
I think that's the simplest way to start here and support the feature without needing to do too much refactoring on the existing functionality. Only thing I'd note is that the config values are generally camelCased so instead of

I agree. I'll get started on this soon. Thanks for the feedback.
Just an update. This is still on our roadmap to tackle but it's taken a backseat for the time being. I still plan to have this contributed.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@defionscode I am going to close this FR since the last update from yourself was April of 2018. We are still open to a PR! Please feel free to reopen once a PR is created for this or you are still looking for this use case. Thanks ahead of time

I'm still looking for this use case. :)
Updating here for the changes I would like to contribute, following the suggested approach above, to have a fips flag set so that the cognito-idp-fips endpoint is called. Use case is that, through a security check, a man-in-the-middle attack could possibly downgrade the call to the cognito-idp endpoint as cognito still allows the TLS 1.0 protocol. Suggested changes would be as follows:

I have tested the above changes locally and was able to see that by setting fipsEnabled to true via the config options in a project, the FIPS endpoint was called.
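The flag-based design discussed in this thread (a single fipsEnabled boolean rather than fully customizable endpoints), as an added example that is not aws-amplify code: it derives the Cognito endpoints from the region and the flag using the host patterns quoted above, and when the flag is set it fails closed if any resolved endpoint is not a FIPS host instead of silently falling back. The config keys region, userPoolId, userPoolWebClientId and oauth.domain follow Amplify's Auth config naming; fipsEnabled, the helper names and the sample values are assumptions.

```javascript
// Added example, not aws-amplify code. Resolves Cognito endpoints from an
// Amplify-style Auth config plus a hypothetical `fipsEnabled` boolean, using
// the FIPS host patterns quoted in this thread. No network calls are made.

// service label -> its FIPS variant (prefix swap, same region and suffix)
const FIPS_LABEL = {
  'cognito-idp': 'cognito-idp-fips',
  'cognito-identity': 'cognito-identity-fips',
};

function cognitoEndpoint(service, { region, fipsEnabled = false }) {
  if (!(service in FIPS_LABEL)) throw new Error(`unknown Cognito service: ${service}`);
  if (!region) throw new Error('region is required to build an endpoint');
  const label = fipsEnabled ? FIPS_LABEL[service] : service;
  return `https://${label}.${region}.amazonaws.com`;
}

// Hosted UI: <user_pool_domain>.auth[-fips].<region>.amazoncognito.com
function hostedUiEndpoint(userPoolDomain, { region, fipsEnabled = false }) {
  const auth = fipsEnabled ? 'auth-fips' : 'auth';
  return `https://${userPoolDomain}.${auth}.${region}.amazoncognito.com`;
}

// True only when the service label itself is a FIPS label, so a user pool
// domain that merely contains "-fips" cannot satisfy the check.
function isFipsHost(hostname) {
  const labels = hostname.split('.');
  if (hostname.endsWith('.amazoncognito.com')) return labels[1] === 'auth-fips';
  return labels[0].endsWith('-fips');
}

// Resolve every endpoint Auth would talk to; with the flag set, refuse any
// resolved host that is not a FIPS host rather than downgrading quietly.
function resolveAuthEndpoints(config) {
  const endpoints = {
    userPool: cognitoEndpoint('cognito-idp', config),
    identity: cognitoEndpoint('cognito-identity', config),
  };
  if (config.oauth && config.oauth.domain) {
    endpoints.hostedUi = hostedUiEndpoint(config.oauth.domain, config);
  }
  if (config.fipsEnabled) {
    for (const url of Object.values(endpoints)) {
      const host = new URL(url).hostname;
      if (!isFipsHost(host)) throw new Error(`FIPS required but ${host} is not a FIPS host`);
    }
  }
  return endpoints;
}

// Constructed sample config (Amplify-style keys; values are placeholders).
const sampleConfig = {
  region: 'us-east-1',
  userPoolId: 'us-east-1_EXAMPLE',
  userPoolWebClientId: 'exampleclientid',
  oauth: { domain: 'example-app' },
  fipsEnabled: true,
};
```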
@sammartinez Is there any update planned to properly integrate GovCloud support across the platform?

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server
Do you want to request a feature or report a bug?
Feature
What is the current behavior?
Skimming through the code and looking through the docs, there doesn't seem to be a way to overwrite the endpoint used by amplify for a given thing. For example, I need to use endpoints with FIPS validated TLS which can be found here https://aws.amazon.com/compliance/fips/. But there is no clean way for me to leverage this.
What is the expected behavior?
My desire would be for the Config settings to allow custom endpoint options or a toggle to use fips. For example, with cognito it would be
A possible interface could be something like
I'm happy to help contribute this, but would want to get a green-light on design. I think the path of least resistance would be to implement a fips toggle rather than to allow any custom endpoint.