Adding FIPS 140-2 Support to EKS AMI #898
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
stanhu
force-pushed
the
sh-add-fips-builds
branch
from
cdb1629
to
95c6f83
Compare
This adds support for enabling FIPS 140-2 mode in the Kernel. FIPS 140-2 is required by customers looking to achieve FedRAMP and/or DoD CC SRG compliance. This brings awslabs#513 up to date with the latest master.
stanhu
force-pushed
the
sh-add-fips-builds
branch
from
95c6f83
to
2d11350
Compare
|
It seems https://github.com/aws-samples/amazon-eks-custom-amis/blob/10a7d51686982cb67f7695f72cac74e41eaa7eed/files/functions.sh#L459-L481 might already do this for RHEL. |
|
You'll need to update the pause container to be fulled from the |
I've been told that that repo is not maintained. So it might work but isn't permanent and won't get updated. Unless AWS can give maintainer permissions to people outside AWS. |
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 6, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips_mode` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips_mode` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 9, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 9, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 9, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 10, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `enable_fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 10, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `enable_fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
AlexSchultz-clumio
added a commit
to AlexSchultz-clumio/amazon-eks-ami
that referenced
this pull request
Oct 10, 2023
Addresses awslabs#1002. Description of Changes: Based on awslabs#1028 which was based on awslabs#898. This change adds a new variable called `enable_fips` which will install openssl and enable fips mode as a kernel paramter on boot. Additionally fips mode can be enabled while running make by setting `enable_fips=true` on the command line which will add `-fips` to the ami name and set `enable_fips` to `true` when building.
|
This is implemented in #1458. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
This adds support for enabling FIPS 140-2 mode in the Kernel. FIPS 140-2 is required by customers looking to achieve FedRAMP and/or DoD CC SRG compliance.
This brings up to date with the latest master.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.