From 7e7f4245a4d254cb8d6f9c0de1854c7262f75eed Mon Sep 17 00:00:00 2001
From: Carlo Costino
Date: Thu, 10 Aug 2023 18:05:40 -0400
Subject: [PATCH 1/3] Switch to using FIPS-enabled endpoints

This changeset switches AWS service touchpoints to use their FIPS-enabled counterparts. Note that S3 has some specific configuration associated with it.

This changeset also updates our allow ACLs to cover the FIPS-enabled endpoints. We should investigate removing the non-FIPS endpoints as a part of this.

Signed-off-by: Carlo Costino
---
 app/s3_client/__init__.py | 18 +++++++++++++++++-
 .../egress_proxy/notify-admin-demo.allow.acl | 4 ++++
 .../notify-admin-production.allow.acl | 2 ++
 .../notify-admin-staging.allow.acl | 4 ++++
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/app/s3_client/__init__.py b/app/s3_client/__init__.py
index 4b64f0f5c..c7b707944 100644
--- a/app/s3_client/__init__.py
+++ b/app/s3_client/__init__.py
@@ -1,7 +1,18 @@
 import botocore
 from boto3 import Session
+from botocore.config import Config
 from flask import current_app
 
+AWS_CLIENT_CONFIG = Config(
+    # This config is required to enable S3 to connect to FIPS-enabled
+    # endpoints. See https://aws.amazon.com/compliance/fips/ for more
+    # information.
+    s3={
+        'addressing_style': 'virtual',
+    },
+    use_fips_endpoint=True
+)
+
 
 def get_s3_object(
     bucket_name,
@@ -11,7 +22,12 @@ def get_s3_object(
     region,
 ):
     # To inspect contents: obj.get()['Body'].read().decode('utf-8')
-    session = Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
+    session = Session(
+        aws_access_key_id=access_key,
+        aws_secret_access_key=secret_key,
+        region_name=region,
+        config=AWS_CLIENT_CONFIG
+    )
     s3 = session.resource('s3')
     obj = s3.Object(bucket_name, filename)
     return obj
diff --git a/deploy-config/egress_proxy/notify-admin-demo.allow.acl b/deploy-config/egress_proxy/notify-admin-demo.allow.acl
index 4718f99e7..9e85d0426 100644
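Review bot: `AWS_CLIENT_CONFIG` is only handed to the S3 resource in this file, so the FIPS endpoint selection covers S3 alone even though the commit message speaks of AWS service touchpoints generally; any other boto3 clients built elsewhere in the app (not visible here) would keep resolving to the standard endpoints, whereas the process-wide `AWS_USE_FIPS_ENDPOINT` environment variable would apply to every client and leave this `Config` for the S3-specific `addressing_style`. The comment on the constant says the setting is required but not why; something like `# NOTE: the s3-fips.<region> endpoints are used with virtual-hosted (bucket-as-subdomain) addressing rather than path-style — see the FIPS doc above; confirm before changing` would tell a maintainer what breaks if it is removed. Relatedly, the allow-list hunks in this patch add the bare `s3-fips.<region>.amazonaws.com` hosts, while virtual-hosted addressing sends requests to `<bucket>.`-prefixed hostnames, so whether the egress proxy matches on domain suffix deserves a check (the third patch in the series drops these entries again). Keep in mind that `use_fips_endpoint=True` only changes which hostname is contacted; whether the TLS stack itself is FIPS-validated depends on the runtime's crypto library, which this change does not address.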
--- a/deploy-config/egress_proxy/notify-admin-demo.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-demo.allow.acl
@@ -1,2 +1,6 @@
+s3-fips.us-east-1.amazonaws.com
+s3-fips.us-east-2.amazonaws.com
+s3-fips.us-west-1.amazonaws.com
+s3-fips.us-west-2.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-demo.apps.internal
diff --git a/deploy-config/egress_proxy/notify-admin-production.allow.acl b/deploy-config/egress_proxy/notify-admin-production.allow.acl
index 2173a6b4b..0e791d984 100644
--- a/deploy-config/egress_proxy/notify-admin-production.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.allow.acl
@@ -1,2 +1,4 @@
+s3-fips.us-gov-east-1.amazonaws.com
+s3-fips.us-gov-west-1.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-production.apps.internal
diff --git a/deploy-config/egress_proxy/notify-admin-staging.allow.acl b/deploy-config/egress_proxy/notify-admin-staging.allow.acl
index d329f111d..47d49fe1a 100644
--- a/deploy-config/egress_proxy/notify-admin-staging.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-staging.allow.acl
@@ -1,2 +1,6 @@
+s3-fips.us-east-1.amazonaws.com
+s3-fips.us-east-2.amazonaws.com
+s3-fips.us-west-1.amazonaws.com
+s3-fips.us-west-2.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-staging.apps.internal

From bb1c90ff3419bcb629fc0c48d3ec48e7d9734458 Mon Sep 17 00:00:00 2001
From: Carlo Costino
Date: Thu, 10 Aug 2023 18:27:35 -0400
Subject: [PATCH 2/3] Fix use of botocore Config object

Signed-off-by: Carlo Costino
---
 app/s3_client/__init__.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/s3_client/__init__.py b/app/s3_client/__init__.py
index c7b707944..540366200 100644
--- a/app/s3_client/__init__.py
+++ b/app/s3_client/__init__.py
@@ -25,10 +25,9 @@ def get_s3_object(
     session = Session(
         aws_access_key_id=access_key,
         aws_secret_access_key=secret_key,
-        region_name=region,
-        config=AWS_CLIENT_CONFIG
+        region_name=region
     )
-    s3 = session.resource('s3')
+    s3 = session.resource('s3', config=AWS_CLIENT_CONFIG)
     obj = s3.Object(bucket_name, filename)
     return obj
 

From 97dff0a92c81b6553b5cc0f0b604c7c17bdfa290 Mon Sep 17 00:00:00 2001
From: Carlo Costino
Date: Mon, 14 Aug 2023 17:03:18 -0400
Subject: [PATCH 3/3] Remove unnecessary ACL config additions

Signed-off-by: Carlo Costino
---
 deploy-config/egress_proxy/notify-admin-demo.allow.acl | 4 ----
 deploy-config/egress_proxy/notify-admin-production.allow.acl | 2 --
 deploy-config/egress_proxy/notify-admin-staging.allow.acl | 4 ----
 3 files changed, 10 deletions(-)

diff --git a/deploy-config/egress_proxy/notify-admin-demo.allow.acl b/deploy-config/egress_proxy/notify-admin-demo.allow.acl
index 9e85d0426..4718f99e7 100644
--- a/deploy-config/egress_proxy/notify-admin-demo.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-demo.allow.acl
@@ -1,6 +1,2 @@
-s3-fips.us-east-1.amazonaws.com
-s3-fips.us-east-2.amazonaws.com
-s3-fips.us-west-1.amazonaws.com
-s3-fips.us-west-2.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-demo.apps.internal
diff --git a/deploy-config/egress_proxy/notify-admin-production.allow.acl b/deploy-config/egress_proxy/notify-admin-production.allow.acl
index 0e791d984..2173a6b4b 100644
--- a/deploy-config/egress_proxy/notify-admin-production.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.allow.acl
@@ -1,4 +1,2 @@
-s3-fips.us-gov-east-1.amazonaws.com
-s3-fips.us-gov-west-1.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-production.apps.internal
diff --git a/deploy-config/egress_proxy/notify-admin-staging.allow.acl b/deploy-config/egress_proxy/notify-admin-staging.allow.acl
index 47d49fe1a..d329f111d 100644
--- a/deploy-config/egress_proxy/notify-admin-staging.allow.acl
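Review bot: Nothing pins the effect of `s3 = session.resource('s3', config=AWS_CLIENT_CONFIG)`, so a misconfigured region or a botocore upgrade that stops honouring the option would silently fall back to the non-FIPS endpoint; a unit test asserting the resolved endpoint, e.g. `assert get_s3_object(...).meta.client.meta.endpoint_url.startswith('https://s3-fips.')`, would catch that regression without any network access. The rewritten `Session(...)` call drops the trailing comma after `region_name=region`, which differs from the multi-line call style the previous commit introduced. `get_s3_object` starts before this hunk, so its full parameter list is not visible here.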
+++ b/deploy-config/egress_proxy/notify-admin-staging.allow.acl
@@ -1,6 +1,2 @@
-s3-fips.us-east-1.amazonaws.com
-s3-fips.us-east-2.amazonaws.com
-s3-fips.us-west-1.amazonaws.com
-s3-fips.us-west-2.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-admin-staging.apps.internal