fix: enable node-fips compatible body checksums for S3
mrgrain committed Oct 24, 2024
1 parent 8d06824 commit d822edb
Showing 1 changed file with 12 additions and 1 deletion.
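--- a/packages/aws-cdk/lib/api/aws-auth/sdk.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk.ts
@@ -174,7 +174,18 @@ export class SDK implements ISDK {
 }
 
 public s3(): AWS.S3 {
-return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+return this.wrapServiceErrorHandling(new AWS.S3({
+// In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+// However by default the S3 client is using an MD5 checksum for content integrity checking.
+// While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+// in practice it is just easier to use an allowed checksum mechanism.
+// We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+// SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+// of the AWS SDKv3 and is a safe choice for all users.
+s3DisableBodySigning: false,
+computeChecksums: false,
+...this.config,
+}));
 }
 
 public route53(): AWS.Route53 {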
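Review bot: Because `...this.config` is spread after `s3DisableBodySigning: false` and `computeChecksums: false` in `s3()`, any value for either key already present in `this.config` silently overrides the FIPS-compatible defaults. Whether `this.config` can carry those keys is not visible in this hunk, but if it can, one stray `computeChecksums: true` restores the MD5 path, or `s3DisableBodySigning: true` leaves uploads with neither checksum. If caller precedence is intended, say so in the comment, e.g. `// this.config is spread last on purpose: explicit settings win over these defaults`; otherwise move `...this.config,` above the two options. The comment's claim that SHA-256 body signing replaces the MD5 check holds only while the client signs with SigV4, so that assumption is worth stating there as well. A unit test asserting the effective values of both options on the constructed client would keep this from regressing.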
