AWS Lambda FIPS #29316
Open
AWS Lambda FIPS #29316
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiarian-datadog
requested review from
eightbitzme,
stammetti,
hghotra and
sumedham
apiarian-datadog
force-pushed
the
aleksandr.pasechnik/svls-6807-lambda-fips
branch
from
9d4b409 to
bbd5f7c
Compare
apiarian-datadog
force-pushed
the
aleksandr.pasechnik/svls-6807-lambda-fips
branch
from
bbd5f7c to
a47a9ae
Compare
rtrieu
requested changes
May 14, 2025
apiarian-datadog
force-pushed
the
aleksandr.pasechnik/svls-6807-lambda-fips
branch
from
3a20f90 to
509d70f
Compare
rtrieu
approved these changes
May 14, 2025
apiarian-datadog
force-pushed
the
aleksandr.pasechnik/svls-6807-lambda-fips
branch
from
509d70f to
892c618
Compare
duncanista
reviewed
May 15, 2025
Comment on lines
589
to
596
| # Use this format for x86-based Lambda deployed in AWS GovCloud regions | ||
| arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
|
|
||
| # Use this format for arm64-based Lambda deployed in AWS GovCloud regions | ||
| arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
|
|
||
| # Use this format for x86-based Lambda deployed in AWS commercial regions | ||
| arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
|
|
||
| # Use this format for arm64-based Lambda deployed in AWS commercial regions | ||
| arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
| ``` |
There was a problem hiding this comment.
Use this format for XXXx-based Lambda deployed in AWS XXXX regions seems to verbose, they have to always have to be the same version, so, shouldn't we just add a AWS Commercial and AWS Govcloud instead of the whole explanation?
There was a problem hiding this comment.
sure, can do
duncanista
reviewed
May 15, 2025
| ``` | ||
|
|
||
| 2. For Lambda functions using Python, JavaScript, or Go, set the environment variable `DD_LAMBDA_FIPS_MODE` to `true`. This environment variable: | ||
| - Disables direct metric submission |
There was a problem hiding this comment.
Suggested change
| - Disables direct metric submission | |
| - Disables direct metric submission |
Sounds misleading and might make the customer think that direct metric submission is "metrics disabled"
Maybe we can change it to something more verbose.
There was a problem hiding this comment.
ok, i'll see about rephrasing this
duncanista
reviewed
May 15, 2025
| - Uses AWS FIPS endpoints for API key lookups | ||
| - Is enabled by default in GovCloud environments | ||
|
|
||
| 3. For Lambda functions using Ruby, .NET, or Java, no additional environment variable configuration is needed, as these runtimes do not make direct API calls. |
There was a problem hiding this comment.
Suggested change
| 3. For Lambda functions using Ruby, .NET, or Java, no additional environment variable configuration is needed, as these runtimes do not make direct API calls. | |
| 3. For Lambda functions using Ruby, .NET, or Java, no additional environment variable configuration is needed, as these runtimes do not make direct API calls. |
API calls to where?
There was a problem hiding this comment.
ah, will note that it's Datadog API calls. tho, maybe we don't need to go into those weeds and just say that the layer is basically FIPS-compliant
duncanista
reviewed
May 15, 2025
Comment on lines
+610
to
+607
| - Set the `DD_SITE` to `ddog-gov.com` (required for end-to-end FIPS compliance) | ||
| **Note**: While the FIPS-compliant Lambda components work with any Datadog site, only the US1-FED site has FIPS-compliant intake endpoints. |
There was a problem hiding this comment.
Curious, should we only allow a FIPS-compliant DD endpoint in FIPS-compliant builds?
There was a problem hiding this comment.
the agent does not, so i decided to follow their lead on that.
duncanista
reviewed
May 15, 2025
|
|
||
| 1. **FIPS-Compliant Lambda Extension**: | ||
| - The "compatibility" version of the extension is a Go binary built using the [BoringCrypto FIPS-certified module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4407). | ||
| - The "optimized" version of the extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816). |
There was a problem hiding this comment.
Suggested change
| - The "optimized" version of the extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816). | |
| - The Next Generation Lambda Extension is a Rust binary built with the [AWS-LC FIPS-certified cryptographic module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816). |
Or something similar
Adding quotes to optimized makes me think that its not really optimized 😭
There was a problem hiding this comment.
haha, ya, will fix
duncanista
reviewed
May 15, 2025
Comment on lines
41
to
49
| # For x86-based Lambda deployed in AWS GovCloud regions | ||
| arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
|
|
||
| # For arm64-based Lambda deployed in AWS GovCloud regions | ||
| arn:aws-us-gov:lambda:<AWS_REGION>:002406178527:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
| ``` |
There was a problem hiding this comment.
Same comment as above, you're already specifying that one is ARM and the other is not, and one has ARM in its name, maybe we can remove the verbose comment?
duncanista
reviewed
May 15, 2025
Comment on lines
54
to
59
| # For x86-based Lambda deployed in AWS commercial regions | ||
| arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
|
|
||
| # For arm64-based Lambda deployed in AWS commercial regions | ||
| arn:aws:lambda:<AWS_REGION>:464622532012:layer:Datadog-Extension-ARM-FIPS:{{< latest-lambda-layer-version layer="extension" >}} | ||
| ``` |
Co-authored-by: Rosa Trieu <107086888+rtrieu@users.noreply.github.com>
apiarian-datadog
force-pushed
the
aleksandr.pasechnik/svls-6807-lambda-fips
branch
from
892c618 to
4085021
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do? What is the motivation?
Adds documentation for proper FIPS usage in AWS Lambda
Merge instructions
Merge readiness:
For Datadog employees:
Merge queue is enabled in this repo. Your branch name MUST follow the
<name>/<description>convention and include the forward slash (/). Without this format, your pull request will not pass in CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links.If your branch doesn't follow this format, rename it or create a new branch and PR.
To have your PR automatically merged after it receives the required reviews, add the following PR comment:
Additional notes