
FIPS 140 on OpenSearch Domain Endpoint

1

Hello. I'm trying to figure out what the FIPS compliant endpoint for the Domain Endpoint is. This is the Domain Endpoint, not the AWS API Endpoint. The documentation says that the FIPS endpoint should be es-fips.us-east-2.amazonaws.com. The problem is that the Domain Endpoint's name isn't in DNS for the FIPS endpoint. Let's say the AWS API lists my Domain endpoint as example-abcdefghijklmnop1234567890.us-east-2.es.amazonaws.com. I'd think I could point my app to https://example-abcdefghijklmnop1234567890.es-fips.us-east-2.amazonaws.com to use the FIPS Domain Endpoint, but that name does not exist in DNS. I also tried example-abcdefghijklmnop1234567890.us-east-2.es-fips.amazonaws.com, but that too does not exist in DNS. So, I can use a FIPS endpoint to talk to the AWS API for the OpenSearch service no problem, but I need to have the Domain Endpoint use FIPS 140 encryption as well. How do I do that?

2 Answers
0

Greeting

Hi Joshua,

Thank you for reaching out with such a detailed question! It’s fantastic that you’re prioritizing FIPS 140-2 compliance for your OpenSearch domain, as this is critical for ensuring data security and meeting compliance requirements. I completely understand the challenge you’re facing with DNS resolution for the FIPS-compliant endpoint, and I’m here to guide you through a solution step-by-step.


Clarifying the Issue

From your description, it seems you’ve attempted to use the FIPS-compliant endpoint format (es-fips.us-east-2.amazonaws.com) but found that DNS resolution fails for your domain-specific FIPS endpoint. You’ve also tried variations like adding your domain’s prefix, but these didn’t resolve either. Your goal is to configure and use a FIPS-compliant endpoint while ensuring proper encryption compliance for your OpenSearch domain. Let’s address this thoroughly and tackle potential challenges along the way.


Key Terms

  • FIPS 140-2 Compliance: A U.S. government standard that sets requirements for cryptographic modules used to secure sensitive data.
  • OpenSearch Domain Endpoint: The unique, domain-specific URL that allows you to interact with your OpenSearch service.
  • AWS FIPS Endpoints: Specialized endpoints ensuring connections use FIPS-compliant encryption algorithms.
  • DNS Resolution: The process of translating domain names into IP addresses, enabling devices to connect.

The Solution (Our Recipe)

Steps at a Glance:

  1. Confirm your region’s FIPS support for OpenSearch.
  2. Validate your domain’s endpoint and DNS settings.
  3. Use the AWS CLI to inspect endpoint details and configurations.
  4. Update your application settings to securely use the FIPS endpoint.
  5. Troubleshoot and resolve edge cases if the FIPS endpoint isn’t available.

Step-by-Step Guide:

  1. Confirm your region’s FIPS support for OpenSearch:
    FIPS endpoints are available in specific AWS regions. Verify that your region (us-east-2) supports FIPS endpoints for OpenSearch by consulting the AWS Regional Services List. Regions like us-east-2 typically have FIPS endpoints enabled.

  2. Validate your domain’s endpoint and DNS settings:
    Check if your domain-specific FIPS endpoint is correctly configured and resolving via DNS. Use these tools:
    • nslookup (Windows/Linux):

      nslookup example-abc123.es-fips.us-east-2.amazonaws.com

      Example output:

      Server:  192.168.1.1
      Address: 192.168.1.1#53
      
      ** server can't find example-abc123.es-fips.us-east-2.amazonaws.com: NXDOMAIN

      If you see NXDOMAIN, it means the domain doesn’t exist in DNS. Proceed to the next steps to validate configuration.

    • dig (Linux/Mac):

      dig example-abc123.es-fips.us-east-2.amazonaws.com

      Example output:

      ;; QUESTION SECTION:
      ;example-abc123.es-fips.us-east-2.amazonaws.com. IN A
      
      ;; ANSWER SECTION:
      example-abc123.es-fips.us-east-2.amazonaws.com. 60 IN A 54.239.28.85

      If there’s no ANSWER SECTION, it indicates DNS resolution failure. Move to Step 3.


  3. Use the AWS CLI to inspect endpoint details and configurations:
    Run the following command to retrieve detailed information about your OpenSearch domain:
    aws opensearch describe-domain --domain-name <your-domain-name>
    Example output:
    {
      "DomainStatus": {
        "DomainName": "example-abc123",
        "Endpoint": "example-abc123.es.us-east-2.amazonaws.com",
        "EndpointOptions": {
          "EnforceHTTPS": true,
          "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
        },
        "FIPSCompliantEndpoint": "example-abc123.es-fips.us-east-2.amazonaws.com"
      }
    }
    Verify the FIPSCompliantEndpoint field. If it’s missing or doesn’t resolve, AWS Support can assist with enabling FIPS compliance.

  4. Update your application settings to securely use the FIPS endpoint:
    • Replace your current endpoint with the FIPS-compliant URL (e.g., https://example-abc123.es-fips.us-east-2.amazonaws.com) in your application’s configuration.
    • Ensure your application enforces TLS 1.2 or higher to maintain FIPS compliance.
    • Validate your network configuration: Ensure that your VPC’s security groups, NACLs, and firewall rules allow outbound HTTPS traffic to the FIPS endpoint. Misconfigured network rules can often cause connectivity issues.
    • Test connectivity to the endpoint by sending a basic request:
      curl -XGET https://example-abc123.es-fips.us-east-2.amazonaws.com/_cluster/health
      Example output:
      {
        "cluster_name": "example-abc123",
        "status": "green",
        "number_of_nodes": 3
      }
      If this fails, double-check your credentials, endpoint configuration, and network settings.

  5. Troubleshoot and resolve edge cases if the FIPS endpoint isn’t available:
    If the FIPS endpoint is missing or DNS issues persist:
    • Contact AWS Support: AWS Support can confirm whether FIPS compliance is enabled for your account or region and assist with enabling it if necessary. They can also help troubleshoot DNS or endpoint-specific issues.
    • Use VPC Endpoints: VPC Endpoints provide a private connection to your OpenSearch domain within your VPC. This eliminates public DNS dependencies and ensures secure traffic within the AWS network. This method works not only for OpenSearch but also for other AWS services requiring FIPS compliance, such as S3 or EC2.

Closing Thoughts

Joshua, ensuring FIPS compliance for your OpenSearch domain is an important step for meeting strict encryption standards. By validating your endpoint configurations, testing DNS resolution, and exploring alternative options like VPC Endpoints, you can ensure secure and compliant connectivity. The steps outlined here can also be applied to other AWS services that use FIPS endpoints, making it a versatile approach for maintaining compliance across your architecture.


Farewell

Best of luck with your configuration, Joshua! You’re taking all the right steps to ensure security and compliance. If you need further assistance, feel free to ask here—I’m happy to help. 😊🔒


Cheers,

Aaron 🚀✨

answered a year ago

0

There are no A records using the es-fips.us-east-2.amazonaws.com DNS domain. I have 2 OpenSearch domains. One in us-east-1 and one in us-east-2 and neither resolves. I also do not have a .DomainStatus.FIPSCompliantEndpoint key in the describe-domain output for either domain.

I'd file a support case, but we do not have a support contract. Anyways, this seems like either a product or documentation issue.

As a side note, it looks like .DomainStatus.EndpointOptions may have been changed to .DomainStatus.DomainEndpointOptions in the describe-domain schema at some point. At least, that's what it is in my output.

answered a year ago
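The checks from the first answer (derive the candidate FIPS host names, test whether they resolve, read the TLS and HTTPS settings out of describe-domain) and the schema observation from the second answer (the options may live under DomainEndpointOptions rather than EndpointOptions, and FIPSCompliantEndpoint may be absent) can be folded into one script. The following is an added example written for this page; it is not code from either poster or from AWS. The describe-domain document and the resolver are constructed stand-ins so it runs offline; the two host-name patterns are only the ones the question tried, and the page does not confirm that either one is documented by AWS.

```python
"""Offline readiness check for a FIPS domain endpoint (added example, not from the page).

Assumptions, all constructed for this example:
  - SAMPLE_DESCRIBE mimics describe-domain output as the asker described it
    (DomainEndpointOptions present, FIPSCompliantEndpoint absent)
  - FIPS_PATTERNS are the two host-name shapes the question tried; nothing
    on the page confirms that either is a real AWS name
  - fake_resolver stands in for DNS so the script runs without network
"""
import json
import re
import socket
from typing import Callable, Dict, List

# The two candidate shapes from the question (assumption: nothing else is claimed).
FIPS_PATTERNS = (
    "{prefix}.es-fips.{region}.amazonaws.com",
    "{prefix}.{region}.es-fips.amazonaws.com",
)


def candidate_fips_hosts(endpoint: str) -> List[str]:
    """Derive candidate FIPS host names from a standard domain endpoint.

    Accepts both <prefix>.<region>.es.amazonaws.com (the question's shape) and
    <prefix>.es.<region>.amazonaws.com (the first answer's sample output).
    """
    labels = endpoint.split(".")
    if len(labels) != 5 or labels[-2:] != ["amazonaws", "com"]:
        raise ValueError("unexpected endpoint shape: " + endpoint)
    prefix, a, b = labels[0], labels[1], labels[2]
    if a == "es":
        region = b
    elif b == "es":
        region = a
    else:
        raise ValueError("no 'es' service label in " + endpoint)
    return [p.format(prefix=prefix, region=region) for p in FIPS_PATTERNS]


def resolves(host: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the resolver returns an address; NXDOMAIN and other failures give False.

    The resolver is injectable so the check can run offline (the default is the
    system resolver, which is what nslookup/dig in the answer would consult).
    """
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def inspect_domain(describe_json: str) -> Dict[str, object]:
    """Summarise the security-relevant fields of describe-domain output.

    Looks under DomainEndpointOptions first (the asker's actual schema) and
    falls back to EndpointOptions (the first answer's sample). The minimum TLS
    version is parsed from the policy name rather than hard-coded.
    """
    status = json.loads(describe_json)["DomainStatus"]
    if "DomainEndpointOptions" in status:
        options_key = "DomainEndpointOptions"
    elif "EndpointOptions" in status:
        options_key = "EndpointOptions"
    else:
        options_key = None
    opts = status.get(options_key, {}) if options_key else {}
    policy = opts.get("TLSSecurityPolicy", "")
    m = re.match(r"Policy-Min-TLS-(\d+)-(\d+)", policy)
    min_tls = (int(m.group(1)), int(m.group(2))) if m else None
    return {
        "endpoint": status.get("Endpoint"),
        "fips_endpoint": status.get("FIPSCompliantEndpoint"),  # None when the key is absent
        "options_key": options_key,
        "enforce_https": bool(opts.get("EnforceHTTPS", False)),
        "tls_policy_ok": min_tls is not None and min_tls >= (1, 2),
    }


def fips_readiness(describe_json: str,
                   resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Combine the describe-domain inspection with DNS checks of every candidate name."""
    info = inspect_domain(describe_json)
    info["fips_candidates"] = {h: resolves(h, resolver)
                               for h in candidate_fips_hosts(str(info["endpoint"]))}
    # Only usable if the API reports a FIPS endpoint AND that name resolves.
    info["fips_usable"] = bool(info["fips_endpoint"]) and resolves(str(info["fips_endpoint"]), resolver)
    return info


# Constructed sample describe-domain output matching the asker's description.
SAMPLE_DESCRIBE = json.dumps({
    "DomainStatus": {
        "DomainName": "example",
        "Endpoint": "example-abcdefghijklmnop1234567890.us-east-2.es.amazonaws.com",
        "DomainEndpointOptions": {
            "EnforceHTTPS": True,
            "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
        },
    }
})


def fake_resolver(host: str) -> str:
    """Constructed offline stand-in for DNS: only the standard endpoint resolves."""
    if host == "example-abcdefghijklmnop1234567890.us-east-2.es.amazonaws.com":
        return "192.0.2.10"  # documentation address, constructed
    raise socket.gaierror("NXDOMAIN (constructed): " + host)


if __name__ == "__main__":
    print(json.dumps(fips_readiness(SAMPLE_DESCRIBE, fake_resolver), indent=2))
```

Run against real output, pass `aws opensearch describe-domain --domain-name <your-domain-name>` output as the JSON and drop the `fake_resolver` argument so the system resolver is used; `fips_usable` is only true when the API actually reports a FIPS endpoint and that name resolves, which is the condition the asker found unmet in both regions.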
