DataDog · RaphaelAllier · Nov 3, 2025
@@ -27,6 +27,17 @@ def get_env_var(envvar, default, boolean=False):
     return value
 
 
+## @param DD_AWS_USE_FIPS_ENDPOINTS - boolean - optional - default: false
+## When set to true, forces all AWS SDK (boto3) clients to use AWS FIPS endpoints.
+## This sets the AWS_USE_FIPS_ENDPOINT environment variable for the process and
+## adds use_fips_endpoint=True to the default boto3 Config used where applicable.
+DD_AWS_USE_FIPS_ENDPOINTS = get_env_var(
+    "DD_AWS_USE_FIPS_ENDPOINTS", "false", boolean=True
+)
+if DD_AWS_USE_FIPS_ENDPOINTS:
+    # Ensure botocore picks this up for all clients created in this process
+    os.environ["AWS_USE_FIPS_ENDPOINT"] = "true"
+
 ## @param DD_API_KEY - String - conditional - default: none
 ## The Datadog API key associated with your Datadog Account
 ## It can be found here:
@@ -157,10 +168,15 @@ def __init__(self, name, pattern, placeholder, enabled=True):
 INCLUDE_AT_MATCH = get_env_var("INCLUDE_AT_MATCH", default=None)
 EXCLUDE_AT_MATCH = get_env_var("EXCLUDE_AT_MATCH", default=None)
 
-# Set boto3 timeout
-boto3_config = botocore.config.Config(
-    connect_timeout=5, read_timeout=5, retries={"max_attempts": 2}
-)
+# Set boto3 timeout (and FIPS if enabled)
+boto3_config_kwargs = {
+    "connect_timeout": 5,
+    "read_timeout": 5,
+    "retries": {"max_attempts": 2},
+}
+if DD_AWS_USE_FIPS_ENDPOINTS:
+    boto3_config_kwargs["use_fips_endpoint"] = True
+boto3_config = botocore.config.Config(**boto3_config_kwargs)
 # DD API Key
 # Check if the DD_API_KEY_SECRET_ARN environment variable is set
 if "DD_API_KEY_SECRET_ARN" in os.environ:

@@ -289,6 +289,13 @@ Parameters:
       - "true"
       - "false"
     Description: Set to true to enable enhanced Lambda metrics. This will generate additional custom metrics for Lambda functions, including cold starts, estimated AWS costs, and custom tags. Default is false.
+  DdAwsUseFipsEndpoints:
+    Type: String
+    Default: false
+    AllowedValues:
+      - true
+      - false
+    Description: Set to true to force AWS SDK calls from the Forwarder to use AWS FIPS endpoints.
 Conditions:
   IsAWSChina: !Equals [!Ref "AWS::Partition", aws-cn]
   IsGovCloud: !Equals [!Ref "AWS::Partition", aws-us-gov]
@@ -378,6 +385,7 @@ Conditions:
     - !Equals [!Join ["", !Ref VPCSubnetIds], ""]
   SetDdLogLevel: !Not
     - !Equals [!Ref DdLogLevel, ""]
+  SetDdAwsUseFipsEndpoints: !Equals [!Ref DdAwsUseFipsEndpoints, true]
 Rules:
   MustSetDdApiKey:
     Assertions:
@@ -577,6 +585,14 @@ Resources:
             - !Ref AWS::NoValue
           DD_TRACE_ENABLED: !Ref DdTraceEnabled
           DD_ENHANCED_METRICS: !Ref DdEnhancedMetrics
+          AWS_USE_FIPS_ENDPOINT: !If
+            - SetDdAwsUseFipsEndpoints
+            - "true"
+            - !Ref AWS::NoValue
+          DD_AWS_USE_FIPS_ENDPOINTS: !If
+            - SetDdAwsUseFipsEndpoints
+            - "true"
+            - !Ref AWS::NoValue
       ReservedConcurrentExecutions: !If
         - SetReservedConcurrentExecutions
         - !Ref ReservedConcurrency
@@ -1055,6 +1071,7 @@ Metadata:
           - DdForwarderBucketName
           - DdStoreFailedEvents
           - DdLogLevel
+          - DdAwsUseFipsEndpoints
     ParameterLabels:
       DdApiKey:
         default: "DdApiKey *"