Skip to content

Implement FIPS-compliant Datadog Forwarder (AWSX-1578)#1019

Closed
RaphaelAllier wants to merge 1 commit intomasterfrom
dd/aws-fips-endpoint-support
Closed

Implement FIPS-compliant Datadog Forwarder (AWSX-1578)#1019
RaphaelAllier wants to merge 1 commit intomasterfrom
dd/aws-fips-endpoint-support

Conversation

@RaphaelAllier
Copy link
Copy Markdown
Member

@RaphaelAllier RaphaelAllier commented Nov 3, 2025

PR by Bits for Dev Agent Session

You can ask for changes by mentioning @DataDog in a comment.

Feedback (especially what can be better) welcome in #code-gen-feedback!

What does this PR do?

Implements FIPS compliant endpoints support for the Datadog Forwarder. Adds the ability to force all AWS SDK (boto3) clients to use AWS FIPS endpoints when enabled, ensuring compliance with FIPS 140-2 requirements.

Motivation

AWSX-1578: Enable FIPS compliant mode for the Datadog Forwarder to meet security and compliance requirements for deployments in regulated environments.

Testing Guidelines

  • Verified that the DD_AWS_USE_FIPS_ENDPOINTS environment variable correctly sets boto3 configuration
  • Tested that AWS SDK clients use FIPS endpoints when the flag is enabled
  • Confirmed backward compatibility when FIPS mode is disabled (default behavior)
  • Validated CloudFormation template parameter handling for the new FIPS setting

Additional Notes

  • The implementation sets both the AWS_USE_FIPS_ENDPOINT environment variable and the boto3 Config parameter to ensure FIPS endpoints are used across all AWS SDK calls
  • This feature is opt-in via the DdAwsUseFipsEndpoints CloudFormation parameter (default: false)
  • No breaking changes; existing deployments will continue to work without modification

Types of changes

  • New feature
  • Bug fix
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)
  • This PR passes the unit tests
  • This PR passes the installation tests (ask a Datadog member to run the tests)

@datadog-datadog-prod-us1 @RaphaelAllier
Implement FIPS-compliant Datadog Forwarder (AWSX-1578)
afcad7b 
Co-authored-by: RaphaelAllier <118757729+RaphaelAllier@users.noreply.github.com>
@datadog-official
Copy link
Copy Markdown
Contributor

datadog-official bot commented Nov 3, 2025
edited by datadog-datadog-prod-us1 bot
Loading

Bits AI Dev Agent Status: ✅ Done

Status History (1 entries) 
2025-11-03 09:39:25 UTC ✅ Processed user query

You can ask for changes by mentioning @DataDog in a comment.

@github-actions github-actions bot added the aws label Nov 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

aws Bits AI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RaphaelAllier