The Federal Information Processing Standard (FIPS) Publication 140-3 is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information.
Setting the Helm parameter useFIPS to true instructs the AWS SDK to use FIPS endpoints via the AWS_USE_FIPS_ENDPOINT environment variable (both control plane communication in the AWS SDK and the mount operation will be in FIPS mode). FIPS endpoints are only supported in US and Canada regions, so the option only works in regions that have both an STS and an EC2 FIPS endpoint available. For a full list of current regions with FIPS endpoints available, see the FIPS section of the AWS documentation.
Note: If you are using EFS CSI driver v2.0.3 or higher in a region without FIPS endpoint support but set useFIPS to true, you will encounter invalid FIPS endpoint errors, which is expected. Versions v2.0.2 and lower do not encounter this error because the bugfix for an AWS SDK for Go issue, where AWS_USE_FIPS_ENDPOINT is not inferred on resolved credentials, is only incorporated in v2.0.3 and higher. This means v2.0.2 and lower always use non-FIPS endpoints even when AWS_USE_FIPS_ENDPOINT is set to true. If you are upgrading from v2.0.2 or lower to v2.0.3 or higher with useFIPS enabled in a non-supported region and are looking for a workaround for the invalid FIPS endpoint errors, see FIPS workaround for non-US/Canada regions in the FAQ.
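The version and region behaviour described above can be checked before enabling useFIPS. The following pre-flight sketch is an added example, not code from the driver project. It assumes plain MAJOR.MINOR.PATCH version strings, the commercial-partition hostname pattern <service>-fips.<region>.amazonaws.com, and DNS resolution as a heuristic for endpoint availability; all function names and the RESOLVER variable are hypothetical.

```sh
#!/bin/sh
# Added example (not from the driver project): predict the effect of useFIPS=true.

# Numeric key for a MAJOR.MINOR.PATCH version; a leading "v" is ignored.
version_key() (
  IFS=.
  set -- ${1#v}
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Succeeds when version $1 is at or above version $2.
version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# FIPS hostnames for the two services the page names (STS and EC2).
# Assumption: commercial-partition naming, <service>-fips.<region>.amazonaws.com.
fips_hosts() {
  printf '%s\n' "sts-fips.$1.amazonaws.com" "ec2-fips.$1.amazonaws.com"
}

# Default resolver: a DNS lookup, used as a heuristic for "endpoint exists".
# Set RESOLVER to another command name to substitute a different check.
resolves_dns() { getent hosts "$1" >/dev/null 2>&1; }
RESOLVER=${RESOLVER:-resolves_dns}

# Prints one of:
#   ignored           v2.0.2 or lower: non-FIPS endpoints are used despite the setting
#   fips              v2.0.3 or higher and both FIPS hostnames resolve
#   invalid-endpoint  v2.0.3 or higher and a FIPS hostname is missing
predict_use_fips() (
  version=$1 region=$2
  if ! version_ge "$version" v2.0.3; then
    echo ignored
  else
    result=fips
    for host in $(fips_hosts "$region"); do
      "$RESOLVER" "$host" || result=invalid-endpoint
    done
    echo "$result"
  fi
)
```

Call it as predict_use_fips followed by the driver version and the region. An "ignored" result is the case to watch in a compliance review, because the setting is present but traffic still goes to non-FIPS endpoints.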