
SSM-Agent not using FIPS endpoints, on FIPS enabled EKS cluster #1675

Open
MikeL-sfdc opened this issue Feb 16, 2024 · 1 comment

@MikeL-sfdc

What happened:
When FIPS is enabled on an EKS node, the SSM-Agent installed from the amazon-eks-ami is not using FIPS endpoints when making requests between the ec2messages and ssmmessages API endpoints.

What you expected to happen:
When sysctl -n crypto.fips_enabled evaluates to 1, requests between the SSM-Agent and the ec2messages + ssmmessages API endpoints would use the FIPS service endpoints.

How to reproduce it (as minimally and precisely as possible):
On a FIPS enabled machine, monitor traffic between the SSM-Agent and the ec2messages + ssmmessages API endpoints. The current default behavior is to not use FIPS service endpoints.

Anything else we need to know?:

SSM-agent installation here

There is existing logic within the amazon-eks-ami to dynamically use FIPS endpoints - example here

Environment:

  • AWS Region: aws-gov-east-1
  • Instance Type(s): m5.12xlarge, c5d.9xlarge
  • EKS Platform version (use aws eks describe-cluster --name <name> --query cluster.platformVersion): "eks.16"
  • Kubernetes version (use aws eks describe-cluster --name <name> --query cluster.version): "1.24"
  • AMI Version: fips-eks-node-1.24.17-Feb-04-v0-1707065100
  • Kernel (e.g. uname -a): 5.10.205-195.807.amzn2.x86_64 #1 SMP Tue Jan 16 18:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Release information (run cat /etc/eks/release on a node): Not able to be provided at the moment
@cartermckinnon (Member)

Looks like we could use the AWS_USE_FIPS_ENDPOINT environment variable to force the SSM agent to call the fips endpoint, but we'd have to handle all the special cases ourselves:

If this setting is enabled and a FIPS endpoint does not exist for the service in your AWS Region, the AWS call may fail.
https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html

I would probably start with an issue in the SSM agent repo, the maintainers may have a better approach.
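One way to apply the workaround discussed above on a node, as an added example that is not part of the issue thread or the amazon-eks-ami project: only force AWS_USE_FIPS_ENDPOINT for the agent when the kernel reports FIPS mode and the region is one where the agent's services are assumed to have FIPS endpoints, which is the failure case the linked SDK note warns about. The systemd unit name amazon-ssm-agent and the FIPS_REGIONS list are assumptions (the list is a placeholder to be replaced with verified regions).

```shell
#!/bin/sh
# Added example, not code from the issue or the amazon-eks-ami project.
# Assumption: the agent runs as the systemd unit "amazon-ssm-agent".
# Placeholder: regions assumed to have FIPS endpoints for ec2messages/ssmmessages;
# verify against the AWS endpoint reference before relying on this list.
FIPS_REGIONS="${FIPS_REGIONS:-us-gov-east-1 us-gov-west-1}"

# Return 0 when the kernel reports FIPS mode on (crypto.fips_enabled = 1).
# Takes the proc file path as an argument so it can be tested with a constructed file.
fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 when region $1 is in the FIPS_REGIONS allowlist.
region_has_fips() {
  for r in $FIPS_REGIONS; do
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# Print the systemd drop-in body that forces FIPS endpoints for the agent,
# or print nothing and return 1 when FIPS should not be forced (kernel not in
# FIPS mode, or no FIPS endpoint assumed for the region, where the call may fail).
ssm_fips_dropin() {
  region="$1"; fipsfile="$2"
  if fips_enabled "$fipsfile" && region_has_fips "$region"; then
    printf '[Service]\nEnvironment=AWS_USE_FIPS_ENDPOINT=true\n'
    return 0
  fi
  return 1
}

# Install the drop-in on a live node (needs root); silently does nothing when
# ssm_fips_dropin decides FIPS should not be forced.
install_ssm_fips_dropin() {
  region="$1"
  dir=/etc/systemd/system/amazon-ssm-agent.service.d
  body=$(ssm_fips_dropin "$region") || return 0
  mkdir -p "$dir" && printf '%s\n' "$body" > "$dir/10-fips.conf" \
    && systemctl daemon-reload && systemctl restart amazon-ssm-agent
}
```

Run `install_ssm_fips_dropin "$(curl -s http://169.254.169.254/latest/meta-data/placement/region)"` from a bootstrap hook, or check the decision first with `ssm_fips_dropin <region>` on the live node.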
