fix: enable node-fips compatible body checksums for S3 uploads

cdklabs · Oct 24, 2024 · 1d640ae · 1d640ae
1 parent c8cefb6
commit 1d640ae
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/lib/aws.ts b/lib/aws.ts
@@ -71,7 +71,18 @@ export class DefaultAwsClient implements IAws {
   }
 
   public async s3Client(options: ClientOptions) {
-    return new this.AWS.S3(await this.awsOptions(options));
+    return new this.AWS.S3({
+      // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+      // However by default the S3 client is using an MD5 checksum for content integrity checking.
+      // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+      // in practice it is just easier to use an allowed checksum mechanism.
+      // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+      // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+      // of the AWS SDKv3 and is a safe choice for all users.
+      s3DisableBodySigning: false,
+      computeChecksums: false,
+      ...(await this.awsOptions(options)),
+    });
   }
 
   public async ecrClient(options: ClientOptions) {