containers-roadmap
[ECS] feature request: publish ECS-optimized AMIs with FIPS mode enabled
Summary
feature request: publish ECS-optimized AMIs with FIPS mode enabled
Description
The present published AL2023-based ECS-optimized AMIs do not have FIPS mode pre-enabled, which is the right configuration for most users. However, for environments and customers that require FIPS mode, AL2023 provides instructions to enable FIPS mode. These steps require rebooting the EC2 instance into FIPS mode after being configured.
When using ECS auto-scaling in conjunction with EC2 auto-scaling, the steps of starting an instance, using a userdata script to configure FIPS mode, rebooting into FIPS mode, and then joining the node to the ECS Container Instance pool then take 10-15 minutes for a new instance to be usable by EC2. If at the same time you `dnf update` and pick up a new kernel, then that also requires re-running `fips-mode-setup --enable` and possibly another reboot. To speed this up and to avoid the reboot(s), each FIPS-using customer, when using ECS-on-EC2, must themselves create AMIs that take these configuration steps, and then use the resulting AMIs.
Expected Behavior
Customers may choose AWS-published ECS-optimized FIPS-enabled AMIs, published via Systems Manager Parameter Store value just as the non-FIPS-enabled AMIs are. At a minimum, publish AMIs in the regions where AWS service FIPS endpoints are available.
Observed Behavior
FIPS is not enabled on existing ECS-optimized AMIs containing system-release-2023.2.20231113-1.amzn2023.noarch
Environment Details
Supporting Log Snippets
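As an added example (written for this page; it is not the reporter's script and not AWS code), the userdata below carries out the sequence the description outlines on an AL2023 ECS-optimized instance: update packages first so any new kernel is in place, enable FIPS mode, write the cluster registration so the ECS agent joins on the FIPS boot, then reboot once. The cluster name `my-fips-cluster`, the `ecs` service unit name, the `crypto-policies-scripts` package that provides `fips-mode-setup`, and the guard that keys off `/etc/ecs` and `/etc/system-release` are assumptions for the example.

```shell
#!/bin/bash
# Added example, not from the issue or from AWS. Cloud-init userdata for an
# AL2023 ECS-optimized instance: dnf update, enable FIPS, stage the ECS agent
# config, reboot once. Assumed: cluster "my-fips-cluster", service unit "ecs",
# config file /etc/ecs/ecs.config, kernel flag /proc/sys/crypto/fips_enabled.
set -eu

ECS_CLUSTER_NAME="${ECS_CLUSTER_NAME:-my-fips-cluster}"          # assumed name
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"
ECS_CONFIG_FILE="${ECS_CONFIG_FILE:-/etc/ecs/ecs.config}"

# fips_is_enabled FILE: succeed when the kernel flag file contains "1".
# Takes a path so it can be checked against a fixture file off-instance.
fips_is_enabled() {
  flag="$(cat "$1" 2>/dev/null || echo 0)"
  [ "$flag" = "1" ]
}

# render_ecs_config CLUSTER: the ecs.config line that makes the agent register
# this instance with CLUSTER when the agent starts.
render_ecs_config() {
  printf 'ECS_CLUSTER=%s\n' "$1"
}

main() {
  if fips_is_enabled "$FIPS_FLAG_FILE"; then
    # Already booted in FIPS mode (e.g. a pre-baked AMI): just join the cluster.
    render_ecs_config "$ECS_CLUSTER_NAME" >> "$ECS_CONFIG_FILE"
    systemctl restart ecs
    return 0
  fi

  # Keep the agent from registering a non-FIPS node before the reboot.
  systemctl stop ecs || true

  # Update first so that a new kernel, if any, is installed before FIPS is
  # enabled; otherwise fips-mode-setup --enable would have to be run again.
  dnf -y update
  dnf -y install crypto-policies-scripts   # provides fips-mode-setup on AL2023
  fips-mode-setup --enable

  # Staged before the reboot: the agent reads it on the FIPS boot and joins the
  # cluster, so this userdata does not need to run a second time.
  render_ecs_config "$ECS_CLUSTER_NAME" >> "$ECS_CONFIG_FILE"
  systemctl reboot
}

# Only act on what looks like an ECS-optimized Amazon Linux host; elsewhere
# (a workstation, a CI runner) the functions are defined and nothing runs.
if [ -d /etc/ecs ] && [ -r /etc/system-release ] \
   && grep -q 'Amazon Linux' /etc/system-release; then
  main
fi
```

The instance still pays for one reboot, which is the delay the issue is about; what the script removes is the second `fips-mode-setup --enable` and reboot that a kernel update after enabling FIPS would otherwise require, by ordering `dnf update` before the enable step.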
Hi @matt-domsch-sp, thank you for bringing this enhancement to our attention. We will be tracking this issue as a feature request.
This issue will be revisited once AL2023 has been FIPS certified. Ref: https://github.com/amazonlinux/amazon-linux-2023/issues/291