AWS Storage Blog
AWS Storage Gateway adds support for FIPS 140-2 compliant endpoints
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. When Storage Gateway is deployed, it must communicate back to the Storage Gateway-managed service hosted in that AWS Region for both management and data movement. This is the case whether Storage Gateway is deployed on-premises or as an Amazon EC2 instance within an Amazon Virtual Private Cloud (Amazon VPC). To provide this connectivity between the gateway and the service, the Storage Gateway-managed service hosts what are called ‘service endpoints.’ Until today, there were two options available:
- Public endpoint – Storage Gateway connects to a public endpoint over the internet.
- VPC endpoint – Storage Gateway connects to Storage Gateway VPC endpoints over a private connection to AWS (AWS Direct Connect or VPN).
In any case, it is important that there is a secure connection between the Storage Gateway and the Storage Gateway-managed service. By default, Storage Gateway provides encryption in transit by communicating with the Storage Gateway service endpoint over an SSL connection.
We are pleased to announce that Storage Gateway now offers a third type of service endpoint, Federal Information Processing Standards (FIPS) 140-2 compliant endpoints in AWS GovCloud (US) Regions. This third type of endpoint can act as an additional security measure, to further protect sensitive information for regulated workloads (Figure 1). These endpoints terminate Transport Layer Security (TLS) sessions using a FIPS 140-2 validated cryptographic software module, making it easier for you to use Storage Gateway for regulated workloads. US Federal agencies and companies contracting with the US Federal government can now meet the FIPS security requirement to encrypt sensitive data.
Figure 1: High level architecture diagram of how Storage Gateway is deployed in a customer environment, and how it communicates back to the AWS Storage Gateway Managed Service
What are AWS FIPS endpoints?
All AWS services offer TLS 1.2 encrypted endpoints that can be used for all API calls. Some AWS services, now including Storage Gateway, also offer FIPS 140-2 endpoints for customers that require use of FIPS validated cryptographic libraries. When you use a FIPS endpoint, all data in transit is encrypted using cryptographic standards that comply with FIPS 140-2.
What is Transport Layer Security (TLS)?
TLS is a cryptographic protocol designed to provide secure communication across a computer network. API calls to AWS services are secured using TLS.
Where is it available?
FIPS 140-2 compliant endpoints for Storage Gateway are available in AWS GovCloud (US-East) and AWS GovCloud (US-West). You can learn more by reading the AWS Storage Gateway user guide or see the AWS GovCloud (US) service endpoints page.
How do I get started?
To use this new capability, choose the FIPS endpoint option when creating your Storage Gateway in the AWS Console (Figure 2). Your gateway will connect to the FIPS endpoint to activate in your chosen AWS GovCloud (US) Region, and all data subsequently transferred by this gateway will only use FIPS validated encryption.
Figure 2: Choosing the FIPS endpoint option in the AWS Console when creating your Storage Gateway
Summary
In this blog post, we discussed that Storage Gateway now supports the use of FIPS 140-2 compliant endpoints in AWS GovCloud (US) Regions. We shared details about FIPS 140-2 compliant endpoints, and the security benefits provided. Finally, we showed you how to configure FIPS 140-2 compliant endpoints to take advantage of the enhanced security provided by this feature. To learn more about Storage Gateway, common use cases, deployment options, and to get started with using FIPS 140-2 compliant endpoints, check out the following links:
- Blog: Cloud storage in minutes with AWS Storage Gateway
- User Guide: Choosing a service endpoint
- Web Page: GovCloud
- Web Page: FIPS compliance
Thanks for reading this blog post to learn how Storage Gateway now supports the use of FIPS 140-2 compliant endpoints. Please leave a comment in the comments section if you have any questions.