fix: enable node-fips compatible body checksums for S3 (#31883)

### Issue # (if applicable)

Internal reference: D166315367

### Reason for this change

In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
However by default the S3 client is using an MD5 checksum for content integrity checking.
This causes any S3 upload operation to fail with a cryptography error. 

### Description of changes

We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
of the AWS SDKv3 and is a safe choice for all users.

### Description of how you validated changes

For non-FIPS users, we have verified functionality via cli-integ-tests.
For FIPS users, we have manually verified `cdk deploy` is now working in a FIPS enabled environment.
We have also verified the configuration with the affected customer.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mrgrain

packages/@aws-cdk/integ-runner/package.json

@@ -74,9 +74,8 @@
     "@aws-cdk/cloud-assembly-schema": "^38.0.0",
     "@aws-cdk/cloudformation-diff": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
-    "cdk-assets": "^2.154.0",
+    "cdk-assets": "^2.155.17",
     "@aws-cdk/aws-service-spec": "^0.1.29",
-
     "@aws-cdk/cdk-cli-wrapper": "0.0.0",
     "aws-cdk": "0.0.0",
     "chalk": "^4",

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -80,6 +80,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | 2.161.0 | (fix) |
 | [@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics](#aws-cdkcorecfnincluderejectcomplexresourceupdatecreatepolicyintrinsics) | When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | (fix) |
 | [@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy](#aws-cdkaws-stepfunctions-tasksfixrunecstaskpolicy) | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | (fix) |
+| [@aws-cdk/aws-dynamodb:resourcePolicyPerReplica](#aws-cdkaws-dynamodbresourcepolicyperreplica) | When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -143,6 +144,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
     "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
     "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
     "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
     "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
     "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
@@ -1509,4 +1511,22 @@ When this feature flag is enabled, if the task definition is created in the stac
 | 2.163.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica
+
+*When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix)
+
+If this flag is not set, the default behavior for `TableV2` is to use a different `resourcePolicy` for each replica. 
+
+If this flag is set to false, the behavior is that each replica shares the same `resourcePolicy` as the source table.
+This will prevent you from creating a new table which has an additional replica and a resource policy.
+
+This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->

packages/aws-cdk/lib/api/aws-auth/sdk.ts

@@ -174,7 +174,18 @@ export class SDK implements ISDK {
   }
 
   public s3(): AWS.S3 {
-    return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+    return this.wrapServiceErrorHandling(new AWS.S3({
+      // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+      // However by default the S3 client is using an MD5 checksum for content integrity checking.
+      // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+      // in practice it is just easier to use an allowed checksum mechanism.
+      // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+      // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+      // of the AWS SDKv3 and is a safe choice for all users.
+      s3DisableBodySigning: false,
+      computeChecksums: false,
+      ...this.config,
+    }));
   }
 
   public route53(): AWS.Route53 {

packages/aws-cdk/package.json

@@ -104,7 +104,7 @@
     "archiver": "^5.3.2",
     "aws-sdk": "^2.1691.0",
     "camelcase": "^6.3.0",
-    "cdk-assets": "^2.155.0",
+    "cdk-assets": "^2.155.17",
     "cdk-from-cfn": "^0.162.0",
     "chalk": "^4",
     "chokidar": "^3.6.0",

yarn.lock

@@ -67,17 +67,10 @@
     jsonschema "^1.4.1"
     semver "^7.6.3"
 
-"@aws-cdk/cx-api@^2.158.0":
-  version "2.159.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
-  integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
-  dependencies:
-    semver "^7.6.3"
-
-"@aws-cdk/cx-api@^2.160.0":
-  version "2.160.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
-  integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
+"@aws-cdk/cx-api@^2.163.1":
+  version "2.163.1"
+  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
+  integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
   dependencies:
     semver "^7.6.3"
 
@@ -6794,26 +6787,13 @@ [email protected], case@^1.6.3:
   resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
   integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
 
-cdk-assets@^2.154.0:
-  version "2.154.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
-  integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
-  dependencies:
-    "@aws-cdk/cloud-assembly-schema" "^38.0.0"
-    "@aws-cdk/cx-api" "^2.158.0"
-    archiver "^5.3.2"
-    aws-sdk "^2.1691.0"
-    glob "^7.2.3"
-    mime "^2.6.0"
-    yargs "^16.2.0"
-
-cdk-assets@^2.155.0:
-  version "2.155.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
-  integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
+cdk-assets@^2.155.17:
+  version "2.155.17"
+  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
+  integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
   dependencies:
     "@aws-cdk/cloud-assembly-schema" "^38.0.1"
-    "@aws-cdk/cx-api" "^2.160.0"
+    "@aws-cdk/cx-api" "^2.163.1"
     archiver "^5.3.2"
     aws-sdk "^2.1691.0"
     glob "^7.2.3"