fix(cli): disable FIPS support for garbage collection

Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum. GC is using them, so we will temporarily disable the feature in FIPS environments.

Author: mrgrain

packages/aws-cdk/lib/api/aws-auth/sdk.ts

@@ -21,6 +21,16 @@ if (!regionUtil.getEndpointSuffix) {
   throw new Error('This version of AWS SDK for JS does not have the \'getEndpointSuffix\' function!');
 }
 
+export interface S3ClientOptions {
+  /**
+   * If APIs are used that require MD5 checksums.
+   *
+   * Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum.
+   * These APIs are not going to be supported in a FIPS environment.
+   */
+  needsMd5Checksums?: boolean;
+}
+
 export interface ISDK {
   /**
    * The region this SDK has been instantiated for
@@ -56,7 +66,7 @@ export interface ISDK {
   ec2(): AWS.EC2;
   iam(): AWS.IAM;
   ssm(): AWS.SSM;
-  s3(): AWS.S3;
+  s3(options?: S3ClientOptions): AWS.S3;
   route53(): AWS.Route53;
   ecr(): AWS.ECR;
   ecs(): AWS.ECS;
@@ -173,19 +183,24 @@ export class SDK implements ISDK {
     return this.wrapServiceErrorHandling(new AWS.SSM(this.config));
   }
 
-  public s3(): AWS.S3 {
-    return this.wrapServiceErrorHandling(new AWS.S3({
+  public s3({
+    needsMd5Checksums: apiRequiresMd5Checksum = false,
+  }: S3ClientOptions = {}): AWS.S3 {
+    const config = { ...this.config };
+
+    if (!apiRequiresMd5Checksum) {
       // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
       // However by default the S3 client is using an MD5 checksum for content integrity checking.
       // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
       // in practice it is just easier to use an allowed checksum mechanism.
       // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
       // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
-      // of the AWS SDKv3 and is a safe choice for all users.
-      s3DisableBodySigning: false,
-      computeChecksums: false,
-      ...this.config,
-    }));
+      // of the AWS SDKv3 and is a safe choice for all users, except in the above APIs.
+      config.s3DisableBodySigning = false;
+      config.computeChecksums = false;
+    }
+
+    return this.wrapServiceErrorHandling(new AWS.S3(config));
   }
 
   public route53(): AWS.Route53 {

packages/aws-cdk/lib/api/garbage-collection/garbage-collector.ts

@@ -1,3 +1,4 @@
+import * as crypto from 'node:crypto';
 import * as cxapi from '@aws-cdk/cx-api';
 import { S3 } from 'aws-sdk';
 import * as chalk from 'chalk';
@@ -162,7 +163,19 @@ export class GarbageCollector {
     // SDKs
     const sdk = (await this.props.sdkProvider.forEnvironment(this.props.resolvedEnvironment, Mode.ForWriting)).sdk;
     const cfn = sdk.cloudFormation();
-    const s3 = sdk.s3();
+
+    // Some S3 APIs in SDKv2 have a bug that always requires them to use a MD5 checksum.
+    // These APIs are not going to be supported in a FIPS environment.
+    // We fail with a nice error message.
+    // Once we switch this code to SDKv3, this can be made work again by adding
+    // `ChecksumAlgorithm: 'SHA256'` to the affected APIs.
+    // Currently known to affect only DeleteObjects (note the plural)
+    if (crypto.getFips() === 1) {
+      throw new Error('Garbage Collection is currently not supported in FIPS environments');
+    }
+    const s3 = sdk.s3({
+      needsMd5Checksums: true,
+    });
 
     const qualifier = await this.bootstrapQualifier(sdk, this.bootstrapStackName);
     const activeAssets = new ActiveAssetCache();