Protecting Data in Transit with FIPS Endpoints - Amazon AppStream 2.0

Protecting Data in Transit with FIPS Endpoints

By default, when you communicate with the AppStream 2.0 service, whether as an administrator using the AppStream 2.0 console, the AWS Command Line Interface (AWS CLI), or an AWS SDK, or as a user streaming from an image builder or a fleet instance, all data in transit is encrypted using TLS 1.2.

If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. AppStream 2.0 offers FIPS endpoints in all United States AWS Regions where AppStream 2.0 is available. When you use a FIPS endpoint, all data in transit is encrypted using cryptographic standards that comply with Federal Information Processing Standard (FIPS) 140-2. For information about FIPS endpoints, including a list of AppStream 2.0 endpoints, see Federal Information Processing Standard (FIPS) 140-2.

FIPS Endpoints for Administrative Use

To specify a FIPS endpoint when you run an AWS CLI command for AppStream 2.0, use the endpoint-url parameter. The following example uses the AppStream 2.0 FIPS endpoint in the US West (Oregon) Region to retrieve a list of all stacks in the Region:

aws appstream describe-stacks --endpoint-url https://appstream2-fips.us-west-2.amazonaws.com

To specify a FIPS endpoint for AppStream 2.0 API operations, use the procedure in your AWS SDK for specifying a custom endpoint.

FIPS Endpoints for User Streaming Sessions

If you use SAML 2.0 or a streaming URL to authenticate users, you can configure FIPS-compliant connections for your users' streaming sessions.

To use a FIPS-compliant connection for users who authenticate using SAML 2.0, specify an AppStream 2.0 FIPS endpoint when you configure the relay state of your federation. For more information about constructing a relay state URL for identity federation using SAML 2.0, see Setting Up SAML.

To configure a FIPS-compliant connection for users who authenticate through a streaming URL, specify an AppStream 2.0 FIPS endpoint when you call the CreateStreamingURL or CreateImageBuilderStreamingURL operation from the AWS CLI or an AWS SDK. A user who connects to a streaming instance using the resulting URL is connected through a FIPS-compliant connection. The following example uses the AppStream 2.0 FIPS endpoint in the US East (Virginia) Region to generate a FIPS-compliant streaming URL:

aws appstream create-streaming-url --stack-name stack-name --fleet-name fleet-name --user-id user-id --endpoint-url https://appstream2-fips.us-east-1.amazonaws.com
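The two commands above both depend on remembering to pass --endpoint-url; if it is omitted, the CLI silently uses the standard (non-FIPS) endpoint. The following wrapper, an added example that is not part of the AWS documentation, serves both the administrative-use section and the streaming-URL section: it derives the FIPS endpoint from the Region, refuses to run when the Region has no FIPS endpoint, and routes any aws appstream subcommand through it. The endpoint pattern https://appstream2-fips.<region>.amazonaws.com is generalized from the two endpoints shown on this page, and the Region list in the case statement, the APPSTREAM_FIPS_RUN variable and the STACK_NAME, FLEET_NAME and USER_ID placeholders are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example, not AWS documentation code: force every AppStream 2.0 CLI
# call through the Region's FIPS endpoint and fail closed when none exists,
# so a forgotten --endpoint-url can never fall back to the standard endpoint.
#
# Assumptions (not stated on the page): FIPS endpoints follow the pattern
# https://appstream2-fips.<region>.amazonaws.com, and the Regions in the
# case statement below are the ones this example treats as having one.
# Check the list against the FIPS endpoint list the page links to.

# Print the AppStream 2.0 FIPS endpoint for a Region, or fail if it has none.
appstream_fips_endpoint() {
    region="$1"
    case "$region" in
        us-east-1|us-east-2|us-west-2)
            printf 'https://appstream2-fips.%s.amazonaws.com\n' "$region"
            ;;
        *)
            printf 'error: no AppStream 2.0 FIPS endpoint known for Region %s\n' \
                "$region" >&2
            return 1
            ;;
    esac
}

# Run any "aws appstream ..." subcommand through the FIPS endpoint.
# Usage: appstream_fips <region> <subcommand> [args...]
# Returns 1 without calling the CLI if the Region has no FIPS endpoint.
appstream_fips() {
    region="$1"; shift
    endpoint="$(appstream_fips_endpoint "$region")" || return 1
    aws appstream "$@" --region "$region" --endpoint-url "$endpoint"
}

# Demo mirroring the two commands on the page; runs only when
# APPSTREAM_FIPS_RUN=1 is set, so sourcing this file defines the functions
# without contacting AWS.
main() {
    # List all stacks in US West (Oregon) over the FIPS endpoint.
    appstream_fips us-west-2 describe-stacks

    # Generate a FIPS-compliant streaming URL in US East (N. Virginia).
    # STACK_NAME, FLEET_NAME and USER_ID are placeholders for your own values.
    appstream_fips us-east-1 create-streaming-url \
        --stack-name "${STACK_NAME:-stack-name}" \
        --fleet-name "${FLEET_NAME:-fleet-name}" \
        --user-id "${USER_ID:-user-id}"
}

if [ "${APPSTREAM_FIPS_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as APPSTREAM_FIPS_RUN=1 STACK_NAME=... FLEET_NAME=... USER_ID=... sh fips-appstream.sh, or source the file and call appstream_fips directly. The wrapper enforces only the endpoint selection: a streaming URL generated through the AppStream 2.0 console, or for a user-pool user, is still outside FIPS coverage as the Exceptions section below states. AWS CLI v2 and recent SDKs also offer a built-in switch (the AWS_USE_FIPS_ENDPOINT environment variable or use_fips_endpoint in the CLI config) that selects FIPS endpoints for every service that has one; the explicit wrapper above is useful where you want the call to fail rather than proceed when no FIPS endpoint exists for the Region.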

Exceptions

FIPS-compliant connections are not supported in the following scenarios:

  • Administration of AppStream 2.0 through the AppStream 2.0 console

  • Streaming sessions for users who authenticate using the AppStream 2.0 user pool feature

  • Streaming using an interface VPC endpoint

  • Generating FIPS-compliant streaming URLs through the AppStream 2.0 console

  • Connections to your Google Drive or OneDrive storage accounts where your storage provider does not provide a FIPS endpoint