Protecting Data in Transit with FIPS Endpoints
By default, when you communicate with the AppStream 2.0 service, whether as an administrator using the AppStream 2.0 console, the AWS Command Line Interface (AWS CLI), or an AWS SDK, or as a user streaming from an image builder or a fleet instance, all data in transit is encrypted using TLS 1.2.
If you require FIPS 140-2 validated cryptographic modules when accessing AWS through
a command line interface or an API, use a FIPS endpoint. AppStream 2.0 offers FIPS endpoints in all United
States AWS Regions where AppStream 2.0 is available. When you use a FIPS endpoint, all data in
transit is encrypted using cryptographic standards that comply with Federal Information
Processing Standard (FIPS) 140-2. For information about FIPS endpoints, including a list
of AppStream 2.0 endpoints, see Federal Information Processing
Standard (FIPS) 140-2
FIPS Endpoints for Administrative Use
To specify a FIPS endpoint when you run an AWS CLI command for AppStream 2.0, use the endpoint-url
parameter. The following example uses the AppStream 2.0 FIPS endpoint in the US West (Oregon) Region to retrieve a list of all stacks in the Region:
aws appstream describe-stacks --endpoint-url https://appstream2-fips.us-west-2.amazonaws.com
To specify a FIPS endpoint for AppStream 2.0 API operations, use the procedure in your AWS SDK for specifying a custom endpoint.
FIPS Endpoints for User Streaming Sessions
If you use SAML 2.0 or a streaming URL to authenticate users, you can configure FIPS-compliant connections for your users' streaming sessions.
To use a FIPS-compliant connection for users who authenticate using SAML 2.0, specify an AppStream 2.0 FIPS endpoint when you configure the relay state of your federation. For more information about constructing a relay state URL for identity federation using SAML 2.0, see Setting Up SAML.
To configure a FIPS-compliant connection for users who authenticate through a streaming URL, specify an AppStream 2.0 FIPS endpoint when you call the CreateStreamingURL or CreateImageBuilderStreamingURL operation from the AWS CLI or an AWS SDK. A user who connects to a streaming instance using the resulting URL is connected through a FIPS-compliant connection. The following example uses the AppStream 2.0 FIPS endpoint in the US East (Virginia) Region to generate a FIPS-compliant streaming URL:
aws appstream create-streaming-url --stack-name
stack-name
--fleet-name
fleet-name
--user-id
user-id
--endpoint-url https://appstream2-fips.us-east-1.amazonaws.com
Exceptions
FIPS-compliant connections are not supported in the following scenarios:
Administration of AppStream 2.0 through the AppStream 2.0 console
Streaming sessions for users who authenticate using the AppStream 2.0 user pool feature
Streaming using an interface VPC endpoint
Generating FIPS-compliant streaming URLs through the AppStream 2.0 console
Connections to your Google Drive or OneDrive storage accounts where your storage provider does not provide a FIPS endpoint