Connecting to AWS IoT FIPS endpoints - AWS IoT Core

Connecting to AWS IoT FIPS endpoints

AWS IoT provides endpoints that support the Federal Information Processing Standard (FIPS) 140-2. FIPS-compliant endpoints are different from standard AWS endpoints. To interact with AWS IoT in a FIPS-compliant manner, you must use the endpoints described below with your FIPS-compliant client. The AWS IoT console is not FIPS compliant.

The following sections describe how to access the FIPS compliant AWS IoT endpoints by using the REST API, an SDK, or the AWS CLI.

AWS IoT Core - control plane endpoints

The FIPS compliant AWS IoT Core - control plane endpoints that support the AWS IoT operations and their related CLI commands are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Core - control plane service, and look up the endpoint for your AWS Region.

To use the FIPS compliant endpoint when you access the AWS IoT operations, use the AWS SDK or the REST API with the endpoint that is appropriate for your AWS Region.

To use the FIPS compliant endpoint when you run aws iot CLI commands, add the --endpoint parameter with the appropriate endpoint for your AWS Region to the command.

AWS IoT Core - data plane endpoints

The FIPS compliant AWS IoT Core - data plane endpoints are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Core - data plane service, and look up the endpoint for your AWS Region.

You can use the FIPS compliant endpoint for your AWS Region with a FIPS compliant client by using the AWS IoT Device SDK and providing the endpoint to the SDK's connection function in place of your account's default AWS IoT Core - data plane endpoint. The connection function is specific to the AWS IoT Device SDK. For an example of a connection function, see the Connection function in the AWS IoT Device SDK for Python.

Note

AWS IoT doesn't support AWS account-specific AWS IoT Core - data plane endpoints that are FIPS-compliant. Service features that require an AWS account-specific endpoint in the Server Name Indication (SNI) can't be used. FIPS-compliant AWS IoT Core - data plane endpoints can't support Multi-Account Registration Certificates, Custom Domains, Custom Authorizers, and Configurable Endpoints (including supported TLS policies).
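The following preflight check, added here as an example rather than code from the AWS IoT documentation or the Device SDK, applies the two rules above (use the FIPS data-plane hostname for your Region; never an account-specific or custom-domain endpoint, which the FIPS endpoints can't serve) to the endpoint a device is about to hand to the SDK's connection function. The sample hostnames are constructed, the account-specific hostname shape is an assumption based on the default endpoint format, and whether the TLS stack itself is FIPS-validated is a property of the client build that a hostname check cannot verify.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the page); the real
# hostname for your Region comes from the "FIPS Endpoints by Service" table.
SAMPLE_FIPS_DATA_PLANE = "data.iot-fips.us-east-1.amazonaws.com"
SAMPLE_ACCOUNT_SPECIFIC = "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"

# Heuristic (assumed) shape of an account-specific data-plane endpoint: a
# per-account prefix, optional "-ats", then ".iot.<region>.amazonaws.com".
_ACCOUNT_SPECIFIC = re.compile(r"^[a-z0-9]{10,}(-ats)?\.iot\.[a-z0-9-]+\.amazonaws\.com$")


def check_fips_endpoint(endpoint: str, region: str) -> list[str]:
    """Return the list of problems found; an empty list means the endpoint
    is acceptable to pass to the Device SDK connection function."""
    # Accept a bare hostname, host:port, or a full URL.
    host = urlsplit(endpoint if "://" in endpoint else "//" + endpoint).hostname or ""
    labels = host.split(".")
    problems = []
    if not any("fips" in label for label in labels):
        problems.append("hostname has no 'fips' label; this is not a FIPS endpoint")
    if _ACCOUNT_SPECIFIC.match(host):
        problems.append("account-specific endpoint; FIPS data-plane endpoints do not support it")
    if region not in labels:
        problems.append(f"endpoint does not belong to Region {region}")
    if not host.endswith(".amazonaws.com"):
        problems.append("custom domains are not supported on FIPS endpoints")
    return problems


if __name__ == "__main__":
    # Illustrative use with the AWS IoT Device SDK v2 for Python: the FIPS
    # hostname goes in `endpoint`, replacing the account's default endpoint.
    # Certificate and key paths are placeholders.
    region, endpoint = "us-east-1", SAMPLE_FIPS_DATA_PLANE
    problems = check_fips_endpoint(endpoint, region)
    if problems:
        raise SystemExit("refusing to connect: " + "; ".join(problems))
    from awsiot import mqtt_connection_builder
    conn = mqtt_connection_builder.mtls_from_path(
        endpoint=endpoint, port=8883, cert_filepath="device.pem.crt",
        pri_key_filepath="private.pem.key", ca_filepath="AmazonRootCA1.pem",
        client_id="fips-device-01")
    conn.connect().result()
```

The same check applies unchanged to the credential provider and jobs data endpoints, which carry the same account-specific restriction.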

AWS IoT Core - credential provider endpoints

The FIPS compliant AWS IoT Core - credential provider endpoints are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Core - credential provider service, and look up the endpoint for your AWS Region.

Note

AWS IoT doesn't support AWS account-specific AWS IoT Core - credential provider endpoints that are FIPS-compliant. Service features that require an AWS account-specific endpoint in the Server Name Indication (SNI) can't be used. FIPS-compliant AWS IoT Core - credential provider endpoints can't support Multi-Account Registration Certificates, Custom Domains, Custom Authorizers, and Configurable Endpoints (including supported TLS policies).

AWS IoT Device Management - jobs data endpoints

The FIPS compliant AWS IoT Device Management - jobs data endpoints are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Device Management - jobs data service, and look up the endpoint for your AWS Region.

To use the FIPS compliant AWS IoT Device Management - jobs data endpoint when you run aws iot-jobs-data CLI commands, add the --endpoint parameter with the appropriate endpoint for your AWS Region to the command. You can also use the REST API with this endpoint.

You can use the FIPS compliant endpoint for your AWS Region with a FIPS compliant client by using the AWS IoT Device SDK and providing the endpoint to the SDK's connection function in place of your account's default AWS IoT Device Management - jobs data endpoint. The connection function is specific to the AWS IoT Device SDK. For an example of a connection function, see the Connection function in the AWS IoT Device SDK for Python.

AWS IoT Device Management - Fleet Hub endpoints

The FIPS compliant AWS IoT Device Management - Fleet Hub endpoints to use with Fleet Hub for AWS IoT Device Management CLI commands are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Device Management - Fleet Hub service, and look up the endpoint for your AWS Region.

To use the FIPS compliant AWS IoT Device Management - Fleet Hub endpoint when you run aws iotfleethub CLI commands, add the --endpoint parameter with the appropriate endpoint for your AWS Region to the command. You can also use the REST API with this endpoint.

AWS IoT Device Management - secure tunneling endpoints

The FIPS compliant AWS IoT Device Management - secure tunneling endpoints for the AWS IoT secure tunneling API and the corresponding CLI commands are listed in FIPS Endpoints by Service. In FIPS Endpoints by Service, find the AWS IoT Device Management - secure tunneling service, and look up the endpoint for your AWS Region.

To use the FIPS compliant AWS IoT Device Management - secure tunneling endpoint when you run aws iotsecuretunneling CLI commands, add the --endpoint parameter with the appropriate endpoint for your AWS Region to the command. You can also use the REST API with this endpoint.