FIPS compliance in Amazon OpenSearch Serverless - Amazon OpenSearch Service

FIPS compliance in Amazon OpenSearch Serverless

Amazon OpenSearch Serverless supports Federal Information Processing Standards (FIPS) 140-2, which is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules that protect sensitive information. When you connect to FIPS-enabled endpoints with OpenSearch Serverless, cryptographic operations occur using FIPS-validated cryptographic libraries.

OpenSearch Serverless FIPS endpoints are available in AWS Regions where FIPS is supported. These endpoints use TLS 1.2 or later and FIPS-validated cryptographic algorithms for all communications. For more information, see FIPS compliance in the AWS Verified Access User Guide.

Using FIPS endpoints with OpenSearch Serverless

In AWS Regions where FIPS is supported, OpenSearch Serverless collections are accessible through both standard and FIPS-compliant endpoints. For more information, see FIPS compliance in the AWS Verified Access User Guide.

In the following examples, replace collection_id and region with your collection ID and its AWS Region.

  • Standard endpoint: https://collection_id.region.aoss.amazonaws.com

  • FIPS-compliant endpoint: https://collection_id.region.aoss-fips.amazonaws.com

Similarly, OpenSearch Dashboards are accessible through both standard and FIPS-compliant endpoints:

  • Standard Dashboards endpoint: https://collection_id.region.aoss.amazonaws.com/_dashboards

  • FIPS-compliant Dashboards endpoint: https://collection_id.region.aoss-fips.amazonaws.com/_dashboards

For API operations, the FIPS-compliant endpoint follows this format:

aoss-fips.region.amazonaws.com

The following is an example endpoint in the US East (N. Virginia) Region:

aoss-fips.us-east-1.amazonaws.com

Note

In FIPS-enabled Regions, both standard and FIPS-compliant endpoints provide FIPS-compliant cryptography. The FIPS-specific endpoints help you meet compliance requirements that specifically mandate the use of endpoints with FIPS in the name.

Use FIPS endpoints with the AWS CLI

To configure the AWS CLI to use FIPS endpoints for OpenSearch Serverless operations, set the --endpoint-url parameter to the FIPS endpoint when making API calls:

aws opensearchserverless create-collection \
    --name my-collection \
    --type SEARCH \
    --endpoint-url https://aoss-fips.us-east-1.amazonaws.com

You can also configure the AWS CLI to always use FIPS endpoints for OpenSearch Serverless by adding the following to your AWS CLI configuration file (~/.aws/config):

[profile your-profile-name]
aoss-fips = true

Use FIPS endpoints with AWS SDKs

When using AWS SDKs, you can specify the FIPS endpoint when creating the client:

// Java SDK example
AmazonOpenSearchServerlessClientBuilder clientBuilder = AmazonOpenSearchServerlessClientBuilder.standard()
    .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
        "https://aoss-fips.us-east-1.amazonaws.com", "us-east-1"))
    .withCredentials(credentialsProvider);
AmazonOpenSearchServerless client = clientBuilder.build();

# Python SDK example
import boto3

client = boto3.client(
    'opensearchserverless',
    region_name='us-east-1',
    endpoint_url='https://aoss-fips.us-east-1.amazonaws.com'
)

Configure security groups for VPC endpoints

To ensure proper communication with your FIPS-compliant Amazon Virtual Private Cloud (Amazon VPC) endpoint, create or modify a security group that allows inbound HTTPS traffic (TCP port 443) from the resources in your VPC that need to access OpenSearch Serverless. Then associate this security group with your VPC endpoint, either when you create the endpoint or by modifying it afterwards. For more information, see Create a security group in the Amazon VPC User Guide.

Use the FIPS VPC endpoint

After creating the FIPS-compliant VPC endpoint, you can use it to access OpenSearch Serverless from resources within your VPC. To use the endpoint for API operations, configure your AWS CLI or SDK to use the regional FIPS endpoint as described in the Using FIPS endpoints with OpenSearch Serverless section. For OpenSearch Dashboards access, use the collection-specific Dashboards URL, which will automatically route through the FIPS-compliant VPC endpoint when accessed from within your VPC. For more information, see Using OpenSearch Dashboards with Amazon OpenSearch Service.

Verify FIPS compliance

To verify that your connections to OpenSearch Serverless are using FIPS-compliant cryptography, use AWS CloudTrail to monitor API calls made to OpenSearch Serverless. Check that the eventSource field in CloudTrail logs displays aoss-fips.amazonaws.com for API calls.

For OpenSearch Dashboards access, you can use browser developer tools to inspect the TLS connection details and verify that FIPS-compliant cipher suites are being used.
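The following added example (not part of the AWS documentation) turns the endpoint formats given earlier on this page and the CloudTrail eventSource check above into a small audit script: it classifies collection, Dashboards and regional API URLs as FIPS or standard by hostname, and flags OpenSearch Serverless API calls in a CloudTrail export whose eventSource is the standard rather than the FIPS value. The CloudTrail records are constructed sample data.

```python
"""Classify OpenSearch Serverless endpoints as FIPS or standard and audit
CloudTrail records for API calls that did not use the FIPS eventSource.
Hostname shapes and the eventSource value follow the page; data is constructed."""
import json
import re
from urllib.parse import urlparse

# Collection / Dashboards hosts: collection_id.region.aoss[-fips].amazonaws.com
_COLLECTION_HOST = re.compile(
    r"^[a-z0-9]+\.[a-z0-9-]+\.(?P<svc>aoss|aoss-fips)\.amazonaws\.com$")
# Regional API hosts: aoss[-fips].region.amazonaws.com
_API_HOST = re.compile(r"^(?P<svc>aoss|aoss-fips)\.[a-z0-9-]+\.amazonaws\.com$")

FIPS_EVENT_SOURCE = "aoss-fips.amazonaws.com"  # expected for FIPS calls per the page
STANDARD_EVENT_SOURCE = "aoss.amazonaws.com"


def is_fips_endpoint(url: str) -> bool:
    """True if the URL (or bare host) is an aoss-fips endpoint; raise if it is
    not an OpenSearch Serverless endpoint of either kind."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    for pattern in (_COLLECTION_HOST, _API_HOST):
        match = pattern.match(host)
        if match:
            return match.group("svc") == "aoss-fips"
    raise ValueError(f"not an OpenSearch Serverless endpoint: {url}")


def non_fips_aoss_calls(cloudtrail_json: str) -> list:
    """Return OpenSearch Serverless records whose eventSource is the standard
    (non-FIPS) value; records from other services are ignored."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return [r for r in records if r.get("eventSource") == STANDARD_EVENT_SOURCE]


# Constructed CloudTrail export: one FIPS aoss call, one standard aoss call, one S3 call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T00:00:00Z", "eventSource": FIPS_EVENT_SOURCE,
     "eventName": "CreateCollection", "awsRegion": "us-east-1"},
    {"eventTime": "2024-01-01T00:01:00Z", "eventSource": STANDARD_EVENT_SOURCE,
     "eventName": "ListCollections", "awsRegion": "us-east-1"},
    {"eventTime": "2024-01-01T00:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1"},
]})

if __name__ == "__main__":
    for rec in non_fips_aoss_calls(SAMPLE_TRAIL):
        print(f"non-FIPS call: {rec['eventName']} at {rec['eventTime']}")
    print(is_fips_endpoint("https://abc123.us-east-1.aoss-fips.amazonaws.com/_dashboards"))
```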