Understanding AWS CLI FIPS 140-3 Support

The server rejected the connection at midnight. No warnings. No errors you could trace to code. Only the quiet refusal of a system enforcing rules you didn’t know were active. You dug through logs and configs until the pattern emerged: your AWS CLI calls were failing because FIPS 140-3 mode wasn’t in play.

FIPS 140-3 is no longer niche. It is the U.S. government standard for cryptographic modules, and AWS now enforces it for certain workloads, regions, and compliance profiles. If your CLI commands need to pass in regulated environments, you have to speak the FIPS 140-3 dialect.

Understanding AWS CLI FIPS 140-3 Support

The AWS Command Line Interface supports FIPS endpoints for services across multiple regions. When you enable them, your CLI requests route through endpoints that enforce cryptographic standards validated against FIPS 140-3. This affects authentication, API calls, and all data in transit. Without it, some workloads will reject your requests outright.

AWS provides specific FIPS endpoints per service and region. They look like this: service-fips.region.amazonaws.com

For example: sts-fips.us-east-1.amazonaws.com

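Switching to these endpoints ensures that TLS on the AWS side is terminated by cryptographic modules that meet FIPS 140-3 requirements. The client half of the connection still depends on the crypto libraries on the machine running the CLI, which is why validating them appears in the best practices below.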

How to Enable FIPS Mode in AWS CLI

You can configure FIPS endpoints in multiple ways:

1. Command-line argument:

aws s3 ls --endpoint-url https://s3-fips.us-east-1.amazonaws.com

2. Profile configuration in ~/.aws/config:

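# Service-specific endpoints live in a [services] section that the profile references by name (the name fips-services is arbitrary).
[profile fips]
region = us-east-1
services = fips-services

[services fips-services]
s3 =
  endpoint_url = https://s3-fips.us-east-1.amazonaws.com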

3. Environment variables:

export AWS_ENDPOINT_URL_S3=https://s3-fips.us-east-1.amazonaws.com

Pick the method that matches your workflow. In production automation, profiles or environment variables are cleaner and easier to manage.
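
Whichever method you use, it helps to audit the overrides that are actually configured. The script below is an added example, not part of the original post: it reads an AWS CLI config and reports every endpoint_url that does not match the service-fips.region.amazonaws.com pattern over HTTPS. The sample config, its section names, and the rule that any other hostname shape is reported for manual review are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag AWS CLI endpoint overrides
# that do not match the service-fips.region.amazonaws.com pattern.

# is_fips_endpoint URL: succeeds only for https://<service>-fips.<region>.amazonaws.com
# Assumption: any other FIPS hostname shape is reported for manual review.
is_fips_endpoint() {
    host=${1#https://}    # plain http:// is not stripped, so it never matches
    host=${host%%/*}      # drop any path
    printf '%s\n' "$host" |
        grep -Eq '^[a-z0-9-]+-fips\.[a-z]{2}(-[a-z]+)+-[0-9]+\.amazonaws\.com$'
}

# audit_endpoints: read an AWS CLI config on stdin and print
# "section<TAB>url" for each endpoint_url that fails the check.
audit_endpoints() {
    section=''
    while IFS= read -r line; do
        case $line in
            \[*\]) section=$line ;;
            *endpoint_url*=*)
                url=$(printf '%s' "${line#*=}" | tr -d ' \t')
                is_fips_endpoint "$url" || printf '%s\t%s\n' "$section" "$url"
                ;;
        esac
    done
}

# Constructed sample config: one compliant override, two that should be flagged.
sample_config() {
    cat <<'EOF'
[profile fips]
region = us-east-1
services = fips-services

[services fips-services]
s3 =
  endpoint_url = https://s3-fips.us-east-1.amazonaws.com
sts =
  endpoint_url = https://sts.us-east-1.amazonaws.com

[services legacy]
s3 =
  endpoint_url = http://s3-fips.us-east-1.amazonaws.com
EOF
}

sample_config | audit_endpoints
```

To audit a real configuration, pipe ~/.aws/config into audit_endpoints in place of sample_config. The anchored pattern also rejects lookalike hosts that merely begin with a FIPS endpoint name.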

Regions, Services, and Limitations

Not all services support FIPS endpoints in every AWS region. The AWS documentation lists supported combinations. Always check that the service-fips endpoint exists for your target region. If it doesn’t, route traffic to the nearest supported one. Some latency may be unavoidable, but compliance comes first.

Why FIPS 140-3 Matters Now

AWS has moved from FIPS 140-2 to FIPS 140-3 for new validations. Compliance frameworks like FedRAMP High, DoD SRG, and CJIS require these standards. If your CLI scripts still use non-FIPS endpoints, you are already behind. Every non-compliant request is a security gap. Every unsupported endpoint is a potential outage.

Best Practices for AWS CLI FIPS 140-3 Usage

  • Use IAM roles with least privilege while in FIPS mode.
  • Validate that your OpenSSL and system crypto libraries are FIPS 140-3 compatible.
  • Test endpoints in staging to confirm functionality before deploying to production.
  • Monitor AWS announcements for service FIPS endpoint changes.

If you want to see AWS CLI FIPS 140-3 in action without spending hours setting up profiles and configs, spin it up live at hoop.dev. You can connect, test endpoints, and validate compliance in minutes—no guesswork, no log digging, no midnight surprises.
