

# FIPS compliance in Amazon OpenSearch Serverless
<a name="fips-compliance-opensearch-serverless"></a>

Amazon OpenSearch Serverless supports Federal Information Processing Standards (FIPS) 140-2, which is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules that protect sensitive information. When you connect to FIPS-enabled endpoints with OpenSearch Serverless, cryptographic operations occur using FIPS-validated cryptographic libraries.

OpenSearch Serverless FIPS endpoints are available in Amazon Web Services Regions where FIPS is supported. These endpoints accept only TLS 1.2 or later and use FIPS-validated cryptographic algorithms for all communications. For more information, see [FIPS compliance](https://docs.amazonaws.cn/verified-access/latest/ug/fips-compliance.html) in the *Amazon Verified Access User Guide*.

**Topics**
+ [Using FIPS endpoints with OpenSearch Serverless](#using-fips-endpoints-opensearch-serverless)
+ [Use FIPS endpoints with Amazon SDKs](#using-fips-endpoints-aws-sdks)
+ [Configure security groups for VPC endpoints](#configuring-security-groups-vpc-endpoints)
+ [Use the FIPS VPC endpoint](#using-fips-vpc-endpoint)
+ [Verify FIPS compliance](#verifying-fips-compliance)
+ [Resolve FIPS endpoint connectivity issues in private hosted zones](serverless-fips-endpoint-issues.md)

## Using FIPS endpoints with OpenSearch Serverless
<a name="using-fips-endpoints-opensearch-serverless"></a>

In Amazon Web Services Regions where FIPS is supported, OpenSearch Serverless collections are accessible through both standard and FIPS-compliant endpoints. For more information, see [FIPS compliance](https://docs.amazonaws.cn/verified-access/latest/ug/fips-compliance.html) in the *Amazon Verified Access User Guide*.

In the following examples, replace *collection_id* and *region* with your collection ID and the Amazon Web Services Region that hosts the collection. The two endpoints differ only in the service label (`aoss` versus `aoss-fips`) in the host name.
+ **Standard endpoint** – **https://*collection_id*.*region*.aoss.amazonaws.com**
+ **FIPS-compliant endpoint** – **https://*collection_id*.*region*.aoss-fips.amazonaws.com**

Similarly, OpenSearch Dashboards is accessible through both standard and FIPS-compliant endpoints:
+ **Standard Dashboards endpoint** – **https://*collection_id*.*region*.aoss.amazonaws.com/_dashboards**
+ **FIPS-compliant Dashboards endpoint** – **https://*collection_id*.*region*.aoss-fips.amazonaws.com/_dashboards**

**Note**  
In FIPS-enabled Regions, both standard and FIPS-compliant endpoints provide FIPS-compliant cryptography. The FIPS-specific endpoints help you meet compliance requirements that specifically mandate the use of endpoints with **FIPS** in the name.

## Use FIPS endpoints with Amazon SDKs
<a name="using-fips-endpoints-aws-sdks"></a>

When using Amazon SDKs, you specify the FIPS endpoint when creating the client. In the following example, replace *collection_id* and *region* with your collection ID and its Amazon Web Services Region. Note that the `hosts` entry takes the bare host name, not a URL, and that the `region` used for request signing must match the Region in the host name.

```
# Python example (opensearch-py): sign requests with SigV4 and send them to the FIPS endpoint
from opensearchpy import OpenSearch, RequestsHttpConnection, AWSV4SignerAuth
import boto3

# Bare host name: opensearch-py adds the scheme and port from the hosts entry below.
host = 'collection_id.region.aoss-fips.amazonaws.com'
region = 'region'   # must match the Region in the host name
service = 'aoss'    # signing name for OpenSearch Serverless
credentials = boto3.Session().get_credentials()
auth = AWSV4SignerAuth(credentials, region, service)
client = OpenSearch(
    hosts = [{'host': host, 'port': 443}],
    http_auth = auth,
    use_ssl = True,        # TLS is required; the FIPS endpoint accepts TLS 1.2 or later
    verify_certs = True,   # keep certificate verification on
    connection_class = RequestsHttpConnection,
    pool_maxsize = 20
)
```

## Configure security groups for VPC endpoints
<a name="configuring-security-groups-vpc-endpoints"></a>

To ensure that traffic reaches your FIPS-compliant Amazon Virtual Private Cloud (Amazon VPC) endpoint, create or modify a security group that allows inbound HTTPS traffic (TCP port 443) from the resources in your VPC that need to access OpenSearch Serverless. Scope the inbound rule to the security groups or CIDR ranges of those resources rather than to all addresses. Then associate this security group with your VPC endpoint when you create the endpoint, or by modifying the endpoint afterwards. For more information, see [Create a security group](https://docs.amazonaws.cn/vpc/latest/userguide/creating-security-groups.html) in the *Amazon VPC User Guide*.

## Use the FIPS VPC endpoint
<a name="using-fips-vpc-endpoint"></a>

After creating the FIPS-compliant VPC endpoint, you can use it to access OpenSearch Serverless from resources within your VPC. For API operations, configure your SDK to use the Regional FIPS endpoint as described in [Using FIPS endpoints with OpenSearch Serverless](#using-fips-endpoints-opensearch-serverless). For OpenSearch Dashboards access, use the collection-specific Dashboards URL; when accessed from within your VPC, it is routed automatically through the FIPS-compliant VPC endpoint. For more information, see [Using OpenSearch Dashboards with Amazon OpenSearch Service](dashboards.md).

## Verify FIPS compliance
<a name="verifying-fips-compliance"></a>

To verify that your connections to OpenSearch Serverless are using FIPS-compliant cryptography, use Amazon CloudTrail to monitor API calls made to OpenSearch Serverless. Check that the `eventSource` field in CloudTrail records displays `aoss-fips.amazonaws.com` for those API calls.

For OpenSearch Dashboards access, you can use browser developer tools to inspect the TLS connection details and verify that the negotiated protocol is TLS 1.2 or later and that a FIPS-compliant cipher suite is being used.
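The following is an added example and not code from the OpenSearch Serverless documentation. It automates the two verification steps above: it scans CloudTrail records and reports OpenSearch Serverless API calls whose `eventSource` is not the FIPS endpoint, and it opens a TLS connection to a host and reports the negotiated protocol and cipher suite against an allow list. The CloudTrail records are constructed sample data, and the cipher allow list (TLS 1.3 AES-GCM suites and TLS 1.2 ECDHE AES-GCM suites) is an illustrative assumption that you should align with your organization's FIPS policy.

```python
# Added example (not from the OpenSearch Serverless documentation): verify the
# FIPS endpoint in CloudTrail records and the negotiated TLS parameters.
import json
import socket
import ssl

FIPS_EVENT_SOURCE = "aoss-fips.amazonaws.com"

# Illustrative allow list (assumption): TLS 1.3 AES-GCM suites and TLS 1.2
# ECDHE AES-GCM suites. ChaCha20-Poly1305 is deliberately absent.
APPROVED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
}
MIN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def non_fips_events(records):
    """Return (eventName, eventSource) for OpenSearch Serverless calls that did
    not go to the FIPS endpoint. Records for other services are ignored."""
    findings = []
    for record in records:
        source = record.get("eventSource", "")
        if source.startswith("aoss") and source != FIPS_EVENT_SOURCE:
            findings.append((record.get("eventName"), source))
    return findings


def tls_is_acceptable(protocol, cipher):
    """protocol and cipher as returned by SSLSocket.version() and cipher()[0]."""
    return protocol in MIN_PROTOCOLS and cipher in APPROVED_CIPHERS


def probe_tls(host, port=443, timeout=5.0):
    """Connect to host and return (protocol, cipher, acceptable).
    Needs network access; run it from inside the VPC for a VPC endpoint."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version()
            cipher = tls.cipher()[0]
    return protocol, cipher, tls_is_acceptable(protocol, cipher)


# Constructed sample CloudTrail records (not real log data); the second call
# went to the standard endpoint and should be flagged.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventName": "ListCollections",  "eventSource": "aoss-fips.amazonaws.com", "awsRegion": "us-west-2"},
  {"eventName": "CreateCollection", "eventSource": "aoss.amazonaws.com",      "awsRegion": "us-west-2"},
  {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",      "awsRegion": "us-west-2"}
]}
""")


if __name__ == "__main__":
    print("non-FIPS OpenSearch Serverless calls:", non_fips_events(SAMPLE_TRAIL["Records"]))
    # Example live probe (replace with your collection's FIPS endpoint):
    # print(probe_tls("collection_id.region.aoss-fips.amazonaws.com"))
```

`non_fips_events` runs offline over the `Records` array of a CloudTrail log file; `probe_tls` reports what the server actually negotiated, which is the same information the browser developer tools show for Dashboards, and returns `acceptable=False` if the suite is outside the allow list.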