fix: enable node-fips compatible body checksums for S3

packages/@aws-cdk/integ-runner/package.json

@@ -74,9 +74,8 @@
     "@aws-cdk/cloud-assembly-schema": "^38.0.0",
     "@aws-cdk/cloudformation-diff": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
-    "cdk-assets": "^2.154.0",
+    "cdk-assets": "^2.155.17",
     "@aws-cdk/aws-service-spec": "^0.1.29",
-
     "@aws-cdk/cdk-cli-wrapper": "0.0.0",
     "aws-cdk": "0.0.0",
     "chalk": "^4",

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -80,6 +80,7 @@ Flags come in three types:
 | [@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId](#aws-cdkaws-rdssetcorrectvaluefordatabaseinstancereadreplicainstanceresourceid) | When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn` | 2.161.0 | (fix) |
 | [@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics](#aws-cdkcorecfnincluderejectcomplexresourceupdatecreatepolicyintrinsics) | When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values. | 2.161.0 | (fix) |
 | [@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy](#aws-cdkaws-stepfunctions-tasksfixrunecstaskpolicy) | When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN. | 2.163.0 | (fix) |
+| [@aws-cdk/aws-dynamodb:resourcePolicyPerReplica](#aws-cdkaws-dynamodbresourcepolicyperreplica) | When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -143,6 +144,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
     "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
     "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
+    "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": true,
     "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": true,
     "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": true,
     "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": true,
@@ -1509,4 +1511,22 @@ When this feature flag is enabled, if the task definition is created in the stac
 | 2.163.0 | `false` | `true` |
 
 
+### @aws-cdk/aws-dynamodb:resourcePolicyPerReplica
+
+*When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas* (fix)
+
+If this flag is not set, the default behavior for `TableV2` is to use a different `resourcePolicy` for each replica. 
+
+If this flag is set to false, the behavior is that each replica shares the same `resourcePolicy` as the source table.
+This will prevent you from creating a new table which has an additional replica and a resource policy.
+
+This is a feature flag as the old behavior was technically incorrect but users may have come to depend on it.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->

packages/aws-cdk/lib/api/aws-auth/sdk.ts

@@ -174,7 +174,18 @@ export class SDK implements ISDK {
   }
 
   public s3(): AWS.S3 {
-    return this.wrapServiceErrorHandling(new AWS.S3(this.config));
+    return this.wrapServiceErrorHandling(new AWS.S3({
+      // In FIPS enabled environments, the MD5 algorithm is not available for use in crypto module.
+      // However by default the S3 client is using an MD5 checksum for content integrity checking.
+      // While this usage is technically allowed in FIPS (MD5 is only prohibited for cryptographic use),
+      // in practice it is just easier to use an allowed checksum mechanism.
+      // We are disabling the S3 content checksums, and are re-enabling the regular SigV4 body signing.
+      // SigV4 uses SHA256 for their content checksum. This configuration matches the default behavior
+      // of the AWS SDKv3 and is a safe choice for all users.
+      s3DisableBodySigning: false,
+      computeChecksums: false,
+      ...this.config,
+    }));
   }
 
   public route53(): AWS.Route53 {

packages/aws-cdk/package.json

@@ -104,7 +104,7 @@
     "archiver": "^5.3.2",
     "aws-sdk": "^2.1691.0",
     "camelcase": "^6.3.0",
-    "cdk-assets": "^2.155.0",
+    "cdk-assets": "^2.155.17",
     "cdk-from-cfn": "^0.162.0",
     "chalk": "^4",
     "chokidar": "^3.6.0",

yarn.lock

@@ -67,17 +67,10 @@
     jsonschema "^1.4.1"
     semver "^7.6.3"
 
-"@aws-cdk/cx-api@^2.158.0":
-  version "2.159.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.159.0.tgz#567c0ae0d7a6fc2f7cb9bda7e6cb23fac8d99094"
-  integrity sha512-HVkHCKQjVi3PCSOF22zLztZMEL+cJcyVvFctS3vXPetgl77L+e/onaGt1AUwRcNY44tvbqJm3oIVQt2HqM3q7w==
-  dependencies:
-    semver "^7.6.3"
-
-"@aws-cdk/cx-api@^2.160.0":
-  version "2.160.0"
-  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.160.0.tgz#08d4599690a39768bb944c411f1141166e313b59"
-  integrity sha512-ujXT/UoUDquCwxJ14jkRzIFeMabMyLATWP32Jv0WJjWpxrGJCa+Lua+CByOyikC1QeSVxq8pZcrx0jjYyG0qzw==
+"@aws-cdk/cx-api@^2.163.1":
+  version "2.163.1"
+  resolved "https://registry.npmjs.org/@aws-cdk/cx-api/-/cx-api-2.163.1.tgz#ef55da9f471c963d877b23d3201ca4560d656b2e"
+  integrity sha512-0bVL/pX0UcliCdXVcgtLVL3W5EHAp4RgW7JN3prz1dIOmLZzZ30DW0qWSc0D0EVE3rVG6RVgfIiuFBFK6WFZ+w==
   dependencies:
     semver "^7.6.3"
 
@@ -6794,26 +6787,13 @@ case@1.6.3, case@^1.6.3:
   resolved "https://registry.npmjs.org/case/-/case-1.6.3.tgz#0a4386e3e9825351ca2e6216c60467ff5f1ea1c9"
   integrity sha512-mzDSXIPaFwVDvZAHqZ9VlbyF4yyXRuX6IvB06WvPYkqJVO24kX1PPhv9bfpKNFZyxYFmmgo03HUiD8iklmJYRQ==
 
-cdk-assets@^2.154.0:
-  version "2.154.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.154.0.tgz#675d239c0156ca05c4a2809b30858c843f984ead"
-  integrity sha512-8M3zLHCx8nj5Fv5ubEps53jh22NN9G7ZLuq1AJwPdXZP7+nb4q5tdl2Ah2ZPMM/dob9u3KTwNeN34oLKHfDzbw==
-  dependencies:
-    "@aws-cdk/cloud-assembly-schema" "^38.0.0"
-    "@aws-cdk/cx-api" "^2.158.0"
-    archiver "^5.3.2"
-    aws-sdk "^2.1691.0"
-    glob "^7.2.3"
-    mime "^2.6.0"
-    yargs "^16.2.0"
-
-cdk-assets@^2.155.0:
-  version "2.155.0"
-  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.0.tgz#2e4f347f850c8850bcb2834807b457f41e62f1cf"
-  integrity sha512-wEztkIxJnQrIh93x6Qxu4MbRLROhl7NeWgasNZdCoOd6ykXsDSuL8JMi0wettbwGArnhhXMcll1m4+X4VQgzcA==
+cdk-assets@^2.155.17:
+  version "2.155.17"
+  resolved "https://registry.npmjs.org/cdk-assets/-/cdk-assets-2.155.17.tgz#d6c285d0279aec8226b45577a151e6dd32a12fa5"
+  integrity sha512-+hJlYYlsPHhPCeMC/V3pMyrjz5K8p9SQdC50qMg6a8/w/3w0WY1ZixyKGtpJfFB11C3Ubb04l2miieaAH00CIA==
   dependencies:
     "@aws-cdk/cloud-assembly-schema" "^38.0.1"
-    "@aws-cdk/cx-api" "^2.160.0"
+    "@aws-cdk/cx-api" "^2.163.1"
     archiver "^5.3.2"
     aws-sdk "^2.1691.0"
     glob "^7.2.3"