aws / aws-lambda-java-libs

Official mirror for interface definitions and helper classes for Java code running on the AWS Lambda platform.

Home Page:https://aws.amazon.com/lambda/

Not able to use FIPS-compliant Bouncy Castle libs in a Java Lambda function.

dhruv459 opened this issue · comments

In order to use FIPS-compliant Bouncy Castle libs, the java.security file in the JDK has to be modified to allow only FIPS-compliant security providers, but when deploying Java code as an AWS Lambda function there is no such option to provide or change the properties passed to the Java process.

In other Java applications, we have been overriding the security configuration by setting the Java property like this: -Djava.security.properties==.../java-deployment.security

Please comment if there is any other way to use FIPS-compliant Bouncy Castle libs in AWS Lambda.

Hi @dhruv459,

Can you use the JAVA_TOOL_OPTIONS environment variable as described in the developer guide?

Thanks,

Mark

Thanks @msailes. Is it possible to provide a reference or an example of how to override the java.security file and the cacerts used by the JDK that runs the Lambda function? Also, is there a way to provision external jar files to the Lambda function?

As per my initial comment, the default java.security file provided by the JDK is edited to allow only the FIPS security provider. In order to change that security file, I need the current file which is being used by the JDK/JVM. Can you please also comment on how I can get that java.security file?

Your zip file is unzipped to a location on the file system. The environment variable LAMBDA_TASK_ROOT has a reference to the path (/var/task/). Any file you include in your zip file will be available there and you can reference them in your application.
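Putting the two answers above together (JAVA_TOOL_OPTIONS for the JVM flag, the zip root for the file), here is an added example of a zip-based deployment. It is not code from the issue thread or from aws-lambda-java-libs. It writes a FIPS-only java.security override, places it at the root of the package so it lands at /var/task/java-deployment.security, and pushes the -Djava.security.properties flag to the function through the JAVA_TOOL_OPTIONS environment variable. The provider lines follow the Bouncy Castle FIPS user guide pattern and should be checked against the bc-fips and bctls-fips versions actually shipped; the target/ paths, the function name and the ListProviders helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the issue thread: package a Java Lambda with a
# FIPS-only java.security override and point the runtime JVM at it.
set -eu

TASK_ROOT=/var/task                 # where Lambda unpacks the zip ($LAMBDA_TASK_ROOT)
OVERRIDE_NAME=java-deployment.security

# Write a replacement master java.security into "$1". The provider list follows the
# Bouncy Castle FIPS user guide pattern (BCFIPS for JCA, BCJSSE in FIPS mode for TLS,
# SUN kept for JKS/PKIX plumbing); verify it against the bc-fips/bctls-fips you ship.
write_security_override() {
  cat > "$1/$OVERRIDE_NAME" <<'EOF'
# Loaded with -Djava.security.properties==<file>: the double '=' REPLACES the JDK's
# master java.security; a single '=' would only layer these lines on top of it and
# leave the JDK's non-FIPS providers registered.
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
EOF
}

# Value for the JAVA_TOOL_OPTIONS environment variable. Pass "with-truststore" to also
# point JSSE at a cacerts file shipped at the zip root (same mechanism: another /var/task entry).
java_tool_options() {
  opts="-Djava.security.properties==$TASK_ROOT/$OVERRIDE_NAME"
  if [ "${1:-}" = "with-truststore" ]; then
    opts="$opts -Djavax.net.ssl.trustStore=$TASK_ROOT/cacerts"
  fi
  printf '%s' "$opts"
}

# Lay the zip out as the Java runtime expects: compiled classes at the root, dependency
# jars (including bc-fips and bctls-fips) under lib/, and the override file at the root
# so it becomes /var/task/java-deployment.security. Args: classes dir, jars dir, output zip.
build_package() {
  stage=$(mktemp -d)
  out_abs="$(cd "$(dirname "$3")" && pwd)/$(basename "$3")"
  cp -R "$1"/. "$stage"/
  mkdir -p "$stage/lib" && cp "$2"/*.jar "$stage/lib/"
  write_security_override "$stage"
  (cd "$stage" && zip -qr "$out_abs" .)
  rm -rf "$stage"
}

# Pre-deploy check: start a throwaway JVM with the override and the shipped jars on the
# classpath and list the providers that actually got installed. Only BCFIPS, BCJSSE and
# SUN should print; a JDK warning about a provider failing to load means a jar is missing.
# ListProviders is a hypothetical helper written for this example. Skipped without a JDK.
verify_providers() {
  command -v java >/dev/null 2>&1 || { echo "java not found, skipping provider check"; return 0; }
  cat > "$1/ListProviders.java" <<'EOF'
public class ListProviders {
  public static void main(String[] args) {
    for (java.security.Provider p : java.security.Security.getProviders())
      System.out.println(p.getName() + " " + p.getVersionStr());
  }
}
EOF
  java "-Djava.security.properties==$1/$OVERRIDE_NAME" -cp "$2/*" "$1/ListProviders.java"
}

# Set JAVA_TOOL_OPTIONS on the function (all environment variables together must stay
# under Lambda's 4 KB limit). Needs AWS credentials, so it is not exercised offline.
# On the next cold start the JVM logs "Picked up JAVA_TOOL_OPTIONS: ..." to CloudWatch,
# which confirms the flag reached the runtime.
configure_function() {
  opts=$(java_tool_options "${2:-}")
  aws lambda update-function-configuration --function-name "$1" \
    --environment "{\"Variables\":{\"JAVA_TOOL_OPTIONS\":\"$opts\"}}"
}

case "${1:-}" in
  build)  write_security_override .
          verify_providers . target/dependency
          build_package target/classes target/dependency function.zip ;;
  deploy) configure_function "${2:?function name}" "${3:-}" ;;
esac
```

Usage: `sh deploy.sh build` produces function.zip after the local provider check, `sh deploy.sh deploy my-function with-truststore` sets the environment variable. Because the `==` form replaces the master file outright, you do not need a copy of the runtime's own java.security to start from; if you want one anyway, it lives at `<java.home>/conf/security/java.security` on JDK 9 and later, and a test invocation can read `System.getProperty("java.home")` to locate and log it.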

Thanks @msailes. What I ended up doing is using a containerized environment. I created a Docker image based on Ubuntu and installed Java in it. Then I specified the ENTRYPOINT and CMD to provide the custom Java arguments. Courtesy: https://rieckpil.de/java-aws-lambda-container-image-support-complete-guide/
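The container route described in the comment above, as an added example that is not the commenter's Dockerfile or code from aws-lambda-java-libs: an Ubuntu image with a JDK and the AWS Lambda Runtime Interface Client, with the java.security override flag baked into ENTRYPOINT and the handler supplied through CMD, plus a check that the built image really carries the flag and the file. It assumes a java-deployment.security file of the kind discussed in this thread already sits in the build context, that the build tool has copied the function jar and all runtime dependencies to target/lib/, and that the handler is com.example.Handler::handleRequest; the ECR repository and function name are arguments.

```shell
#!/bin/sh
# Added example, not part of the issue thread: container-image deployment in which the
# JVM flags live in the image's ENTRYPOINT instead of an environment variable.
set -eu

# Write the Dockerfile into "$1". Ubuntu + OpenJDK + the Lambda Runtime Interface Client
# (com.amazonaws:aws-lambda-java-runtime-interface-client, expected among the jars in
# target/lib/); the client's main class takes the handler name from CMD.
write_dockerfile() {
  cat > "$1/Dockerfile" <<'EOF'
FROM ubuntu:22.04
RUN apt-get update \
 && apt-get install -y --no-install-recommends openjdk-17-jre-headless \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /var/task
# Function jar plus every runtime dependency (aws-lambda-java-core, the runtime
# interface client, bc-fips, bctls-fips), copied here by the build tool (assumed layout)
COPY target/lib/*.jar /var/task/lib/
# The FIPS-only java.security override; '==' replaces the JDK's master file
COPY java-deployment.security /var/task/java-deployment.security
# No shell in exec form, but the JVM expands the classpath wildcard itself
ENTRYPOINT ["java", \
  "-Djava.security.properties==/var/task/java-deployment.security", \
  "-cp", "/var/task/lib/*", \
  "com.amazonaws.services.lambda.runtime.api.client.AWSLambda"]
CMD ["com.example.Handler::handleRequest"]
EOF
}

# Confirm the built image carries the flag in its entrypoint and the override file at the
# expected path, without starting the runtime client. Needs docker; skipped otherwise.
verify_image() {
  command -v docker >/dev/null 2>&1 || { echo "docker not found, skipping image check"; return 0; }
  docker inspect --format '{{json .Config.Entrypoint}}' "$1" | grep -q 'java.security.properties=='
  docker run --rm --entrypoint cat "$1" /var/task/java-deployment.security | grep -q '^security.provider.1='
}

# Build for the architecture the function is configured for, push to ECR and point the
# function at the new image. Args: ECR repository URI, function name, optional tag.
build_and_deploy() {
  repo="$1"; fn="$2"; tag="${3:-latest}"
  write_dockerfile .
  docker build --platform linux/amd64 -t "$repo:$tag" .
  verify_image "$repo:$tag"
  aws ecr get-login-password | docker login --username AWS --password-stdin "${repo%%/*}"
  docker push "$repo:$tag"
  aws lambda update-function-code --function-name "$fn" --image-uri "$repo:$tag"
}

case "${1:-}" in
  deploy) build_and_deploy "${2:?ecr repository uri}" "${3:?function name}" "${4:-latest}" ;;
esac
```

Usage: `sh deploy-image.sh deploy 123456789012.dkr.ecr.us-east-1.amazonaws.com/fips-lambda my-function`. If you build on the AWS-provided Java base image instead of Ubuntu, its entrypoint is already set by the image, so the flag goes into an `ENV JAVA_TOOL_OPTIONS=...` line in the Dockerfile rather than into ENTRYPOINT.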

This GitHub sample gives extensive guidance on this subject area: Serverless mutual TLS