From be4c9fb4f01af8c080b72555eb1d92f4b502c93d Mon Sep 17 00:00:00 2001
From: shreyamalpani
Date: Mon, 1 Dec 2025 13:22:44 -0500
Subject: [PATCH 1/4] only override ssm endpoint url in commercial fips
---
 datadog_lambda/api.py | 2 +-
 tests/test_api.py | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/datadog_lambda/api.py b/datadog_lambda/api.py
index 4921dae90..92437cf07 100644
--- a/datadog_lambda/api.py
+++ b/datadog_lambda/api.py
@@ -94,7 +94,7 @@ def get_api_key() -> str:
 # SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
 fips_endpoint = (
 f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
- if config.fips_mode_enabled
+ if config.fips_mode_enabled and not config.is_gov_region
 else None
 )
 ssm_client = _boto3_client("ssm", endpoint_url=fips_endpoint)
diff --git a/tests/test_api.py b/tests/test_api.py
index 35a179b1c..566e46765 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
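Review bot: The new condition leaves `fips_endpoint` at `None` for every GovCloud region without saying why, so a reader of `get_api_key` cannot tell whether the gov-region fallback is a deliberate compliance decision or an oversight; the reasoning belongs next to the condition, e.g. `# GovCloud is not overridden here: its standard SSM endpoints are expected to already satisfy the FIPS requirement — confirm against the SSM endpoint table linked above`. In commercial regions the override is still applied unconditionally, although the linked endpoint table only lists `ssm-fips` hosts for a subset of regions, so a region outside that subset is handed a hostname that may not exist (later patches in this series restrict the override to an explicit region set). `get_api_key` begins before this hunk and continues after it.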
@@ -96,13 +96,33 @@ def test_ssm_fips_endpoint(self, mock_boto3_client):
 }
 mock_boto3_client.return_value = mock_client
+ os.environ["AWS_REGION"] = "us-east-1"
+ os.environ["DD_API_KEY_SSM_NAME"] = "test-ssm-param"
+
+ api_key = api.get_api_key()
+
+ mock_boto3_client.assert_called_with(
+ "ssm", endpoint_url="https://ssm-fips.us-east-1.amazonaws.com"
+ )
+ self.assertEqual(api_key, "test-api-key")
+
+ @patch("datadog_lambda.config.Config.fips_mode_enabled", True)
+ @patch("datadog_lambda.config.Config.is_gov_region", True)
+ @patch("botocore.session.Session.create_client")
+ def test_ssm_gov_endpoint(self, mock_boto3_client):
+ mock_client = MagicMock()
+ mock_client.get_parameter.return_value = {
+ "Parameter": {"Value": "test-api-key"}
+ }
+ mock_boto3_client.return_value = mock_client
+
 os.environ["AWS_REGION"] = "us-gov-west-1"
 os.environ["DD_API_KEY_SSM_NAME"] = "test-ssm-param"
 api_key = api.get_api_key()
 mock_boto3_client.assert_called_with(
- "ssm", endpoint_url="https://ssm-fips.us-gov-west-1.amazonaws.com"
+ "ssm", endpoint_url=None
 )
 self.assertEqual(api_key, "test-api-key")
From c5da899d0356573f9ea57df53f1c9947c7bf5f36 Mon Sep 17 00:00:00 2001
From: shreyamalpani
Date: Mon, 1 Dec 2025 13:44:06 -0500
Subject: [PATCH 2/4] lint
---
 tests/test_api.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tests/test_api.py b/tests/test_api.py
index 566e46765..ce9e359de 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -121,9 +121,7 @@ def test_ssm_gov_endpoint(self, mock_boto3_client):
 api_key = api.get_api_key()
- mock_boto3_client.assert_called_with(
- "ssm", endpoint_url=None
- )
+ mock_boto3_client.assert_called_with("ssm", endpoint_url=None)
 self.assertEqual(api_key, "test-api-key")
 @patch("datadog_lambda.config.Config.fips_mode_enabled", True)
From 29a050e7fed04c4d3cfb907d4ca6e768c0a73dc3 Mon Sep 17 00:00:00 2001
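Review bot: Both tests write `AWS_REGION` and `DD_API_KEY_SSM_NAME` straight into `os.environ` and never restore them, so whichever test runs last leaves its region in the process environment for unrelated tests; unless the class's `setUp`/`tearDown` (outside this hunk) already snapshots the environment, wrapping each body in `with patch.dict(os.environ, {"AWS_REGION": "us-east-1", "DD_API_KEY_SSM_NAME": "test-ssm-param"}):` keeps the tests order-independent. The new gov-region test also only checks `endpoint_url=None`; an explicit assertion that no `ssm-fips` host is ever passed for a gov region would state the commit's intent rather than its current implementation detail. `test_ssm_fips_endpoint` begins before this hunk.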
From: shreyamalpani
Date: Fri, 5 Dec 2025 12:28:23 -0500
Subject: [PATCH 3/4] check ssm-fips supported regions
---
 datadog_lambda/api.py | 23 ++++++++++++++++++-----
 tests/test_api.py | 26 +++++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/datadog_lambda/api.py b/datadog_lambda/api.py
index 92437cf07..e27528707 100644
--- a/datadog_lambda/api.py
+++ b/datadog_lambda/api.py
@@ -5,6 +5,14 @@ logger = logging.getLogger(__name__)
 KMS_ENCRYPTION_CONTEXT_KEY = "LambdaFunctionName"
+SSM_FIPS_SUPPORTED_REGIONS = {
+ "us-east-1",
+ "us-east-2",
+ "us-west-1",
+ "us-west-2",
+ "ca-central-1",
+ "ca-west-1",
+}
 api_key = None
@@ -92,11 +100,16 @@ def get_api_key() -> str:
 )["SecretString"]
 elif DD_API_KEY_SSM_NAME:
 # SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
- fips_endpoint = (
- f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
- if config.fips_mode_enabled and not config.is_gov_region
- else None
- )
+ fips_endpoint = None
+ if config.fips_mode_enabled and LAMBDA_REGION in SSM_FIPS_SUPPORTED_REGIONS:
+ fips_endpoint = f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
+ else:
+ if not config.is_gov_region:
+ # Log warning if FIPS is enabled for a commercial region that does not support SSM FIPS endpoints
+ logger.warning(
+ "FIPS mode is enabled but region '%s' does not support SSM FIPS endpoints. Using standard SSM endpoint.",
+ LAMBDA_REGION,
+ )
 ssm_client = _boto3_client("ssm", endpoint_url=fips_endpoint)
 api_key = ssm_client.get_parameter(
 Name=DD_API_KEY_SSM_NAME, WithDecryption=True
diff --git a/tests/test_api.py b/tests/test_api.py
index ce9e359de..3b42cfd76 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
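Review bot: `SSM_FIPS_SUPPORTED_REGIONS` is a hand-maintained copy of an AWS endpoint table with no note of where it came from or when it was checked, and the only pointer to that table is an inline comment further down inside `get_api_key`; a maintainer who learns that a new region gained an `ssm-fips` host has no way to tell whether this set is stale. Put the provenance on the constant itself, e.g. `# Regions that publish an ssm-fips endpoint, per https://docs.aws.amazon.com/general/latest/gr/ssm.html (checked <date>); keep in sync when AWS adds FIPS endpoints.`, and consider `frozenset({...})` since the set is never mutated. Because this is an allowlist, a region missing from it falls back to the standard endpoint with only a log line in commercial regions, so a stale entry is a compliance regression rather than a visible failure.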
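Review bot: The `else:` branch runs whenever the combined condition is false, including when `config.fips_mode_enabled` is False, so every non-FIPS deployment in a commercial region logs "FIPS mode is enabled but region ... does not support SSM FIPS endpoints" on each API-key fetch; the warning needs to be guarded by `config.fips_mode_enabled` as well (patch 4/4 of this series restructures the branches so the region check is nested inside `if config.fips_mode_enabled:`). The test added with this commit only exercises the FIPS-enabled unsupported-region path, so a `fips_mode_enabled=False` case asserting `assertNoLogs` (Python 3.10+) would have caught the spurious warning. `get_api_key` begins before this hunk and continues after it.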
@@ -89,7 +89,7 @@ def test_secrets_manager_different_region_but_still_fips(self, mock_boto3_client
 @patch("datadog_lambda.config.Config.fips_mode_enabled", True)
 @patch("botocore.session.Session.create_client")
- def test_ssm_fips_endpoint(self, mock_boto3_client):
+ def test_ssm_fips_endpoint_supported_region(self, mock_boto3_client):
 mock_client = MagicMock()
 mock_client.get_parameter.return_value = {
 "Parameter": {"Value": "test-api-key"}
@@ -124,6 +124,30 @@ def test_ssm_gov_endpoint(self, mock_boto3_client):
 mock_boto3_client.assert_called_with("ssm", endpoint_url=None)
 self.assertEqual(api_key, "test-api-key")
+ @patch("datadog_lambda.config.Config.fips_mode_enabled", True)
+ @patch("botocore.session.Session.create_client")
+ def test_ssm_fips_endpoint_unsupported_region(self, mock_boto3_client):
+ mock_client = MagicMock()
+ mock_client.get_parameter.return_value = {
+ "Parameter": {"Value": "test-api-key"}
+ }
+ mock_boto3_client.return_value = mock_client
+
+ os.environ["AWS_REGION"] = "eu-west-1"
+ os.environ["DD_API_KEY_SSM_NAME"] = "test-ssm-param"
+
+ with self.assertLogs("datadog_lambda.api", level="WARNING") as log_context:
+ api_key = api.get_api_key()
+
+ mock_boto3_client.assert_called_with("ssm", endpoint_url=None)
+ self.assertEqual(api_key, "test-api-key")
+ self.assertTrue(
+ any(
+ "does not support SSM FIPS endpoints" in log_msg
+ for log_msg in log_context.output
+ )
+ )
+
 @patch("datadog_lambda.config.Config.fips_mode_enabled", True)
 @patch("botocore.session.Session.create_client")
 @patch("datadog_lambda.api.decrypt_kms_api_key")
From e79a3b5b8ef81ec8de1d9f3a177dd8fb2f7902ee Mon Sep 17 00:00:00 2001
From: shreyamalpani
Date: Fri, 5 Dec 2025 12:44:06 -0500
Subject: [PATCH 4/4] fix
---
 datadog_lambda/api.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/datadog_lambda/api.py b/datadog_lambda/api.py
index e27528707..88f2cbe27 100644
--- a/datadog_lambda/api.py
+++ b/datadog_lambda/api.py
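Review bot: `test_ssm_fips_endpoint_unsupported_region` pins the warning for the commercial fallback, but nothing asserts the complementary contract that the gov-region path stays quiet: `test_ssm_gov_endpoint` (just above this hunk) only checks `endpoint_url=None`, so a future change that starts warning or overriding in GovCloud would still pass the suite. Wrapping that test's `api.get_api_key()` call in `with self.assertNoLogs("datadog_lambda.api", level="WARNING"):` (Python 3.10+) closes the gap. The new test also leaves `AWS_REGION="eu-west-1"` in `os.environ` when it finishes; unless `setUp`/`tearDown` (outside the hunk) resets the environment, `patch.dict(os.environ, {...})` would keep the tests order-independent.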
@@ -101,15 +101,17 @@ def get_api_key() -> str:
 elif DD_API_KEY_SSM_NAME:
 # SSM endpoints: https://docs.aws.amazon.com/general/latest/gr/ssm.html
 fips_endpoint = None
- if config.fips_mode_enabled and LAMBDA_REGION in SSM_FIPS_SUPPORTED_REGIONS:
- fips_endpoint = f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
- else:
- if not config.is_gov_region:
- # Log warning if FIPS is enabled for a commercial region that does not support SSM FIPS endpoints
- logger.warning(
- "FIPS mode is enabled but region '%s' does not support SSM FIPS endpoints. Using standard SSM endpoint.",
- LAMBDA_REGION,
- )
+ if config.fips_mode_enabled:
+ if LAMBDA_REGION in SSM_FIPS_SUPPORTED_REGIONS:
+ fips_endpoint = f"https://ssm-fips.{LAMBDA_REGION}.amazonaws.com"
+ else:
+ # Log warning if SSM FIPS endpoint is not supported for commercial region
+ if not config.is_gov_region:
+ logger.warning(
+ "FIPS mode is enabled, but '%s' does not support SSM FIPS endpoints. "
+ "Using standard SSM endpoint.",
+ LAMBDA_REGION,
+ )
 ssm_client = _boto3_client("ssm", endpoint_url=fips_endpoint)
 api_key = ssm_client.get_parameter(
 Name=DD_API_KEY_SSM_NAME, WithDecryption=True
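Review bot: The comment `# Log warning if SSM FIPS endpoint is not supported for commercial region` explains only the branch that warns, not the one that stays silent, so the decision a security reviewer will ask about first — FIPS mode on, GovCloud region, standard endpoint used with no log line — is undocumented; a comment such as `# GovCloud: no ssm-fips host is substituted and no warning is raised — TODO confirm the standard GovCloud SSM endpoint satisfies the FIPS requirement` would record that assumption where it is made. Stylistically, an `else:` that wraps a single `if not config.is_gov_region:` can be flattened to `elif not config.is_gov_region:`, which removes one indentation level from the `logger.warning` call. In every fallback case the parameter fetch still proceeds over the standard endpoint, i.e. the FIPS control fails open with at most a warning rather than failing closed; if that is the intended behaviour the comment should say so. `get_api_key` begins before this hunk and continues after it.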