Tags: amazon-web-services, amazon-ec2, fips

Can I use on-demand EC2 instances for FIPS 140-2 compliance, or do I need to use dedicated hosts?


I'm using AWS and I need to comply with FIPS 140-2 Level 3, which requires hardware isolation. Is that for the encryption module only?

Can I replace our dedicated hosts with regular on-demand EC2 instances?


Solution

  • TLDR: you can use on-demand EC2 instances as long as you use the FIPS endpoints


    Is that for the encryption module only?

    To speak strictly—and you need to when being vetted against government standards—no, FIPS applies to more than just encryption.

    As defined by NIST, FIPS 140-X are essentially a series of U.S. government computer security standards that define security requirements for cryptographic modules, tested by independent labs and ultimately reviewed by the CMVP. Currently, there are three versions defined, each with four 'security levels', e.g., FIPS 140-2 Level 3.

    The key here is that the standard is not specific to just encryption.

    It covers all cryptography modules (e.g., including SSL decryption, etc.).


    Can I replace our dedicated hosts with regular on-demand EC2 instances?

    Yes, you can use regular EC2s as long as you use the FIPS endpoints specified for the EC2 service.

    These are limited to the below regions and endpoints (which shouldn't be an issue):

    1. AWS US East/West: ec2-fips.us-east-1.amazonaws.com, ec2-fips.us-east-2.amazonaws.com, ec2-fips.us-west-1.amazonaws.com, ec2-fips.us-west-2.amazonaws.com
    2. AWS GovCloud (US): ec2.us-gov-east-1.amazonaws.com, ec2.us-gov-west-1.amazonaws.com
    3. AWS Canada (Central): ec2-fips.ca-central-1.amazonaws.com

    When you use a FIPS endpoint, you are given two guarantees:

    1. All data in transit is encrypted using cryptographic standards that comply with FIPS 140-2
    2. TLS software libraries are used that comply with FIPS 140-2

    All in all, FIPS 140-2 does not dictate dedicated hardware to be used for your applications, so you are free to use regular EC2 instances. However, you do need to be mindful to use FIPS-validated endpoints to stay within the standards framework.


    Note: regarding Elastic Load Balancers, please do note that ELB SSL is not FIPS 140-2 compliant by default.

    You will either need to contact your AWS support / TAM for a FIPS 140-2 compliant ALB, or terminate SSL on a server that you have ensured FIPS compliance of.
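As an added example that is not part of the answer above: the practical risk with the "just use the FIPS endpoints" advice is a client that silently falls back to the standard `ec2.<region>.amazonaws.com` hostname. The Python below (example code, not AWS's) takes the endpoint list from the answer, resolves a region to its FIPS endpoint, refuses regions that have none, and provides a check that deployment tooling can run over a configured endpoint URL. `make_fips_ec2_client` additionally shows the SDK-side setting, botocore's `use_fips_endpoint` config option; that boto3/botocore are installed and recent enough to support the option is an assumption.

```python
"""Resolve and enforce FIPS endpoints for the EC2 API.

Added example. The endpoint table is taken from the answer above; the
boto3/botocore usage assumes an SDK version that supports `use_fips_endpoint`.
"""
from urllib.parse import urlparse

# EC2 FIPS endpoints by region, as listed in the answer. The GovCloud regions
# have no separate "-fips" hostname because their standard endpoint is already
# the FIPS one.
EC2_FIPS_ENDPOINTS = {
    "us-east-1": "ec2-fips.us-east-1.amazonaws.com",
    "us-east-2": "ec2-fips.us-east-2.amazonaws.com",
    "us-west-1": "ec2-fips.us-west-1.amazonaws.com",
    "us-west-2": "ec2-fips.us-west-2.amazonaws.com",
    "us-gov-east-1": "ec2.us-gov-east-1.amazonaws.com",
    "us-gov-west-1": "ec2.us-gov-west-1.amazonaws.com",
    "ca-central-1": "ec2-fips.ca-central-1.amazonaws.com",
}


def fips_endpoint_url(region: str) -> str:
    """Return the HTTPS FIPS endpoint URL for EC2 in `region`.

    Raises ValueError for a region without a FIPS endpoint, so a deployment
    cannot quietly fall back to a non-FIPS hostname.
    """
    try:
        host = EC2_FIPS_ENDPOINTS[region]
    except KeyError:
        raise ValueError(f"no EC2 FIPS endpoint for region {region!r}") from None
    return f"https://{host}"


def is_fips_endpoint_url(url: str) -> bool:
    """Check that a configured EC2 endpoint URL is HTTPS and on the FIPS list.

    A plain http:// URL or the standard ec2.<region>.amazonaws.com hostname
    fails the check; use it as a guard in CI or deployment tooling.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in EC2_FIPS_ENDPOINTS.values()


def make_fips_ec2_client(region: str):
    """Build a boto3 EC2 client pinned to the region's FIPS endpoint.

    Imports boto3 lazily so the rest of the module works without it installed.
    """
    import boto3
    from botocore.config import Config

    # use_fips_endpoint asks botocore to select the FIPS hostname itself;
    # endpoint_url pins it explicitly so the two settings cannot disagree.
    return boto3.client(
        "ec2",
        region_name=region,
        endpoint_url=fips_endpoint_url(region),
        config=Config(use_fips_endpoint=True),
    )


if __name__ == "__main__":
    # Constructed sample: two regions with FIPS endpoints and one without.
    for region in ("us-east-1", "us-gov-west-1", "eu-west-1"):
        try:
            print(region, "->", fips_endpoint_url(region))
        except ValueError as exc:
            print(region, "->", exc)
```

The same effect can be had for every AWS SDK and the CLI by setting the environment variable `AWS_USE_FIPS_ENDPOINT=true`, but the explicit table plus `is_fips_endpoint_url` check gives you something auditable: a reviewer can see which hostnames are acceptable, and a misconfigured `endpoint_url` fails before any request is sent.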