Making requests - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Making requests

Amazon S3 is a REST service. You can send requests to Amazon S3 using the REST API.

Every interaction with Amazon S3 is either authenticated or anonymous. Authentication is a process of verifying the identity of the requester trying to access an Amazon Web Services (Amazon) product. Authenticated requests must include a signature value that authenticates the request sender. The signature value is, in part, generated from the requester's Amazon access keys (access key ID and secret access key). For more information about getting access keys, see How Do I Get Security Credentials? in the Amazon Web Services General Reference.

If you are using the Amazon SDK, the libraries compute the signature from the keys you provide. However, if you make direct REST API calls in your application, you must write the code to compute the signature and add it to the request.

About access keys

The following sections review the types of access keys that you can use to make authenticated requests.

Amazon Web Services account access keys

The account access keys provide full access to the Amazon resources owned by the account. The following are examples of access keys:

  • Access key ID (a 20-character, alphanumeric string). For example: AKIAIOSFODNN7EXAMPLE

  • Secret access key (a 40-character string). For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

The access key ID uniquely identifies an Amazon Web Services account. You can use these access keys to send authenticated requests to Amazon S3.

IAM user access keys

You can create one Amazon Web Services account for your company; however, there may be several employees in the organization who need access to your organization's Amazon resources. Sharing your Amazon Web Services account access keys reduces security, and creating individual Amazon Web Services accounts for each employee might not be practical. Also, you cannot easily share resources such as buckets and objects because they are owned by different accounts. To share resources, you must grant permissions, which is additional work.

In such scenarios, you can use Amazon Identity and Access Management (IAM) to create users under your Amazon Web Services account with their own access keys and attach IAM user policies that grant appropriate resource access permissions to these users. To better manage these users, IAM enables you to create groups of users and grant group-level permissions that apply to all users in that group.

These users, which you create and manage within Amazon, are referred to as IAM users. The parent account controls a user's ability to access Amazon. Any resources an IAM user creates are under the control of and paid for by the parent Amazon Web Services account. These IAM users can send authenticated requests to Amazon S3 using their own security credentials. For more information about creating and managing users under your Amazon Web Services account, go to the Amazon Identity and Access Management product details page.

Temporary security credentials

In addition to creating IAM users with their own access keys, IAM also lets you grant temporary security credentials (temporary access keys and a security token) to any IAM user so that they can access your Amazon services and resources. You can also manage users in your system outside Amazon. These are referred to as federated users. Additionally, users can be applications that you create to access your Amazon resources.

IAM provides the Amazon Security Token Service API for you to request temporary security credentials. You can use either the Amazon STS API or the Amazon SDK to request these credentials. The API returns temporary security credentials (access key ID and secret access key), and a security token. These credentials are valid only for the duration you specify when you request them. You use the access key ID and secret key the same way you use them when sending requests using your Amazon Web Services account or IAM user access keys. In addition, you must include the token in each request you send to Amazon S3.

An IAM user can request these temporary security credentials for their own use or hand them out to federated users or applications. When requesting temporary security credentials for federated users, you must provide a user name and an IAM policy defining the permissions you want to associate with these temporary security credentials. The federated user cannot get more permissions than the parent IAM user who requested the temporary credentials.

You can use these temporary security credentials in making requests to Amazon S3. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon S3 denies the request.

For information on signing requests using temporary security credentials in your REST API requests, see Signing and authenticating REST requests (Amazon signature version 2). For information about sending requests using Amazon SDKs, see Making requests using the Amazon SDKs.
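The following is an added example, not code from the Amazon documentation, showing what "compute the signature and add it to the request" means for the Signature Version 2 scheme referenced above, and why the security token from temporary credentials must accompany every request: it is folded into the signed string as an `x-amz-*` header. The access keys are the EXAMPLE values quoted on this page, the bucket, object key and token are constructed, and a `verify` function shows the server-side check a service performs on receipt.

```python
"""SigV2-style signing of an S3 REST request, plus the verifier's side.

Added example, not AWS code. Credentials are the page's EXAMPLE keys;
the request, bucket and session token are constructed for illustration.
"""
import base64
import hashlib
import hmac

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                      # from the page
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # from the page
KNOWN_SECRETS = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}          # verifier's key store


def canonicalized_amz_headers(headers):
    """Lower-case, trim, sort and join every x-amz-* header (token included)."""
    amz = {k.lower(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-amz-")}
    return "".join(f"{k}:{amz[k]}\n" for k in sorted(amz))


def string_to_sign(method, bucket, key, headers):
    """Assemble the SigV2 StringToSign for a path-style request."""
    amz = canonicalized_amz_headers(headers)
    # When x-amz-date is supplied, the Date slot is left empty per SigV2.
    date = "" if "x-amz-date:" in amz else headers.get("Date", "")
    return "\n".join([method, headers.get("Content-MD5", ""),
                      headers.get("Content-Type", ""), date,
                      amz + f"/{bucket}/{key}"])


def sign(method, bucket, key, headers, access_key_id=ACCESS_KEY_ID,
         secret=SECRET_ACCESS_KEY, session_token=None):
    """Return a copy of headers carrying Authorization (and the STS token)."""
    signed = dict(headers)
    if session_token:  # temporary credentials: token rides on every request
        signed["x-amz-security-token"] = session_token
    mac = hmac.new(secret.encode("utf-8"),
                   string_to_sign(method, bucket, key, signed).encode("utf-8"),
                   hashlib.sha1).digest()
    signed["Authorization"] = f"AWS {access_key_id}:{base64.b64encode(mac).decode()}"
    return signed


def verify(method, bucket, key, headers):
    """Server side: look up the key ID, recompute, compare in constant time."""
    auth = headers.get("Authorization", "")
    key_id = auth.removeprefix("AWS ").split(":", 1)[0]
    secret = KNOWN_SECRETS.get(key_id)
    if secret is None:
        return False
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = sign(method, bucket, key, unsigned, key_id, secret)["Authorization"]
    return hmac.compare_digest(expected, auth)
```

Any change to the method, object key, Date or token after signing invalidates the signature, which is also why a request signed with a now-expired token is rejected rather than silently accepted.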

For more information about IAM support for temporary security credentials, see Temporary Security Credentials in the IAM User Guide.

For added security, you can require multifactor authentication (MFA) when accessing your Amazon S3 resources by configuring a bucket policy. For information, see Example bucket policies: Requiring MFA. After you require MFA to access your Amazon S3 resources, the only way you can access these resources is by providing temporary credentials that are created with an MFA key. For more information, see the Amazon Multi-Factor Authentication detail page and Configuring MFA-Protected API Access in the IAM User Guide.

Request endpoints

You send REST requests to the service's predefined endpoint. For a list of all Amazon services and their corresponding endpoints, go to Regions and Endpoints in the Amazon Web Services General Reference.