Signing Amazon API requests - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Signing Amazon API requests


If you use an Amazon SDK or Amazon command line tool to send API requests to Amazon, these tools sign the requests for you. You need to implement the signing process described in this documentation only if you send Amazon API requests without an Amazon SDK or Amazon command line tool.

When you send API requests to Amazon, you must sign them so that Amazon can identify the sender. Most requests are signed using your Amazon security credentials, which consist of an access key ID and a secret access key. The access key ID identifies you and travels with the request; the secret access key is used only to compute the signature and is never sent.

When an Amazon Web Service receives an authenticated request, it uses the access key ID in the request to look up the matching secret access key, then recomputes the signature from the request contents using that secret. If the recomputed signature matches the signature in the request, the service processes the request. Otherwise, it rejects the request.

Signature Version 4 is the Amazon signing protocol. Amazon also supports an extension, Signature Version 4A, which uses an asymmetric (ECDSA) signature so that a single signed request can be valid across multiple Regions. For more information, see the sigv4a-signing-examples project on GitHub.

When to sign requests

When you write custom code that sends API requests to Amazon, you must include code that signs the requests. You might write custom code because:

  • You are working with a programming language for which there is no Amazon SDK.

  • You need complete control over how requests are sent to Amazon.

Why requests are signed

The signing process helps secure requests in the following ways:

  • Verify the identity of the requester

    Only a requester who holds the secret access key that matches the access key ID in the request can produce a valid signature, so a request with a forged or missing signature is rejected.

  • Protect data in transit

    To detect tampering with a request while it's in transit, the elements you sign (the HTTP method, path, query string, the headers listed in SignedHeaders, and a hash of the payload) are combined into a canonical request. A hash (digest) of that canonical request is included in the string to sign, and the signature is computed over that string with a key derived from your secret access key. When an Amazon Web Service receives the request, it rebuilds the canonical request from the same elements and recomputes the signature. If any signed element was altered in transit, the recomputed signature doesn't match the one in the request and Amazon denies it. Only the elements you include in the signature are protected: a header left out of SignedHeaders can be changed without detection, and signing does not encrypt anything, so use HTTPS for confidentiality.

  • Protect against potential replay attacks

    In most cases, a request must reach Amazon within five minutes of the time stamp in the request. Otherwise, Amazon denies the request. The time stamp is part of the signed data, so it can't be changed to extend the window. This limits rather than eliminates replay: a captured request resent within the window still carries a valid signature, so keep request traffic confidential (HTTPS) and, for operations where a repeated call would be harmful, use any idempotency mechanism the service offers.
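
The following program is an added example, not code from Amazon's documentation or SDKs. It shows both sides of the exchange described in the paragraphs above: the client derives a signing key from the secret access key and signs the request, and a simplified model of the service-side check recomputes the signature from the request, rejects a request whose query string was altered after signing, rejects a request received outside the five-minute window, and rejects an unknown access key ID. The request, credentials and time stamp are the example values published in the Signature Version 4 documentation (the ListUsers call to IAM). The credential store, the receive time and the verify_request function are constructed for this example, and path handling is simplified (the example path is `/`; per-service path encoding rules are omitted).

```python
"""Signature Version 4 from both ends: the client derives a signing key and
signs, the service recomputes and compares. Added example; not Amazon code.
Request, credentials and time stamp are the published AWS SigV4 example values;
verify_request is a simplified model of the service-side check."""
import copy
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

# Published documentation example: GET https://iam.amazonaws.com/?Action=ListUsers
EXAMPLE_REQUEST = {
    "method": "GET", "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {"Host": "iam.amazonaws.com",
                "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                "X-Amz-Date": "20150830T123600Z"},
    "payload": b"",
}
# Constructed credential store holding the documentation's example key pair.
CREDENTIALS = {"AKIDEXAMPLE": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def header(req: dict, name: str):
    """Case-insensitive header lookup (name given in lowercase); None when absent."""
    return next((v for k, v in req["headers"].items() if k.lower() == name), None)


def canonical_request(req: dict, signed_headers: list) -> str:
    """Task 1: query sorted by name and URI-encoded; header names lowercased,
    values trimmed with runs of spaces collapsed; payload hashed (empty body
    hashes to e3b0c442...). Path is used as-is; per-service encoding omitted."""
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(req["query"].items()))
    headers = "".join(f"{h}:{' '.join(header(req, h).split())}\n" for h in signed_headers)
    return "\n".join([req["method"], req["path"], query, headers,
                      ";".join(signed_headers), sha256_hex(req["payload"])])


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Task 3: key scoped to one day, Region and service. The secret access key
    is only ever an HMAC key here and never appears in the request."""
    key = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    return key


def compute_signature(req, secret, date, region, service, signed_headers) -> str:
    """Tasks 2 and 4: string to sign = algorithm, time stamp, credential scope and
    hash of the canonical request; signature = HMAC over it with the derived key."""
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, header(req, "x-amz-date"), scope,
                                sha256_hex(canonical_request(req, signed_headers).encode())])
    return hmac.new(signing_key(secret, date, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(req, access_key, secret, region, service) -> dict:
    """Client side: sign every header present and attach the Authorization header."""
    signed = copy.deepcopy(req)
    signed_headers = sorted(k.lower() for k in req["headers"] if k.lower() != "authorization")
    date = header(req, "x-amz-date")[:8]
    signature = compute_signature(signed, secret, date, region, service, signed_headers)
    signed["headers"]["Authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{date}/{region}/{service}/aws4_request, "
        f"SignedHeaders={';'.join(signed_headers)}, Signature={signature}")
    return signed


def verify_request(req, lookup_secret, now, window=timedelta(minutes=5)):
    """Constructed model of the service check: parse Authorization, enforce the
    time-stamp window, look up the secret by key ID, recompute, compare in constant time."""
    auth = header(req, "authorization")
    if not auth or not auth.startswith(ALGORITHM + " "):
        return False, "missing or unsupported Authorization header"
    # "Credential=..., SignedHeaders=..., Signature=..." -> {name: value}
    fields = dict(p.strip().partition("=")[::2] for p in auth[len(ALGORITHM):].split(","))
    scope = fields.get("Credential", "").split("/")      # key/date/region/service/aws4_request
    signed_headers = fields.get("SignedHeaders", "").split(";")
    amz_date = header(req, "x-amz-date")
    if (len(scope) != 5 or scope[4] != "aws4_request"
            or not amz_date or not amz_date.startswith(scope[1])):
        return False, "malformed credential scope"
    if any(header(req, h) is None for h in signed_headers) \
            or not {"host", "x-amz-date"} <= set(signed_headers):
        return False, "required signed header missing"
    try:
        stamp = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed time stamp"
    if abs(now - stamp) > window:  # the page's five-minute replay window
        return False, "request time stamp outside the allowed window"
    secret = lookup_secret(scope[0])
    if secret is None:
        return False, "unknown access key ID"
    expected = compute_signature(req, secret, scope[1], scope[2], scope[3], signed_headers)
    if not hmac.compare_digest(expected, fields.get("Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Honest request verifies; a query altered after signing, a replay outside
    the window and an unknown key ID are each rejected with a reason."""
    signed = sign_request(EXAMPLE_REQUEST, "AKIDEXAMPLE", CREDENTIALS["AKIDEXAMPLE"],
                          "us-east-1", "iam")
    now = datetime(2015, 8, 30, 12, 37, tzinfo=timezone.utc)  # constructed receive time
    tampered = copy.deepcopy(signed)
    tampered["query"]["Action"] = "DeleteUser"  # altered in transit, signature unchanged
    return {
        "signature": signed["headers"]["Authorization"].rsplit("=", 1)[1],
        "honest": verify_request(signed, CREDENTIALS.get, now),
        "tampered": verify_request(tampered, CREDENTIALS.get, now),
        "replayed_late": verify_request(signed, CREDENTIALS.get, now + timedelta(minutes=10)),
        "unknown_key": verify_request(signed, {}.get, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print each outcome. The model makes explicit what the prose leaves implicit: only headers listed in SignedHeaders are covered by the signature, the time stamp is itself inside the signed data, the raw secret access key is used only as an HMAC key and never transmitted, and the comparison uses hmac.compare_digest so a forged signature cannot be confirmed byte by byte through timing differences.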