Authenticating requests - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authenticating requests

If you use a language that Amazon provides an SDK for, we recommend that you use the SDK. All the Amazon SDKs greatly simplify the process of signing requests and save you a significant amount of time when compared with using the Amazon WAF or Shield Advanced API. In addition, the SDKs integrate easily with your development environment and provide easy access to related commands.

Amazon WAF and Shield Advanced require that you authenticate every request that you send by signing the request. To sign a request, you calculate a digital signature using a cryptographic hash function, which returns a hash value based on the input. The input includes the text of your request and your secret access key. The hash function returns a hash value that you include in the request as your signature. The signature is part of the Authorization header of your request.

After receiving your request, Amazon WAF or Shield Advanced recalculates the signature using the same hash function and input that you used to sign the request. If the resulting signature matches the signature in the request, Amazon WAF or Shield Advanced processes the request. If not, the request is rejected.

Amazon WAF and Shield Advanced supports authentication using Amazon Signature Version 4. The process for calculating a signature can be broken into three tasks:

Task 1: Create a Canonical Request

Create your HTTP request in canonical format as described in Task 1: Create a Canonical Request For Signature Version 4 in the Amazon Web Services General Reference.

Task 2: Create a String to Sign

Create a string that you will use as one of the input values to your cryptographic hash function. The string, called the string to sign, is a concatenation of the following values:

  • Name of the hash algorithm

  • Request date

  • Credential scope string

  • Canonicalized request from the previous task

The credential scope string itself is a concatenation of date, region, and service information.

For the X-Amz-Credential parameter, specify the following:

  • The code for the endpoint to which you're sending the request, us-east-2

  • waf for the service abbreviation

For example:


Task 3: Create a Signature

Create a signature for your request by using a cryptographic hash function that accepts two input strings:

  • Your string to sign, from Task 2.

  • A derived key. The derived key is calculated by starting with your secret access key and using the credential scope string to create a series of hash-based message authentication codes (HMACs).