Making Secure Requests to Amazon Web Services

Communication on the Internet is susceptible to eavesdropping and malicious tampering. Amazon Web Services recommends you take action to protect the API requests you send.

Submitted By: Craig@AWS
AWS Products Used: Amazon SQS, Amazon S3, Amazon FPS, Amazon EC2, Amazon SimpleDB, Amazon DevPay
Created On: December 11, 2008

This article outlines recommendations for making secure requests to Amazon Web Services and includes the following topics:

SSL: Your Best Protection

The best thing you can do to secure your requests is to use SSL (Secure Sockets Layer, e.g., HTTPS). SSL is a protocol for securing communication across the Internet. AWS uses a typical implementation that provides both confidentiality and integrity (through server authentication and encryption). This means:

  • You as the client can be sure you're talking to AWS
  • Your communication with AWS is encrypted, so others can't intercept it
  • You have verification that the message received is the same as the message sent

Although SSL enhances the security of your communication, the additional negotiation time required for the SSL client/server handshake can increase latency. Also, to use SSL, you need to use a programming language/library that supports it.

Support for SSL

Most AWS services accept HTTPS requests, including:

  • Amazon Associates Web Service
  • Amazon CloudFront (HTTPS is required for the control API; currently only HTTP is accepted for the request API)
  • Amazon DevPay (HTTPS is required for the License Service)
  • Amazon Elastic Compute Cloud
  • Amazon Flexible Payments Service (HTTPS is required)
  • Amazon Fulfillment Web Service (HTTPS is required)
  • Amazon Mechanical Turk
  • Amazon SimpleDB
  • Amazon Simple Queue Service
  • Amazon Simple Storage Service

HTTPS is recommended for the highest level of security for both SOAP and REST/Query requests. Using SOAP over HTTPS is required, so you should make sure the client or SOAP toolkit you're using is configured to use SSL. SOAP requests over HTTP are deprecated and will no longer be accepted after September 2009. The service WSDLs will continue to support both HTTP and HTTPS until September 2009, after which they will support only HTTPS.

The AWS libraries in the following table support the use of HTTPS by default with your requests. Note the table only covers AWS services that don't automatically require HTTPS for REST/Query requests.

AWS Libraries
Amazon EC2 Amazon SimpleDB Amazon SQS
Java
C#
VB.NET
Perl
PHP 		Java
C#
VB.NET
Perl
PHP 		Java
C#
VB.NET
Perl
PHP

If you're using Ruby or Python, these third-party libraries use HTTPS by default:

Securing HTTP Requests

We strongly recommend you use SSL for your authenticated requests to AWS. If you decide not to use SSL, you have different options for securing your requests depending on the AWS service. These options are described here.

Signature Version 2

If you're using one of the following services, you must use signature version 2 for your REST/Query requests:

  • Amazon Elastic Compute Cloud
  • Amazon SimpleDB
  • Amazon Simple Queue Service
The version refers to the particular algorithm for signing the request. These AWS services have deprecated the older, less-secure methods (signature versions 0 and 1) and will no longer allow them after September 2009.

If you're familiar with signature version 1, these are the main differences with signature version 2:

  • You form the string to sign in a different way (see the list that follows)
  • You can use HMAC-SHA256 when you sign the request (we prefer HMAC-SHA256, but we still support HMAC-SHA1)
  • You must set the SignatureMethod request parameter to either HmacSHA256 or HmacSHA1 to indicate which signing method you're using
  • You must set the SignatureVersion request parameter to 2

Here is what's different about forming the string to sign for signature version 2:

  • You include additional components of the request in the string to sign
  • You include the query string control parameters (the equals signs and ampersands) in the string to sign
  • You sort the query string parameters using byte ordering
  • You URL encode the query string parameters and their values before signing the request

For instructions on signing REST/Query requests using signature version 2, see the technical documentation for your service.

All of the AWS libraries for Amazon EC2, Amazon SimpleDB, and Amazon SQS (listed earlier in this article) use signature version 2 to sign the requests.

Replay Attacks

Replay attacks are an attack vector whereby a malicious user fraudulently repeats a request that has already been made, and/or delays the original request's delivery. The best mechanism for defense against a replay attack is to ensure all your requests are made over an SSL connection. If you cannot use SSL, then the mechanism available to you for prevention of replay attacks is the Expires parameter in signature version 2. This requires your client to be synchronized to atomic time (using NTP, or a similar synchronization protocol). If you do not use the Expires parameter, and rely only on the timestamp parameter, your requests are subject to a request expiration period, which varies by service, but can be as long as 15 minutes.

Securing Requests for Other Services

A few AWS services don't support signature version 2:

  • Amazon Simple Storage Service: You can still use HTTP with Amazon S3 and securely make authenticated requests. The service uses a different secure signing protocol.
  • Amazon Mechanical Turk: We recommend you use SSL with Amazon Mechanical Turk, because it provides the highest level of security available.

Using HTTP with the AWS Libraries

The AWS libraries in the preceding table also support signature version 2. The AWS libraries use HTTPS by default, but you can configure them to use HTTP for testing purposes or to avoid the added latency of HTTPS.

To configure one of the AWS libraries to use HTTP

  1. Locate the configuration file in the library's package.

    The following list shows the location of the configuration file in the AWS Amazon EC2 libraries. The files for the AWS Amazon SimpleDB and AWS Amazon SQS libraries have similar locations.

    • Java: /src/com/amazonaws/ec2/AmazonEC2Config.java
    • C#: \src\Amazon.EC2\Amazon.EC2\AmazonEC2Config.cs
    • VB.NET: \src\Amazon.EC2\Amazon.EC2\AmazonEC2Config.vb
    • Perl: /src/Amazon/EC2/client.pm
    • PHP: /src/Amazon/EC2/Client.php
  2. Open the file in a text editor and locate the line that sets the service URL (for Amazon EC2, the URL is https://ec2.amazonaws.com).
  3. Change the service URL to use http (for Amazon EC2, change it to https://ec2.amazonaws.com).
  4. Save the file.
  5. Rebuild/recompile as needed for your programming language.

The library now uses HTTP for the AWS requests.

Contacting AWS about Security Issues

If you have questions related to request security, please use the regular support channels to contact us: