This Guidance demonstrates how to validate checksums for compliance and audit requirements with an on-demand fixity check process. You can check the integrity of objects stored in any Amazon Simple Storage Service (Amazon S3) storage class using either the MD5 or SHA1 checksum algorithm without having to incur the cost and complexity of third-party software.

Architecture Diagram


Download the architecture diagram PDF 

Well-Architected Pillars

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

  • This Guidance uses AWS CloudFormation templates to prepare and operate. It makes any configuration changes as needed, and all infrastructure can be reprovisioned in the event of a failure. Additionally, it iterates on and implements all feedback and suggestions where possible. By using this Guidance, you can build procedures to support your workloads and their expected behaviors, identify and respond to risks, and adapt accordingly.

    Read the Operational Excellence whitepaper 
  • This Guidance lets you use the RESTful API endpoint to programmatically start a fixity process and start using Management Console and AWS CLI. This Guidance uses AWS Identity and Access Management (IAM) roles and policies and encryption in transit to protect and manage resources and protect data. Step Functions and AWS Lambda functions are granted with the least-privilege permissions.

    Read the Security whitepaper 
  • This Guidance is serverless and multi–Availability Zone by default, can be deployed in any AWS Region, and can scale resources. Serverless services support versioning, so you can manage different versions of your deployed code. Step Functions, Lambda, and Amazon SNS provide a reliable and decoupled architecture for this workflow. Step Functions has built-in fault tolerance and maintains service capacity across multiple Availability Zones in each Region. It protects applications against individual machine or data center failures, providing high availability, and it automatically retries any failed computational runs.

    Read the Reliability whitepaper 
  • This Guidance uses serverless services like API Gateway, Lambda, Step Functions, and Amazon SNS to minimize cost and maintenance and improve performance. By building applications from individual components that each perform a discrete function, you can scale more easily and change applications more quickly. For example, Step Functions helps coordinate the components of distributed applications and microservices using visual workflows, automatically scaling your application’s required operations and underlying compute in response to changing workloads.

    Read the Performance Efficiency whitepaper 
  • This Guidance only uses serverless services, which let you run code without provisioning or managing servers and you only pay for what you use. Lambda functions run on processors configured to balance the speed of processing and the cost. All your data enters a virtual private cloud (VPC), and the cost depends on the data transferred and the Region. Amazon S3 data storage rates depend on your objects’ size, how long you store the objects, and the storage class you choose.

    Read the Cost Optimization whitepaper 
  • This Guidance only uses serverless services, so they scale based on load, and you don’t have to provision or manage any hardware. You can check the integrity of objects stored in any Amazon S3 storage class using the MD5, SHA1, or SHA256 checksum algorithm without the complexity of managing third-party software.

    Read the Sustainability whitepaper 

Implementation Resources

A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.

The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.

[Content Type]


This [blog post/e-book/Guidance/sample code] demonstrates how [insert short description].


The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.

Was this page helpful?