Signing AWS API Requests

API requests sent to AWS should include a digital signature that contains information about the requestor's identity. AWS verifies this identity for all API requests. This process is known as signing API requests. For API requests generated through AWS tools, such as the AWS SDKs and the AWS Command Line Interface, the digital signature is included for you. For API requests that you create manually, however, you have to include this digital signature yourself.

In other words, you need to sign your HTTP requests when you create them. You need to do this if you are writing code in a programming language that does not have an AWS SDK. Furthermore, if you need to control what is sent along with an API request, you can choose to sign requests yourself.

A digital signature includes your AWS access keys, that is, your secret access key and access key ID, along with API information. An API request should reach AWS within 15 minutes of the timestamp stored in the request; otherwise, AWS rejects it.

Certain anonymous API requests do not include digital signatures with identity information, such as anonymous requests to S3 or to API operations in the Security Token Service (STS).

Requests are signed to secure your communication with AWS in the following ways:

  • Verifying the requestor's identity
  • Protecting the data in transit
  • Protecting against potential replay attacks

AWS recommends Signature Version 4, which uses the HMAC-SHA256 protocol, for signing all your requests. AWS supports Signature Version 4 and Signature Version 2.

You sign a request by calculating a hash (digest) of the request. Then you calculate another hash, known as the signature, by using the previous hash value, information from the request, and your access key. This signature is then added to the request, either in the HTTP Authorization header or as a query string value.
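The signing steps described above, as an added Python example (not code from the book or from AWS). It follows the Signature Version 4 layout, assumes the path and query string are already in canonical (URI-encoded, sorted) form, and uses a constructed request with placeholder credentials. The verify function is a hypothetical sketch of the receiving side's check, including the 15-minute timestamp window.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

ALGO = "AWS4-HMAC-SHA256"
MAX_SKEW = timedelta(minutes=15)  # acceptance window stated in the text
# Constructed sample request with placeholder credentials (not real keys).
ACCESS_KEY_ID, SECRET = "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REQ = dict(method="GET", path="/", query="", body=b"", region="us-east-1",
           service="service", amz_date="20150830T123600Z",
           headers={"Host": "example.amazonaws.com", "X-Amz-Date": "20150830T123600Z"})

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(secret, method, path, query, headers, body, amz_date, region, service):
    """Return (signature_hex, signed_header_names) for one request."""
    # Step 1: hash the request in canonical form (method, path, query, headers, payload hash).
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lower)
    canon_headers = "".join(f"{n}:{lower[n]}\n" for n in names)
    signed = ";".join(names)
    canonical = "\n".join([method, path, query, canon_headers, signed, hashlib.sha256(body).hexdigest()])
    request_hash = hashlib.sha256(canonical.encode()).hexdigest()
    # Step 2: combine that hash with request information into the string to sign.
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join([ALGO, amz_date, scope, request_hash])
    # Step 3: derive a scoped signing key from the secret access key and sign.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest(), signed

def authorization_header(access_key_id, signature, signed, amz_date, region, service):
    cred = f"{access_key_id}/{amz_date[:8]}/{region}/{service}/aws4_request"
    return f"{ALGO} Credential={cred}, SignedHeaders={signed}, Signature={signature}"

def verify(secret, claimed_sig, now, **req):
    """Receiving side (hypothetical): reject stale timestamps, then recompute and compare."""
    sent = datetime.strptime(req["amz_date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - sent) > MAX_SKEW:
        return False  # outside the 15-minute window: treated as a replay
    expected, _ = sign(secret, **req)
    return hmac.compare_digest(expected, claimed_sig)  # constant-time comparison

if __name__ == "__main__":
    sig, signed = sign(SECRET, **REQ)
    print(authorization_header(ACCESS_KEY_ID, sig, signed, REQ["amz_date"], REQ["region"], REQ["service"]))
```

Changing any signed part of the request (path, headers, body) or presenting it more than 15 minutes from its timestamp makes verify return False, which is how the signature provides both integrity and replay protection.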
