Security

How AWS Signature Version 4 (SigV4) Works - The Cryptographic Mechanics of API Authentication

A cryptographic deep dive into the 4-step SigV4 signing process (canonical request creation, string-to-sign construction, signing key derivation, signature calculation) used for AWS API authentication, plus an overview of SigV4A and presigned URLs.

約 6 分で読めます

Why Signing Is Necessary

Requests to AWS APIs require authentication information proving that the sender is a legitimate AWS user. The simplest authentication method would be to include the access key and secret key directly in the request, but this is dangerous - if the request is intercepted, the secret key is exposed. SigV4 is a signing scheme that authenticates without including the secret key in the request. It uses the secret key to compute a signature (HMAC-SHA256 hash) from the request contents and includes that signature in the request. AWS performs the same calculation with the same secret key, and if the signatures match, authentication succeeds. The secret key itself never travels over the network. Furthermore, since the SigV4 signature is calculated from the request contents (HTTP method, URL, headers, body), any tampering with the request causes the signature to mismatch. This guarantees both authentication and integrity.

The 4-Step Signing Process

The SigV4 signing process consists of 4 steps. Step 1 is creating the Canonical Request. You construct a string by concatenating the HTTP method, URL path, query string, headers, and body hash in a specific format. Headers are sorted alphabetically by key, with leading and trailing whitespace removed from values. This canonicalization ensures that the same request always produces the same canonical request. Step 2 is constructing the String to Sign. You concatenate the algorithm name (AWS4-HMAC-SHA256), timestamp, credential scope (date/region/service/aws4_request), and the SHA-256 hash of the canonical request. Step 3 is deriving the Signing Key. Starting from the secret key, you generate the signing key by sequentially applying HMAC-SHA256 with the date, region, and service name. Step 4 is computing the Signature. You calculate the HMAC-SHA256 of the string to sign using the signing key and convert it to a hexadecimal string. This signature is included in the Authorization header when sending the request.

Signing Key Derivation - Why Multi-Stage HMAC?

The signing key derivation involves 4 stages of HMAC-SHA256 from the secret key: kDate = HMAC(AWS4 + SecretKey, Date), kRegion = HMAC(kDate, Region), kService = HMAC(kRegion, Service), kSigning = HMAC(kService, aws4_request). This multi-stage derivation serves two purposes. First, it limits the scope of the signature. Since the signing key is tied to a specific date, region, and service, a signing key for S3 in the Tokyo region on a given day cannot be used for a different day, region, or service. Even if a signing key is leaked, the damage is contained. Second, it enables signing key caching. For requests to the same service in the same region on the same day, the signing key is identical. SDKs cache the signing key and reuse it until the date changes, eliminating the need to derive it from the secret key every time and improving performance. The timestamp included in the signature must be within 5 minutes of the AWS server time, or the request is rejected. This prevents replay attacks using old signatures.

Presigned URLs - Embedding Signatures in URLs

S3 presigned URLs are URLs with SigV4 signatures embedded in the query string. Anyone with this URL can access S3 objects without AWS credentials. Presigned URLs have an expiration period of up to 7 days (for IAM user access keys) or up to 12 hours (for STS temporary credentials). The presigned URL query string includes X-Amz-Algorithm (signing algorithm), X-Amz-Credential (access key ID and credential scope), X-Amz-Date (timestamp), X-Amz-Expires (expiration in seconds), X-Amz-SignedHeaders (headers included in the signature), and X-Amz-Signature (the signature). An important characteristic of presigned URLs is that they are evaluated based on permissions at the time the URL is used, not at the time it was generated. If the access key is invalidated or IAM policies are changed after URL generation, the URL becomes unusable.

SigV4A - A New Signing Scheme for Multi-Region Support

Since SigV4 signing keys are tied to a specific region, a single signature cannot be used to send requests to multiple regions. For cases like S3 Multi-Region Access Points where requests may be routed to multiple regions, SigV4 cannot handle this. SigV4A (Signature Version 4A) is an extension introduced to solve this limitation. SigV4A uses ECDSA (Elliptic Curve Digital Signature Algorithm) instead of HMAC-SHA256. Since ECDSA is asymmetric cryptography, the signing key derivation does not need to include a region. A single signature can be used to send requests to multiple regions. SigV4A is currently used with S3 Multi-Region Access Points and EventBridge global endpoints. SDKs automatically switch between SigV4 and SigV4A based on the target service and endpoint, so developers rarely need to be aware of the signing scheme. To systematically learn about AWS API authentication, specialized books (Amazon) are a helpful reference.

Related Services

AWS IAMAn authentication and authorization service for securely managing access to AWS resources

Related Articles

Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.How AWS API Throttling Works - The Token Bucket Algorithm and the Truth Behind 429 ErrorsLearn how AWS API rate limiting is implemented using the token bucket algorithm, understand the concept of burst capacity, explore differences in throttling limits across services, and discover practical strategies to avoid throttling.IAM Policy Evaluation Logic Explained - How Implicit Deny Loses to Explicit AllowA step-by-step explanation of how IAM evaluates requests to allow or deny them, covering the priority of implicit deny, explicit allow, and explicit deny, as well as intersection logic for SCPs, permission boundaries, and session policies.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container ImagesApply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.AWS SignerA service that signs and verifies code to ensure only trusted code is deployedAWS Secrets Manager Multi-Region Strategy - Replication and Cross-Account SharingLearn how to achieve disaster recovery with multi-region replication and build centralized management from a security account using cross-account access.AWS KMSA fully managed key management service for centrally creating, managing, and rotating encryption keys, integrated with over 100 AWS services