Amazon Simple Storage Service
API Reference (API Version 2006-03-01)

Amazon S3 Signature Version 4 Authentication Specific Policy Keys

The following table shows the policy keys related to Amazon S3 Signature Version 4 authentication that can be used in Amazon S3 policies. In a bucket policy, you can add these conditions to enforce specific behavior when requests are authenticated by using Signature Version 4. For example policies, see Bucket Policy Examples Using Signature Version 4 Related Condition Keys.

Applicable Keys for s3:* Actions or any of the Amazon S3 Actions

Applicable Key / Description

s3:signatureversion

Identifies the version of AWS Signature that you want to support for authenticated requests. For authenticated requests, Amazon S3 supports both Signature Version 4 and Signature Version 2. You can add this condition in your bucket policy to require a specific signature version.

Valid values:

"AWS" identifies Signature Version 2

"AWS4-HMAC-SHA256" identifies Signature Version 4

s3:authType

Amazon S3 supports various methods of authentication (see Authenticating Requests (AWS Signature Version 4)). You can optionally use this condition key to restrict incoming requests to a specific authentication method. For example, you can allow only the HTTP Authorization header to be used in request authentication.

Valid values:

REST-HEADER

REST-QUERY-STRING

POST

s3:signatureAge

The length of time, in milliseconds, that a signature is valid in an authenticated request.

In Signature Version 4, the signing key is valid for up to seven days (see Introduction to Signing Requests). Therefore, the signatures are also valid for up to seven days. You can use this condition to further limit the signature age.

Example value: 100

s3:x-amz-content-sha256

You can use this condition key to disallow unsigned content in your bucket.

When you use Signature Version 4, for requests that use the Authorization header, you include the x-amz-content-sha256 header in the signature calculation and set its value to the hash of the payload.

You can use this condition key in your bucket policy to deny any uploads where payloads are not signed; see the final example under Bucket Policy Examples Using Signature Version 4 Related Condition Keys.

Valid value: UNSIGNED-PAYLOAD

Bucket Policy Examples Using Signature Version 4 Related Condition Keys

The following bucket policy denies any Amazon S3 action on objects in examplebucket to anyone if the request is authenticated using Signature Version 4.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Test",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringEquals": {
          "s3:signatureversion": "AWS4-HMAC-SHA256"
        }
      }
    }
  ]
}

The following bucket policy denies any Amazon S3 action on objects in examplebucket if the signature is more than ten minutes old.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny request if signature is more than 10 min old",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket3/*",
      "Condition": {
        "NumericGreaterThan": {
          "s3:signatureAge": 600000
        }
      }
    }
  ]
}

The following bucket policy allows only requests that use the Authorization header (s3:authType of REST-HEADER) for request authentication. Any POST or presigned URL (query-string) requests are denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow only requests that use Authorization header for request authentication. Deny POST or presigned URL requests.",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket3/*",
      "Condition": {
        "StringNotEquals": {
          "s3:authType": "REST-HEADER"
        }
      }
    }
  ]
}

The following bucket policy denies any uploads whose payload is unsigned (x-amz-content-sha256 set to UNSIGNED-PAYLOAD), which includes uploads that use presigned URLs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny uploads with unsigned payloads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket3/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"
        }
      }
    }
  ]
}
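The condition keys in the table above and the four Deny statements in this section, as an added Python model that is not AWS code and not the IAM policy engine: it builds a request context from constructed values, derives s3:signatureAge from the request's X-Amz-Date, computes the signed x-amz-content-sha256 value for a payload, and evaluates each statement's Condition block. The statement names (deny_sigv4 and so on), the helper functions and all request values and timestamps are this example's own assumptions. It also shows the edge case that matters for Deny statements built on negated operators: a key absent from the request context satisfies StringNotEquals, so such a Deny also blocks requests that carry no value for the key at all.

```python
"""Simplified model of the SigV4-related condition keys on this page.
Constructed example: it models a subset of IAM condition operators and is
NOT the AWS policy engine or any AWS library."""
import hashlib
from datetime import datetime, timezone

# The Condition blocks of the four Deny statements in this section,
# keyed by names chosen for this example (not the statements' Sids).
DENY_CONDITIONS = {
    "deny_sigv4": {"StringEquals": {"s3:signatureversion": "AWS4-HMAC-SHA256"}},
    "deny_old_signature": {"NumericGreaterThan": {"s3:signatureAge": 600000}},
    "deny_non_header_auth": {"StringNotEquals": {"s3:authType": "REST-HEADER"}},
    "deny_unsigned_payload": {"StringEquals": {"s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD"}},
}


def _match(operator, key, expected, context):
    """Evaluate one operator/key pair. A key missing from the request
    context fails positive operators and satisfies negated ones, which is
    why a Deny on StringNotEquals also denies requests that lack the key."""
    present = key in context
    value = context.get(key)
    if operator == "StringEquals":
        return present and value == expected
    if operator == "StringNotEquals":
        return (not present) or value != expected
    if operator == "NumericGreaterThan":
        return present and float(value) > float(expected)
    raise ValueError(f"unsupported operator: {operator}")


def condition_matches(condition, context):
    """Every operator/key pair in a Condition block must match (logical AND)."""
    return all(_match(op, key, expected, context)
               for op, pairs in condition.items()
               for key, expected in pairs.items())


def denied_by(context):
    """Names of the Deny statements whose Condition matches this request."""
    return [name for name, cond in DENY_CONDITIONS.items()
            if condition_matches(cond, context)]


def _parse_amz_date(value):
    """Parse an X-Amz-Date value in ISO 8601 basic format, e.g. 20240101T115900Z."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def signature_age_ms(x_amz_date, now):
    """Signature age in milliseconds, the unit s3:signatureAge is compared in."""
    return int((_parse_amz_date(now) - _parse_amz_date(x_amz_date)).total_seconds() * 1000)


def content_sha256_header(payload):
    """x-amz-content-sha256 for a signed payload: hex SHA-256 of the body.
    Presigned and other unsigned-payload requests send UNSIGNED-PAYLOAD instead."""
    return hashlib.sha256(payload).hexdigest()


def request_context(sig_version, auth_type, x_amz_date, now, content_sha256=None):
    """Condition-key view of one request (constructed values, not a real request)."""
    ctx = {
        "s3:signatureversion": sig_version,
        "s3:authType": auth_type,
        "s3:signatureAge": signature_age_ms(x_amz_date, now),
    }
    if content_sha256 is not None:  # absent when the request sends no such header
        ctx["s3:x-amz-content-sha256"] = content_sha256
    return ctx


if __name__ == "__main__":
    now = "20240101T120000Z"  # constructed evaluation time
    samples = {
        # SigV4 PUT with Authorization header, 1 minute old, signed payload
        "header_put": request_context("AWS4-HMAC-SHA256", "REST-HEADER", "20240101T115900Z", now,
                                      content_sha256=content_sha256_header(b"hello world")),
        # SigV4 presigned URL, 15 minutes old, unsigned payload
        "presigned": request_context("AWS4-HMAC-SHA256", "REST-QUERY-STRING", "20240101T114500Z", now,
                                     content_sha256="UNSIGNED-PAYLOAD"),
        # SigV2 request with Authorization header, 1 second old, no content hash header
        "sigv2_header": request_context("AWS", "REST-HEADER", "20240101T115959Z", now),
    }
    for name, ctx in samples.items():
        print(f"{name}: denied by {denied_by(ctx)}")
```

Running the block prints which of the page's statements would deny each constructed request: the presigned request trips all four, and the SigV2 request trips none, because every key in its context either holds a non-matching value or (for x-amz-content-sha256) is absent, and a missing key never satisfies StringEquals.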