Why Query Requests Are Signed

Query requests travel over the Internet using either HTTP or HTTPS, and are vulnerable to being intercepted and altered in transit. To prevent this and ensure that the incoming request is both from a valid AWS account and unaltered, AWS requires all requests to be signed.

To sign a Query request, you calculate a digital signature using a cryptographic hash function over the text of the request and your AWS secret key. A cryptographic hash is a one-way function that returns unique results based on the input.

When Amazon Elastic MapReduce (Amazon EMR) receives the request, it re-calculates the signature using the request text and the secret key that matches the AWS access key in the request. If the two signatures match, Amazon EMR knows that the query has not been altered and that the request originated from your account. This is one reason why it is important to safeguard your private key. Any malicious user who obtains it would be able to make AWS calls, and incur charges, on your account.

For additional security, you should transmit your Query requests using Secure Sockets Layer (SSL) by using HTTPS. SSL encrypts the transmission, protecting your Query request from being viewed in transit. For more information about securing your Query requests, see Making Secure Requests to Amazon Web Services.