Amazon Web Services
General Reference (Version 1.0)

Changes in Signature Version 4

Signature Version 4 is the current AWS signing protocol. It includes several changes from the previous Signature Version 2:

  • To sign your message, you use a signing key that is derived from your secret access key rather than using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the Signature for AWS Signature Version 4.

  • You derive your signing key from the credential scope, which means that you don't need to include the key itself in the request. Credential scope is represented by a slash-separated string of dimensions in the following order:

    1. Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (for example, 20150830). For more information about handling dates, see Handling Dates in Signature Version 4.

    2. Region information as a lowercase alphanumeric string. Use the region name that is part of the service's endpoint. For services with a globally unique endpoint such as IAM, use us-east-1.

    3. Service name information as a lowercase alphanumeric string (for example, iam). Use the service name that is part of the service's endpoint. For example, the IAM endpoint is, so you use the string iam as part of the Credential parameter.

    4. A special termination string: aws4_request.

  • You use the credential scope in each signing task: