Amazon S3 Signature Version 4 Authentication Specific Policy Keys
The following table shows the policy keys related Amazon S3 Signature Version 4 authentication that can be in Amazon S3 policies. In a bucket policy, you can add these conditions to enforce specific behavior when requests are authenticated by using Signature Version 4. For example policies, see Bucket Policy Examples Using Signature Version 4 Related Condition Keys.
| Applicable Keys | Description |
|---|---|
|
Identifies the version of AWS Signature that you want to support for authenticated requests. For authenticated requests, Amazon S3 supports both Signature Version 4 and Signature Version 2. You can add this condition in your bucket policy to require a specific signature version. Valid values:
|
|
Amazon S3 supports various methods of authentication (see Authenticating Requests (AWS Signature Version
4). You can
optionally use this condition key to restrict incoming requests to
use a specific authentication method. For example, you can allow
only the HTTP Valid values:
|
|
The length of time, in milliseconds, that a signature is valid in an authenticated request. This condition works for:
In Signature Version 2, this value is always set to 0. In Signature Version 4, the signing key is valid for up to seven days. Therefore, the signatures are also valid for up to seven days. You can use this condition to further limit the signature age. For more information, see Introduction to Signing Requests. Example value: |
|
You can use this condition key to disallow unsigned content in your bucket. When you use Signature Version 4, for requests that use the You can use this condition key in your bucket policy to deny any uploads where payloads are not signed. For example:
Valid value: |
Bucket Policy Examples Using Signature Version 4 Related Condition Keys
The following bucket policy denies any Amazon S3 presigned URL request on objects in
examplebucket if the signature is more than ten minutes old.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Deny a presigned URL request if the signature is more than 10 min old", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket3/*", "Condition": { "NumericGreaterThan": { "s3:signatureAge": 600000 } } } ] }
The following bucket policy allows only requests that use the Authorization header
for request authentication. Any POST or presigned URL requests will be
denied.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow only requests that use Authorization header for request authentication. Deny POST or presigned URL requests.", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket3/*", "Condition": { "StringNotEquals": { "s3:authType": "REST-HEADER" } } } ] }
The following bucket policy denies any uploads with unsigned payloads, such as uploads using presigned URLs.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Deny uploads with unsigned payloads.", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket3/*", "Condition": { "StringEquals": { "s3:x-amz-content-sha256": "UNSIGNED-PAYLOAD" } } } ] }
