Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is X-Amz-Expires a required header/parameter for requests to AWS?

  1. Is X-Amz-Expires a required header/parameter? Official documentation is inconsistent and uses it in some examples, while not in others.

  2. If it is not required, what is the default expiration value of a signed request? Does it equal to the maximum possible value for X-Amz-Expires parameter, which is 604800 (seven days)?

  3. The documentation (see above links) talks about X-Amz-Expires parameter only in context of passing signing parameters in a query string. If X-Amz-Expires parameter is required, is it only required for passing signing parametes in query string (as opposed to passing them with Authorization header)?


Update:

Introduction to AWS Security Processes paper, on page 17 says

A request must reach AWS within 15 minutes of the time stamp in the request. Otherwise, AWS denies the request.

Now what time stamp are we talking about here? My guess is that it is X-Amz-Date. If I am correct, then another question crops up:

  1. How do X-Amz-Date and X-Amz-Expires parameters relate to each other? To me it sounds like request expiration algorithm falls back to 15 mins from X-Amz-Date timestamp, if X-Amz-Expire is not present.
like image 408
golem Avatar asked Sep 17 '16 20:09

golem


People also ask

What is X-AMZ-credential?

X-Amz-Credential The credential scope value, which is a string that includes your access key, the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request"). The value is expressed in the following format: access_key/YYYYMMDD/region/service/aws4_request.

How do I create an authorization header in AWS?

In order to create an authorization header, you need an AWS Access Key Id and a Secret Access Key. In ECS, the AWS Access Key Id maps to the ECS user id (UID). An AWS Access Key ID has 20 characters (some S3 clients, such as the S3 Browser, check this), but ECS data service does not have this limitation.

What is AWS4 HMAC SHA256?

AWS4-HMAC-SHA256. The algorithm that was used to calculate the signature. You must provide this value when you use AWS Signature Version 4 for authentication.


1 Answers

Is X-Amz-Expires a required header/parameter?

X-Amz-Expires is only used with query string authentication, not with the Authorization: header.

There is no default value with query string authentication. It is a required parameter, and the service will reject a request if X-Amz-Algorithm=AWS4-HMAC-SHA256 is present in the query string but X-Amz-Expires=... is not.

<Error>
  <Code>AuthorizationQueryParametersError</Code>
...

Now what time stamp are we talking about here?

This refers to X-Amz-Date: when used with the Authorization: header. Because X-Amz-Date: is part of the input to the signing algorithm, a change in the date or time also changes the signature. An otherwise-identical request signed 1 second earlier or later has an entirely different signature. AWS essentially allows your server clock to be wrong by up to 15 minutes without breaking your ability to authenticate requests. It is not a fallback or a default. It is a fixed window.

The X-Amz-Date: of Authorization: header-based requests is compared by AWS to their system time, which is of course synched to UTC, and the request is rejected out if hand if this value is more than 15 minutes skewed from UTC when the request arrives. No other validation related to authentication occurs prior to the time check.

Validation of Query String authentication expiration involves different logic:

  • X-Amz-Expires must not be a value larger than 604800 or smaller than 0; otherwise the request is immediately denied without further processing, including a message similar to the one above.
  • X-Amz-Date must not be more than 15 minutes in the future, according to the AWS system clock. The error is Request is not yet valid.
  • X-Amz-Date must not be more than X-Amz-Expires number of seconds in the past, relative to the AWS system clock, and no 15 minute tolerance applies. The error is Request has expired.

If any of these conditions occur, no further validation is done on the signature, so these messages will not change depending on the validity of the signature. This is checked first.

Also, the leftmost 8 characters of your X-Amz-Date: must match the date portion of your Credential component of the Authorization: header. The date itself has zero tolerance for discrepancy against the credential (so, when signing, don't read your system time twice, else you risk generating an occasional invalid signature around midnight UTC).

Finally, requests do not expire while in the middle of processing. If you send a request using either signing method that is deemed valid when it arrives but would have expired very soon thereafter, it is always allowed to run to completion -- for example, a large S3 download or an EBS snapshot creation request will not start, then fail to continue, because the expiration timer struck while the request had already started on the AWS side. If the action was authorized when requested, then it continues and succeeds as normal.

like image 105
Michael - sqlbot Avatar answered Oct 05 '22 03:10

Michael - sqlbot