How can I check the integrity of an object uploaded to Amazon S3?

4 minute read

I want to upload an object to an Amazon Simple Storage Service (Amazon S3) bucket. Additionally, I want to verify the integrity of the uploaded object.

Resolution

For general purpose buckets, use the Content-MD5 header to check the integrity of uploaded objects. For directory buckets, use a supported checksum algorithm to check the integrity of uploaded objects.

Note: Amazon S3 doesn't support integrity checks with Content-MD5 when you use the PutObject operation on directory buckets. Amazon S3 also doesn't support integrity checks for vector or table buckets.

General purpose buckets

For general purpose buckets, calculate the Content-MD5 value of the object.

Note: When you use the Content-MD5 header, Amazon S3 checks the object against the provided Content-MD5 value. If the values don't match, you receive an error.

Windows Operating System (OS)

If you're using a Windows OS, you can use the Get-FileHash cmdlet from Microsoft PowerShell Utility to calculate an MD5 digest.

Note: Amazon S3 requires the Content-MD5 header to use the MD5 algorithm for integrity verification on general purpose buckets. Although MD5 is not recommended for cryptographic purposes, it's required for this Amazon S3 feature.

The following command gets an MD5 digest:

Get-FileHash \path\to\file -algorithm MD5 | Format-List

Note: Replace \path\to\file with the path to your object. The Get-FileHash cmdlet is available with Microsoft PowerShell Utility version 4.0 and later. Here's an example output:

Algorithm : MD5Hash      : C9A5A6878D97B48CC965C1E41859F034  
Path      : \path\to\file

Apply base64-encoding to the calculated MD5Hash value to get the required Content-MD5 value:

hashString ='C9A5A6878D97B48CC965C1E41859F034'$hashByteArray = [byte[]] ($hashString -replace '..', '0x$&,' -split ',' -ne '')  
ContentMD5 = [System.Convert]::ToBase64String($hashByteArray)  
Echo ContentMD5  
yaWmh42XtIzJZcHkGFnwNA==

In this example, the output of Echo ContentMD5, yaWmh42XtIzJZcHkGFnwNA==, is the required Content-MD5 value.

Linux Operating System (OS)

If you're using a Linux OS, run the following OpenSSL command to get the Content-MD5 value of your file:

openssl md5 -binary path/to/file | base64

Note: Replace path/to/file with the path to your object.

Directory buckets

Verify the integrity of uploaded objects in directory buckets with a supported checksum algorithm other than MD5. For example, use the following steps to verify the integrity of uploaded objects with the x-amz-checksum-sha256 header (SHA256).

Note: When you use the x-amz-checksum-sha256 header, Amazon S3 checks the object against the provided x-amz-checksum-sha256 value. If the values don't match, you receive an error.

Windows OS

If you're using a Windows OS, you can use the Get-FileHash cmdlet from Microsoft PowerShell Utility to calculate an SHA256 digest.

The following command gets an SHA256 digest:

Get-FileHash \path\to\file -algorithm SHA256 | Format-List

Note: Replace \path\to\file with the path to your object.Here's an example output:

Algorithm : SHA256  
Hash      : E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855  
Path      : \path\to\file

Apply base64-encoding to the calculated SHA256 digest to get the required SHA256 value:

hashString ='E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855'  
hashByteArray = [byte[]] ($hashString -replace '..', '0x$&,' -split ',' -ne '')  
ContentSHA256 = [System.Convert]::ToBase64String($hashByteArray)  
Echo ContentSHA256  
`47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=`

In this example, the output of Echo ContentSHA256, 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, is the required SHA256 value.

Linux OS

If you're using a Linux OS, run the following OpenSSL command to get the SHA256 value of your file:

openssl sha256 -binary path/to/file | base64

Note: Replace path/to/file with the path to your object.

Verify the integrity of the uploaded object

When you use PutObject to upload objects to Amazon S3, pass the Content-MD5 value as a request header for general purpose buckets.

For directory buckets, pass an x-amz-checksum-sha256 value and an x-amz-checksum-algorithm header set to SHA256 as request headers. Amazon S3 checks the object against the provided Content-MD5/SHA256 value. If the values don't match, you receive an error. You can also use the SHA256 request header with the Amazon S3 UploadPart API.

Related information

Common request headers

Amazon S3 error responses

Topics: Storage
Tags: Amazon Simple Storage Service
Language: English

AWS OFFICIALUpdated 9 days ago

No comments

Relevant content

Unable to upload an object to cross account S3 bucket through console - ACLs disabled
Accepted Answer
Prachi Kashikar
asked 2 years ago
Error when uploading to s3 bucket from sagemaker training job
rePost-User-1289624
asked 2 years ago
complete-multipart-upload does not take an --object-lock-mode header, why are requests Allowed/Denied by the s3:ObjectLockMode Bucket Policy Condition?
dleung
asked a year ago
Empty S3 bucket has objects that aren't multipart uploads
Accepted Answer
Tim
asked 7 months ago
Where can I found the uri of my Bucket to connect my Symfony application with S3 and upload files?
lDeleted
asked 4 years ago
How do I change object ownership for an Amazon S3 bucket when the objects are uploaded by other AWS accounts?
AWS OFFICIALUpdated 2 years ago
How can I grant a user in another AWS account the access to upload objects to my Amazon S3 bucket?
AWS OFFICIALUpdated 6 months ago
When other AWS accounts upload objects to my Amazon S3 bucket, how can I require that they grant me full control of the objects?
AWS OFFICIALUpdated 3 years ago
How can I configure my S3 bucket to store only objects encrypted by my KMS key?
AWS OFFICIALUpdated 2 years ago
Why can't my S3 File Gateway access objects uploaded by cross-account users?
EXPERT
Tyler
published 2 years ago