How do I troubleshoot the error "Requests require AWS Signature Version 4" when I try to access Amazon S3 objects that are encrypted with AWS KMS managed keys?


I tried to access Amazon Simple Storage Service (Amazon S3) objects that are encrypted with AWS Key Management Service (AWS KMS). I get the following error: "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4".

Resolution

The following reasons can cause the "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4" error message:

  • Your requests aren't signed with AWS Signature Version 4.
  • You made an anonymous request.

Your requests aren't signed with AWS Signature Version 4

When you use Signature Version 2 with an AWS KMS-encrypted object, you might receive an error message. Some S3 REST API endpoints and AWS Regions still support requests that are signed with Signature Version 2. However, it's a best practice to sign your requests with Signature Version 4. For more information, see AWS Signature Version 2 turned off (deprecated) for Amazon S3.

You can make requests that are signed with Signature Version 2 to buckets in Regions that support Signature Version 2. However, AWS KMS requires that your requests are signed with Signature Version 4.

To identify the signature version that you used for requests to objects in your bucket, take the following actions:

  • Use an AWS CloudTrail event log.
  • Check the authorization header for the API. The header must contain AWS4-HMAC-SHA256.
    Note: If you generated a pre-signed URL, then check whether the query parameter contains ?X-Amz-Algorithm=AWS4-HMAC-SHA256. If you can't find the query parameter, then modify the code to use Signature Version 4.

Note: For requests that specify AWS KMS managed keys, you must use SSL or TLS. If you don't use SSL or TLS and you make the request over an unsecure connection, then you get the following error:

"An error occurred (InvalidArgument) when calling the operation_performed operation: Requests specifying Server Side Encryption with AWS KMS managed keys must be made over a secure connection."

You made an anonymous request

An anonymous request is a request that's not signed with AWS credentials. For example, you use the object URL in your browser or an HTTP client to download an S3 object.

An example of an object URL is https://bucketname.s3.region.amazonaws.com/folder/file.txt.

The following is an example of a curl command that you run to make an anonymous request:

curl -vo ./local/path/file.txt https://bucketname.s3.region.amazonaws.com/folder/file.txt

To prevent the error message, make sure that your request is signed with AWS credentials.
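The checks described above can be scripted against a captured request. The following Python sketch is an added example, not AWS code: it classifies a request as Signature Version 4, Signature Version 2, or anonymous from its Authorization header or pre-signed URL query string, and flags a non-TLS scheme. The function names and sample requests are constructed for illustration, and the Signature Version 2 markers (an Authorization value that starts with "AWS ", or AWSAccessKeyId and Signature query parameters) come from the Signature Version 2 format rather than from this article.

```python
from urllib.parse import urlsplit, parse_qs

def classify_request(url, headers=None):
    """Return (signature, secure): signature is 'SigV4', 'SigV2' or 'anonymous'."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    auth = headers.get("authorization", "").strip()
    if auth.startswith("AWS4-HMAC-SHA256"):
        signature = "SigV4"        # header-signed, Signature Version 4
    elif auth.startswith("AWS "):
        signature = "SigV2"        # header-signed, Signature Version 2
    elif query.get("X-Amz-Algorithm") == ["AWS4-HMAC-SHA256"]:
        signature = "SigV4"        # pre-signed URL, Signature Version 4
    elif "AWSAccessKeyId" in query and "Signature" in query:
        signature = "SigV2"        # pre-signed URL, Signature Version 2
    else:
        signature = "anonymous"    # no AWS credentials on the request
    return signature, parts.scheme.lower() == "https"

def kms_request_problems(url, headers=None):
    """Reasons from the article why S3 would reject this request for an SSE-KMS object."""
    signature, secure = classify_request(url, headers)
    problems = []
    if signature == "anonymous":
        problems.append("anonymous request: sign it with AWS credentials")
    elif signature == "SigV2":
        problems.append("Signature Version 2: re-sign with Signature Version 4")
    if not secure:
        problems.append("not sent over SSL/TLS")
    return problems

# Constructed sample requests (placeholder key IDs and signatures, not real credentials).
BASE = "https://bucketname.s3.region.amazonaws.com/folder/file.txt"
SAMPLES = [
    (BASE, {}),
    (BASE, {"Authorization": "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20240101/region/s3/aws4_request, SignedHeaders=host, Signature=abc"}),
    (BASE, {"Authorization": "AWS AKIAEXAMPLE:c2lnbmF0dXJl"}),
    (BASE + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=abc", {}),
    (BASE.replace("https", "http", 1) + "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1700000000&Signature=abc", {}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(classify_request(url, headers), kms_request_problems(url, headers))
```

An empty list from kms_request_problems means the request carries a Signature Version 4 signature and uses https; it does not verify that the signature itself is valid.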

AWS OFFICIAL
Updated a month ago