SES SIGv4 Usage Update - Connection Header

0

Hi all

On Oct. 12 we received this email from AWS:

Subject: SES SIGv4 Usage Update - Connection Header
Hello,
SES is working on an infrastructure upgrade with improved security controls. As part of this improvement, we monitored SIGv4 requests and determined that our Simple Email Service endpoints are currently receiving SIGv4 requests using the connection header from your AWS account. Please note that SIGv4 signed requests using this header will start to fail progressively after 10/29 and you will be required to remove this header from signed headers. Please refer to the documentation [1] [2] and reach out to AWS support [3] if you have any further questions or concerns.
[1] https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
[3] https://aws.amazon.com/support
Sincerely,
Amazon Web Services

I do not know how to fix this. And any help pointing us in the right direction would be appreciated.
The notification is incredibly sparse on details and the description itself does not make any sense.
We use a rather outdated v2 AWS PHP SDK, so I thought that this might be the problem. Comparing the request body of SES calls sent with v3 and v2 shows that the Authorization header is exactly the same (excepting the signature itself of course):
v2: "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIAVCDEFG1234/20201021/eu-west-1/ses/aws4_request, SignedHeaders=host;x-amz-date, Signature=abcdef1234567890"
v3: "Authorization: AWS4-HMAC-SHA256 Credential=AKIAIAVCDEFG1234/20201021/eu-west-1/ses/aws4_request, SignedHeaders=host;x-amz-date, Signature=1234567890abcdef"

Meaning updating the SDK does not look like it would fix anything. We have checked through all services that use SES; one of them uses https://github.com/mhart/aws4, which also seems to be up to date. The remainder send through SMTP, meaning no SIGv4 issues.

I have a hard time parsing the issue description:

As part of this improvement, we monitored SIGv4 requests and determined that our Simple Email Service endpoints are currently receiving SIGv4 requests using the connection header from your AWS account.

What is a "connection header"? Do they mean HTTP header or would that be wrong to assume?
Is it "currently receiving SIGv4 requests [using the connection header from your AWS account]" or is it "currently receiving SIGv4 requests using the connection header [from your AWS account]"? Which part of the sentence does "from your AWS account" refer to?

Please note that SIGv4 signed requests using this header will start to fail progressively after 10/29 and you will be required to remove this header from signed headers.

Which header? SIGv4 supports "Authorization" headers just fine. Is it a header which shouldn't be part of the signature?
Why do we receive a deprecation notice only 17 days before things begin to fail?!

andsens
asked 4 years ago · 271 views
3 Answers
0

Hello,

This notification means requests from your account were spotted signing the 'connection' HTTP header, like so: SignedHeaders=connection;host...

The fix is to stop signing this header for SigV4 authentication (but the header can still be part of the request).

It seems the problem is therefore not in the examples you pasted, but indeed in the GitHub package you're depending on, as it signs all headers by default:

https://github.com/mhart/aws4/blob/cfbf3e38012ab82be48518048d1ed87fbca5bf5a/aws4.js#L292-L297

I created an issue on that repository https://github.com/mhart/aws4/issues/119

This is now fixed in v1.11.0 of this project: https://github.com/mhart/aws4/releases/tag/v1.11.0

We care about our customers and will make sure your business will not be impacted by this upgrade

Edited by: stanataws on Oct 30, 2020 4:56 PM

Edited by: stanataws on Oct 31, 2020 1:47 AM

answered 3 years ago
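An added example (not from this thread or the aws4 project) of the two things the answer above describes: auditing outbound requests for a signed `connection` header, and building a `SignedHeaders` value that leaves hop-by-hop headers out of the signature while still sending them. The header values and the key id / signature strings are constructed placeholders.

```javascript
// Added example: detect a signed 'connection' header in a SigV4 Authorization
// value, and build canonical headers / SignedHeaders without hop-by-hop headers.
// Not the aws4 project's code; hop-by-hop set follows RFC 7230 (assumption:
// none of these are required by the SES API to be signed).
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-connection', 'te',
  'trailer', 'transfer-encoding', 'upgrade',
]);

// Pull the SignedHeaders list out of a SigV4 Authorization header value.
function signedHeadersOf(authorization) {
  const m = /SignedHeaders=([^,\s]+)/.exec(authorization || '');
  return m ? m[1].split(';') : [];
}

// True when the request signed 'connection' (the condition the AWS
// notification in this thread is about). Usable over captured request logs.
function signsConnectionHeader(authorization) {
  return signedHeadersOf(authorization).includes('connection');
}

// Build the SigV4 canonical-headers block and SignedHeaders value from a
// request's headers, skipping hop-by-hop headers such as 'connection'.
// The skipped headers may still be sent; they are just not part of the signature.
function canonicalHeaders(headers) {
  const byLower = {};
  for (const [k, v] of Object.entries(headers)) byLower[k.toLowerCase()] = v;
  const names = Object.keys(byLower).filter(n => !HOP_BY_HOP.has(n)).sort();
  // SigV4: lowercase name, ':', trimmed value with runs of spaces collapsed, '\n'.
  const canonical = names
    .map(n => `${n}:${String(byLower[n]).trim().replace(/\s+/g, ' ')}\n`)
    .join('');
  return { signedHeaders: names.join(';'), canonical };
}

// Constructed sample Authorization values (key id and signature are placeholders).
const SIGNED_CONNECTION = 'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20201021/eu-west-1/ses/aws4_request, SignedHeaders=connection;host;x-amz-date, Signature=0000placeholder';
const SIGNED_OK = 'AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEKEY/20201021/eu-west-1/ses/aws4_request, SignedHeaders=host;x-amz-date, Signature=0000placeholder';

// Constructed sample request headers, as a client might send them.
const SAMPLE_HEADERS = {
  Connection: 'keep-alive',
  Host: 'email.eu-west-1.amazonaws.com',
  'X-Amz-Date': '20201021T120000Z',
};

console.log(signsConnectionHeader(SIGNED_CONNECTION)); // true: needs fixing
console.log(signsConnectionHeader(SIGNED_OK));         // false
console.log(canonicalHeaders(SAMPLE_HEADERS).signedHeaders); // host;x-amz-date
```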
0

Thank you Stan! We will bump the library and verify immediately, though the "fail progressively" might make that hard. Is there a notice in the API return body we can look for?

The missing quotes around "connection" really threw me off. Then again, I was looking in the completely wrong place :-)

Your explanation is worlds better than what we received in the email. I would suggest sending some feedback back to whoever wrote that message. Examples can sometimes explain in very few lines what you would otherwise need a paragraph for.

andsens
answered 3 years ago
0

Hi,

There are no specifics in the API response that you can monitor. We will keep monitoring closely customers signing this header, so if you don't get any further communication, it means you're good. I will provide your feedback and make sure future communications are wrapping 'Connection' with quotes, and are more straightforward.

Thanks for letting us know

answered 3 years ago
