AWS requires API request messages to be digitally signed by the owner of an AWS account. The services use this signature to confirm the identity of the sender and to ensure that the request has not been altered in transit. Generating request signatures and attaching them to your requests is a vital part of the communications process when using AWS.
Each AWS user account has an associated set of credentials that you use to sign your REST or Query request messages. These credentials, known as AWS Access Key Identifiers, are composed of a pair of text values that include an Access Key ID and a Secret Access Key. The Access Key ID identifies the AWS account holder who is making a request, and the Secret Access Key is used to calculate a digital signature for the request. As its name implies, your secret key must be kept private to ensure no one else sends requests to AWS pretending to be you. If you are afraid that your secret access key has been compromised, you can generate a new secret key at any time and invalidate the old one.
The SOAP interfaces use X.509 certificates to authenticate request messages instead of the Access and Secret keys. To use the SOAP interfaces, or tools based on this interface, you must obtain your public and private X.509 certificate files in addition to your AWS Access Key Identifiers.
To sign REST or Query API requests, you must generate a keyed Hash Message Authentication Code (HMAC) that authenticates the request. This means that ...