Amazon Web Services General Reference Version 1.0

Amazon Web Services: General Reference
Copyright © 2016 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Table of Contents
AWS General Reference ................................................................................................................. 1
AWS Regions and Endpoints ........................................................................................................... 2
Amazon API Gateway ............................................................................................................ 4
Amazon AppStream ............................................................................................................... 4
Auto Scaling ......................................................................................................................... 5
AWS Certificate Manager ........................................................................................................ 5
AWS CloudFormation ............................................................................................................. 6
Amazon CloudFront ............................................................................................................... 6
AWS CloudHSM .................................................................................................................... 6
Amazon CloudSearch ............................................................................................................ 7
AWS CloudTrail ..................................................................................................................... 7
Amazon CloudWatch ............................................................................................................. 8
Amazon CloudWatch Events ................................................................................................... 9
Amazon CloudWatch Logs ...................................................................................................... 9
AWS CodeCommit ............................................................................................................... 10
AWS CodeDeploy ................................................................................................................ 10
AWS CodePipeline .............................................................................................................. 11
Amazon Cognito Identity ....................................................................................................... 11
Amazon Cognito Sync .......................................................................................................... 11
AWS Config ........................................................................................................................ 11
AWS Config Rules ....................................................................................................... 12
AWS Data Pipeline .............................................................................................................. 12
AWS Device Farm ............................................................................................................... 13
Amazon DevPay .................................................................................................................. 13
AWS Direct Connect ............................................................................................................ 13
AWS Directory Service ......................................................................................................... 14
Amazon DynamoDB ............................................................................................................. 14
Amazon DynamoDB Streams ................................................................................................ 15
AWS Elastic Beanstalk ......................................................................................................... 16
AWS Elastic Beanstalk Health Service .................................................................................... 16
Amazon ElastiCache ............................................................................................................ 17
Amazon EC2 ...................................................................................................................... 18
Amazon EC2 Container Registry ............................................................................................ 18
Amazon EC2 Container Service ............................................................................................. 19
Amazon EC2 Simple Systems Manager ................................................................................... 19
Amazon Elastic File System .................................................................................................. 20
Elastic Load Balancing ......................................................................................................... 20
Amazon Elastic MapReduce .................................................................................................. 21
Amazon Elastic Transcoder ................................................................................................... 21
Amazon Elasticsearch Service ............................................................................................... 22
Amazon GameLift ................................................................................................................ 23
Amazon Glacier ................................................................................................................... 23
AWS Identity and Access Management (IAM) ........................................................................... 23
AWS Import/Export .............................................................................................................. 24
AWS Import/Export Disk ............................................................................................... 24
Amazon Inspector ................................................................................................................ 24
AWS IoT ............................................................................................................................ 24
AWS Key Management Service .............................................................................................. 25
Amazon Kinesis Firehose ...................................................................................................... 26
Amazon Kinesis Streams ...................................................................................................... 26
AWS Lambda ...................................................................................................................... 27
Amazon Machine Learning .................................................................................................... 27
Amazon Mechanical Turk ...................................................................................................... 27
Amazon Mobile Analytics ...................................................................................................... 28
AWS OpsWorks .................................................................................................................. 28
Version 1.0
iii
Amazon Redshift ................................................................................................................. 28
Amazon Relational Database Service (Amazon RDS) ................................................................ 29
Amazon Route 53 ................................................................................................................ 29
Amazon Simple Storage Service (Amazon S3) .......................................................................... 30
Amazon Simple Storage Service Website Endpoints .......................................................... 31
AWS Service Catalog ........................................................................................................... 32
Amazon SimpleDB ............................................................................................................... 32
Amazon Simple Email Service (Amazon SES) .......................................................................... 33
Amazon Simple Notification Service (Amazon SNS) ................................................................... 33
Amazon Simple Queue Service (Amazon SQS) ........................................................................ 34
Amazon SQS Legacy Endpoints ..................................................................................... 35
AWS Storage Gateway ......................................................................................................... 36
AWS Security Token Service (AWS STS) ................................................................................. 36
AWS Support ...................................................................................................................... 37
Amazon Simple Workflow Service (Amazon SWF) ..................................................................... 37
Amazon VPC ...................................................................................................................... 38
AWS WAF .......................................................................................................................... 39
Amazon WorkMail ................................................................................................................ 39
Amazon WorkSpaces ........................................................................................................... 40
China (Beijing) Region .......................................................................................................... 40
AWS Security Credentials ............................................................................................................. 42
Root Account Credentials vs. IAM User Credentials ................................................................... 42
Types of Security Credentials ................................................................................................. 43
How Do I Get Security Credentials? ........................................................................................ 44
AWS Account Identifiers ....................................................................................................... 45
Finding Your Account Identifiers ...................................................................................... 45
Best Practices for Managing AWS Access Keys ........................................................................ 46
Remove (or Don't Generate) a Root Account Access Key ................................................... 46
Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys .............. 46
Manage IAM User Access Keys Properly ......................................................................... 47
More Resources .......................................................................................................... 48
Managing Access Keys for your AWS Account .......................................................................... 49
Creating, Disabling, and Deleting Access Keys for your AWS Account ................................... 49
AWS Security Audit Guidelines .............................................................................................. 50
When Should You Perform a Security Audit? ..................................................................... 50
General Guidelines for Auditing ...................................................................................... 50
Review Your AWS Account Credentials ............................................................................ 51
Review Your IAM Users ................................................................................................. 51
Review Your IAM Groups ............................................................................................... 51
Review Your IAM Roles ................................................................................................. 51
Review Your IAM Providers for SAML and OpenID Connect (OIDC) ...................................... 52
Review Your Mobile Apps .............................................................................................. 52
Review Your Amazon EC2 Security Configuration .............................................................. 52
Review AWS Policies in Other Services ........................................................................... 52
Monitor Activity in Your AWS Account .............................................................................. 53
Tips for Reviewing IAM Policies ...................................................................................... 53
More Information ......................................................................................................... 54
Amazon Resource Names (ARNs) and AWS Service Namespaces ...................................................... 55
ARN Format ....................................................................................................................... 55
Example ARNs .................................................................................................................... 56
Amazon API Gateway ................................................................................................... 57
Auto Scaling ............................................................................................................... 57
AWS Certificate Manager .............................................................................................. 58
AWS CloudFormation ................................................................................................... 58
Amazon CloudSearch ................................................................................................... 58
AWS CloudTrail ........................................................................................................... 58
Amazon CloudWatch Events .......................................................................................... 59
Amazon CloudWatch Logs ............................................................................................ 59
AWS CodeCommit ....................................................................................................... 59
AWS CodeDeploy ........................................................................................................ 59
AWS CodePipeline ...................................................................................................... 60
Amazon DynamoDB ..................................................................................................... 60
Amazon EC2 Container Registry (Amazon ECR) ............................................................... 60
Amazon EC2 Container Service (Amazon ECS) ................................................................ 60
Amazon Elastic Compute Cloud (Amazon EC2) ................................................................ 61
AWS Elastic Beanstalk ................................................................................................. 61
Elastic Load Balancing ................................................................................................. 62
Amazon Elastic Transcoder ........................................................................................... 62
Amazon ElastiCache .................................................................................................... 62
Amazon Elasticsearch Service ....................................................................................... 63
Amazon Glacier ........................................................................................................... 63
AWS Identity and Access Management (IAM) ................................................................... 63
AWS Key Management Service (AWS KMS) .................................................................... 64
Amazon Kinesis Firehose (Firehose) ............................................................................... 64
Amazon Kinesis Streams (Streams) ................................................................................ 64
AWS Lambda (Lambda) ................................................................................................ 65
Amazon Machine Learning (Amazon ML) ......................................................................... 65
Amazon Redshift ......................................................................................................... 65
Amazon Relational Database Service (Amazon RDS) ........................................................ 66
Amazon Route 53 ........................................................................................................ 66
Amazon Simple Notification Service (Amazon SNS) ........................................................... 66
Amazon Simple Queue Service (Amazon SQS) ................................................................ 66
Amazon Simple Storage Service (Amazon S3) .................................................................. 67
Amazon Simple Workflow Service (Amazon SWF) ............................................................. 67
AWS Storage Gateway ................................................................................................. 67
AWS Trusted Advisor .................................................................................................... 68
AWS WAF .................................................................................................................. 68
Paths in ARNs ..................................................................................................................... 68
AWS Service Namespaces .................................................................................................... 69
Signing AWS API Requests ........................................................................................................... 73
When Do You Need to Sign Requests? .................................................................................... 73
Why Requests Are Signed ..................................................................................................... 74
Making and Signing Requests Using REST or the Query API ...................................................... 74
Signature Version 4 Signing Process ....................................................................................... 75
Supported Regions and Services ................................................................................... 75
Signing AWS Requests ................................................................................................. 76
Handling Dates ........................................................................................................... 88
Key Derivation Examples .............................................................................................. 89
Signing Examples (Python) ........................................................................................... 92
Test Suite ................................................................................................................. 100
Troubleshooting ......................................................................................................... 102
Signature Version 2 Signing Process ..................................................................................... 106
Supported Regions and Services .................................................................................. 106
Components of a Query Request for Signature Version 2 .................................................. 106
How to Generate a Signature Version 2 for a Query Request ............................................. 107
AWS Service Limits .................................................................................................................... 114
Amazon API Gateway Limits ................................................................................................ 115
Amazon AppStream Limits .................................................................................................. 116
Auto Scaling Limits ............................................................................................................. 116
AWS Certificate Manager Limits ........................................................................................... 116
AWS CloudFormation Limits ................................................................................................ 117
Amazon CloudFront Limits ................................................................................................... 117
AWS CloudHSM Limits ....................................................................................................... 117
Amazon CloudSearch Limits ................................................................................................ 118
AWS CodeCommit Limits .................................................................................................... 118
AWS CodeDeploy Limits ..................................................................................................... 118
AWS CodePipeline Limits .................................................................................................... 118
AWS Database Migration Service Limits ................................................................................ 119
AWS Device Farm Limits ..................................................................................................... 119
AWS Directory Service Limits ............................................................................................... 120
Amazon DynamoDB Limits .................................................................................................. 120
Amazon EC2 Container Registry (Amazon ECR) Limits ............................................................ 120
Amazon EC2 Container Service (Amazon ECS) Limits ............................................................. 121
AWS Elastic Beanstalk Limits ............................................................................................... 121
Amazon Elastic Block Store (Amazon EBS) Limits ................................................................... 121
Amazon Elastic Compute Cloud (Amazon EC2) Limits .............................................................. 122
Amazon EC2 Simple Systems Manager Limits ........................................................................ 122
Amazon ElastiCache Limits ................................................................................................. 123
Elastic Load Balancing Limits ............................................................................................... 123
Amazon Elastic Transcoder Limits ......................................................................................... 123
Amazon Elasticsearch Service Limits .................................................................................... 124
Amazon GameLift Limits ..................................................................................................... 124
AWS Identity and Access Management (IAM) Limits ................................................................ 125
AWS IoT Limits .................................................................................................................. 125
Throttling Limits ......................................................................................................... 128
AWS IoT Rules Engine Limits ....................................................................................... 129
AWS Snowball (Snowball) Limits .......................................................................................... 129
AWS Key Management Service (AWS KMS) Limits .................................................................. 129
Amazon Kinesis Firehose Limits ........................................................................................... 130
Amazon Kinesis Streams Limits ............................................................................................ 130
AWS Lambda Limits ........................................................................................................... 130
Amazon Machine Learning (Amazon ML) Limits ...................................................................... 130
AWS OpsWorks Limits ........................................................................................................ 131
Amazon Redshift Limits ....................................................................................................... 131
Amazon Relational Database Service (Amazon RDS) Limits ...................................................... 132
Amazon Route 53 Limits ..................................................................................................... 132
AWS Service Catalog Limits ................................................................................................ 133
Amazon Simple Email Service (Amazon SES) Limits ................................................................ 133
Amazon Simple Notification Service (Amazon SNS) Limits ........................................................ 134
Amazon Simple Storage Service (Amazon S3) Limits ............................................................... 134
Amazon Simple Workflow Service (Amazon SWF) Limits .......................................................... 134
Amazon SimpleDB Limits .................................................................................................... 134
Amazon Virtual Private Cloud (Amazon VPC) Limits ................................................................. 135
AWS WAF Limits ................................................................................................................ 137
Amazon WorkSpaces Limits ................................................................................................. 138
AWS IP Address Ranges ............................................................................................................. 139
Download ......................................................................................................................... 139
Syntax ............................................................................................................................. 139
Filtering the JSON File ........................................................................................................ 140
Windows .................................................................................................................. 140
Linux ....................................................................................................................... 141
AWS IP Address Ranges Notifications ................................................................................... 142
API Retries ............................................................................................................................... 144
AWS Command Line Tools .......................................................................................................... 147
AWS Command Line Interface (AWS CLI) .............................................................................. 147
Previous AWS Command Line Interface Tools ......................................................................... 147
Document Conventions ............................................................................................................... 150
Typographical Conventions .................................................................................................. 150
Documentation History ................................................................................................................ 152
AWS Glossary ........................................................................................................................... 153
AWS General Reference
This is the AWS Documentation General Reference. It covers the following topics:
• AWS Regions and Endpoints (p. 2)
• AWS Security Credentials (p. 42)
• Amazon Resource Names (ARNs) and AWS Service Namespaces (p. 55)
• Signing AWS API Requests (p. 73)
• AWS Service Limits (p. 114)
• AWS IP Address Ranges (p. 139)
• Error Retries and Exponential Backoff in AWS (p. 144)
• AWS Command Line Tools (p. 147)
• AWS Glossary (p. 153)
AWS Regions and Endpoints
To reduce data latency in your applications, most Amazon Web Services offer a regional endpoint to
make your requests. An endpoint is a URL that is the entry point for a web service. For example,
https://dynamodb.us-west-2.amazonaws.com is an entry point for the Amazon DynamoDB service.
Some services, such as IAM, do not support regions; therefore, their endpoints do not include a region.
Some services, such as Amazon EC2, let you specify an endpoint that does not include a specific region,
for example, https://ec2.amazonaws.com. In that case, AWS routes the endpoint to us-east-1.
If a service supports regions, the resources in each region are independent. For example, if you create
an Amazon EC2 instance or an Amazon SQS queue in one region, the instance or queue is independent
from instances or queues in another region.
To see the supported services per region in a tabbed format, see the Region Table. This page does not
include endpoint information.
For information about which regions and endpoints are supported for each service, see the following
tables.
For information about the AWS services and endpoints available in the China (Beijing) isolated region,
see China (Beijing) Region (p. 40).
Topics
• Amazon API Gateway (p. 4)
• Amazon AppStream (p. 4)
• Auto Scaling (p. 5)
• AWS Certificate Manager (p. 5)
• AWS CloudFormation (p. 6)
• Amazon CloudFront (p. 6)
• AWS CloudHSM (p. 6)
• Amazon CloudSearch (p. 7)
• AWS CloudTrail (p. 7)
• Amazon CloudWatch (p. 8)
• Amazon CloudWatch Events (p. 9)
• Amazon CloudWatch Logs (p. 9)
• AWS CodeCommit (p. 10)
• AWS CodeDeploy (p. 10)
• AWS CodePipeline (p. 11)
• Amazon Cognito Identity (p. 11)
• Amazon Cognito Sync (p. 11)
• AWS Config (p. 11)
• AWS Data Pipeline (p. 12)
• AWS Device Farm (p. 13)
• Amazon DevPay (p. 13)
• AWS Direct Connect (p. 13)
• AWS Directory Service (p. 14)
• Amazon DynamoDB (p. 14)
• Amazon DynamoDB Streams (p. 15)
• AWS Elastic Beanstalk (p. 16)
• AWS Elastic Beanstalk Health Service (p. 16)
• Amazon ElastiCache (p. 17)
• Amazon EC2 (p. 18)
• Amazon EC2 Container Registry (p. 18)
• Amazon EC2 Container Service (p. 19)
• Amazon EC2 Simple Systems Manager (p. 19)
• Amazon Elastic File System (p. 20)
• Elastic Load Balancing (p. 20)
• Amazon Elastic MapReduce (p. 21)
• Amazon Elastic Transcoder (p. 21)
• Amazon Elasticsearch Service (p. 22)
• Amazon GameLift (p. 23)
• Amazon Glacier (p. 23)
• AWS Identity and Access Management (IAM) (p. 23)
• AWS Import/Export (p. 24)
• Amazon Inspector (p. 24)
• AWS IoT (p. 24)
• AWS Key Management Service (p. 25)
• Amazon Kinesis Firehose (p. 26)
• Amazon Kinesis Streams (p. 26)
• AWS Lambda (p. 27)
• Amazon Machine Learning (p. 27)
• Amazon Mechanical Turk (p. 27)
• Amazon Mobile Analytics (p. 28)
• AWS OpsWorks (p. 28)
• Amazon Redshift (p. 28)
• Amazon Relational Database Service (Amazon RDS) (p. 29)
• Amazon Route 53 (p. 29)
• Amazon Simple Storage Service (Amazon S3) (p. 30)
• AWS Service Catalog (p. 32)
• Amazon SimpleDB (p. 32)
• Amazon Simple Email Service (Amazon SES) (p. 33)
• Amazon Simple Notification Service (Amazon SNS) (p. 33)
• Amazon Simple Queue Service (Amazon SQS) (p. 34)
Version 1.0
3
Amazon Web Services General Reference
Amazon API Gateway
• AWS Storage Gateway (p. 36)
• AWS Security Token Service (AWS STS) (p. 36)
• AWS Support (p. 37)
• Amazon Simple Workflow Service (Amazon SWF) (p. 37)
• Amazon VPC (p. 38)
• AWS WAF (p. 39)
• Amazon WorkMail (p. 39)
• Amazon WorkSpaces (p. 40)
• China (Beijing) Region (p. 40)
Amazon API Gateway
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | apigateway.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | apigateway.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | apigateway.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | apigateway.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | apigateway.ap-southeast-1.amazonaws.com | HTTPS
EU (Frankfurt)            | eu-central-1   | apigateway.eu-central-1.amazonaws.com   | HTTPS
Amazon AppStream
Region Name               | Region         | Endpoint                               | Protocol
US East (N. Virginia)     | us-east-1      | appstream.us-east-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | appstream.ap-northeast-1.amazonaws.com | HTTPS
Auto Scaling
Region Name               | Region         | Endpoint                                 | Protocol
US East (N. Virginia)     | us-east-1      | autoscaling.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | autoscaling.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | autoscaling.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | autoscaling.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | autoscaling.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | autoscaling.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | autoscaling.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | autoscaling.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | autoscaling.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | autoscaling.sa-east-1.amazonaws.com      | HTTP and HTTPS
If you just specify the general endpoint (autoscaling.amazonaws.com), Auto Scaling directs your request
to the us-east-1 endpoint.
AWS Certificate Manager
Region Name               | Region         | Endpoint                    | Protocol
US East (N. Virginia)     | us-east-1      | acm.us-east-1.amazonaws.com | HTTPS
AWS CloudFormation
Region Name               | Region         | Endpoint                                    | Protocol
US East (N. Virginia)     | us-east-1      | cloudformation.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | cloudformation.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | cloudformation.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cloudformation.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | cloudformation.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cloudformation.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | cloudformation.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | cloudformation.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | cloudformation.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | cloudformation.sa-east-1.amazonaws.com      | HTTPS
Amazon CloudFront
Amazon CloudFront has a single endpoint, cloudfront.amazonaws.com, and supports only HTTPS requests.
When you submit requests to CloudFront programmatically, specify the us-east-1 region.
AWS CloudHSM
Region Name               | Region         | Endpoint                              | Protocol
US East (N. Virginia)     | us-east-1      | cloudhsm.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | cloudhsm.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cloudhsm.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | cloudhsm.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cloudhsm.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | cloudhsm.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | cloudhsm.ap-southeast-2.amazonaws.com | HTTPS
Amazon CloudSearch
Region Name               | Region         | Endpoint                                 | Protocol
US East (N. Virginia)     | us-east-1      | cloudsearch.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | cloudsearch.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | cloudsearch.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cloudsearch.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | cloudsearch.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cloudsearch.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | cloudsearch.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | cloudsearch.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | cloudsearch.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | cloudsearch.sa-east-1.amazonaws.com      | HTTPS
AWS CloudTrail
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | cloudtrail.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | cloudtrail.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | cloudtrail.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cloudtrail.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | cloudtrail.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cloudtrail.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | cloudtrail.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | cloudtrail.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | cloudtrail.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | cloudtrail.sa-east-1.amazonaws.com      | HTTPS
Amazon CloudWatch
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | monitoring.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | monitoring.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | monitoring.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | monitoring.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | monitoring.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | monitoring.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | monitoring.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | monitoring.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | monitoring.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | monitoring.sa-east-1.amazonaws.com      | HTTP and HTTPS
Amazon CloudWatch Events
Region Name               | Region         | Endpoint                            | Protocol
US East (N. Virginia)     | us-east-1      | events.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | events.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | events.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | events.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | events.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | events.ap-southeast-2.amazonaws.com | HTTPS
Amazon CloudWatch Logs
Region Name               | Region         | Endpoint                          | Protocol
US East (N. Virginia)     | us-east-1      | logs.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | logs.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | logs.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | logs.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | logs.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | logs.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | logs.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | logs.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | logs.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | logs.sa-east-1.amazonaws.com      | HTTPS
AWS CodeCommit
Region Name               | Region         | Endpoint                           | Protocol
US East (N. Virginia)     | us-east-1      | codecommit.us-east-1.amazonaws.com | HTTPS and SSH
AWS CodeDeploy
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | codedeploy.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | codedeploy.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | codedeploy.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | codedeploy.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | codedeploy.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | codedeploy.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | codedeploy.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | codedeploy.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | codedeploy.sa-east-1.amazonaws.com      | HTTPS
AWS CodePipeline
Region Name               | Region         | Endpoint                             | Protocol
US East (N. Virginia)     | us-east-1      | codepipeline.us-east-1.amazonaws.com | HTTPS
US West (Oregon)          | us-west-2      | codepipeline.us-west-2.amazonaws.com | HTTPS
Amazon Cognito Identity
Region Name               | Region         | Endpoint                                      | Protocol
US East (N. Virginia)     | us-east-1      | cognito-identity.us-east-1.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cognito-identity.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cognito-identity.ap-northeast-1.amazonaws.com | HTTPS
Amazon Cognito Sync
Region Name               | Region         | Endpoint                                  | Protocol
US East (N. Virginia)     | us-east-1      | cognito-sync.us-east-1.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | cognito-sync.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | cognito-sync.ap-northeast-1.amazonaws.com | HTTPS
AWS Config
Region Name               | Region         | Endpoint                            | Protocol
US East (N. Virginia)     | us-east-1      | config.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | config.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | config.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | config.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | config.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | config.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | config.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | config.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | config.sa-east-1.amazonaws.com      | HTTPS
AWS Config Rules
You can use AWS Config rules to evaluate your AWS resource configurations in the following regions.
Region Name               | Region         | Endpoint                            | Protocol
US East (N. Virginia)     | us-east-1      | config.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | config.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | config.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | config.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | config.ap-northeast-1.amazonaws.com | HTTPS
AWS Data Pipeline
Region Name               | Region         | Endpoint                                  | Protocol
US East (N. Virginia)     | us-east-1      | datapipeline.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | datapipeline.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | datapipeline.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | datapipeline.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | datapipeline.ap-southeast-2.amazonaws.com | HTTPS
AWS Device Farm
Region Name               | Region         | Endpoint                           | Protocol
US West (Oregon)          | us-west-2      | devicefarm.us-west-2.amazonaws.com | HTTPS
Amazon DevPay
Region Name | Region | Endpoint         | Protocol
n/a         | n/a    | ls.amazonaws.com | HTTPS
AWS Direct Connect
Region Name               | Region         | Endpoint                                   | Protocol
US East (N. Virginia)     | us-east-1      | directconnect.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | directconnect.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | directconnect.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | directconnect.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | directconnect.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | directconnect.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | directconnect.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | directconnect.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | directconnect.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | directconnect.sa-east-1.amazonaws.com      | HTTPS
AWS Directory Service
Region Name               | Region         | Endpoint                        | Protocol
US East (N. Virginia)     | us-east-1      | ds.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | ds.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | ds.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | ds.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | ds.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | ds.ap-southeast-2.amazonaws.com | HTTPS
Amazon DynamoDB
Region Name               | Region         | Endpoint                              | Protocol
US East (N. Virginia)     | us-east-1      | dynamodb.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | dynamodb.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | dynamodb.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | dynamodb.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | dynamodb.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | dynamodb.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | dynamodb.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | dynamodb.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | dynamodb.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | dynamodb.sa-east-1.amazonaws.com      | HTTP and HTTPS
Amazon DynamoDB Streams
Region Name               | Region         | Endpoint                                      | Protocol
US East (N. Virginia)     | us-east-1      | streams.dynamodb.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | streams.dynamodb.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | streams.dynamodb.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | streams.dynamodb.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | streams.dynamodb.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | streams.dynamodb.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | streams.dynamodb.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | streams.dynamodb.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | streams.dynamodb.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | streams.dynamodb.sa-east-1.amazonaws.com      | HTTP and HTTPS
AWS Elastic Beanstalk
Region Name               | Region         | Endpoint                                      | Protocol | Amazon Route 53 Hosted Zone ID
US East (N. Virginia)     | us-east-1      | elasticbeanstalk.us-east-1.amazonaws.com      | HTTPS    | Z117KPS5GTRQ2G
US West (N. California)   | us-west-1      | elasticbeanstalk.us-west-1.amazonaws.com      | HTTPS    | Z1LQECGX5PH1X
US West (Oregon)          | us-west-2      | elasticbeanstalk.us-west-2.amazonaws.com      | HTTPS    | Z38NKT9BP95V3O
EU (Ireland)              | eu-west-1      | elasticbeanstalk.eu-west-1.amazonaws.com      | HTTPS    | Z2NYPWQ7DFZAZH
EU (Frankfurt)            | eu-central-1   | elasticbeanstalk.eu-central-1.amazonaws.com   | HTTPS    | Z1FRNW7UH4DEZJ
Asia Pacific (Tokyo)      | ap-northeast-1 | elasticbeanstalk.ap-northeast-1.amazonaws.com | HTTPS    | Z1R25G3KIG2GBW
Asia Pacific (Seoul)      | ap-northeast-2 | elasticbeanstalk.ap-northeast-2.amazonaws.com | HTTPS    | Z3JE5OI70TWKCP
Asia Pacific (Singapore)  | ap-southeast-1 | elasticbeanstalk.ap-southeast-1.amazonaws.com | HTTPS    | Z16FZ9L249IFLT
Asia Pacific (Sydney)     | ap-southeast-2 | elasticbeanstalk.ap-southeast-2.amazonaws.com | HTTPS    | Z2PCDNR3VC2G1N
South America (São Paulo) | sa-east-1      | elasticbeanstalk.sa-east-1.amazonaws.com      | HTTPS    | Z10X7K2B4QSOFV
AWS Elastic Beanstalk Health Service
Region Name               | Region         | Endpoint                                             | Protocol
US East (N. Virginia)     | us-east-1      | elasticbeanstalk-health.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | elasticbeanstalk-health.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | elasticbeanstalk-health.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | elasticbeanstalk-health.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | elasticbeanstalk-health.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | elasticbeanstalk-health.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | elasticbeanstalk-health.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | elasticbeanstalk-health.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | elasticbeanstalk-health.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | elasticbeanstalk-health.sa-east-1.amazonaws.com      | HTTPS
Amazon ElastiCache
Region Name               | Region         | Endpoint                                 | Protocol
US East (N. Virginia)     | us-east-1      | elasticache.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | elasticache.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | elasticache.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | elasticache.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | elasticache.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | elasticache.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | elasticache.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | elasticache.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | elasticache.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | elasticache.sa-east-1.amazonaws.com      | HTTPS
Amazon EC2
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | ec2.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | ec2.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | ec2.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | ec2.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | ec2.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | ec2.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | ec2.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | ec2.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | ec2.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | ec2.sa-east-1.amazonaws.com      | HTTP and HTTPS
Amazon EC2 Container Registry
Region Name               | Region         | Endpoint                    | Protocol
US East (N. Virginia)     | us-east-1      | ecr.us-east-1.amazonaws.com | HTTPS
US West (Oregon)          | us-west-2      | ecr.us-west-2.amazonaws.com | HTTPS
EU (Ireland)              | eu-west-1      | ecr.eu-west-1.amazonaws.com | HTTPS
Amazon EC2 Container Service
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | ecs.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | ecs.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | ecs.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | ecs.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | ecs.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | ecs.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | ecs.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | ecs.ap-southeast-2.amazonaws.com | HTTPS
Amazon EC2 Simple Systems Manager
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | ssm.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | ssm.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | ssm.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | ssm.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | ssm.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | ssm.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | ssm.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | ssm.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | ssm.sa-east-1.amazonaws.com      | HTTPS
Amazon Elastic File System
Region Name               | Region         | Endpoint                                  | Protocol
US West (Oregon)          | us-west-2      | elasticfilesystem.us-west-2.amazonaws.com | HTTPS
Elastic Load Balancing
To create or work with a load balancer in a specific region, use the corresponding regional service endpoint.
Region Name               | Region         | Endpoint                                          | Protocol
US East (N. Virginia)     | us-east-1      | elasticloadbalancing.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | elasticloadbalancing.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | elasticloadbalancing.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | elasticloadbalancing.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | elasticloadbalancing.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | elasticloadbalancing.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | elasticloadbalancing.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | elasticloadbalancing.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | elasticloadbalancing.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | elasticloadbalancing.sa-east-1.amazonaws.com      | HTTP and HTTPS
If you just specify the general endpoint (elasticloadbalancing.amazonaws.com), Elastic Load Balancing
directs your request to the us-east-1 endpoint.
Amazon Elastic MapReduce
Region Name               | Region         | Endpoint                                      | Protocol
US East (N. Virginia)     | us-east-1      | elasticmapreduce.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | elasticmapreduce.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | elasticmapreduce.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | elasticmapreduce.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | elasticmapreduce.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | elasticmapreduce.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | elasticmapreduce.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | elasticmapreduce.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | elasticmapreduce.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1      | elasticmapreduce.sa-east-1.amazonaws.com      | HTTP and HTTPS
If you specify the general endpoint (elasticmapreduce.amazonaws.com), Amazon Elastic MapReduce
directs your request to an endpoint in the default region. For accounts created on or after March 8, 2013,
the default region is us-west-2; for older accounts, the default region is us-east-1.
Amazon Elastic Transcoder
Region Name               | Region         | Endpoint                                       | Protocol
US East (N. Virginia)     | us-east-1      | elastictranscoder.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | elastictranscoder.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | elastictranscoder.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | elastictranscoder.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | elastictranscoder.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | elastictranscoder.ap-southeast-1.amazonaws.com | HTTPS
Amazon Elasticsearch Service
Region Name               | Region         | Endpoint                        | Protocol
US East (N. Virginia)     | us-east-1      | es.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | es.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | es.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | es.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | es.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | es.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | es.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | es.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | es.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | es.sa-east-1.amazonaws.com      | HTTPS
Amazon GameLift
Region Name               | Region         | Endpoint                              | Protocol
US East (N. Virginia)     | us-east-1      | gamelift.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | gamelift.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | gamelift.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | gamelift.ap-northeast-1.amazonaws.com | HTTPS
Amazon Glacier
Region Name               | Region         | Endpoint                             | Protocol
US East (N. Virginia)     | us-east-1      | glacier.us-east-1.amazonaws.com      | HTTP and HTTPS
US West (N. California)   | us-west-1      | glacier.us-west-1.amazonaws.com      | HTTP and HTTPS
US West (Oregon)          | us-west-2      | glacier.us-west-2.amazonaws.com      | HTTP and HTTPS
EU (Ireland)              | eu-west-1      | glacier.eu-west-1.amazonaws.com      | HTTP and HTTPS
EU (Frankfurt)            | eu-central-1   | glacier.eu-central-1.amazonaws.com   | HTTP and HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | glacier.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | glacier.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | glacier.ap-southeast-2.amazonaws.com | HTTP and HTTPS
AWS Identity and Access Management (IAM)
IAM has a single endpoint: https://iam.amazonaws.com.
AWS Import/Export
AWS Import/Export Disk
AWS Import/Export Disk has a single endpoint for all regions.
Endpoint                   | Protocol
importexport.amazonaws.com | HTTPS
Amazon Inspector
Region Name               | Region         | Endpoint                               | Protocol
US East (N. Virginia)     | us-east-1      | inspector.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | inspector.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | inspector.eu-west-1.amazonaws.com      | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | inspector.ap-northeast-1.amazonaws.com | HTTPS
AWS IoT
The following table provides a list of region-specific endpoints that AWS IoT supports for working with
rules, certificates, and policies.
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | iot.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | iot.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | iot.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | iot.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | iot.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | iot.ap-southeast-1.amazonaws.com | HTTPS
The following table provides a list of region-specific endpoints that AWS IoT supports for working with
Thing Shadows. To look up your account-specific prefix, use the describe-endpoint command.
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | prefix.iot.us-east-1.amazonaws.com      | HTTPS, MQTT
US West (Oregon)          | us-west-2      | prefix.iot.us-west-2.amazonaws.com      | HTTPS, MQTT
EU (Ireland)              | eu-west-1      | prefix.iot.eu-west-1.amazonaws.com      | HTTPS, MQTT
EU (Frankfurt)            | eu-central-1   | prefix.iot.eu-central-1.amazonaws.com   | HTTPS, MQTT
Asia Pacific (Tokyo)      | ap-northeast-1 | prefix.iot.ap-northeast-1.amazonaws.com | HTTPS, MQTT
Asia Pacific (Singapore)  | ap-southeast-1 | prefix.iot.ap-southeast-1.amazonaws.com | HTTPS, MQTT
AWS IoT supports multiple protocols for accessing the message broker and the Thing Shadows component.
The following table lists the ports to use for each protocol.
Port | Protocol            | Authentication Mechanism
443  | HTTPS               | Signature Version 4
443  | MQTT over WebSocket | Signature Version 4
8443 | HTTPS               | TLS client authentication, with certificates
8883 | MQTT                | TLS client authentication, with certificates
AWS Key Management Service
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | kms.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | kms.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | kms.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | kms.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | kms.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | kms.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | kms.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | kms.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | kms.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | kms.sa-east-1.amazonaws.com      | HTTPS
Amazon Kinesis Firehose
Region Name               | Region         | Endpoint                         | Protocol
US East (N. Virginia)     | us-east-1      | firehose.us-east-1.amazonaws.com | HTTPS
US West (Oregon)          | us-west-2      | firehose.us-west-2.amazonaws.com | HTTPS
EU (Ireland)              | eu-west-1      | firehose.eu-west-1.amazonaws.com | HTTPS
Amazon Kinesis Streams
Region Name               | Region         | Endpoint                             | Protocol
US East (N. Virginia)     | us-east-1      | kinesis.us-east-1.amazonaws.com      | HTTPS
US West (N. California)   | us-west-1      | kinesis.us-west-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | kinesis.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | kinesis.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | kinesis.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | kinesis.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul)      | ap-northeast-2 | kinesis.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore)  | ap-southeast-1 | kinesis.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney)     | ap-southeast-2 | kinesis.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1      | kinesis.sa-east-1.amazonaws.com      | HTTPS
AWS Lambda
Region Name               | Region         | Endpoint                            | Protocol
US East (N. Virginia)     | us-east-1      | lambda.us-east-1.amazonaws.com      | HTTPS
US West (Oregon)          | us-west-2      | lambda.us-west-2.amazonaws.com      | HTTPS
EU (Ireland)              | eu-west-1      | lambda.eu-west-1.amazonaws.com      | HTTPS
EU (Frankfurt)            | eu-central-1   | lambda.eu-central-1.amazonaws.com   | HTTPS
Asia Pacific (Tokyo)      | ap-northeast-1 | lambda.ap-northeast-1.amazonaws.com | HTTPS
Amazon Machine Learning
Region Name               | Region         | Endpoint                                | Protocol
US East (N. Virginia)     | us-east-1      | machinelearning.us-east-1.amazonaws.com | HTTPS
EU (Ireland)              | eu-west-1      | machinelearning.eu-west-1.amazonaws.com | HTTPS
Amazon Mechanical Turk
Region | Endpoint | Protocol
Sandbox endpoint for Amazon Mechanical Turk actions. | mechanicalturk.sandbox.amazonaws.com | HTTPS
Production endpoint for Amazon Mechanical Turk actions. | mechanicalturk.amazonaws.com | HTTPS
Amazon Mobile Analytics
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | mobileanalytics.us-east-1.amazonaws.com | HTTPS
AWS OpsWorks
AWS OpsWorks has a single endpoint, opsworks.us-east-1.amazonaws.com, and supports only HTTPS
requests.
Amazon Redshift
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | redshift.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | redshift.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | redshift.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | redshift.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | redshift.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | redshift.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | redshift.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | redshift.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | redshift.ap-southeast-2.amazonaws.com | HTTPS
Amazon Relational Database Service (Amazon RDS)
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | rds.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | rds.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | rds.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | rds.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | rds.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | rds.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | rds.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | rds.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | rds.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | rds.sa-east-1.amazonaws.com | HTTPS
Amazon Route 53
Amazon Route 53 uses two endpoints. The endpoint that you use depends on the operation that you
want to perform.
Requests for hosted zones, resource record sets, health checks, and cost allocation tags use the following
endpoint.
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | route53.amazonaws.com | HTTPS
Requests for domain registration use the following endpoint.
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | route53domains.us-east-1.amazonaws.com | HTTPS
Amazon Simple Storage Service (Amazon S3)
When sending requests to these endpoints using the REST API, you can use the virtual-hosted style and
path-style methods. For more information, see Virtual Hosting of Buckets.
Note
Amazon S3 renamed the US Standard region to the US East (N. Virginia) region to be consistent
with AWS regional naming conventions. There is no change to the endpoint and you do not need
to make any changes to your application.
Region Name | Region | Endpoint | Location Constraint | Protocol | Signature Version(s) Support
US East (N. Virginia) | us-east-1 | s3.amazonaws.com or s3-external-1.amazonaws.com (either endpoint can be used) | (none required) | HTTP and HTTPS | Versions 2 and 4
US West (N. California) | us-west-1 | s3-us-west-1.amazonaws.com | us-west-1 | HTTP and HTTPS | Versions 2 and 4
US West (Oregon) | us-west-2 | s3-us-west-2.amazonaws.com | us-west-2 | HTTP and HTTPS | Versions 2 and 4
EU (Ireland) | eu-west-1 | s3-eu-west-1.amazonaws.com | EU or eu-west-1 | HTTP and HTTPS | Versions 2 and 4
EU (Frankfurt) | eu-central-1 | s3.eu-central-1.amazonaws.com or s3-eu-central-1.amazonaws.com (either endpoint can be used) | eu-central-1 | HTTP and HTTPS | Version 4 only
Asia Pacific (Tokyo) | ap-northeast-1 | s3-ap-northeast-1.amazonaws.com | ap-northeast-1 | HTTP and HTTPS | Versions 2 and 4
Asia Pacific (Seoul) | ap-northeast-2 | s3.ap-northeast-2.amazonaws.com or s3-ap-northeast-2.amazonaws.com (either endpoint can be used) | ap-northeast-2 | HTTP and HTTPS | Version 4 only
Asia Pacific (Singapore) | ap-southeast-1 | s3-ap-southeast-1.amazonaws.com | ap-southeast-1 | HTTP and HTTPS | Versions 2 and 4
Asia Pacific (Sydney) | ap-southeast-2 | s3-ap-southeast-2.amazonaws.com | ap-southeast-2 | HTTP and HTTPS | Versions 2 and 4
South America (São Paulo) | sa-east-1 | s3-sa-east-1.amazonaws.com | sa-east-1 | HTTP and HTTPS | Versions 2 and 4
Important
If you create a bucket using an endpoint other than the US East (N. Virginia) endpoint, you must
set the LocationConstraint bucket parameter to the same region. Both the AWS SDK for
Java and AWS SDK for .NET use an enumeration for setting location constraints (Region for
Java, S3Region for .NET). For more information, go to PUT Bucket in the Amazon Simple
Storage Service API Reference.
Amazon Simple Storage Service Website Endpoints
When you configure your bucket as a website, the website is available using the following region-specific
website endpoints. Note that the website endpoints are different from the REST API endpoints listed in
the preceding table. For more information about hosting websites on Amazon S3, go to Hosting Websites
on Amazon S3 in the Amazon Simple Storage Service Developer Guide. You need the hosted zone IDs
when using the Amazon Route 53 API to add an alias record to your hosted zone.
Note
The website endpoints do not support HTTPS.
Region Name | Website Endpoint | Amazon Route 53 Hosted Zone ID
US East (N. Virginia) | s3-website-us-east-1.amazonaws.com | Z3AQBSTGFYJSTF
US West (N. California) | s3-website-us-west-1.amazonaws.com | Z2F56UZL2M1ACD
US West (Oregon) | s3-website-us-west-2.amazonaws.com | Z3BJ6K6RIION7M
EU (Ireland) | s3-website-eu-west-1.amazonaws.com | Z1BKCTXD74EZPE
EU (Frankfurt) | s3-website.eu-central-1.amazonaws.com | Z21DNDUVLTQW6Q
Asia Pacific (Tokyo) | s3-website-ap-northeast-1.amazonaws.com | Z2M4EHUR26P7ZW
Asia Pacific (Seoul) | s3-website.ap-northeast-2.amazonaws.com | Z3W03O7B5YMIYP
Asia Pacific (Singapore) | s3-website-ap-southeast-1.amazonaws.com | Z3O0J2DXBE1FTB
Asia Pacific (Sydney) | s3-website-ap-southeast-2.amazonaws.com | Z1WCIGYICN2BYD
South America (São Paulo) | s3-website-sa-east-1.amazonaws.com | Z7KQH4QJS55SO
AWS Service Catalog
AWS Service Catalog supports the following regions in the AWS Management Console.
AWS Service Catalog has no API.
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | n/a | HTTPS
US West (Oregon) | us-west-2 | n/a | HTTPS
EU (Ireland) | eu-west-1 | n/a | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | n/a | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | n/a | HTTPS
Amazon SimpleDB
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | sdb.amazonaws.com | HTTP and HTTPS
US West (N. California) | us-west-1 | sdb.us-west-1.amazonaws.com | HTTP and HTTPS
US West (Oregon) | us-west-2 | sdb.us-west-2.amazonaws.com | HTTP and HTTPS
EU (Ireland) | eu-west-1 | sdb.eu-west-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | sdb.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | sdb.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | sdb.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1 | sdb.sa-east-1.amazonaws.com | HTTP and HTTPS
Amazon Simple Email Service (Amazon SES)
Region Name | Region | API (HTTPS) Endpoint | SMTP Endpoint | Email Sending or Receiving
US East (N. Virginia) | us-east-1 | email.us-east-1.amazonaws.com | email-smtp.us-east-1.amazonaws.com | Email sending
US West (Oregon) | us-west-2 | email.us-west-2.amazonaws.com | email-smtp.us-west-2.amazonaws.com | Email sending
EU (Ireland) | eu-west-1 | email.eu-west-1.amazonaws.com | email-smtp.eu-west-1.amazonaws.com | Email sending
US East (N. Virginia) | us-east-1 | N/A | inbound-smtp.us-east-1.amazonaws.com | Email receiving
US West (Oregon) | us-west-2 | N/A | inbound-smtp.us-west-2.amazonaws.com | Email receiving
EU (Ireland) | eu-west-1 | N/A | inbound-smtp.eu-west-1.amazonaws.com | Email receiving
Amazon Simple Notification Service (Amazon SNS)
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | sns.us-east-1.amazonaws.com | HTTP and HTTPS
US West (N. California) | us-west-1 | sns.us-west-1.amazonaws.com | HTTP and HTTPS
US West (Oregon) | us-west-2 | sns.us-west-2.amazonaws.com | HTTP and HTTPS
EU (Ireland) | eu-west-1 | sns.eu-west-1.amazonaws.com | HTTP and HTTPS
EU (Frankfurt) | eu-central-1 | sns.eu-central-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | sns.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | sns.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | sns.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | sns.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1 | sns.sa-east-1.amazonaws.com | HTTP and HTTPS
Amazon Simple Queue Service (Amazon SQS)
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | sqs.us-east-1.amazonaws.com | HTTP and HTTPS
US West (N. California) | us-west-1 | sqs.us-west-1.amazonaws.com | HTTP and HTTPS
US West (Oregon) | us-west-2 | sqs.us-west-2.amazonaws.com | HTTP and HTTPS
EU (Ireland) | eu-west-1 | sqs.eu-west-1.amazonaws.com | HTTP and HTTPS
EU (Frankfurt) | eu-central-1 | sqs.eu-central-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | sqs.ap-northeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | sqs.ap-northeast-2.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | sqs.ap-southeast-1.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | sqs.ap-southeast-2.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1 | sqs.sa-east-1.amazonaws.com | HTTP and HTTPS
Amazon SQS Legacy Endpoints
If you use the AWS CLI or SDK for Python, you can use the following legacy endpoints.
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | queue.amazonaws.com | HTTP and HTTPS
US West (N. California) | us-west-1 | us-west-1.queue.amazonaws.com | HTTP and HTTPS
US West (Oregon) | us-west-2 | us-west-2.queue.amazonaws.com | HTTP and HTTPS
EU (Ireland) | eu-west-1 | eu-west-1.queue.amazonaws.com | HTTP and HTTPS
EU (Frankfurt) | eu-central-1 | eu-central-1.queue.amazonaws.com | HTTP and HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | ap-northeast-1.queue.amazonaws.com | HTTP and HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | ap-northeast-2.queue.amazonaws.com | HTTP and HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | ap-southeast-1.queue.amazonaws.com | HTTP and HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | ap-southeast-2.queue.amazonaws.com | HTTP and HTTPS
South America (São Paulo) | sa-east-1 | sa-east-1.queue.amazonaws.com | HTTP and HTTPS
AWS GovCloud (US) | us-gov-west-1 | us-gov-west-1.queue.amazonaws.com | HTTP and HTTPS
AWS Storage Gateway
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | storagegateway.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | storagegateway.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | storagegateway.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | storagegateway.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | storagegateway.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | storagegateway.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | storagegateway.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | storagegateway.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | storagegateway.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | storagegateway.sa-east-1.amazonaws.com | HTTPS
AWS Security Token Service (AWS STS)
The default endpoint for AWS Security Token Service is https://sts.amazonaws.com, which serves all
global requests. You can also make calls to other regional endpoints that are activated for your AWS
account. All regions are activated by default, but you can deactivate regions that you do not intend to
use. If you deactivate a region, you must reactivate it for your account in the AWS Management Console
before you can use that region’s endpoint.
For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User
Guide.
Region Name | Region | Endpoint | Protocol
--Global-- | --Global-- | sts.amazonaws.com | HTTPS
US East (N. Virginia) | us-east-1 | sts.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | sts.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | sts.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | sts.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | sts.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | sts.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | sts.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | sts.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | sts.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | sts.sa-east-1.amazonaws.com | HTTPS
AWS Support
AWS Support has a single endpoint: support.us-east-1.amazonaws.com (HTTPS).
Amazon Simple Workflow Service (Amazon SWF)
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | swf.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | swf.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | swf.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | swf.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | swf.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | swf.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | swf.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | swf.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | swf.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | swf.sa-east-1.amazonaws.com | HTTPS
Amazon VPC
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | ec2.us-east-1.amazonaws.com | HTTPS
US West (N. California) | us-west-1 | ec2.us-west-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | ec2.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | ec2.eu-west-1.amazonaws.com | HTTPS
EU (Frankfurt) | eu-central-1 | ec2.eu-central-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | ec2.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Seoul) | ap-northeast-2 | ec2.ap-northeast-2.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | ec2.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | ec2.ap-southeast-2.amazonaws.com | HTTPS
South America (São Paulo) | sa-east-1 | ec2.sa-east-1.amazonaws.com | HTTPS
If you specify the general endpoint (ec2.amazonaws.com), Amazon VPC directs your request to the
us-east-1 endpoint.
AWS WAF
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | waf.amazonaws.com | HTTPS
Amazon WorkMail
Region Name | Region | Service | Endpoint
US East (N. Virginia) | us-east-1 | Autodiscover | autodiscover-service.mail.us-east-1.awsapps.com
US East (N. Virginia) | us-east-1 | Exchange Web Service | ews.mail.us-east-1.awsapps.com
US East (N. Virginia) | us-east-1 | Exchange Active Sync | mobile.mail.us-east-1.awsapps.com
US East (N. Virginia) | us-east-1 | MAPI, MAPI Proxy | mailbox.mail.us-east-1.mail.awsapps.com, outlook.mail.us-east-1.awsapps.com
US West (Oregon) | us-west-2 | Autodiscover | autodiscover-service.mail.us-west-2.awsapps.com
US West (Oregon) | us-west-2 | Exchange Web Service | ews.mail.us-west-2.awsapps.com
US West (Oregon) | us-west-2 | Exchange Active Sync | mobile.mail.us-west-2.awsapps.com
US West (Oregon) | us-west-2 | MAPI, MAPI Proxy | mailbox.mail.us-west-2.mail.awsapps.com, outlook.mail.us-west-2.mail.awsapps.com
EU (Ireland) | eu-west-1 | Autodiscover | autodiscover-service.mail.eu-west-1.awsapps.com
EU (Ireland) | eu-west-1 | Exchange Web Service | ews.mail.eu-west-1.awsapps.com
EU (Ireland) | eu-west-1 | Exchange Active Sync | mobile.mail.eu-west-1.awsapps.com
EU (Ireland) | eu-west-1 | MAPI, MAPI Proxy | mailbox.mail.eu-west-1.mail.awsapps.com, outlook.mail.eu-west-1.awsapps.com
Amazon WorkSpaces
Region Name | Region | Endpoint | Protocol
US East (N. Virginia) | us-east-1 | workspaces.us-east-1.amazonaws.com | HTTPS
US West (Oregon) | us-west-2 | workspaces.us-west-2.amazonaws.com | HTTPS
EU (Ireland) | eu-west-1 | workspaces.eu-west-1.amazonaws.com | HTTPS
Asia Pacific (Tokyo) | ap-northeast-1 | workspaces.ap-northeast-1.amazonaws.com | HTTPS
Asia Pacific (Singapore) | ap-southeast-1 | workspaces.ap-southeast-1.amazonaws.com | HTTPS
Asia Pacific (Sydney) | ap-southeast-2 | workspaces.ap-southeast-2.amazonaws.com | HTTPS
China (Beijing) Region
The following table contains information about endpoints and protocols that are available in the China
(Beijing) region. For more information, go to the Getting Started with Amazon AWS guide.
AWS Service | China (Beijing) region Endpoint | Protocol
Auto Scaling | autoscaling.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
AWS CloudFormation | cloudformation.cn-north-1.amazonaws.com.cn | HTTPS
AWS CloudTrail | cloudtrail.cn-north-1.amazonaws.com.cn | HTTPS
Amazon CloudWatch | monitoring.cn-north-1.amazonaws.com.cn | HTTPS
Amazon CloudWatch Logs | logs.cn-north-1.amazonaws.com.cn | HTTPS
AWS Direct Connect | directconnect.cn-north-1.amazonaws.com.cn | HTTPS
Amazon DynamoDB | dynamodb.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon DynamoDB Streams | streams.dynamodb.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon EC2/Amazon EBS/Amazon VPC | ec2.cn-north-1.amazonaws.com.cn | HTTPS
AWS Elastic Beanstalk | elasticbeanstalk.cn-north-1.amazonaws.com.cn | HTTPS
Elastic Load Balancing | elasticloadbalancing.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon EMR | elasticmapreduce.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon Glacier | glacier.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
IAM | iam.cn-north-1.amazonaws.com.cn | HTTPS
Amazon Kinesis | kinesis.cn-north-1.amazonaws.com.cn | HTTPS
Amazon Redshift | redshift.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon RDS | rds.cn-north-1.amazonaws.com.cn | HTTPS
AWS STS | sts.cn-north-1.amazonaws.com.cn | HTTPS
Amazon SNS | sns.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon SQS | sqs.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon S3 | s3.cn-north-1.amazonaws.com.cn | HTTP and HTTPS
Amazon S3 (Website) | s3-website.cn-north-1.amazonaws.com.cn | HTTP
Amazon SWF | swf.cn-north-1.amazonaws.com.cn | HTTPS
AWS Storage Gateway | storagegateway.cn-north-1.amazonaws.com.cn | HTTPS
Important
The Amazon S3 endpoint s3.cn-north-1.amazonaws.com.cn supports only Signature Version 4 for
request authentication.
AWS Security Credentials
When you interact with AWS, you use AWS security credentials to verify who you are and whether you
have permission to access the resources that you are requesting. In other words, security credentials are
used to authenticate and authorize calls that you make to AWS.
For example, if you want to download a specific file from an Amazon Simple Storage Service (Amazon
S3) bucket, the credentials that you use must allow that access. If your credentials aren't authorized to
download the file, your request is denied. In some cases, you can make calls without security credentials
to AWS, like when you download a file that is publicly shared in an Amazon S3 bucket.
Topics
• Root Account Credentials vs. IAM User Credentials (p. 42)
• Types of Security Credentials (p. 43)
• How Do I Get Security Credentials? (p. 44)
• AWS Account Identifiers (p. 45)
• Best Practices for Managing AWS Access Keys (p. 46)
• Managing Access Keys for your AWS Account (p. 49)
• AWS Security Audit Guidelines (p. 50)
Root Account Credentials vs. IAM User Credentials
All AWS accounts have root account credentials. These credentials allow full access to all resources in
the account. Because you can't control the privileges of the root account credentials, you should store
them in a safe place and instead use AWS Identity and Access Management (IAM) user credentials for
day-to-day interaction with AWS.
With IAM, you can securely control access to AWS services and resources for users in your AWS account.
For example, if you require administrator-level permissions, you can create an IAM user, grant that user
full access, and then use those credentials to interact with AWS. Later, if you need to revoke or modify
your permissions, you can delete or modify any policies that are associated with that IAM user.
Additionally, if you have multiple users that require access to your AWS account, you can create unique
credentials for each user and define who has access to which resources. In other words, you don't need
to share credentials. For example, you can create IAM users with read-only access to resources in your
AWS account and distribute those credentials to users that require read access. For more information
about IAM, see IAM User Guide.
Note
Any activity or costs that are associated with the IAM user are billed to the AWS account.
Types of Security Credentials
You use different types of security credentials depending on how you interact with AWS. For example,
to use the AWS Management Console, you use a user name and password to sign in to the console. In
contrast, to make programmatic calls to AWS API actions, you use access keys. The following list
summarizes the different types of AWS security credentials and when you might use each one.
Email address and password
When you sign up for AWS, you provide an email address and password that is associated with your
AWS account. You use these credentials to sign in to secure AWS web pages like the AWS
Management Console, AWS Discussion Forums, or AWS Support Center. The account email address
and password are root-level credentials, meaning anyone who uses these credentials has full access
to all resources in the account. We recommend instead that you use an IAM user name and
password to sign in to AWS web pages. For more information, see Root Account Credentials vs. IAM
User Credentials (p. 42).
IAM user name and password
When multiple individuals or applications require access to your AWS account, AWS Identity and
Access Management (IAM) lets you create unique IAM user identities. Each user can use his or her
own user names and passwords to sign in to the AWS Management Console, AWS Discussion
Forums, or AWS Support Center. In some cases, an IAM user name and password are required to
use a service, such as sending email with SMTP by using Amazon Simple Email Service.
For more information about IAM users, see Users and Groups in IAM User Guide.
Multi-Factor Authentication (MFA)
AWS Multi-Factor Authentication (AWS MFA) provides an extra level of security that you can apply
to your AWS environment. With AWS MFA enabled, when you sign in to an AWS website, you are
prompted for your user name and password, as well as for an authentication code from an MFA
device. Taken together, these multiple factors provide increased security for your AWS account
settings and resources. You can enable MFA for the root account and for IAM users. For more
information, see Using Multi-Factor Authentication (MFA) Devices with AWS in IAM User Guide.
Access keys (access key ID and secret access key)
Access keys consist of an access key ID (like AKIAIOSFODNN7EXAMPLE) and a secret access
key (like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to sign
programmatic requests that you make to AWS whether you're using the AWS SDK, REST, or Query
APIs. The AWS SDKs use your access keys to sign requests for you so that you don't have to handle
the signing process. If you're unable to use the AWS SDK, you can sign requests manually. For more
information, see Signing AWS API Requests.
Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands
that you issue are signed by your access keys, which you can either pass with the command or store
as configuration settings on your computer.
You can also create and use temporary access keys, known as temporary security credentials. In
addition to the access key ID and secret access key, temporary security credentials include a security
token that you must submit to AWS when you use temporary security credentials. The advantage of
temporary security credentials is that they have a limited life (after they expire, they're no longer
valid), so you can use them in less secure environments or distribute them to grant users temporary
access to resources in your AWS account. For example, you can use temporary security credentials
to grant entities from other AWS accounts access to resources in your AWS account (cross-account
access) or grant users who don't have AWS security credentials access to resources in your AWS
account (federation). For more information, see Using Temporary Security Credentials.
Key pairs
Key pairs consist of a public and private key, where you use the private key to create a digital signature,
and then AWS uses the corresponding public key to validate the signature. Key pairs are used only
for Amazon EC2 and Amazon CloudFront.
For Amazon EC2, you use key pairs to access Amazon EC2 instances, such as when you use SSH
to log in to a Linux instance. For more information, see Connecting to Amazon EC2 Instances in the
Amazon EC2 User Guide for Linux Instances.
For Amazon CloudFront, you use key pairs to create signed URLs for private content, such as when
you want to distribute restricted content that someone paid for. For more information, see Serving
Private Content through CloudFront in Amazon CloudFront Developer Guide.
How Do I Get Security Credentials?
If your credentials have been lost or forgotten, you cannot recover them. However, you can create new
credentials and then disable or delete the old set of credentials. For security reasons, AWS doesn't allow
you to retrieve your passwords or secret access keys, and does not store the private keys that are part
of a key pair.
Note
Security credentials are account specific, so if you have access to multiple AWS accounts, you
must use credentials that are associated with the account that you want to access.
Getting AWS root account credentials is different than getting IAM user credentials. For AWS root account
credentials, you get credentials, like access keys or key pairs, by going to the Security Credentials page
in the AWS Management Console. For IAM user credentials, you get credentials by using IAM. The
following list describes how you can get each type of credential for the AWS root account or for an IAM
user.
Email address and password
The email address and password are specified when the AWS account was created. You can change
the email address and password by going to the Security Credentials page.
IAM user name and password
You specify user names when you create them. After you create users, you can create passwords
for each user. For more information, see Managing Passwords for IAM Users in IAM User Guide.
Note
IAM users can manage their own password but only if they have been given permission to
do so. For more information, see Granting IAM Users Permission to Change Their Own
Password in IAM User Guide.
Access keys (access key ID and secret access key)
For AWS account access keys (root users), after you sign up for AWS, you must create access keys
for the account. You can retrieve the access key ID from the Security Credentials page, but you
cannot retrieve the secret access key. If the secret access key is lost or forgotten, you need to create
new access keys. You can create new access keys for the account by going to the Security Credentials
page. In the Access Keys section, click Create New Access Key.
For IAM access keys, when you create IAM users, you can create access keys for that user or create
them later. For more information, see Creating, Modifying, and Viewing User Access Keys in IAM
User Guide. You'll need to create new access keys if a secret access key is lost or forgotten. You
create new access keys for IAM users by using the AWS Management Console.
MFA
By default, MFA is not enabled. You can enable and manage MFA devices for the AWS root account
by going to the Security Credentials page or the IAM dashboard in the AWS Management Console.
For more information about enabling MFA for IAM users, see Setting Up an MFA Device in IAM User
Guide.
Note
AWS recommends that you require MFA on the root account credentials and highly privileged
IAM users for additional security.
Key pairs
AWS does not provide key pairs for your account; you must create them.
You can create Amazon EC2 key pairs by using the Amazon EC2 console, CLI, or API. For more
information, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.
You create Amazon CloudFront key pairs by using the Security Credentials page. CloudFront key
pairs can be created only by the root account and cannot be created by IAM users. For more
information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer
Guide.
AWS Account Identifiers
AWS assigns two unique IDs to each AWS account:
• An AWS account ID
• A canonical user ID
The AWS account ID is a 12-digit number, such as 123456789012, that you use to construct Amazon
Resource Names (ARNs). When you refer to resources, like an IAM user or an Amazon Glacier vault,
the account ID distinguishes your resources from resources in other AWS accounts.
The canonical user ID is a long string, such as
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be.
You can use canonical user IDs in an Amazon S3 bucket policy for cross-account access, which means
an AWS account can access resources in another AWS account. For example, to grant another AWS
account access to your bucket, you specify the account's canonical user ID in the bucket's policy. For
more information, see Bucket Policy Examples in the Amazon Simple Storage Service Developer Guide.
Finding Your Account Identifiers
For AWS account users (root account users), you can get both IDs from the Account Identifiers section
of the AWS Security Credentials page. You can't change either ID.
For IAM or federated users, you can get your AWS account ID from the Support Center dashboard. You
can also choose Support and then choose Support Center. The ID is displayed on the upper right.
Note
You can also return the canonical user ID with the Amazon S3 ListBuckets API. For more
information, see GET Service Response Elements in the Amazon Simple Storage Service API
Reference.
Best Practices for Managing AWS Access Keys
When you access AWS programmatically, you use an access key to verify your identity and the identity
of your applications. An access key consists of an access key ID (something like AKIAIOSFODNN7EXAMPLE)
and a secret access key (something like wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Anyone who has your access key has the same level of access to your AWS resources that you do.
Consequently, AWS goes to significant lengths to protect your access keys, and, in keeping with our
shared-responsibility model, you should as well.
The steps that follow can help you protect access keys. For general background, see AWS Security
Credentials (p. 42).
Note
Your organization may have different security requirements and policies than those described
in this topic. The suggestions provided here are intended to be general guidelines.
Topics
• Remove (or Don't Generate) a Root Account Access Key (p. 46)
• Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys (p. 46)
• Manage IAM User Access Keys Properly (p. 47)
• More Resources (p. 48)
Remove (or Don't Generate) a Root Account Access Key
An access key is required in order to sign requests that you make using the AWS Command Line Tools,
the AWS SDKs, or direct API calls. Anyone who has the access key for your root account has unrestricted
access to all the resources in your account, including billing information. You cannot restrict the permissions
for your root account.
One of the best ways to protect your account is to not have an access key for your root account.
Unless you must have a root access key (which is very rare), it is best not to generate one. Instead, the
recommended best practice is to create one or more AWS Identity and Access Management (IAM) users,
give them the necessary permissions, and use IAM users for everyday interaction with AWS.
If you already have an access key for your account, we recommend that you find places in your applications
where you are currently using that key (if any), replace the root access key with an IAM user access key,
and then disable and remove the root access key. For details about how to substitute one access key for
another, see the post How to rotate access keys for IAM users on the AWS Security Blog.
By default, AWS does not generate an access key for new accounts.
For information about how to create an IAM user with administrative permissions, see Creating an
Administrators Group Using the Console in the IAM User Guide.
Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys
In many scenarios, you don't need a long-term access key that never expires (as you have with an IAM
user). Instead, you can create IAM roles and generate temporary security credentials. Temporary security
credentials consist of an access key ID and a secret access key, but they also include a security token
that indicates when the credentials expire.
Long-term access keys, such as those associated with IAM users and AWS accounts (root), remain valid
until you manually revoke them. However, temporary security credentials obtained through IAM roles and
other features of the AWS Security Token Service expire after a short period of time. Use temporary
security credentials to help reduce your risk in case credentials are accidentally exposed.
Use an IAM role and temporary security credentials in these scenarios:
• You have an application or AWS CLI scripts running on an Amazon EC2 instance. Do not pass
an access key to the application, embed it in the application, or have the application read a key from
a source such as an Amazon S3 bucket (even if the bucket is encrypted). Instead, define an IAM role
that has appropriate permissions for your application and launch the Amazon EC2 instance with roles
for EC2. This associates an IAM role with the Amazon EC2 instance and lets the application get
temporary security credentials that it can in turn use to make AWS calls. The AWS SDKs and the AWS
CLI can get temporary credentials from the role automatically.
• You need to grant cross-account access. Use an IAM role to establish trust between accounts, and
then grant users in one account limited permissions to access the trusted account. For more information,
see Walkthrough: Delegating Access Across AWS Accounts Using IAM Roles in the IAM User Guide.
• You have a mobile app. Do not embed an access key with the app, even in encrypted storage. Instead,
use Amazon Cognito to manage user identity in your app. This service lets you authenticate users
using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity
provider. You can then use the Amazon Cognito credentials provider to manage credentials that your
app uses to make requests to AWS. For more information, see Using the Amazon Cognito Credentials
Provider on the AWS Mobile Development blog.
• You want to federate into AWS and your organization supports SAML 2.0. If you work for an
organization that has an identity provider that supports SAML 2.0, configure the provider to use SAML
to exchange authentication information with AWS and get back a set of temporary security credentials.
For more information, see Using Your Organization's Authentication System and SAML to Grant Access
to AWS Resources in the Using Temporary Security Credentials guide.
• You want to federate into AWS and your organization has an on-premises identity store. If users
can authenticate inside your organization, you can write an application that can issue them temporary
security credentials for access to AWS resources. For more information, see Using Your Organization's
Authentication System to Grant Access to AWS Resources in the Using Temporary Security Credentials
guide.
Manage IAM User Access Keys Properly
If you do need to create access keys for programmatic access to AWS, create an IAM user and grant
that user only the permissions he or she needs. Then generate an access key for that user. For details,
see Managing Access Keys for IAM Users in the IAM User Guide.
Note
Remember that if you are running an application on an Amazon EC2 instance and the application
needs access to AWS resources, you should use IAM roles for EC2, as described in the previous
section.
Observe these precautions when using access keys:
• Don't embed access keys directly into code. The AWS SDKs and the AWS Command Line Tools
allow you to put access keys in known locations so that you do not have to keep them in code.
Put access keys in one of the following locations:
• The AWS credentials file. The AWS SDKs and AWS CLI automatically use the credentials that you
store in the AWS credentials file.
For information about using the AWS credentials file, see the documentation for your SDK. Examples
include Set Up your AWS Credentials for Use with the SDK for Java in the AWS SDK for Java
Developer Guide and Configuration and Credential Files in the AWS Command Line Interface User
Guide.
Note
To store credentials for the AWS SDK for .NET and the AWS Tools for Windows PowerShell,
we recommend you use the SDK Store. For more information, see Using the SDK Store in
the AWS SDK for .NET Developer Guide.
• Environment variables. On a multitenant system, choose user environment variables, not system
environment variables.
For more information about using environment variables to store credentials, see Environment
Variables in the AWS Command Line Interface User Guide.
• Use different access keys for different applications. Do this so that you can isolate the permissions
and revoke the access keys for individual applications if an access key is exposed. Having separate
access keys for different applications also generates distinct entries in AWS CloudTrail log files, which
makes it easier for you to determine which application performed specific actions.
• Rotate access keys periodically. Change access keys on a regular basis. For details, see Rotating
Access Keys (AWS CLI and API) in the IAM User Guide and How to rotate access keys for IAM
users on the AWS Security Blog.
• Remove unused access keys. If a user leaves your organization, remove the corresponding IAM user
so that the user's access to your resources is removed. To find out when an access key was last used,
use the GetAccessKeyLastUsed API (AWS CLI command: aws iam get-access-key-last-used).
• Configure multifactor authentication for your most sensitive operations. For details, see Using
Multifactor Authentication (MFA) Devices with AWS in the IAM User Guide.
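As an added check for the first precaution above (this example is not code from the AWS General Reference), the following Python scans source text for the two credential shapes this guide describes: a long-term access key ID, which begins with AKIA, and a 40-character secret access key on a line that also mentions "secret". The sample source is constructed and uses the example key pair quoted in this guide; the detection rules and function names are assumptions of this example, and a match is a reason to move the key into the credentials file or environment and rotate it.

```python
"""Find access keys that have been embedded in source code.

Added example; not code from the AWS General Reference. Detection
rules are assumptions of this example: long-term access key IDs
begin with "AKIA" followed by 16 upper-case letters or digits, and
a secret access key is a 40-character base64-style token that
appears on a line mentioning "secret".
"""
import re

ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Constructed sample of application source with a key pair pasted in.
# The key values are the documentation examples quoted in this guide.
SAMPLE_SOURCE = """import boto3

# BAD: credentials embedded in code, visible to anyone with the source
session = boto3.Session(
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)

# GOOD: no credentials in code; the SDK reads ~/.aws/credentials or the
# environment, or gets role credentials on an EC2 instance
session2 = boto3.Session(profile_name="build")
"""


def find_embedded_keys(source: str):
    """Return (line_number, kind, value) for each credential found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)))
        # Secret keys have no fixed prefix, so only look on lines that
        # name a secret; this keeps false positives down.
        if "secret" in line.lower():
            for m in SECRET_KEY_RE.finditer(line):
                hits.append((lineno, "secret_access_key", m.group(0)))
    return hits


def mask(value: str) -> str:
    """Show only enough of a value to identify it in a report."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for lineno, kind, value in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {mask(value)}")
```

The report masks the values it finds so that the scan output itself does not become another place the key is stored.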
More Resources
For more information about best practices for keeping your AWS account secure, see the following
resources:
• IAM Best Practices. This topic presents a list of suggestions for using the AWS Identity and Access
Management (IAM) service to help secure your AWS resources.
• The following pages provide guidance for setting up the AWS SDKs and the AWS CLI to use access
keys.
• Set Up your AWS Credentials for Use with the SDK for Java in the AWS SDK for Java Developer
Guide.
• Using the SDK Store in the AWS SDK for .NET Developer Guide.
• Providing Credentials to the SDK in the AWS SDK for PHP Developer Guide.
• Credentials in the boto (Python) documentation.
• Using AWS Credentials in the AWS Tools for Windows PowerShell guide.
• Configuration and Credential Files in the AWS Command Line Interface User Guide.
• Tutorial: Grant Access Using an IAM Role and the AWS SDK for .NET. This walkthrough discusses
how programs written using the .NET SDK can automatically get temporary security credentials when
running on an Amazon EC2 instance. Similar topics are available for the AWS SDK for Java and the
AWS SDK for Ruby.
Managing Access Keys for your AWS Account
This section explains how to create, rotate, disable, or delete access keys (access key IDs and secret
access keys) for your AWS (root) account. Anyone who has the access key for your AWS account has
unrestricted access to all the resources in your account, including billing information.
Important
We recommend that you not have an access key for your root account. Instead, we recommend
that you create one or more AWS Identity and Access Management (IAM) users, give them the
necessary permissions, and use IAM users for everyday interaction with AWS. For more
information, see IAM Best Practices in the IAM User Guide. For more information about
why you should not have root access keys, see Remove (or Don't Generate) a Root Account
Access Key (p. 46) in Best Practices for Managing AWS Access Keys (p. 46).
When you create an access key, AWS displays the access key ID and a secret access key. To ensure
the security of your AWS account, the secret access key is displayed only one time, when you create the
access key. If a secret key is lost, you can delete the access key and then create a new key.
By default, when you create an access key, its status is Active, which means you can use the access
key for API calls. Each AWS account can have two sets of access keys, which is useful when you rotate
the access keys. You can disable an access key, which means it can't be used for API calls. You might
do this while you're replacing your root access key with an IAM user access key.
You can delete an access key at any time. However, when you delete an access key, it's gone forever
and cannot be retrieved. You can create new access keys at any time.
Creating, Disabling, and Deleting Access Keys for your AWS Account
To create, disable, or delete an access key for your AWS (root) account
1. Use your AWS account email address and password to sign in to the AWS Management Console.
Note
If you previously signed in to the console with IAM user credentials, your browser might
open your IAM user sign-in page. You cannot use the user sign-in page to sign in with your
root credentials. Instead, click Sign in using AWS Account credentials near the bottom
of the page to go to the account sign-in page.
2. In the upper-right corner of the console, click the arrow next to the account name or number and
then click Security Credentials.
3. On the AWS Security Credentials page, expand the Access Keys (Access Key ID and Secret
Access Key) section.
4. Click Create New Access Key. Note that you can have a maximum of two access keys (active or
inactive) at a time.
5. Click Download Key File to save the access key ID and secret access key to a .csv file on your
computer. You will not have access to this secret access key again after this dialog box closes.
6. To disable an access key, for example, when you are rotating your access keys, click Make Inactive.
AWS requests signed with inactive access keys will be rejected by AWS. To re-enable the key, click
Make Active.
7. To delete an access key, click Delete. To confirm that the access key was deleted, look for Deleted
in the Status column.
Caution
Before you delete an access key, make sure it is no longer in use. You cannot recover a
deleted access key.
AWS Security Audit Guidelines
You should periodically audit your security configuration to make sure it meets your current business
needs. An audit gives you an opportunity to remove unneeded IAM users, roles, groups, and policies,
and to make sure that your users and software have only the permissions that are required.
Following are guidelines for systematically reviewing and monitoring your AWS resources for security
best practices.
Topics
• When Should You Perform a Security Audit? (p. 50)
• General Guidelines for Auditing (p. 50)
• Review Your AWS Account Credentials (p. 51)
• Review Your IAM Users (p. 51)
• Review Your IAM Groups (p. 51)
• Review Your IAM Roles (p. 51)
• Review Your IAM Providers for SAML and OpenID Connect (OIDC) (p. 52)
• Review Your Mobile Apps (p. 52)
• Review Your Amazon EC2 Security Configuration (p. 52)
• Review AWS Policies in Other Services (p. 52)
• Monitor Activity in Your AWS Account (p. 53)
• Tips for Reviewing IAM Policies (p. 53)
• More Information (p. 54)
When Should You Perform a Security Audit?
You should audit your security configuration in the following situations:
• On a periodic basis. You should perform the steps described in this document at regular intervals as
a best practice for security.
• If there are changes in your organization, such as people leaving.
• If you have stopped using one or more individual AWS services. This is important for removing
permissions that users in your account no longer need.
• If you've added or removed software in your accounts, such as applications on Amazon EC2 instances,
AWS OpsWorks stacks, AWS CloudFormation templates, etc.
• If you ever suspect that an unauthorized person might have accessed your account.
General Guidelines for Auditing
As you review your account's security configuration, follow these guidelines:
• Be thorough. Look at all aspects of your security configuration, including those you might not use
regularly.
• Don't assume. If you are unfamiliar with some aspect of your security configuration (for example, the
reasoning behind a particular policy or the existence of a role), investigate the business need until you
are satisfied.
• Keep things simple. To make auditing (and management) easier, use IAM groups, consistent naming
schemes, and straightforward policies.
Review Your AWS Account Credentials
Take these steps when you audit your AWS account credentials:
1. If you're not using the root access keys for your account, remove them. We strongly recommend that
you do not use root access keys for everyday work with AWS, and that instead you create IAM users.
2. If you do need to keep the access keys for your account, rotate them regularly.
Review Your IAM Users
Take these steps when you audit your existing IAM users:
1. Delete users that are not active.
2. Remove users from groups that they don't need to be a part of.
3. Review the policies attached to the groups the user is in. See Tips for Reviewing IAM Policies (p. 53).
4. Delete security credentials that the user doesn't need or that might have been exposed. For example,
an IAM user that is used for an application does not need a password (which is necessary only to sign
in to AWS websites). Similarly, if a user does not use access keys, there's no reason for the user to
have one. For more information, see Managing Passwords for IAM Users and Managing Access Keys
for IAM Users in the IAM User Guide.
You can generate and download a credential report that lists all IAM users in your account and the
status of their various credentials, including passwords, access keys, and MFA devices. For passwords
and access keys, the credential report shows how recently the password or access key has been used.
Credentials that have not been used recently might be good candidates for removal. For more
information, see Getting Credential Reports for your AWS Account in the IAM User Guide.
5. Rotate (change) user security credentials periodically, or immediately if you ever share them with an
unauthorized person. For more information, see Managing Passwords for IAM Users and Managing
Access Keys for IAM Users in the IAM User Guide.
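The credential report review in step 4 and the rotation rule in step 5 can be applied mechanically. The following Python is an added example, not code from the AWS General Reference: it reads a credential report in the IAM report's CSV layout (one row per user, the root account listed as <root_account>, true/false flags, ISO 8601 dates, and N/A or not_supported where no date applies) and lists, per user, active root keys, keys never used or not used recently, keys that are overdue for rotation, and console passwords without MFA. The report below is constructed and keeps only a subset of the real report's columns; the 90-day thresholds and the fixed audit time are this example's own choices.

```python
"""Audit an IAM credential report for stale or risky credentials.

Added example; not code from the AWS General Reference. It assumes
the IAM credential report layout: one CSV row per user (the root
account appears as "<root_account>"), true/false flags, ISO 8601
timestamps, and "N/A" / "no_information" / "not_supported" when no
date applies. The report below is constructed and keeps only a
subset of the real report's columns; thresholds are this example's.
"""
import csv
import io
from datetime import datetime, timezone

UNUSED_DAYS = 90   # active key not used for this long -> removal candidate
ROTATE_DAYS = 90   # active key older than this -> rotate
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Fixed "now" so the sample audit is reproducible (assumption of this example).
AUDIT_TIME = datetime(2016, 6, 1, tzinfo=timezone.utc)

# Constructed sample report (subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2016-05-30T08:00:00+00:00,true,true,2015-01-02T00:00:00+00:00,2016-05-29T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2016-05-31T09:00:00+00:00,true,true,2016-05-01T00:00:00+00:00,2016-05-31T09:05:00+00:00,false,N/A,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,false,N/A,false,true,2015-11-01T00:00:00+00:00,2016-05-31T23:00:00+00:00,true,2016-03-15T00:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-01-10T14:00:00+00:00,false,false,N/A,N/A,true,2016-01-15T00:00:00+00:00,2016-02-01T00:00:00+00:00
"""


def _parse_ts(value: str):
    """Report dates are ISO 8601; several markers mean 'no date available'."""
    return None if value in NO_DATE else datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> dict:
    """Return {user: [finding, ...]} for every user in the report."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = findings.setdefault(user, [])
        is_root = user == "<root_account>"
        # A console password is only needed by people; people should use MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password enabled without MFA")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue   # inactive or absent keys need no review here
            if is_root:
                issues.append(f"root access key {slot} is active; "
                              "replace it with an IAM user key and remove it")
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if last_used is None:
                issues.append(f"access key {slot} has never been used")
            elif (now - last_used).days > UNUSED_DAYS:
                issues.append(f"access key {slot} not used for {(now - last_used).days} days")
            if rotated is not None and (now - rotated).days > ROTATE_DAYS:
                issues.append(f"access key {slot} not rotated for {(now - rotated).days} days")
    return findings


def run_sample() -> dict:
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        for issue in issues:
            print(f"{user}: {issue}")
```

A real report comes from the IAM GetCredentialReport API (aws iam get-credential-report), which returns the CSV base64-encoded; decode it and pass the text to audit_credential_report with the current time.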
Review Your IAM Groups
Take these steps when you audit your IAM groups:
1. Delete unused groups.
2. Review users in each group and remove users who don't belong. See Review Your IAM Users (p. 51)
earlier.
3. Review the policies attached to the group. See Tips for Reviewing IAM Policies (p. 53).
Review Your IAM Roles
Take these steps when you audit your IAM roles:
1. Delete roles that are not in use.
2. Review the role's trust policy. Make sure that you know who the principal is and that you understand
why that account or user needs to be able to assume the role.
3. Review the access policy for the role to be sure that it grants suitable permissions to whoever assumes
the role—see Tips for Reviewing IAM Policies (p. 53).
Review Your IAM Providers for SAML and OpenID Connect (OIDC)
If you have created an IAM entity for establishing trust with a SAML or OIDC identity provider, take these
steps:
1. Delete unused providers.
2. Download and review the AWS metadata documents for each SAML provider and make sure the
documents reflect your current business needs. Alternatively, get the latest metadata documents from
the SAML IdPs that you want to establish trust with and update the provider in IAM.
Review Your Mobile Apps
If you have created a mobile app that makes requests to AWS, take these steps:
1. Make sure that the mobile app does not contain embedded access keys, even if they are in encrypted
storage.
2. Get temporary credentials for the app by using APIs that are designed for that purpose. We recommend
that you use Amazon Cognito to manage user identity in your app. This service lets you authenticate
users using Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)–compatible identity
provider. You can then use the Amazon Cognito credentials provider to manage credentials that your
app uses to make requests to AWS.
If your mobile app doesn't support authentication using Login with Amazon, Facebook, Google, or any
other OIDC-compatible identity provider, you can create a proxy server that can dispense temporary
credentials to your app.
Review Your Amazon EC2 Security Configuration
Take the following steps for each AWS region:
1. Delete Amazon EC2 key pairs that are unused or that might be known to people outside your
organization.
2. Review your Amazon EC2 security groups:
• Remove security groups that no longer meet your needs.
• Remove rules from security groups that no longer meet your needs. Make sure you know why the
ports, protocols, and IP address ranges they permit have been allowed.
3. Terminate instances that aren't serving a business need or that might have been started by someone
outside your organization for unapproved purposes. Remember that if an instance is started with a
role, applications that run on that instance can access AWS resources using the permissions that are
granted by that role.
4. Cancel spot instance requests that aren't serving a business need or that might have been made by
someone outside your organization.
5. Review your Auto Scaling groups and configurations. Shut down any that no longer meet your needs
or that might have been configured by someone outside your organization.
Review AWS Policies in Other Services
Review the permissions for services that use resource-based policies or that support other security
mechanisms. In each case, make sure that only users and roles with a current business need have access
to the service's resources, and that the permissions granted on the resources are the fewest necessary
to meet your business needs.
• Review your Amazon S3 bucket policies and ACLs.
• Review your Amazon SQS queue policies.
• Review your Amazon SNS topic policies.
• Review your AWS OpsWorks permissions.
• Review your AWS KMS key policies.
Monitor Activity in Your AWS Account
Follow these guidelines for monitoring AWS activity:
• Turn on AWS CloudTrail in each account and use it in each supported region.
• Periodically examine CloudTrail log files. (CloudTrail has a number of partners who provide tools for
reading and analyzing log files.)
• Enable Amazon S3 bucket logging to monitor requests made to each bucket.
• If you believe there has been unauthorized use of your account, pay particular attention to temporary
credentials that have been issued. If temporary credentials have been issued that you don't recognize,
disable their permissions.
• Enable billing alerts in each account and set a cost threshold that lets you know if your charges exceed
your normal usage.
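The second and fourth guidelines above (examine CloudTrail log files; look closely at temporary credentials you don't recognize) can be turned into a small detection pass. The following Python is an added example, not code from the AWS General Reference. It assumes the CloudTrail log file shape: a JSON object with a Records list, each record carrying userIdentity (type, arn, accessKeyId and, for role sessions, sessionContext.sessionIssuer), eventSource, eventName and eventTime. It flags root account activity, role sessions issued by a role outside an allow-list, STS calls that issue temporary credentials, and creation of new access keys. The records and the allow-list of expected roles are constructed for this example.

```python
"""Scan CloudTrail records for activity the audit guidelines single out.

Added example; not code from the AWS General Reference. It assumes
the CloudTrail log file shape (a "Records" list of JSON events with
userIdentity, eventSource, eventName, eventTime). The records and
the allow-list of expected roles below are constructed.
"""
import json

# Roles that are expected to issue temporary credentials (constructed).
EXPECTED_ROLES = {"arn:aws:iam::123456789012:role/AppRole"}

# STS operations that issue temporary security credentials.
STS_ISSUE_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
                    "GetFederationToken", "GetSessionToken"}

# Constructed sample log file (five events in one account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"}},
    {"eventTime": "2016-06-01T08:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2016-06-01T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0123456789abcdef0",
                      "accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": "arn:aws:iam::123456789012:role/AppRole"}}}},
    {"eventTime": "2016-06-01T08:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/UnknownRole/session1",
                      "accessKeyId": "ASIAEXAMPLE000000002",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": "arn:aws:iam::123456789012:role/UnknownRole"}}}},
    {"eventTime": "2016-06-01T08:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AppRole"}},
]})


def scan_records(log_text: str, expected_roles=EXPECTED_ROLES):
    """Return a list of (rule, event, principal_arn) findings, in log order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "")
        name = rec.get("eventName", "")
        if ident.get("type") == "Root":
            # Root should not be used for everyday work, so any root event is worth a look.
            findings.append(("root-activity", name, arn))
        if ident.get("type") == "AssumedRole":
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
            if issuer not in expected_roles:
                findings.append(("unexpected-temporary-credentials", name, arn))
        if rec.get("eventSource") == "sts.amazonaws.com" and name in STS_ISSUE_EVENTS:
            findings.append(("temporary-credentials-issued", name, arn))
        if name == "CreateAccessKey":
            target = rec.get("requestParameters", {}).get("userName", "?")
            findings.append(("access-key-created", f"{name} for {target}", arn))
    return findings


if __name__ == "__main__":
    for rule, event, who in scan_records(SAMPLE_LOG):
        print(f"{rule:34} {event:28} {who}")
```

Temporary credentials use access key IDs that begin with ASIA, and the session's issuing role is recorded in sessionContext, so an allow-list of roles is enough to separate expected sessions from ones that need follow-up; the page's advice for the latter is to disable the permissions of the role or user that issued them.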
Tips for Reviewing IAM Policies
Policies are powerful and subtle, so it's important to study and understand the permissions that are granted
by each policy. Use the following guidelines when reviewing policies:
• As a best practice, attach policies to groups instead of to individual users. If an individual user has a
policy, make sure you understand why that user needs the policy.
• Make sure that IAM users, groups, and roles have only the permissions that they need.
• Use the IAM Policy Simulator to test policies that are attached to users or groups.
• Remember that a user's permissions are the result of all applicable policies—user policies, group
policies, and resource-based policies (on Amazon S3 buckets, Amazon SQS queues, Amazon SNS
topics, and AWS KMS keys). It's important to examine all the policies that apply to a user and to
understand the complete set of permissions granted to an individual user.
• Be aware that allowing a user to create an IAM user, group, role, or policy and attach a policy to the
principal entity is effectively granting that user all permissions to all resources in your account. That is,
users who are allowed to create policies and attach them to a user, group, or role can grant themselves
any permissions. In general, do not grant IAM permissions to users or roles whom you do not trust with
full access to the resources in your account. The following list contains IAM permissions that you should
review closely:
• iam:PutGroupPolicy
• iam:PutRolePolicy
• iam:PutUserPolicy
• iam:CreatePolicy
• iam:CreatePolicyVersion
• iam:AttachGroupPolicy
• iam:AttachRolePolicy
• iam:AttachUserPolicy
• Make sure policies don't grant permissions for services that you don't use. For example, if you use
AWS managed policies, make sure the AWS managed policies that are in use in your account are for
services that you actually use. To find out which AWS managed policies are in use in your account,
use the IAM GetAccountAuthorizationDetails API (AWS CLI command: aws iam
get-account-authorization-details).
• If the policy grants a user permission to launch an Amazon EC2 instance, it might also allow the
iam:PassRole action, but if so it should explicitly list the roles that the user is allowed to pass to the
Amazon EC2 instance.
• Closely examine any values for the Action or Resource element that include *. It's a best practice
to grant Allow access to only the individual actions and resources that users need. However, the
following are reasons that it might be suitable to use * in a policy:
• The policy is designed to grant administrative-level privileges.
• The wildcard character is used for a set of similar actions (for example, Describe*) as a convenience,
and you are comfortable with the complete list of actions that are referenced in this way.
• The wildcard character is used to indicate a class of resources or a resource path (e.g.,
arn:aws:iam::account-id:users/division_abc/*), and you are comfortable granting access
to all of the resources in that class or path.
• A service action does not support resource-level permissions, and the only choice for a resource is
*.
• Examine policy names to make sure they reflect the policy's function. For example, although a policy
might have a name that includes "read only," the policy might actually grant write or change permissions.
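The checks in this list (the privilege-granting iam: permissions, iam:PassRole without an explicit role list, wildcards in Action or Resource, and names that promise less than the policy grants) can be run over a policy document before it is attached. The following Python is an added example, not code from the AWS General Reference; it assumes the IAM policy JSON layout (Version, Statement, Effect, Action, Resource, optional Sid and NotAction) and IAM's case-insensitive action matching with * spanning any characters. The sample policy is constructed, and its "ReadOnlyUsers" statement is the kind of misnamed policy the last bullet warns about; severities and messages are this example's own.

```python
"""Review an IAM policy document for the points listed above.

Added example; not code from the AWS General Reference. It assumes
the IAM policy JSON layout (Version, Statement, Effect, Action,
Resource, optional Sid and NotAction). The sample policy is
constructed; severities and messages are this example's own.
"""
import json
import re

# Permissions the guide says to review closely: any of these lets a
# principal grant itself further permissions.
PRIVILEGE_GRANTING_ACTIONS = (
    "iam:PutGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:AttachGroupPolicy", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
)

# Constructed sample policy; "ReadOnlyUsers" grants more than its name says.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeInstances", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "LaunchWithRole", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
        {"Sid": "ReadOnlyUsers", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*", "iam:AttachUserPolicy"],
         "Resource": "arn:aws:iam::123456789012:user/division_abc/*"},
    ],
})


def _as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively; '*' spans any characters."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern.lower())
    return re.fullmatch(regex, action.lower()) is not None


def review_policy(policy_json: str):
    """Return (sid, severity, message) findings for each Allow statement."""
    doc = json.loads(policy_json)
    statements = doc["Statement"]
    if isinstance(statements, dict):      # a single statement may be bare
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "high", "NotAction allows every action except those listed"))
        granted = [p for p in PRIVILEGE_GRANTING_ACTIONS
                   if any(_action_matches(a, p) for a in actions)]
        if granted:
            findings.append((sid, "high",
                             "grants privilege-escalating permissions: " + ", ".join(granted)))
        if any(_action_matches(a, "iam:PassRole") for a in actions) and "*" in resources:
            findings.append((sid, "high",
                             "iam:PassRole with Resource *: list the roles that may be passed"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "high",
                                 f"action wildcard {action} grants every action of the service"))
            elif "*" in action:
                findings.append((sid, "info",
                                 f"action pattern {action}: confirm the full list of matching actions"))
        for res in resources:
            if res == "*":
                findings.append((sid, "medium",
                                 "Resource *: confirm the actions have no resource-level "
                                 "permissions or that admin access is intended"))
            elif "*" in res:
                findings.append((sid, "info",
                                 f"resource pattern {res}: confirm every resource in that path is intended"))
    return findings


def high_findings(policy_json: str):
    return [(sid, msg) for sid, sev, msg in review_policy(policy_json) if sev == "high"]


if __name__ == "__main__":
    for sid, severity, message in review_policy(SAMPLE_POLICY):
        print(f"[{severity}] {sid}: {message}")
```

The review reports every statement separately because, as the page notes, a user's effective permissions are the union of all applicable policies; run it over each user, group and inline policy from aws iam get-account-authorization-details rather than over a single document.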
More Information
For information about managing IAM resources, see the following:
• IAM Users and Groups in the IAM User Guide.
• Permissions and Policies in the IAM User Guide.
• IAM Roles (Delegation and Federation) in the IAM User Guide.
• IAM Policy Simulator in the Using IAM Policy Simulator guide.
For more information about Amazon EC2 security, see the following:
• Network and Security in the Amazon EC2 User Guide for Linux Instances.
• Demystifying EC2 Resource-Level Permissions on the AWS Security Blog.
For more information about monitoring an AWS account, see the re:Invent 2013 presentation "Intrusion
Detection in the Cloud" (video, PDF of slide presentation). You can also download a sample Python
program that shows how to automate security auditing functions.
Amazon Resource Names (ARNs) and AWS Service Namespaces
Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need
to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational
Database Service (Amazon RDS) tags, and API calls.
Topics
• ARN Format (p. 55)
• Example ARNs (p. 56)
• Paths in ARNs (p. 68)
• AWS Service Namespaces (p. 69)
ARN Format
Here are some example ARNs:
<!-- Elastic Beanstalk application version -->
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
<!-- IAM user name -->
arn:aws:iam::123456789012:user/David
<!-- Amazon RDS instance used for tagging -->
arn:aws:rds:eu-west-1:123456789012:db:mysql-db
<!-- Object in an Amazon S3 bucket -->
arn:aws:s3:::my_corporate_bucket/exampleobject.png
The following are the general formats for ARNs; the specific components and values used depend on
the AWS service.
arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource
partition
The partition that the resource is in. For standard AWS regions, the partition is aws. If you have
resources in other partitions, the partition is aws-partitionname. For example, the partition for
resources in the China (Beijing) region is aws-cn.
service
The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon
RDS). For a list of namespaces, see AWS Service Namespaces (p. 69).
region
The region the resource resides in. Note that the ARNs for some resources do not require a region,
so this component might be omitted.
account
The ID (p. 45) of the AWS account that owns the resource, without the hyphens. For example,
123456789012. Note that the ARNs for some resources don't require an account number, so this
component might be omitted.
resource, resourcetype:resource, or resourcetype/resource
The content of this part of the ARN varies by service. It often includes an indicator of the type of
resource—for example, an IAM user or Amazon RDS database—followed by a slash (/) or a colon
(:), followed by the resource name itself. Some services allow paths for resource names, as described
in Paths in ARNs (p. 68).
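The three general formats above can be parsed with one rule: the first five fields (arn, partition, service, region, account-id) never contain a colon, so everything after the fifth colon is the resource part, and the first slash or colon inside that part separates the resource type from the resource name. The following Python is an added example, not code from the AWS General Reference or any AWS SDK; the parser and the policy-style wildcard matcher are its own, and it only knows the general layout, so what the parts mean for a given service (for example, that an S3 ARN's "type" is really a bucket name) still comes from that service's documentation.

```python
"""Split ARNs into the components described above.

Added example; not code from the AWS General Reference. It follows
the general formats given in this section (resource,
resourcetype/resource, resourcetype:resource) and assumes only that
the first five fields never contain a colon, so everything after the
fifth colon is the resource part. Which separator a service uses,
and what the parts mean, remains service-specific.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str                    # "" when the service omits it
    account_id: str                # "" when omitted; "*" is allowed in policies
    resource_type: Optional[str]   # None for the bare "resource" format
    resource: str
    separator: Optional[str]       # "/" or ":" between type and resource


def parse_arn(arn: str) -> Arn:
    parts = arn.split(":", 5)   # at most 5 splits: the resource may contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, rest = parts
    if not partition or not service or not rest:
        raise ValueError(f"ARN is missing a required component: {arn!r}")
    if account_id not in ("", "*") and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account ID must be 12 digits without hyphens: {arn!r}")
    # The type/resource separator is the first '/' or ':' in the resource part.
    # A leading '/' (API Gateway resource paths) means there is no type prefix.
    candidates = [i for i in (rest.find("/"), rest.find(":")) if i > 0]
    if candidates:
        i = min(candidates)
        return Arn(partition, service, region, account_id, rest[:i], rest[i + 1:], rest[i])
    return Arn(partition, service, region, account_id, None, rest, None)


def is_valid_arn(arn: str) -> bool:
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


def arn_matches(pattern: str, arn: str) -> bool:
    """Policy-style match: '*' spans any characters (including ':' and '/'), '?' one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    for example in ("arn:aws:iam::123456789012:user/David",
                    "arn:aws:rds:eu-west-1:123456789012:db:mysql-db",
                    "arn:aws:s3:::my_corporate_bucket/exampleobject.png"):
        print(parse_arn(example))
```

arn_matches is the check a policy reviewer wants for the "*" cases discussed earlier: it shows exactly which ARNs a pattern such as arn:aws:iam::account-id:users/division_abc/* covers, including nested paths, and which it does not.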
Example ARNs
The following sections provide syntax and examples of the ARNs for different services. For more information
about using ARNs in a specific AWS service, see the documentation for that service.
Note
Some services support IAM resource-level permissions. For more information, see AWS Services
That Work with IAM.
Topics
• Amazon API Gateway (p. 57)
• Auto Scaling (p. 57)
• AWS Certificate Manager (p. 58)
• AWS CloudFormation (p. 58)
• Amazon CloudSearch (p. 58)
• AWS CloudTrail (p. 58)
• Amazon CloudWatch Events (p. 59)
• Amazon CloudWatch Logs (p. 59)
• AWS CodeCommit (p. 59)
• AWS CodeDeploy (p. 59)
• AWS CodePipeline (p. 60)
• Amazon DynamoDB (p. 60)
• Amazon EC2 Container Registry (Amazon ECR) (p. 60)
• Amazon EC2 Container Service (Amazon ECS) (p. 60)
• Amazon Elastic Compute Cloud (Amazon EC2) (p. 61)
• AWS Elastic Beanstalk (p. 61)
• Elastic Load Balancing (p. 62)
• Amazon Elastic Transcoder (p. 62)
• Amazon ElastiCache (p. 62)
• Amazon Elasticsearch Service (p. 63)
• Amazon Glacier (p. 63)
• AWS Identity and Access Management (IAM) (p. 63)
• AWS Key Management Service (AWS KMS) (p. 64)
• Amazon Kinesis Firehose (Firehose) (p. 64)
• Amazon Kinesis Streams (Streams) (p. 64)
• AWS Lambda (Lambda) (p. 65)
• Amazon Machine Learning (Amazon ML) (p. 65)
• Amazon Redshift (p. 65)
• Amazon Relational Database Service (Amazon RDS) (p. 66)
• Amazon Route 53 (p. 66)
• Amazon Simple Notification Service (Amazon SNS) (p. 66)
• Amazon Simple Queue Service (Amazon SQS) (p. 66)
• Amazon Simple Storage Service (Amazon S3) (p. 67)
• Amazon Simple Workflow Service (Amazon SWF) (p. 67)
• AWS Storage Gateway (p. 67)
• AWS Trusted Advisor (p. 68)
• AWS WAF (p. 68)
Amazon API Gateway
Syntax:
arn:aws:apigateway:region::resource-path
Examples:
arn:aws:apigateway:us-east-1::/restapis/a123456789012bc3de45678901f23a45/*
arn:aws:apigateway:us-east-1::a123456789012bc3de45678901f23a45:/test/mydemoresource/*
arn:aws:apigateway:*::a123456789012bc3de45678901f23a45:/*/petstorewalkthrough/pets
Auto Scaling
Syntax:
arn:aws:autoscaling:region:account-id:scalingPolicy:policyid:autoScalingGroupName/groupfriendlyname:policyname/policyfriendlyname
arn:aws:autoscaling:region:account-id:autoScalingGroup:groupid:autoScalingGroupName/groupfriendlyname
Example:
arn:aws:autoscaling:us-east-1:123456789012:scalingPolicy:c7a27f55-d35e-4153-b044-8ca9155fc467:autoScalingGroupName/my-test-asg1:policyName/my-scaleout-policy
AWS Certificate Manager
Syntax:
arn:aws:acm:region:account-id:certificate/certificate-id
Example:
arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
AWS CloudFormation
Syntax:
arn:aws:cloudformation:region:account-id:stack/stackname/additionalidentifier
Examples:
arn:aws:cloudformation:us-east-1:123456789012:stack/MyProductionStack/abc9dbf0-43c2-11e3-a6e8-50fa526be49c
Amazon CloudSearch
Syntax:
arn:aws:cloudsearch:region:account-id:domain/domainname
Example:
arn:aws:cloudsearch:us-east-1:123456789012:domain/imdb-movies
AWS CloudTrail
Syntax:
arn:aws:cloudtrail:region:account-id:trail/trailname
Example:
arn:aws:cloudtrail:us-east-1:123456789012:trail/mytrailname
Amazon CloudWatch Events
Syntax:
arn:aws:events:region:*:*
Examples:
arn:aws:events:us-east-1:*:*
arn:aws:events:us-east-1:account-id:*
arn:aws:events:us-east-1:account-id:rule/rule_name
Amazon CloudWatch Logs
Syntax:
arn:aws:logs:region:*:*
Examples:
arn:aws:logs:us-east-1:*:*
arn:aws:logs:us-east-1:account-id:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:logstream:log_stream_name
arn:aws:logs:us-east-1:account-id:log-group:log_group_name:logstream:log_stream_name_prefix*
arn:aws:logs:us-east-1:account-id:log-group:log_group_name_prefix*:logstream:log_stream_name_prefix*
AWS CodeCommit
Syntax:
arn:aws:codecommit:region:account-id:resource-specifier
Example:
arn:aws:codecommit:us-east-1:123456789012:MyDemoRepo
AWS CodeDeploy
Syntax:
arn:aws:codedeploy:region:account-id:resource-type:resource-specifier
arn:aws:codedeploy:region:account-id:resource-type/resource-specifier
Example:
arn:aws:codedeploy:us-east-1:123456789012:application:WordPress_App
arn:aws:codedeploy:us-east-1:123456789012:instance/AssetTag*
AWS CodePipeline
Syntax:
arn:aws:codepipeline:region:account-id:resource-specifier
Example:
arn:aws:codepipeline:us-east-1:123456789012:MyDemoPipeline
Amazon DynamoDB
Syntax:
arn:aws:dynamodb:region:account-id:table/tablename
Example:
arn:aws:dynamodb:us-east-1:123456789012:table/books_table
Amazon EC2 Container Registry (Amazon ECR)
Syntax:
arn:aws:ecr:region:account-id:repository/repository-name
Examples:
arn:aws:ecr:us-east-1:123456789012:repository/my-repository
Amazon EC2 Container Service (Amazon ECS)
Syntax:
arn:aws:ecs:region:account-id:cluster/cluster-name
arn:aws:ecs:region:account-id:container-instance/container-instance-id
arn:aws:ecs:region:account-id:task-definition/task-definition-family-name:task-definition-revision-number
arn:aws:ecs:region:account-id:service/service-name
arn:aws:ecs:region:account-id:task/task-id
arn:aws:ecs:region:account-id:container/container-id
Examples:
arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster
arn:aws:ecs:us-east-1:123456789012:container-instance/403125b0-555c-4473-86b5-65982db28a6d
arn:aws:ecs:us-east-1:123456789012:task-definition/hello_world:8
arn:aws:ecs:us-east-1:123456789012:service/sample-webapp
arn:aws:ecs:us-east-1:123456789012:task/1abf0f6d-a411-4033-b8eb-a4eed3ad252a
arn:aws:ecs:us-east-1:123456789012:container/476e7c41-17f2-4c17-9d14-412566202c8a
Amazon Elastic Compute Cloud (Amazon EC2)
Syntax:
arn:aws:ec2:region:account-id:customer-gateway/cgw-id
arn:aws:ec2:region:account-id:dhcp-options/dhcp-options-id
arn:aws:ec2:region::image/image-id
arn:aws:ec2:region:account-id:instance/instance-id
arn:aws:iam::account:instance-profile/instance-profile-name
arn:aws:ec2:region:account-id:internet-gateway/igw-id
arn:aws:ec2:region:account-id:key-pair/key-pair-name
arn:aws:ec2:region:account-id:network-acl/nacl-id
arn:aws:ec2:region:account-id:network-interface/eni-id
arn:aws:ec2:region:account-id:placement-group/placement-group-name
arn:aws:ec2:region:account-id:route-table/route-table-id
arn:aws:ec2:region:account-id:security-group/security-group-id
arn:aws:ec2:region::snapshot/snapshot-id
arn:aws:ec2:region:account-id:subnet/subnet-id
arn:aws:ec2:region:account-id:volume/volume-id
arn:aws:ec2:region:account-id:vpc/vpc-id
arn:aws:ec2:region:account-id:vpc-peering-connection/vpc-peering-connection-id
Examples:
arn:aws:ec2:us-east-1::image/ami-1a2b3c4d
arn:aws:ec2:us-east-1:123456789012:instance/*
arn:aws:ec2:us-east-1:123456789012:volume/*
arn:aws:ec2:us-east-1:123456789012:volume/vol-1a2b3c4d
Dedicated Hosts
arn:aws:ec2:region:account_id:dedicated-host/host_id
Example:
arn:aws:ec2:us-east-1:123456789012:dedicated-host/h-12345678
AWS Elastic Beanstalk
Syntax:
arn:aws:elasticbeanstalk:region:account-id:application/applicationname
arn:aws:elasticbeanstalk:region:account-id:applicationversion/applicationname/versionlabel
arn:aws:elasticbeanstalk:region:account-id:environment/applicationname/environmentname
arn:aws:elasticbeanstalk:region::solutionstack/solutionstackname
arn:aws:elasticbeanstalk:region:account-id:template/applicationname/templatename
Examples:
arn:aws:elasticbeanstalk:us-east-1:123456789012:application/My App
arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/My App/My Version
arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
arn:aws:elasticbeanstalk:us-east-1::solutionstack/32bit Amazon Linux running Tomcat 7
arn:aws:elasticbeanstalk:us-east-1:123456789012:template/My App/My Template
Elastic Load Balancing
Syntax:
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/loadbalancername
Example:
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/myloadbalancer
Amazon Elastic Transcoder
Syntax:
arn:aws:elastictranscoder:region:account-id:resource/id
Example:
arn:aws:elastictranscoder:us-east-1:123456789012:preset/*
Amazon ElastiCache
Syntax:
arn:aws:elasticache:region:account-id:resourcetype:resourcename
Examples:
arn:aws:elasticache:us-west-2:123456789012:cluster:myCluster
arn:aws:elasticache:us-west-2:123456789012:snapshot:mySnapshot
Amazon Elasticsearch Service
Syntax:
arn:aws:es:region:account-id:domain/domain-name
Example:
arn:aws:es:us-east-1:123456789012:domain/streaming-logs
Amazon Glacier
Syntax:
arn:aws:glacier:region:account-id:vaults/vaultname
Examples:
arn:aws:glacier:us-east-1:123456789012:vaults/examplevault
arn:aws:glacier:us-east-1:123456789012:vaults/example*
arn:aws:glacier:us-east-1:123456789012:vaults/*
AWS Identity and Access Management (IAM)
Syntax:
arn:aws:iam::account-id:root
arn:aws:iam::account-id:user/user-name
arn:aws:iam::account-id:group/group-name
arn:aws:iam::account-id:role/role-name
arn:aws:iam::account-id:policy/policy-name
arn:aws:iam::account-id:instance-profile/instance-profile-name
arn:aws:sts::account-id:federated-user/user-name
arn:aws:sts::account-id:assumed-role/role-name/role-session-name
arn:aws:iam::account-id:mfa/virtual-device-name
arn:aws:iam::account-id:server-certificate/certificate-name
arn:aws:iam::account-id:saml-provider/provider-name
arn:aws:iam::account-id:oidc-provider/provider-name
Examples:
arn:aws:iam::123456789012:root
arn:aws:iam::123456789012:user/Bob
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob
arn:aws:iam::123456789012:group/Developers
arn:aws:iam::123456789012:group/division_abc/subdivision_xyz/product_A/Developers
arn:aws:iam::123456789012:role/S3Access
arn:aws:iam::123456789012:role/application_abc/component_xyz/S3Access
arn:aws:iam::123456789012:policy/UsersManageOwnCredentials
arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials
arn:aws:iam::123456789012:instance-profile/Webserver
arn:aws:sts::123456789012:federated-user/Bob
arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary
arn:aws:iam::123456789012:mfa/BobJonesMFA
arn:aws:iam::123456789012:server-certificate/ProdServerCert
arn:aws:iam::123456789012:server-certificate/division_abc/subdivision_xyz/ProdServerCert
arn:aws:iam::123456789012:saml-provider/ADFSProvider
arn:aws:iam::123456789012:oidc-provider/GoogleProvider
For more information about IAM ARNs, see IAM ARNs in IAM User Guide.
AWS Key Management Service (AWS KMS)
Syntax:
arn:aws:kms:region:account-id:key/key-id
arn:aws:kms:region:account-id:alias/alias
Examples:
arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
arn:aws:kms:us-east-1:123456789012:alias/example-alias
Amazon Kinesis Firehose (Firehose)
Syntax:
arn:aws:firehose:region:account-id:deliverystream/delivery-stream-name
Example:
arn:aws:firehose:us-east-1:123456789012:deliverystream/example-stream-name
Amazon Kinesis Streams (Streams)
Syntax:
arn:aws:kinesis:region:account-id:stream/stream-name
Example:
arn:aws:kinesis:us-east-1:123456789012:stream/example-stream-name
AWS Lambda (Lambda)
Syntax:
arn:aws:lambda:region:account-id:function:function-name
Example:
arn:aws:lambda:us-east-1:123456789012:function:ProcessKinesisRecords
Amazon Machine Learning (Amazon ML)
Syntax:
arn:aws:machinelearning:region:account-id:datasource/datasourceID
arn:aws:machinelearning:region:account-id:mlmodel/mlmodelID
arn:aws:machinelearning:region:account-id:batchprediction/batchpredictionID
arn:aws:machinelearning:region:account-id:evaluation/evaluationID
Examples:
arn:aws:machinelearning:us-east-1:123456789012:datasource/my-datasource-1
arn:aws:machinelearning:us-east-1:123456789012:mlmodel/my-mlmodel
arn:aws:machinelearning:us-east-1:123456789012:batchprediction/my-batchprediction
arn:aws:machinelearning:us-east-1:123456789012:evaluation/my-evaluation
Amazon Redshift
Syntax:
arn:aws:redshift:region:account-id:cluster:clustername
arn:aws:redshift:region:account-id:parametergroup:parametergroupname
arn:aws:redshift:region:account-id:securitygroup:securitygroupname
arn:aws:redshift:region:account-id:snapshot:clustername/snapshotname
arn:aws:redshift:region:account-id:subnetgroup:subnetgroupname
Examples:
arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster
arn:aws:redshift:us-east-1:123456789012:parametergroup:my-parameter-group
arn:aws:redshift:us-east-1:123456789012:securitygroup:my-public-group
arn:aws:redshift:us-east-1:123456789012:snapshot:my-cluster/my-snapshot20130807
arn:aws:redshift:us-east-1:123456789012:subnetgroup:my-subnet-10
Amazon Relational Database Service (Amazon RDS)
ARNs are used in Amazon RDS only with tags for DB instances. For more information, see Tagging a
DB Instance in the Amazon Relational Database Service User Guide.
Syntax:
arn:aws:rds:region:account-id:db:databasename
arn:aws:rds:region:account-id:snapshot:snapshotname
Examples:
arn:aws:rds:us-east-1:123456789012:db:mysql-db
arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot2
Amazon Route 53
Syntax:
arn:aws:route53:::hostedzone/zoneid
arn:aws:route53:::change/changeid
Note that Amazon Route 53 does not require an account number or region in ARNs.
Examples:
arn:aws:route53:::hostedzone/Z148QEXAMPLE8V
arn:aws:route53:::change/C2RDJ5EXAMPLE2
arn:aws:route53:::change/*
Amazon Simple Notification Service (Amazon SNS)
Syntax:
arn:aws:sns:region:account-id:topicname
arn:aws:sns:region:account-id:topicname:subscriptionid
Examples:
arn:aws:sns:*:123456789012:my_corporate_topic
arn:aws:sns:us-east-1:123456789012:my_corporate_topic:02034b43-fefa-4e07-a5eb-3be56f8c54ce
Amazon Simple Queue Service (Amazon SQS)
Syntax:
arn:aws:sqs:region:account-id:queuename
Example:
arn:aws:sqs:us-east-1:123456789012:queue1
Amazon Simple Storage Service (Amazon S3)
Syntax:
arn:aws:s3:::bucket_name
arn:aws:s3:::bucket_name/key_name
Note
Amazon S3 does not require an account number or region in ARNs. If you specify an ARN for
a policy, you can also use a wildcard "*" character in the relative-ID part of the ARN.
Examples:
arn:aws:s3:::my_corporate_bucket
arn:aws:s3:::my_corporate_bucket/exampleobject.png
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
For more information, see Specifying Resources in a Policy in the Amazon Simple Storage Service
Developer Guide.
Amazon Simple Workflow Service (Amazon SWF)
Syntax:
arn:aws:swf:region:account-id:/domain/domain_name
Examples:
arn:aws:swf:us-east-1:123456789012:/domain/department1
arn:aws:swf:*:123456789012:/domain/*
AWS Storage Gateway
Syntax:
arn:aws:storagegateway:region:account-id:gateway/gateway-id
arn:aws:storagegateway:region:account-id:gateway/gateway-id/volume/volume-id
arn:aws:storagegateway:region:account-id:tape/tapebarcode
arn:aws:storagegateway:region:account-id:gateway/gateway-id/target/iSCSItarget
arn:aws:storagegateway:region:account-id:gateway/gateway-id/device/vtldevice
Examples:
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/volume/vol1122AABB
arn:aws:storagegateway:us-east-1:123456789012:tape/AMZNC8A26D
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/target/iqn.1997-05.com.amazon:vol-1122AABB
arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B/device/AMZN_SGW-FF22CCDD_TAPEDRIVE_00010
Note
For each AWS Storage Gateway resource, you can specify a wildcard (*).
AWS Trusted Advisor
Syntax:
arn:aws:trustedadvisor:*:account-id:checks/categorycode/checkid
Example:
arn:aws:trustedadvisor:*:123456789012:checks/fault_tolerance/BueAdJ7NrP
AWS WAF
Syntax:
arn:aws:waf:region:account-id:resource-type/resource-id
Examples:
arn:aws:waf:us-east-1:123456789012:rule/41b5b052-1e4a-426b-8149-3595be6342c2
arn:aws:waf:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3
arn:aws:waf:us-east-1:123456789012:ipset/3f74bd8c-f046-4970-a1a7-41aa52e05480
arn:aws:waf:us-east-1:123456789012:bytematchset/d131bc0b-57be-4536-af1d-4894fd28acc4
arn:aws:waf:us-east-1:123456789012:sqlinjectionset/2be79d6f-2f41-4c9b-8192-d719676873f0
arn:aws:waf:us-east-1:123456789012:changetoken/03ba2197-fc98-4ac0-a67d-5b839762b16b
Paths in ARNs
Some services let you specify a path for the resource name. For example, in Amazon S3, the resource
identifier is an object name that can include slashes (/) to form a path. Similarly, IAM user names and
group names can include paths.
In some circumstances, paths can include a wildcard character, namely an asterisk (*). For example, if
you are writing an IAM policy and in the Resource element you want to specify all IAM users that have
the path product_1234, you can use a wildcard like this:
arn:aws:iam::123456789012:user/Development/product_1234/*
Similarly, in the Resource element of an IAM policy, at the end of the ARN you can specify user/* to
mean all users or group/* to mean all groups, as in the following examples:
"Resource":"arn:aws:iam::123456789012:user/*"
"Resource":"arn:aws:iam::123456789012:group/*"
Note
You cannot use a wildcard to specify all users in the Principal element in a resource-based
policy or a role trust policy. Groups are not supported as principals in any policy.
The following example shows ARNs for an Amazon S3 bucket in which the resource name includes a
path:
arn:aws:s3:::my_corporate_bucket/*
arn:aws:s3:::my_corporate_bucket/Development/*
You cannot use a wildcard in the portion of the ARN that specifies the resource type, such as the term
user in an IAM ARN.
The following is not allowed:
arn:aws:iam::123456789012:u*
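The path and wildcard rules in this section, as an added Python example (not code from the General Reference or from IAM): an ARN parser, a policy Resource matcher in which "*" may stand in for the region, the account, or part of the resource path, and the check that rejects a wildcard in the resource-type portion. Function names are this example's own; the type-portion check applies the rule exactly as stated here, so for services whose resource names carry no type prefix (SQS queues, SNS topics, CodeCommit repositories) it is stricter than IAM itself.

```python
import re
from typing import NamedTuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource into its fields.
    Region and account may legitimately be empty (S3, IAM, Route 53); the resource
    field keeps any further ':' or '/' separators, e.g. 'user/Bob' or 'topic:subid'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def resource_type_has_wildcard(resource: str) -> bool:
    """True when '*' appears in the resource-type portion, i.e. before the first '/'
    or ':' (the disallowed 'u*' standing in for 'user/...'). A bare '*' for the whole
    field is permitted, as in arn:aws:events:us-east-1:*:*."""
    if resource == "*":
        return False
    return "*" in re.match(r"[^/:]*", resource).group(0)


def _glob(pattern: str):
    # Only '*' is a wildcard here; it also spans '/', so user/Development/* covers nested paths.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def validate_resource_pattern(pattern: str) -> Arn:
    """Reject a policy Resource value that puts a wildcard where the resource type belongs."""
    arn = parse_arn(pattern)
    if resource_type_has_wildcard(arn.resource):
        raise ValueError(f"wildcard in the resource-type portion is not allowed: {pattern!r}")
    return arn


def is_valid_resource_pattern(pattern: str) -> bool:
    try:
        validate_resource_pattern(pattern)
        return True
    except ValueError:
        return False


def arn_matches(pattern: str, candidate: str) -> bool:
    """Does a policy Resource pattern cover a concrete ARN?
    Partition and service must match literally; region, account and resource accept '*'."""
    p = validate_resource_pattern(pattern)
    c = parse_arn(candidate)
    if (p.partition, p.service) != (c.partition, c.service):
        return False
    return all(_glob(getattr(p, f)).match(getattr(c, f)) for f in ("region", "account", "resource"))


def covered_by(patterns, candidate: str) -> list:
    """Which Resource entries of a statement cover the candidate ARN (useful in policy review)."""
    return [p for p in patterns if arn_matches(p, candidate)]


if __name__ == "__main__":
    # The page's own examples: a path wildcard, an S3 key prefix and a region wildcard.
    print(arn_matches("arn:aws:iam::123456789012:user/Development/product_1234/*",
                      "arn:aws:iam::123456789012:user/Development/product_1234/Bob"))  # True
    print(arn_matches("arn:aws:s3:::my_corporate_bucket/Development/*",
                      "arn:aws:s3:::my_corporate_bucket/exampleobject.png"))  # False
    print(is_valid_resource_pattern("arn:aws:iam::123456789012:u*"))  # False
```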
AWS Service Namespaces
When you create AWS IAM policies or work with Amazon Resource Names (ARNs), you identify an AWS
service using a namespace. For example, the namespace for Amazon S3 is s3, and the namespace for
Amazon EC2 is ec2. You use namespaces when identifying actions and resources.
The following example shows an IAM policy where the value of the Action elements and the values in
the Resource and Condition elements use namespaces to identify the services for the actions and
resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": [
        "arn:aws:ec2:us-west-2:123456789012:customer-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:dhcp-options/*",
        "arn:aws:ec2:us-west-2::image/*",
        "arn:aws:ec2:us-west-2:123456789012:instance/*",
        "arn:aws:iam::123456789012:instance-profile/*",
        "arn:aws:ec2:us-west-2:123456789012:internet-gateway/*",
        "arn:aws:ec2:us-west-2:123456789012:key-pair/*",
        "arn:aws:ec2:us-west-2:123456789012:network-acl/*",
        "arn:aws:ec2:us-west-2:123456789012:network-interface/*",
        "arn:aws:ec2:us-west-2:123456789012:placement-group/*",
        "arn:aws:ec2:us-west-2:123456789012:route-table/*",
        "arn:aws:ec2:us-west-2:123456789012:security-group/*",
        "arn:aws:ec2:us-west-2::snapshot/*",
        "arn:aws:ec2:us-west-2:123456789012:subnet/*",
        "arn:aws:ec2:us-west-2:123456789012:volume/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc/*",
        "arn:aws:ec2:us-west-2:123456789012:vpc-peering-connection/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/marketing/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::example_bucket",
      "Condition": {"StringLike": {"s3:prefix": "marketing/*"}}
    }
  ]
}
The following table lists the AWS service namespaces.
Service                              Namespace
API Gateway                          apigateway
Amazon AppStream                     appstream
Auto Scaling                         autoscaling
Billing and Cost Management          aws-portal
AWS CloudFormation                   cloudformation
CloudFront                           cloudfront
Amazon CloudSearch                   cloudsearch
CloudTrail                           cloudtrail
CloudWatch                           cloudwatch
CloudWatch Events                    events
CloudWatch Logs                      logs
AWS CodeCommit                       codecommit
AWS CodeDeploy                       codedeploy
AWS CodePipeline                     codepipeline
Amazon Cognito                       cognito-identity
Amazon Cognito Sync                  cognito-sync
AWS Config                           config
AWS Data Pipeline                    datapipeline
Device Farm                          devicefarm
AWS Direct Connect                   directconnect
AWS Directory Service                ds
DynamoDB                             dynamodb
Elastic Beanstalk                    elasticbeanstalk
Amazon EC2                           ec2
Elastic Load Balancing               elasticloadbalancing
Amazon EMR                           elasticmapreduce
Elastic Transcoder                   elastictranscoder
ElastiCache                          elasticache
Elasticsearch                        es
Amazon GameLift                      gamelift
Amazon Glacier                       glacier
IAM                                  iam
AWS Import/Export                    importexport
AWS KMS                              kms
Amazon Kinesis                       kinesis
Lambda                               lambda
Amazon ML                            machinelearning
AWS Marketplace                      aws-marketplace
AWS Marketplace Management Portal    aws-marketplace-management
Mobile Analytics                     mobileanalytics
AWS OpsWorks                         opsworks
Amazon Redshift                      redshift
Amazon RDS                           rds
Amazon Route 53                      route53
AWS STS                              sts
AWS Service Catalog                  servicecatalog
Amazon SES                           ses
Amazon SNS                           sns
Amazon SQS                           sqs
Amazon S3                            s3
Amazon SWF                           swf
Amazon SimpleDB                      sdb
AWS Storage Gateway                  storagegateway
AWS Support                          support
Trusted Advisor                      trustedadvisor
Amazon VPC                           ec2
AWS WAF                              waf
Amazon WorkSpaces                    workspaces
Signing AWS API Requests
Requests to AWS must be signed—that is, they must include information that AWS can use to authenticate
the requestor. Requests are signed using the access key ID and secret access key of an account or of
an IAM user. (There are a few cases where requests do not have to be signed using an access key, such
as anonymous requests to Amazon S3 and some APIs in AWS STS like AssumeRoleWithWebIdentity).
AWS currently supports two signature versions: signature version 2 and signature version 4, which are
covered in this section. Most services support version 4, and if a service supports version 4, we strongly
recommend that you use that version.
Topics
• When Do You Need to Sign Requests? (p. 73)
• Why Requests Are Signed (p. 74)
• Making and Signing Requests Using REST or the Query API (p. 74)
• Signature Version 4 Signing Process (p. 75)
• Signature Version 2 Signing Process (p. 106)
When Do You Need to Sign Requests?
If you are using one of the AWS SDKs, the AWS Command Line Interface (CLI), or a service-specific
CLI, you do not need to worry about signing requests. All you need to do is configure the tools with one
or more access keys. These tools construct and send requests to AWS for you, and as part of that process,
they sign the requests using an access key that you provide. They take care of many of the connection
details, such as calculating signatures, handling request retries, and error handling. The SDKs also contain
sample code, tutorials, and other resources to help you get started writing applications that call AWS.
If you are programmatically constructing HTTP or HTTPS requests to AWS, you do have to include code
to sign the requests. You might do this for the following reasons:
• You are working with a programming language for which there is no AWS SDK. For example, currently
there is no AWS SDK for C.
• A feature that you want to work with is not supported by an AWS SDK or by the CLI. This is not common,
but one scenario is that there is a short period after a new service feature has been released before
all AWS SDKs support the feature.
• You want complete control over how a request is sent to AWS or over the response that is returned.
Why Requests Are Signed
The signing process helps secure requests in the following ways:
• Verify the identity of the requester. Signing makes sure that the request has been issued by someone
who has a valid access key ID and secret access key. For information about getting access keys, see
How Do I Get Security Credentials? in the AWS General Reference.
Requests can also be signed using temporary security credentials that are obtained using a call to an
AWS STS API like AssumeRole or GetFederationToken. In that case, the request must include the
security token that is part of the temporary security credentials. For more information, go to Creating
Temporary Security Credentials in the AWS Security Token Service documentation.
• Protect data in transit. In order to prevent tampering with a request while it is in transit, some of the
request elements are used to calculate a hash (digest) of the request, and the resulting hash value is
included as part of the request. When AWS receives the request, it calculates a hash based on the
same information and matches it against the hash value in the request that you include. If the hash
values don't match, AWS denies the request.
• Protect against potential replay attacks. A request must reach AWS within 5 minutes of the time
stamp in the request. Otherwise, AWS denies the request.
For additional security, you should transmit your requests using Secure Sockets Layer (SSL) by using
HTTPS. SSL encrypts the transmission, protecting your request or the response from being viewed in
transit.
Making and Signing Requests Using REST or
the Query API
AWS services support either REST protocol or a protocol that we refer to as Query API. For example,
Amazon S3 and Amazon Route 53 support a REST API. Others, like Amazon EC2 and IAM, support a
Query API. In both of these protocols, you make requests over HTTP or HTTPS using an HTTP verb
(such as GET or POST) and a parameter named Action or Operation that specifies the API you are
calling.
Note
Some AWS services formerly supported SOAP protocol for making requests to AWS. SOAP
has been deprecated for AWS.
To sign a request, you calculate a hash (digest) of the request, and then use the hash value, some other
values from the request, and a secret access key to create a signed hash—this is the signature.
You can add the signature to a request by using one of the following methods:
• HTTP Authorization header. You can add the signature to the request using the HTTP Authorization
header.
• Query string parameters. You can add the signature as a query string value to the request. Because
the request signature is part of the URL, this type of URL is referred to as a pre-signed URL.
Signature Version 4 Signing Process
The Signature Version 4 signing process describes how to add authentication information to AWS requests.
For security, most requests to AWS must be signed with an access key (access key ID and secret access
key). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs, those tools
automatically sign requests for you, based on credentials that you specify when you configure the tools.
However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
To sign a request, you calculate a signature using information such as the AWS service, region, action,
timestamp and your AWS access key. You then add the signature to the header of the request or as a
query string parameter.
When AWS receives the request, it performs the same steps that you completed to calculate the signature.
AWS then compares the calculated signature to the one you sent with the request. If the signatures match,
the request is processed. If the signatures don't match, the request is denied.
Important
The AWS SDKs support Signature Version 4. If you use one of the SDKs, you do not need to
follow this process to manually complete the signing process. For more information about how
to download and use the AWS SDKs, see Tools for Amazon Web Services.
For more information, see the following resources:
• To get started with the signing process, see Signing AWS Requests with Signature Version 4 (p. 76).
• For sample signed requests, see Examples of the Complete Version 4 Signing Process (Python) (p. 92).
• If you have questions about Signature Version 4, post your question in the AWS Identity and Access
Management discussion forum.
Supported Regions and Services
The following AWS services support the Signature Version 4 protocol in all regions. Other services and
regions may support Signature Version 2 (p. 106), an earlier version of the signing protocol. If a service
supports both versions, we recommend you use Signature Version 4.
• Amazon API Gateway
• Auto Scaling
• AWS CloudFormation
• AWS CloudHSM
• Amazon CloudSearch
• Amazon CloudWatch
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Config
• AWS Data Pipeline
• Amazon DynamoDB
• AWS Elastic Beanstalk
• Amazon Elastic Compute Cloud (Amazon EC2)
• Amazon EC2 Container Registry (Amazon ECR)
• Amazon EC2 Container Service (Amazon ECS)
• Amazon Elastic File System (Amazon EFS)
• Elastic Load Balancing
• Amazon Elastic MapReduce (Amazon EMR)
• Amazon Elastic Transcoder
• Amazon Elasticsearch Service
• Amazon GameLift
• Amazon Glacier
• AWS Identity and Access Management (IAM)
• Amazon Kinesis
• AWS Key Management Service (AWS KMS)
• Amazon Machine Learning
• AWS OpsWorks
• Amazon Redshift
• Amazon Relational Database Service (Amazon RDS)
• Amazon Route 53
• Amazon Simple Email Service (Amazon SES)
• Amazon Simple Notification Service (Amazon SNS)
• Amazon Simple Queue Service (Amazon SQS)
• Amazon Simple Storage Service (Amazon S3)
• AWS Security Token Service (AWS STS)
• AWS Support
• AWS WAF
Signing AWS Requests with Signature Version 4
This section explains how to create a signature and add it to a request.
Topics
• What Signing Looks Like in a Request (p. 76)
• GET and POST Requests in the Query API (p. 78)
• Summary of Signing Steps (p. 78)
• Task 1: Create a Canonical Request for Signature Version 4 (p. 78)
• Task 2: Create a String to Sign for Signature Version 4 (p. 84)
• Task 3: Calculate the AWS Signature Version 4 (p. 85)
• Task 4: Add the Signing Information to the Request (p. 86)
What Signing Looks Like in a Request
The following example shows what an HTTPS request might look like as it is sent from your client to
AWS, without any signing information.
GET https://iam.cn-north-1.amazonaws.com.cn/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iam.cn-north-1.amazonaws.com.cn
X-Amz-Date: 20150830T123600Z
After you complete the signing tasks, you add the authentication information to the request. You can add
the authentication information in two ways:
Authorization header
You can add the authentication information to the request with an Authorization header. Although the
HTTP header is named Authorization, the signing information is actually used for authentication to
establish who the request came from.
The Authorization header includes the following information:
• Algorithm you used for signing (AWS4-HMAC-SHA256)
• Credential scope (with your access key ID)
• List of signed headers
• Calculated signature. The signature is based on your request information, and you use your AWS
secret access key to produce the signature. The signature confirms your identity to AWS.
The following example shows what the preceding request might look like after you've created the signing
information and added it to the request in the Authorization header.
Note that in the actual request, the Authorization header would appear as a continuous line of text.
The version below has been formatted for readability.
POST https://iam.cn-north-1.amazonaws.com.cn/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Authorization: AWS4-HMAC-SHA256
Credential=AKIDEXAMPLE/20150830/cn-north-1/iam/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=d37af66cc90dc26bb2e27d2a97316b729b82589b5e4648f1ae34cb83a3f546cd
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.cn-north-1.amazonaws.com.cn
x-amz-date: 20150830T123600Z
Query string
As an alternative to adding authentication information with an HTTP request header, you can include it
in the query string. The query string contains everything that is part of the request, including the name
and parameters for the action, the date, and the authentication information.
The following example shows how you might construct a GET request with the action and authentication
information in the query string.
(In the actual request, the query string would appear as a continuous line of text. The version below has
been formatted with line breaks for readability.)
GET https://iam.cn-north-1.amazonaws.com.cn?Action=ListUsers&Version=2010-05-08
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fcn-north-1%2Fiam%2Faws4_request
&X-Amz-Date=20150830T123600Z
&X-Amz-Expires=60
&X-Amz-SignedHeaders=content-type%3Bhost
&X-Amz-Signature=bbb7890b2172f0cccc6d1d5cded4e690f3e1dac299599547f3d1ceb50567e83d
HTTP/1.1
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.cn-north-1.amazonaws.com.cn
GET and POST Requests in the Query API
The query API that many AWS services support lets you make requests using either HTTP GET or POST.
(In the query API, you can use GET even if you're making requests that change state; that is, the query
API is not inherently RESTful.) Because GET requests pass parameters on the query string, they are
limited to the maximum length of a URL. If a request includes a large payload (for example, you might
upload a large IAM policy or send many parameters in JSON format for a DynamoDB request), you
generally use a POST request.
The signing process is the same for both types of requests.
Summary of Signing Steps
To create a signed request, complete the following:
• Task 1: Create a Canonical Request for Signature Version 4 (p. 78)
Arrange the contents of your request (host, action, headers, etc.) into a standard (canonical) format.
The canonical request is one of the inputs used to create a string to sign.
• Task 2: Create a String to Sign for Signature Version 4 (p. 84)
Create a string to sign with the canonical request and extra information such as the algorithm, request
date, credential scope, and the digest (hash) of the canonical request.
• Task 3: Calculate the AWS Signature Version 4 (p. 85)
Derive a signing key by performing a succession of keyed hash operations (HMAC operations) on the
request date, region, and service, with your AWS secret access key as the key for the initial hashing
operation. After you derive the signing key, you then calculate the signature by performing a keyed
hash operation on the string to sign. Use the derived signing key as the hash key for this operation.
• Task 4: Add the Signing Information to the Request (p. 86)
After you calculate the signature, add it to an HTTP header or to the query string of the request.
Note
The AWS SDKs handle the signature calculation process for you, so you do not have to manually
complete the signing process. For more information, see Tools for Amazon Web Services.
The following additional resources illustrate aspects of the signing process:
• Examples of How to Derive a Version 4 Signing Key (p. 89). This page shows how to derive a signing
key using Java, C#, Python, Ruby, and JavaScript.
• Examples of the Complete Version 4 Signing Process (Python) (p. 92). This set of programs in Python
provide complete examples of the signing process. The examples show signing with a POST request,
with a GET request that has signing information in a request header, and with a GET request that has
signing information in the query string.
• Signature Version 4 Test Suite (p. 100). This downloadable package contains a collection of examples
that include signature information for various steps in the signing process.You can use these examples
to verify that your signing code is producing the correct results at each step of the process.
Task 1: Create a Canonical Request for Signature Version 4
To begin the signing process, create a string that includes information from your request in a standardized
(canonical) format. This ensures that when AWS receives the request, it can calculate the same signature
that you calculated.
Follow the steps here to create a canonical version of the request. Otherwise, your version and the version
calculated by AWS won't match, and the request will be denied.
The following example shows the pseudocode to create a canonical request.
Canonical request pseudocode
CanonicalRequest =
HTTPRequestMethod + '\n' +
CanonicalURI + '\n' +
CanonicalQueryString + '\n' +
CanonicalHeaders + '\n' +
SignedHeaders + '\n' +
HexEncode(Hash(RequestPayload))
In this pseudocode, Hash represents a function that produces a message digest, typically SHA-256.
(Later in the process, you specify which hashing algorithm you're using.) HexEncode represents a function
that returns the base-16 encoding of the digest in lowercase characters. For example, HexEncode("m")
returns the value 6d rather than 6D. Each input byte must be represented as exactly two hexadecimal
characters.
The following examples show how to construct the canonical form of a request to IAM. The original request
might look like this as it is sent from the client to AWS, except that this example does not include the
signing information yet.
Example request
GET https://iam.cn-north-1.amazonaws.com.cn/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Host: iam.cn-north-1.amazonaws.com.cn
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z
The preceding example request is a GET request (method) that makes a ListUsers API (action) call
to AWS Identity and Access Management (host). This action takes the Version parameter.
To create a canonical request, concatenate the following components from each step into
a single string:
1.
Start with the HTTP request method (GET, PUT, POST, etc.), followed by a newline character.
Example request method
GET
2.
Add the canonical URI parameter, followed by a newline character. The canonical URI is the
URI-encoded version of the absolute path component of the URI, which is everything in the URI from
the HTTP host to the question mark character ("?") that begins the query string parameters (if any).
Normalize URI paths according to RFC 3986. Remove redundant and relative path components.
Each path segment must be URI-encoded.
Example canonical URI with encoding
/documents%20and%20settings
If the absolute path is empty, use a forward slash (/). In the example IAM request, nothing follows
the host in the URI, so the absolute path is empty.
Example canonical URI
/
3.
Add the canonical query string, followed by a newline character. If the request does not include a
query string, use an empty string (essentially, a blank line). The example request has the following
query string.
Example canonical query string
Action=ListUsers&Version=2010-05-08
To construct the canonical query string, complete the following steps:
a. URI-encode each parameter name and value according to the following rules:
• Do not URI-encode any of the unreserved characters that RFC 3986 defines: A-Z, a-z, 0-9,
hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).
• Percent-encode all other characters with %XY, where X and Y are hexadecimal characters
(0-9 and uppercase A-F). For example, the space character must be encoded as %20 (not
using '+', as some encoding schemes do) and extended UTF-8 characters must be in the form
%XY%ZA%BC.
b. Sort the encoded parameter names by character code in ascending order (ASCII order). For
example, a parameter name that begins with the uppercase letter F (ASCII code 70) precedes
a parameter name that begins with a lowercase letter b (ASCII code 98).
c. Build the canonical query string by starting with the first parameter name in the sorted list.
d. For each parameter, append the URI-encoded parameter name, followed by the character '='
(ASCII code 61), followed by the URI-encoded parameter value. Use an empty string for
parameters that have no value.
e. Append the character '&' (ASCII code 38) after each parameter value, except for the last value
in the list.
One option for the query API is to put all request parameters in the query string. For example, you
can do this for Amazon S3 to create a pre-signed URL. In that case, the canonical query string must
include not only parameters for the request, but also the parameters used as part of the signing
process—the hashing algorithm, credential scope, date, and signed headers parameters.
The following example shows a query string that includes authentication information. The example
is formatted with line breaks for readability, but the canonical query string must be one continuous
line of text in your code.
Example authentication parameters in a query string
Action=ListUsers&
Version=2010-05-08&
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fcn-north-1%2Fiam%2Faws4_request&
X-Amz-Date=20150830T123600Z&
X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-date
For more information about authentication parameters, see Task 2: Create a String to Sign for
Signature Version 4 (p. 84).
Note
You can use temporary security credentials provided by the AWS Security Token Service
(AWS STS) to sign a request. The process is the same as using long-term credentials, but
when you add signing information to the query string you must add an additional query
parameter for the security token. The parameter name is X-Amz-Security-Token, and
the parameter's value is the URI-encoded session token (the string you received from AWS
STS when you obtained temporary security credentials).
For some services, you must include the X-Amz-Security-Token query parameter in the
canonical (signed) query string. For other services, you add the X-Amz-Security-Token
parameter at the end, after you calculate the signature. For details, see the API reference
documentation for that service.
4.
Add the canonical headers, followed by a newline character. The canonical headers consist of a list
of all the HTTP headers that you are including with the signed request.
At a minimum, you must include the host header. Standard headers like content-type are optional.
Different services might require other headers.
Example canonical headers
content-type:application/x-www-form-urlencoded; charset=utf-8\n
host:iam.cn-north-1.amazonaws.com.cn\n
x-amz-date:20150830T123600Z\n
To create the canonical headers list, convert all header names to lowercase and remove leading
spaces and trailing spaces. Convert sequential spaces in the header value to a single space.
The following pseudocode describes how to construct the canonical list of headers:
CanonicalHeaders =
CanonicalHeadersEntry0 + CanonicalHeadersEntry1 + ... + CanonicalHeadersEntryN
CanonicalHeadersEntry =
Lowercase(HeaderName) + ':' + Trimall(HeaderValue) + '\n'
Lowercase represents a function that converts all characters to lowercase. The Trimall function
removes excess white space before and after values, and converts sequential spaces to a single
space.
Build the canonical headers list by sorting the (lowercase) headers by character code and then
iterating through the header names. Construct each header according to the following rules:
• Append the lowercase header name followed by a colon.
• Append a comma-separated list of values for that header. Do not sort the values in headers that
have multiple values.
• Append a new line ('\n').
The following examples compare a more complex set of headers with their canonical form:
Original headers
Host:iam.cn-north-1.amazonaws.com.cn\n
Content-Type:application/x-www-form-urlencoded; charset=utf-8\n
My-header1:    a   b   c  \n
X-Amz-Date:20150830T123600Z\n
My-Header2:    "a   b   c"  \n
Canonical form
content-type:application/x-www-form-urlencoded; charset=utf-8\n
host:iam.cn-north-1.amazonaws.com.cn\n
my-header1:a b c\n
my-header2:"a b c"\n
x-amz-date:20150830T123600Z\n
Note
Each header is followed by a newline character, meaning the complete list ends with a
newline character.
In the canonical form, the following changes were made:
• The header names were converted to lowercase characters.
• The headers were sorted by character code.
• Leading and trailing spaces were removed from the my-header1 and my-header2 values.
• Sequential spaces in a b c were converted to a single space for the my-header1 and my-header2
values.
Note
You can use temporary security credentials provided by the AWS Security Token Service
(AWS STS) to sign a request. The process is the same as using long-term credentials, but
when you include signing information in the Authorization header you must add an
additional HTTP header for the security token. The header name is
X-Amz-Security-Token, and the header's value is the session token (the string you
received from AWS STS when you obtained temporary security credentials).
5.
Add the signed headers, followed by a newline character. This value is the list of headers that you
included in the canonical headers. By adding this list of headers, you tell AWS which headers in the
request are part of the signing process and which ones AWS can ignore (for example, any additional
headers added by a proxy) for purposes of validating the request.
The host header must be included as a signed header. If you include a date or x-amz-date header,
you must also include that header in the list of signed headers.
To create the signed headers list, convert all header names to lowercase, sort them by character
code, and use a semicolon to separate the header names. The following pseudocode describes how
to construct a list of signed headers. Lowercase represents a function that converts all characters
to lowercase.
SignedHeaders =
Lowercase(HeaderName0) + ';' + Lowercase(HeaderName1) + ';' + ... + Lowercase(HeaderNameN)
Build the signed headers list by iterating through the collection of header names, sorted by lowercase
character code. For each header name except the last, append a semicolon (';') to the header name
to separate it from the following header name.
Example signed headers
content-type;host;x-amz-date\n
6.
Use a hash (digest) function like SHA256 to create a hashed value from the payload in the body of
the HTTP or HTTPS request:
Structure of payload
HashedPayload = Lowercase(HexEncode(Hash(requestPayload)))
When you create the string to sign, you specify the signing algorithm that you used to hash the
payload. For example, if you used SHA256, you will specify AWS4-HMAC-SHA256 as the signing
algorithm. The hashed payload must be represented as a lowercase hexadecimal string.
If the payload is empty, use an empty string as the input to the hash function. In the IAM example,
the payload is empty.
Example hashed payload (empty string)
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
7.
To construct the finished canonical request, combine all the components from each step as a single
string. As noted, each component ends with a newline character. If you follow the canonical request
pseudocode explained earlier, the resulting canonical request is shown in the following example.
Example canonical request
GET
/
Action=ListUsers&Version=2010-05-08
content-type:application/x-www-form-urlencoded; charset=utf-8
host:iam.cn-north-1.amazonaws.com.cn
x-amz-date:20150830T123600Z
content-type;host;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
8.
Create a digest (hash) of the canonical request with the same algorithm that you used to hash the
payload.
The hashed canonical request must be represented as a string of lowercase hexadecimal characters.
The following example shows the result of using SHA-256 to hash the example canonical request.
Example hashed canonical request
c0f52cbaae2f5c43042257a73d9eafc6d42e3306a4ebab6d9235f391dff4d990
You include the hashed canonical request as part of the string to sign in Task 2: Create a String to
Sign for Signature Version 4 (p. 84).
Task 2: Create a String to Sign for Signature Version 4
The string to sign includes meta information about your request and about the canonical request that you
created in Task 1: Create a Canonical Request for Signature Version 4 (p. 78). You will use the string to
sign and a derived signing key that you create later as inputs to calculate the request signature in Task
3: Calculate the AWS Signature Version 4 (p. 85).
To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the
canonical request, as shown in the following pseudocode:
Structure of string to sign
StringToSign =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +
HashedCanonicalRequest
The following example shows how to construct the string to sign with the same request from Task 1:
Create A Canonical Request (p. 78).
Example HTTPS request
GET https://iam.cn-north-1.amazonaws.com.cn/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Host: iam.cn-north-1.amazonaws.com.cn
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z
To create the string to sign
1.
Start with the algorithm designation, followed by a newline character. This value is the hashing
algorithm that you use to calculate the digests in the canonical request. For SHA256,
AWS4-HMAC-SHA256 is the algorithm.
AWS4-HMAC-SHA256\n
2.
Append the request date value, followed by a newline character. The date is specified with ISO8601
basic format in the x-amz-date header in the format YYYYMMDD'T'HHMMSS'Z'. This value must
match the value you used in any previous steps.
20150830T123600Z\n
3.
Append the credential scope value, followed by a newline character. This value is a string that includes
the date, the region you are targeting, the service you are requesting, and a termination string
("aws4_request") in lowercase characters. The region and service name strings must be UTF-8
encoded.
20150830/cn-north-1/iam/aws4_request\n
• The date must be in the YYYYMMDD format. Note that the date does not include a time value.
• Verify that the region you specify is the region that you are sending the request to. See AWS
Regions and Endpoints (p. 2).
4.
Append the hash of the canonical request that you created in Task 1: Create a Canonical Request
for Signature Version 4 (p. 78). This value is not followed by a newline character. The hashed
canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.
c0f52cbaae2f5c43042257a73d9eafc6d42e3306a4ebab6d9235f391dff4d990
The following string to sign is a request to IAM on August 30, 2015.
Example string to sign
AWS4-HMAC-SHA256
20150830T123600Z
20150830/cn-north-1/iam/aws4_request
c0f52cbaae2f5c43042257a73d9eafc6d42e3306a4ebab6d9235f391dff4d990
Task 3: Calculate the AWS Signature Version 4
Before you calculate a signature, you derive a signing key from your AWS secret access key. Because
the derived signing key is specific to date, service, and region, it offers a greater degree of protection.
You don't just use your secret access key to sign the request. You then use the signing key and the string
to sign that you created in Task 2: Create a String to Sign for Signature Version 4 (p. 84) as the inputs
to a keyed hash function. The hex-encoded result from the keyed hash function is the signature.
To calculate a signature
1.
Derive your signing key. To do this, use your secret access key to create a series of hash-based
message authentication codes (HMACs). This is shown in the following pseudocode, where
HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format. The
result of each hash function becomes input for the next one.
Pseudocode for deriving a signing key
kSecret = Your AWS Secret Access Key
kDate = HMAC("AWS4" + kSecret, Date)
kRegion = HMAC(kDate, Region)
kService = HMAC(kRegion, Service)
kSigning = HMAC(kService, "aws4_request")
Note that the date used in the hashing process is in the format YYYYMMDD (for example, 20150830),
and does not include the time.
Make sure you specify the HMAC parameters in the correct order for the programming language you
are using.This example shows the key as the first parameter and the content as the second parameter,
but the function that you use might specify the key and content in a different order.
Use the digest for the key derivation. Most languages have functions to compute either a binary
format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation
requires you use a digest.
The following example shows the inputs to derive a signing key and the resulting output, where kSecret
= wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.
The example uses the same parameters from the request in Task 1 and Task 2 (a request to IAM in
the cn-north-1 region on August 30, 2015).
Example inputs
HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20150830"),"cn-north-1"),"iam"),"aws4_request")
The following example shows the derived signing key that results from this sequence of HMAC hash
operations. This shows the integer representation of each byte in the binary derived signing key.
Example signing key
63 168 51 115 97 53 85 53 34 1 96 206 87 244 203 91 142 49 130 9 170 123
176 62 205 203 154 174 236 61 7 162
2.
Calculate the signature. To do this, use the signing key that you derived and the string to sign as
inputs to the keyed hash function. After you calculate the signature as a digest, convert the binary
value to a hexadecimal representation.
The following pseudocode shows how to calculate the signature.
signature = HexEncode(HMAC(derived-signing-key, string-to-sign))
The following example shows the resulting signature if you use the same signing key and the string
to sign from Task 2:
Example signature
d37af66cc90dc26bb2e27d2a97316b729b82589b5e4648f1ae34cb83a3f546cd
Note
For examples of how to derive a signing key using Java, C#, Python, Ruby, and JavaScript, see
Examples of How to Derive a Version 4 Signing Key (p. 89).
Task 4: Add the Signing Information to the Request
After you calculate the signature, you add it to the request. You can add the signing information to a
request in one of two ways:
• An HTTP header named Authorization
• The query string
You cannot pass signing information in both the Authorization header and the query string.
Note
You can use temporary security credentials provided by the AWS Security Token Service (AWS
STS) to sign a request. The process is the same as using long-term credentials, but requires an
additional HTTP header or query string parameter for the security token. The name of the header
or query string parameter is X-Amz-Security-Token, and the value is the session token (the
string you received from AWS STS when you obtained temporary security credentials).
When you add the X-Amz-Security-Token parameter to the query string, some services
require that you include this parameter in the canonical (signed) request. For other services, you
add this parameter at the end, after you calculate the signature. For details, see the API reference
documentation for that service.
Adding Signing Information to the Authorization Header
You can include signing information by adding it to an HTTP header named Authorization. The contents
of the header are created after you calculate the signature as described in the preceding steps, so the
Authorization header is not included in the list of signed headers. Although the header is named
Authorization, the signing information is actually used for authentication.
The following pseudocode shows the construction of the Authorization header.
Authorization: algorithm Credential=access key ID/credential scope, SignedHeaders=SignedHeaders, Signature=signature
The following example shows a finished Authorization header.
Note that in the actual request, the authorization header would appear as a continuous line of text. The
version below has been formatted for readability.
Authorization: AWS4-HMAC-SHA256
Credential=AKIDEXAMPLE/20150830/cn-north-1/iam/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=d37af66cc90dc26bb2e27d2a97316b729b82589b5e4648f1ae34cb83a3f546cd
Note the following:
• There is no comma between the algorithm and Credential. However, the SignedHeaders and
Signature are separated from the preceding values with a comma.
• The Credential value starts with the access key ID, which is followed by a forward slash (/), which
is followed by the credential scope that you calculated in Task 2: Create a String to Sign for Signature
Version 4 (p. 84). The secret access key is used to derive the signing key for the signature, but is not
included in the signing information sent in the request.
Adding Signing Information to the Query String
You can make requests and pass all request values in the query string, including signing information.
This is sometimes referred to as a pre-signed URL, because it produces a single URL with everything
required in order to make a successful call to AWS. It's commonly used in Amazon S3. For more
information, see Authenticating Requests by Using Query Parameters (AWS Signature Version 4) in the
Amazon Simple Storage Service API Reference.
Important
If you make a request in which all parameters are included in the query string, the resulting URL
represents an AWS action that is already authenticated. Therefore, treat the resulting URL with
as much caution as you would treat your actual credentials. We recommend you specify a short
expiration time for the request with the X-Amz-Expires parameter.
When you use this approach, all the query string values (except the signature) are included in the canonical
query string that is part of the canonical request that you construct in the first part of the signing
process (p. 78).
The following pseudocode shows the construction of a query string that contains all request parameters.
querystring = Action=action
querystring += &X-Amz-Algorithm=algorithm
querystring += &X-Amz-Credential= urlencode(access_key_ID + '/' + credential_scope)
querystring += &X-Amz-Date=date
querystring += &X-Amz-Expires=timeout interval
querystring += &X-Amz-SignedHeaders=signed_headers
After the signature is calculated (which uses the other query string values as part of the calculation), you
add the signature to the query string as the X-Amz-Signature parameter:
querystring += &X-Amz-Signature=signature
The following example shows what a request might look like when all the request parameters and the
signing information are included in query string parameters.
Note that in the actual request, the URL would appear as a continuous line of text. The version below
has been formatted for readability.
https://iam.cn-north-1.amazonaws.com.cn?Action=ListUsers&Version=2010-05-08
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fcn-north-1%2Fiam%2Faws4_request
&X-Amz-Date=20150830T123600Z
&X-Amz-Expires=60
&X-Amz-SignedHeaders=content-type%3Bhost
&X-Amz-Signature=bbb7890b2172f0cccc6d1d5cded4e690f3e1dac299599547f3d1ceb50567e83d
Note the following:
• For the signature calculation, query string parameters must be sorted in ASCII order and their values
must be URI-encoded. See the step about creating a canonical query string in Task 1: Create a Canonical
Request for Signature Version 4 (p. 78).
• Set the timeout interval (X-Amz-Expires) to the minimal viable time for the operation you're requesting.
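The whole procedure from Task 1 through Task 4, as an added worked example in Python (this is not AWS's own code and not an AWS SDK): it canonicalizes the page's IAM ListUsers request, derives the signing key, computes the signature, and emits both the Authorization header form and the pre-signed query-string form. The function names, the dict-of-headers input format and the demo() wrapper are this example's own choices; the access key ID, secret key, region, date and request are the page's example values, and the secret is the documentation's placeholder, not a live credential.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def uri_encode(s, encode_slash=True):
    # RFC 3986 rule from Task 1: keep A-Z a-z 0-9 - _ . ~ and percent-encode the
    # rest as %XY with uppercase hex; quote() encodes a space as %20, never '+'.
    # Path segments keep '/', query names and values encode it as %2F.
    return quote(s, safe="-_.~" if encode_slash else "-_.~/")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()  # lowercase base-16, as required


def hmac_sha256(key, msg):
    # key is binary (a digest, never a hexdigest); msg is a UTF-8 string.
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query_string(params):
    # Encode first, then sort by code point so that 'F' (70) precedes 'b' (98).
    pairs = sorted((uri_encode(k), uri_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def canonical_headers(headers):
    # Lowercase names, trim, collapse runs of whitespace, join multi-value
    # headers with ',' in their original order, then sort by name.
    canon = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        canon[name.lower()] = ",".join(" ".join(v.split()) for v in values)
    names = sorted(canon)
    return "".join(f"{n}:{canon[n]}\n" for n in names), ";".join(names)


def canonical_request(method, path, params, headers, payload):
    headers_block, signed = canonical_headers(headers)
    creq = "\n".join([method, uri_encode(path or "/", encode_slash=False),
                      canonical_query_string(params), headers_block, signed,
                      sha256_hex(payload)])
    return creq, signed


def string_to_sign(amz_date, scope, creq):
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])


def signing_key(secret, date_stamp, region, service):
    # Task 3: HMAC chain; each step's output is the next step's key, not its data.
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def signature(secret, date_stamp, region, service, sts):
    return hmac.new(signing_key(secret, date_stamp, region, service),
                    sts.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key, secret, region, service, method, path,
                         params, headers, payload, amz_date):
    # headers: the request headers to sign, without x-amz-date (added here).
    date_stamp, scope = amz_date[:8], f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, path, params,
                                     dict(headers, **{"x-amz-date": amz_date}), payload)
    sts = string_to_sign(amz_date, scope, creq)
    sig = signature(secret, date_stamp, region, service, sts)
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}"), creq, sts


def presigned_query_string(access_key, secret, region, service, method, path,
                           params, headers, amz_date, expires):
    # Query-string form: every X-Amz-* parameter except the signature is part of
    # the canonical query string; the body of this GET is empty.
    date_stamp, scope = amz_date[:8], f"{amz_date[:8]}/{region}/{service}/aws4_request"
    _, signed = canonical_headers(headers)
    all_params = list(params) + [("X-Amz-Algorithm", ALGORITHM),
                                 ("X-Amz-Credential", f"{access_key}/{scope}"),
                                 ("X-Amz-Date", amz_date),
                                 ("X-Amz-Expires", str(expires)),
                                 ("X-Amz-SignedHeaders", signed)]
    creq, _ = canonical_request(method, path, all_params, headers, b"")
    sig = signature(secret, date_stamp, region, service,
                    string_to_sign(amz_date, scope, creq))
    return canonical_query_string(all_params) + "&X-Amz-Signature=" + sig


def demo():
    # Constructed inputs copied from the page's worked example.
    access, secret = "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
    region, service, amz_date = "cn-north-1", "iam", "20150830T123600Z"
    params = [("Action", "ListUsers"), ("Version", "2010-05-08")]
    headers = {"Host": "iam.cn-north-1.amazonaws.com.cn",
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    auth, creq, sts = authorization_header(access, secret, region, service, "GET",
                                           "/", params, headers, b"", amz_date)
    url = "https://iam.cn-north-1.amazonaws.com.cn/?" + presigned_query_string(
        access, secret, region, service, "GET", "/", params, headers, amz_date, 60)
    return auth, creq, sts, url


if __name__ == "__main__":
    for part in demo():
        print(part, end="\n\n")
```

The canonical request that demo() builds is byte for byte the Task 1 example (including the blank line that separates the canonical headers from the signed headers), and feeding the 20120215 test input from the key derivation section through hmac_sha256 reproduces the page's kDate value, which is the first intermediate worth checking when a signature is rejected. For temporary credentials, add X-Amz-Security-Token to headers before calling authorization_header, or to params before calling presigned_query_string when the service requires it to be signed.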
Handling Dates in Signature Version 4
The date that you use as part of your credential scope must match the date of your request. You can
include the date as part of your request in several different ways. For requests like the example POST
request in Examples of the Complete Version 4 Signing Process (Python) (p. 92), you can use either a
date header or an x-amz-date header. For requests like the example GET request in Examples of the
Complete Version 4 Signing Process (Python) (p. 92), you can use either a date header or include
x-amz-date as a query parameter.
For both types of requests, AWS looks first for the x-amz-date header or parameter. If AWS cannot find
a value for x-amz-date, it uses the date header.
The date header carries a full time stamp, while the credential scope carries an eight-digit string representing
the year (YYYY), month (MM), and day (DD) of the request. Requests are rejected if the two dates do
not match. For example, if the date header contains the value 20111015T080000Z and the date
component of the credential scope is 20111015, AWS allows the authentication process to proceed.
If the dates do not match, AWS rejects the request, even if the time stamp is only seconds away from
matching the date component of the credential scope. For example, AWS will reject a request that has
a date header value of 20111014T235959Z and a credential scope that includes the date 20111015.
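The date rule above, as an added verifier-side check in Python (example code, not AWS's implementation): it parses x-amz-date and the credential scope, rejects a mismatch such as the 20111014T235959Z / 20111015 case, and, as assumptions the page does not state, also enforces a 15-minute clock-skew window for header-signed requests and the X-Amz-Expires window for pre-signed ones. The function names and the (accepted, reason) return shape are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

AMZ_DATE_RE = re.compile(r"^\d{8}T\d{6}Z$")
SCOPE_RE = re.compile(r"^(\d{8})/[a-z0-9-]+/[a-z0-9-]+/aws4_request$")
MAX_SKEW = timedelta(minutes=15)  # assumed tolerance; the page gives no figure


def parse_amz_date(s):
    """Parse YYYYMMDD'T'HHMMSS'Z' into an aware UTC datetime, or return None."""
    if not AMZ_DATE_RE.match(s):
        return None
    try:
        return datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:  # e.g. month 13 or hour 25 passes the regex but is not a time
        return None


def check_request_date(amz_date, credential_scope, now=None, expires=None):
    """Return (accepted, reason).

    The mandatory check is the page's rule: the credential-scope date must equal
    the YYYYMMDD prefix of the request time stamp, so a time stamp one second
    before midnight is rejected against the next day's scope. When `now` is
    given, a pre-signed request (expires set) must fall inside its X-Amz-Expires
    window and a header-signed request inside the assumed skew window.
    """
    ts = parse_amz_date(amz_date)
    if ts is None:
        return False, "x-amz-date is not ISO 8601 basic format YYYYMMDD'T'HHMMSS'Z'"
    scope = SCOPE_RE.match(credential_scope)
    if not scope:
        return False, "credential scope is not date/region/service/aws4_request"
    if amz_date[:8] != scope.group(1):
        return False, f"scope date {scope.group(1)} does not match request date {amz_date[:8]}"
    if now is not None:
        if expires is not None:
            if now > ts + timedelta(seconds=int(expires)) or now < ts - MAX_SKEW:
                return False, "pre-signed request is expired or not yet valid"
        elif abs(now - ts) > MAX_SKEW:
            return False, "request time stamp is outside the allowed clock skew"
    return True, "ok"
```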
Examples of How to Derive a Version 4 Signing Key
This page shows examples in several programming languages of how to derive a signing key with Signature
Version 4.
Note
If you are using one of the AWS SDKs (including the AWS SDK for Java, .NET, Python, Ruby,
and JavaScript), you do not have to manually perform the steps of deriving a signing key and
adding authentication information to a request. The SDKs perform this work for you. You need
to manually sign requests only if you are directly making HTTP or HTTPS requests.
Topics
• Deriving the Signing Key with Java (p. 89)
• Deriving the Signing Key with .NET (C#) (p. 89)
• Deriving the Signing Key with Python (p. 90)
• Deriving the Signing Key with Ruby (p. 90)
• Deriving the Signing Key with JavaScript (p. 90)
• Deriving the Signing Key with Other Languages (p. 91)
• Common Coding Mistakes (p. 91)
Deriving the Signing Key with Java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Both methods are static members of the enclosing class.
static byte[] HmacSHA256(String data, byte[] key) throws Exception {
    String algorithm = "HmacSHA256";
    Mac mac = Mac.getInstance(algorithm);
    mac.init(new SecretKeySpec(key, algorithm));
    return mac.doFinal(data.getBytes("UTF8"));
}

static byte[] getSignatureKey(String key, String dateStamp, String regionName,
                              String serviceName) throws Exception {
    byte[] kSecret = ("AWS4" + key).getBytes("UTF8");
    byte[] kDate = HmacSHA256(dateStamp, kSecret);
    byte[] kRegion = HmacSHA256(regionName, kDate);
    byte[] kService = HmacSHA256(serviceName, kRegion);
    byte[] kSigning = HmacSHA256("aws4_request", kService);
    return kSigning;
}
Deriving the Signing Key with .NET (C#)
using System;
using System.Text;
using System.Security.Cryptography;

static byte[] HmacSHA256(String data, byte[] key)
{
    String algorithm = "HmacSHA256";
    KeyedHashAlgorithm kha = KeyedHashAlgorithm.Create(algorithm);
    kha.Key = key;
    return kha.ComputeHash(Encoding.UTF8.GetBytes(data));
}

static byte[] getSignatureKey(String key, String dateStamp, String regionName,
                              String serviceName)
{
    byte[] kSecret = Encoding.UTF8.GetBytes(("AWS4" + key).ToCharArray());
    byte[] kDate = HmacSHA256(dateStamp, kSecret);
    byte[] kRegion = HmacSHA256(regionName, kDate);
    byte[] kService = HmacSHA256(serviceName, kRegion);
    byte[] kSigning = HmacSHA256("aws4_request", kService);
    return kSigning;
}
Deriving the Signing Key with Python
import hashlib
import hmac

def sign(key, msg):
    # key is the binary digest from the previous step; msg is a UTF-8 string
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(("AWS4" + key).encode("utf-8"), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, "aws4_request")
    return kSigning
Deriving the Signing Key with Ruby
require 'openssl'

def getSignatureKey key, dateStamp, regionName, serviceName
  kDate    = OpenSSL::HMAC.digest('sha256', "AWS4" + key, dateStamp)
  kRegion  = OpenSSL::HMAC.digest('sha256', kDate, regionName)
  kService = OpenSSL::HMAC.digest('sha256', kRegion, serviceName)
  kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
  kSigning
end
Deriving the Signing Key with JavaScript
For more information about Crypto-JS and HMAC, see http://code.google.com/p/crypto-js/#HMAC.
function getSignatureKey(key, dateStamp, regionName, serviceName) {
    var kDate    = Crypto.HMAC(Crypto.SHA256, dateStamp, "AWS4" + key, { asBytes: true });
    var kRegion  = Crypto.HMAC(Crypto.SHA256, regionName, kDate, { asBytes: true });
    var kService = Crypto.HMAC(Crypto.SHA256, serviceName, kRegion, { asBytes: true });
    var kSigning = Crypto.HMAC(Crypto.SHA256, "aws4_request", kService, { asBytes: true });
    return kSigning;
}
Important
Use the asBytes option when calling Crypto.HMAC in JScript or JavaScript. Otherwise, the
HMAC implementation will perform an additional encoding by default.
Deriving the Signing Key with Other Languages
If you need to implement this logic in a different programming language, we recommend testing the
intermediary steps of the key derivation algorithm against the values in this section. The following example
in Ruby prints the results using the hexEncode function after each step in the algorithm.
def hexEncode bindata
result=""
data=bindata.unpack("C*")
data.each {|b| result+= "%02x" % b}
result
end
Given the following test input:
key = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
dateStamp = '20120215'
regionName = 'cn-north-1'
serviceName = 'iam'
Your program should generate the following values for the variables in getSignatureKey. Note that these
are hex-encoded representations of the binary data; the key itself and the intermediate values should be
in binary format.
kSecret  = '41575334774a616c725855746e46454d492f4b374d44454e472b62507852666943594558414d504c454b4559'
kDate    = '969fbb94feb542b71ede6f87fe4d5fa29c789342b0f407474670f0c2489e0a0d'
kRegion  = 'f5e672e58cf132b0a7ac38224ed20013b5f068e4e4de6ebc05d87f724508595e'
kService = 'e2569e3d090ed691c9ef28c5fb6afbea3f759699099ad1f884a589aad97bf4ca'
kSigning = '2f93fd817068852310c6054f85a5ffe1a23da3e1587e39ba922f1fac469088da'
Common Coding Mistakes
To simplify your task, avoid the following common coding errors.
Tip
Examine the request that you're sending to AWS with a tool that shows you what your raw
requests look like. This can help you spot issues that aren't evident from your code.
• Including an extra newline character or forgetting one where it's required.
• Formatting the date incorrectly such as using a time stamp instead of YYYYMMDD in the credential
scope.
• Not matching the headers in the canonical headers to the signed headers list.
• Inadvertently swapping the key and the data when calculating intermediary keys. The result of the
previous step's computation is the key, not the data. Check the documentation for your cryptographic
primitives carefully to ensure that you place the parameters in the proper order.
• Forgetting to add the string "AWS4" in front of the key for the first step. If you implement the key derivation
using a for loop or iterator, don't forget to special-case the first iteration, so that it includes the "AWS4"
string.
• If you're using JavaScript, forgetting to use the asBytes option for the JavaScript Crypto.HMAC
function. If you don't use the asBytes option, the HMAC implementation will perform an additional hex
encoding by default.
For more information about possible errors, see Troubleshooting AWS Signature Version 4 Errors (p. 102).
Examples of the Complete Version 4 Signing Process (Python)
This section shows example programs written in Python that illustrate how to work with Signature Version
4 in AWS. We deliberately wrote these example programs to be simple (to use few Python-specific
features) to make it easier to understand the overall process of signing AWS requests.
In order to work with these example programs, you need the following:
• Python 2.x installed on your computer, which you can get from the Python site. These programs were
tested using Python 2.7.
• The Python requests library, which is used in the example script to make web requests. A convenient
way to install Python packages is to use pip, which gets packages from the Python package index
site. You can then install requests by running pip install requests at the command line.
• An access key (access key ID and secret access key) in environment variables named
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Alternatively, you can keep these values in a
credentials file and read them from that file. As a best practice, we recommend that you do not embed
credentials in code. For more information, see Best Practices for Managing AWS Access Keys in the
Amazon Web Services General Reference.
Topics
• Using GET with an Authorization Header (Python) (p. 92)
• Using POST (Python) (p. 95)
• Using GET with Authentication Information in the Query String (Python) (p. 97)
Using GET with an Authorization Header (Python)
The following example shows how to make a request using the Amazon EC2 query API. The request
makes a GET request and passes authentication information to AWS using the Authorization header.
# AWS Version 4 signing example
# EC2 API (DescribeRegions)
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a GET request and passes the signature
# in the Authorization header.
import sys, os, base64, datetime, hashlib, hmac
import requests # pip install requests
# ************* REQUEST VALUES *************
method = 'GET'
service = 'ec2'
host = 'ec2.amazonaws.com'
region = 'us-east-1'
endpoint = 'https://ec2.amazonaws.com'
request_parameters = 'Action=DescribeRegions&Version=2013-10-15'
# Key derivation functions. See:
# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python
def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning

# Read AWS access key from env. variables or configuration file. Best practice
# is NOT to embed credentials in code.
access_key = os.environ.get('AWS_ACCESS_KEY_ID')
secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
if access_key is None or secret_key is None:
    print 'No access key is available.'
    sys.exit()
# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope
# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
# Step 1 is to define the verb (GET, POST, etc.)--already done.
# Step 2: Create canonical URI--the part of the URI from domain to query
# string (use '/' if no path)
canonical_uri = '/'
# Step 3: Create the canonical query string. In this example (a GET request),
# request parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# For this example, the query string is pre-formatted in the request_parameters
# variable.
canonical_querystring = request_parameters
# Step 4: Create the canonical headers and signed headers. Header names
# and value must be trimmed and lowercase, and sorted in ASCII order.
# Note that there is a trailing \n.
canonical_headers = 'host:' + host + '\n' + 'x-amz-date:' + amzdate + '\n'
# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers lists those that you want to be included in the
# hash of the request. "Host" and "x-amz-date" are always required.
signed_headers = 'host;x-amz-date'
# Step 6: Create payload hash (hash of the request body content). For GET
# requests, the payload is an empty string ("").
payload_hash = hashlib.sha256('').hexdigest()
# Step 7: Combine elements to create the canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
# ************* TASK 2: CREATE THE STRING TO SIGN*************
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' + amzdate + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest()
# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, datestamp, region, service)
# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()
# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# The signing information can be either in a query string value or in
# a header named Authorization. This code shows how to use a header.
# Create authorization header and add to request headers
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
# The request can include any headers, but MUST include "host", "x-amz-date",
# and (for this scenario) "Authorization". "host" and "x-amz-date" must
# be included in the canonical_headers and signed_headers, as noted
# earlier. Order here is not significant.
# Python note: The 'host' header is added automatically by the Python 'requests'
# library.
headers = {'x-amz-date':amzdate, 'Authorization':authorization_header}
# ************* SEND THE REQUEST *************
request_url = endpoint + '?' + canonical_querystring
print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++'
print 'Request URL = ' + request_url
r = requests.get(request_url, headers=headers)
print '\nRESPONSE++++++++++++++++++++++++++++++++++++'
print 'Response code: %d\n' % r.status_code
print r.text
Using POST (Python)
The following example shows how to make a request using the Amazon DynamoDB query API. The
request makes a POST request and passes values to AWS in the body of the request. Authentication
information is passed using the Authorization request header.
# AWS Version 4 signing example
# DynamoDB API (CreateTable)
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a POST request and passes request parameters
# in the body (payload) of the request. Auth information is passed in
# an Authorization header.
import sys, os, base64, datetime, hashlib, hmac
import requests # pip install requests
# ************* REQUEST VALUES *************
method = 'POST'
service = 'dynamodb'
host = 'dynamodb.us-west-2.amazonaws.com'
region = 'us-west-2'
endpoint = 'https://dynamodb.us-west-2.amazonaws.com/'
# POST requests use a content type header. For DynamoDB,
# the content is JSON.
content_type = 'application/x-amz-json-1.0'
# DynamoDB requires an x-amz-target header that has this format:
#     DynamoDB_<API version>.<operationName>
amz_target = 'DynamoDB_20120810.CreateTable'
# Request parameters for CreateTable--passed in a JSON block.
request_parameters = '{'
request_parameters += '"KeySchema": [{"KeyType": "HASH","AttributeName": "Id"}],'
request_parameters += '"TableName": "TestTable","AttributeDefinitions": [{"AttributeName": "Id","AttributeType": "S"}],'
request_parameters += '"ProvisionedThroughput": {"WriteCapacityUnits": 5,"ReadCapacityUnits": 5}'
request_parameters += '}'
# Key derivation functions. See:
# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python
def sign(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def getSignatureKey(key, date_stamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), date_stamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning
# Read AWS access key from env. variables or configuration file. Best practice
# is NOT to embed credentials in code.
access_key = os.environ.get('AWS_ACCESS_KEY_ID')
secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
if access_key is None or secret_key is None:
    print 'No access key is available.'
    sys.exit()
# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
amz_date = t.strftime('%Y%m%dT%H%M%SZ')
date_stamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope
# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
# Step 1 is to define the verb (GET, POST, etc.)--already done.
# Step 2: Create canonical URI--the part of the URI from domain to query
# string (use '/' if no path)
canonical_uri = '/'
# Step 3: Create the canonical query string. In this example, request
# parameters are passed in the body of the request and the query string
# is blank.
canonical_querystring = ''
# Step 4: Create the canonical headers. Header names and values
# must be trimmed and lowercase, and sorted in ASCII order.
# Note that there is a trailing \n.
canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-amz-date:' + amz_date + '\n' + 'x-amz-target:' + amz_target + '\n'
# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers include those that you want to be included in the
# hash of the request. "Host" and "x-amz-date" are always required.
# For DynamoDB, content-type and x-amz-target are also required.
signed_headers = 'content-type;host;x-amz-date;x-amz-target'
# Step 6: Create payload hash. In this example, the payload (body of
# the request) contains the request parameters.
payload_hash = hashlib.sha256(request_parameters).hexdigest()
# Step 7: Combine elements to create the canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
# ************* TASK 2: CREATE THE STRING TO SIGN*************
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest()
# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, date_stamp, region, service)
# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()
# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# Put the signature information in a header named Authorization.
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
# For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
# "x-amz-target", "content-type", and "Authorization". Except for the authorization
# header, the headers must be included in the canonical_headers and signed_headers values, as
# noted earlier. Order here is not significant.
# Python note: The 'host' header is added automatically by the Python 'requests' library.
headers = {'Content-Type':content_type,
'X-Amz-Date':amz_date,
'X-Amz-Target':amz_target,
'Authorization':authorization_header}
# ************* SEND THE REQUEST *************
print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++'
print 'Request URL = ' + endpoint
r = requests.post(endpoint, data=request_parameters, headers=headers)
print '\nRESPONSE++++++++++++++++++++++++++++++++++++'
print 'Response code: %d\n' % r.status_code
print r.text
Using GET with Authentication Information in the Query String (Python)
The following example shows how to make a request using the IAM query API. The request makes a
GET request and passes parameters and signing information using the query string.
# AWS Version 4 signing example
# IAM API (CreateUser)
# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a GET request and passes request parameters
# and authorization information in the query string
import sys, os, base64, datetime, hashlib, hmac, urllib
import requests # pip install requests
# ************* REQUEST VALUES *************
method = 'GET'
service = 'iam'
host = 'iam.amazonaws.com'
region = 'us-east-1'
endpoint = 'https://iam.amazonaws.com'
# Key derivation functions. See:
# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python
def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning

# Read AWS access key from env. variables or configuration file. Best practice
# is NOT to embed credentials in code.
access_key = os.environ.get('AWS_ACCESS_KEY_ID')
secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY')
if access_key is None or secret_key is None:
    print 'No access key is available.'
    sys.exit()
# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
amz_date = t.strftime('%Y%m%dT%H%M%SZ') # Format date as YYYYMMDD'T'HHMMSS'Z'
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope
# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
# Because almost all information is being passed in the query string,
# the order of these steps is slightly different than examples that
# use an authorization header.
# Step 1: Define the verb (GET, POST, etc.)--already done.
# Step 2: Create canonical URI--the part of the URI from domain to query
# string (use '/' if no path)
canonical_uri = '/'
# Step 3: Create the canonical headers and signed headers. Header names
# and value must be trimmed and lowercase, and sorted in ASCII order.
# Note trailing \n in canonical_headers.
# signed_headers is the list of headers that are being included
# as part of the signing process. For requests that use query strings,
# only "host" is included in the signed headers.
canonical_headers = 'host:' + host + '\n'
signed_headers = 'host'
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
# Step 4: Create the canonical query string. In this example, request
# parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
canonical_querystring = 'Action=CreateUser&UserName=NewUser&Version=2010-05-08'
canonical_querystring += '&X-Amz-Algorithm=AWS4-HMAC-SHA256'
canonical_querystring += '&X-Amz-Credential=' + urllib.quote_plus(access_key + '/' + credential_scope)
canonical_querystring += '&X-Amz-Date=' + amz_date
canonical_querystring += '&X-Amz-Expires=30'
canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers
# Step 5: Create payload hash. For GET requests, the payload is an
# empty string ("").
payload_hash = hashlib.sha256('').hexdigest()
# Step 6: Combine elements to create the canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
# ************* TASK 2: CREATE THE STRING TO SIGN*************
string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest()
# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key
signing_key = getSignatureKey(secret_key, datestamp, region, service)
# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode("utf-8"), hashlib.sha256).hexdigest()
# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# The auth information can be either in a query string
# value or in a header named Authorization. This code shows how to put
# everything into a query string.
canonical_querystring += '&X-Amz-Signature=' + signature
# ************* SEND THE REQUEST *************
# The 'host' header is added automatically by the Python 'requests' library. But it
# must exist as a header in the request.
request_url = endpoint + "?" + canonical_querystring
print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++'
print 'Request URL = ' + request_url
r = requests.get(request_url)
print '\nRESPONSE++++++++++++++++++++++++++++++++++++'
print 'Response code: %d\n' % r.status_code
print r.text
Signature Version 4 Test Suite
To assist you in the development of an AWS client that supports Signature Version 4, you can use the
files in the test suite to ensure your code is performing each step of the signing process correctly.
Use the following link to download the test suite:
aws4_testsuite.zip
Topics
• Credential Scope and Secret Key (p. 100)
• Example—A Simple GET Request with Parameters (p. 100)
Each test group contains five files that you can use to validate each of the tasks described in Signature
Version 4 Signing Process (p. 75). The following list describes the contents of each file.
• <file-name>.req—the web request to be signed.
• <file-name>.creq—the resulting canonical request.
• <file-name>.sts—the resulting string to sign.
• <file-name>.authz—the Authorization header.
• <file-name>.sreq—the signed request.
Note
The test suite examples use the us-east-1 region.
Credential Scope and Secret Key
The examples in the test suite use the following credential scope:
AKIDEXAMPLE/20150830/us-east-1/service/aws4_request
The example secret key used for signing is:
wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY
Example—A Simple GET Request with Parameters
The following example shows the web request to be signed from the
get-vanilla-query-order-key-case.req file. This is the original request.
GET /?Param2=value2&Param1=value1 HTTP/1.1
Host:example.amazonaws.com
X-Amz-Date:20150830T123600Z
Task 1: Create a Canonical Request
Following the steps outlined in Task 1: Create a Canonical Request for Signature Version 4 (p. 78), transform
the request in the get-vanilla-query-order-key-case.req file.
GET /?Param2=value2&Param1=value1 HTTP/1.1
Host:example.amazonaws.com
X-Amz-Date:20150830T123600Z
This creates the canonical request in the get-vanilla-query-order-key-case.creq file.
GET
/
Param1=value1&Param2=value2
host:example.amazonaws.com
x-amz-date:20150830T123600Z
host;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Notes
• The parameters are sorted alphabetically (by character code).
• The header names are lowercase.
• There is a line break between the x-amz-date header and the signed headers.
• The hash of the payload is the hash of the empty string.
Task 2: Create a String to Sign
The hash of the canonical request returns the following value:
816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0
In the steps outlined in Task 2: Create a String to Sign for Signature Version 4 (p. 84), add the algorithm,
request date, credential scope, and the canonical request hash to create the string to sign.
The result is the get-vanilla-query-order-key-case.sts file.
AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/service/aws4_request
816cd5b414d056048ba4f7c5386d6e0533120fb1fcfa93762cf0fc39e2cf19e0
Notes
• The date on the second line matches the x-amz-date header, as well as the first element in the
credential scope.
• The last line is the hex-encoded value for the hash of the canonical request.
Task 3: Calculate the Signature
In the steps outlined in Task 3: Calculate the AWS Signature Version 4 (p. 85), create a signature with
your signing key and the string to sign from the get-vanilla-query-order-key-case.sts file.
The result generates the contents in the get-vanilla-query-order-key-case.authz file.
AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=b97d918cfa904a5beff61c982a1b6f458b799221646efd99d3219ec94cdf2500
Task 4: Add the Signing Information to the Request
In the steps outlined in Task 4: Add the Signing Information to the Request (p. 86), add the signing
information generated in task 3 to the original request. For example, take the contents in the
get-vanilla-query-order-key-case.authz, add it to the Authorization header, and then add
the result to the get-vanilla-query-order-key-case.req.
This creates the signed request in the get-vanilla-query-order-key-case.sreq file.
GET /?Param2=value2&Param1=value1 HTTP/1.1
Host:example.amazonaws.com
X-Amz-Date:20150830T123600Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=b97d918cfa904a5beff61c982a1b6f458b799221646efd99d3219ec94cdf2500
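The following program is an added example, not code from the AWS reference, that serves two passages at once: the "Deriving the Signing Key with Other Languages" check, where each intermediate of the key derivation is hex-encoded for comparison with the printed vectors, and the test-suite walkthrough just completed, where the get-vanilla-query-order-key-case request is canonicalized, turned into a string to sign and signed with the example secret key. It is written for Python 3 rather than the Python 2.7 the page's own programs target; the function names and the way the request is split into parts are this example's own choices.

```python
# Added example, not code from the AWS reference: derive the Signature
# Version 4 signing key step by step, then run the full signing flow on the
# test-suite request, so every intermediate value can be compared with the
# vectors printed on this page. Written for Python 3 (the page's own
# programs target Python 2.7).
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode


def sign(key, msg):
    """HMAC-SHA256 with the previous step's output as the KEY (not the data)."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_key_steps(secret_key, date_stamp, region, service):
    """Return each intermediate of the key derivation, hex-encoded."""
    k_secret = ("AWS4" + secret_key).encode("utf-8")  # only the first step gets "AWS4"
    k_date = sign(k_secret, date_stamp)
    k_region = sign(k_date, region)
    k_service = sign(k_region, service)
    k_signing = sign(k_service, "aws4_request")
    return {"kSecret": k_secret.hex(), "kDate": k_date.hex(),
            "kRegion": k_region.hex(), "kService": k_service.hex(),
            "kSigning": k_signing.hex()}


def canonical_request(method, path, query, headers, payload=b""):
    """Task 1: build the canonical request from the raw request parts.

    Every header passed in is treated as a signed header. Query parameters
    are sorted by name and URL-encoded (space -> %20); header names are
    lowercased and trimmed; an empty body hashes to SHA-256("").
    """
    params = sorted(parse_qsl(query, keep_blank_values=True))
    canonical_query = urlencode(params, safe="-_.~", quote_via=quote)
    lowered = {name.strip().lower(): " ".join(value.split())
               for name, value in headers.items()}
    canonical_headers = "".join("%s:%s\n" % (n, lowered[n]) for n in sorted(lowered))
    signed_headers = ";".join(sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    # canonical_headers already ends in "\n"; joining with "\n" produces the
    # blank line between the headers and the signed-headers list.
    return "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, payload_hash])


def string_to_sign(amz_date, credential_scope, creq):
    """Task 2: algorithm, request date, scope and the canonical request's hash."""
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, credential_scope,
                      hashlib.sha256(creq.encode("utf-8")).hexdigest()])


def sign_request(secret_key, access_key, method, path, query, headers,
                 amz_date, region, service, payload=b""):
    """Tasks 1 to 4 end to end; returns every intermediate for comparison."""
    date_stamp = amz_date[:8]
    scope = "/".join([date_stamp, region, service, "aws4_request"])
    creq = canonical_request(method, path, query, headers, payload)
    sts = string_to_sign(amz_date, scope, creq)
    k_signing = bytes.fromhex(
        derive_key_steps(secret_key, date_stamp, region, service)["kSigning"])
    signature = hmac.new(k_signing, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    signed_headers = ";".join(sorted(h.strip().lower() for h in headers))
    authz = "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        access_key, scope, signed_headers, signature)
    return {"canonical_request": creq, "string_to_sign": sts,
            "signature": signature, "authorization": authz}


# The test-suite request from this page (get-vanilla-query-order-key-case),
# split into parts by hand; the key is the page's example secret key.
TESTSUITE_SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
TESTSUITE_ACCESS = "AKIDEXAMPLE"
TESTSUITE_REQUEST = dict(
    method="GET", path="/", query="Param2=value2&Param1=value1",
    headers={"Host": "example.amazonaws.com", "X-Amz-Date": "20150830T123600Z"},
    amz_date="20150830T123600Z", region="us-east-1", service="service")


if __name__ == "__main__":
    # Derivation intermediates for the page's cn-north-1 / iam / 20120215 input.
    for name, value in derive_key_steps(
            TESTSUITE_SECRET, "20120215", "cn-north-1", "iam").items():
        print("%-9s= %s" % (name, value))
    result = sign_request(TESTSUITE_SECRET, TESTSUITE_ACCESS, **TESTSUITE_REQUEST)
    for name in ("canonical_request", "string_to_sign", "signature", "authorization"):
        print("\n%s:\n%s" % (name, result[name]))
```

Comparing the printed kSecret and kDate with the hex values listed under "Deriving the Signing Key with Other Languages", and the signature with the .authz file above, confirms both the derivation order (previous output as key, never as data) and the canonicalization rules in one run.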
Troubleshooting AWS Signature Version 4 Errors
Topics
• Troubleshooting AWS Signature Version 4 Canonicalization Errors (p. 102)
• Troubleshooting AWS Signature Version 4 Credential Scope Errors (p. 104)
• Troubleshooting AWS Signature Version 4 Key Signing Errors (p. 105)
When you develop code that implements Signature Version 4, you might receive errors from AWS products
that you test against. The errors typically come from an error in the canonicalization of the request, the
incorrect derivation or use of the signing key, or a validation failure of signature-specific parameters sent
along with the request.
Troubleshooting AWS Signature Version 4 Canonicalization Errors
Consider the following request:
https://iam.cn-north-1.amazonaws.com.cn/?MaxItems=100
&Action=ListGroupsForUser
&UserName=Test
&Version=2010-05-08
&X-Amz-Date=20120223T063000Z
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE/20120223/cn-north-1/iam/aws4_request
&X-Amz-SignedHeaders=host
&X-Amz-Signature=<calculated value>
If you incorrectly calculate the canonical request or the string to sign, the signature verification step
performed by the service fails. The following example is a typical error response, which includes the
canonical string and the string to sign as computed by the service. You can troubleshoot your calculation
error by comparing the returned strings with the canonical string and string to sign that you calculated.
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature
you provided. Check your AWS Secret Access Key and signing method. Consult the
service documentation for details.
The canonical string for this request should have been 'GET / Action=ListGroupsForUser&MaxItems=100&UserName=Test&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20120223%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-Date=20120223T063000Z&X-Amz-SignedHeaders=host
host:iam.amazonaws.com
host
<hashed-value>'
The String-to-Sign should have been
'AWS4-HMAC-SHA256
20120223T063000Z
20120223/us-east-1/iam/aws4_request
<hashed-value>'
</Message>
</Error>
<RequestId>4ced6e96-5de8-11e1-aa78-a56908bdf8eb</RequestId>
</ErrorResponse>
<ErrorResponse xmlns="https://iam.cn-north-1.amazonaws.com.cn/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature
you provided. Check your AWS Secret Access Key and signing method. Consult the
service documentation for details.
The canonical string for this request should have been 'GET / Action=ListGroupsForUser&MaxItems=100&UserName=Test&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20120223%2Fcn-north-1%2Fiam%2Faws4_request&X-Amz-Date=20120223T063000Z&X-Amz-SignedHeaders=host
host:iam.cn-north-1.amazonaws.com.cn
host
<hashed-value>'
The String-to-Sign should have been
'AWS4-HMAC-SHA256
20120223T063000Z
20120223/cn-north-1/iam/aws4_request
<hashed-value>'
</Message>
</Error>
<RequestId>4ced6e96-5de8-11e1-aa78-a56908bdf8eb</RequestId>
</ErrorResponse>
For testing with an SDK, we recommend troubleshooting by verifying each derivation step against known
values. For more information, see Signature Version 4 Test Suite (p. 100).
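The comparison described above can be automated. The program below is an added example, not code from the AWS reference: it pulls the canonical string and string to sign that the service computed out of a SignatureDoesNotMatch response and diffs them line by line against what the client built. The error body is constructed here to follow the shape of the responses shown above, with a placeholder request id, and the client-side canonical request is constructed with the query parameters left unsorted so that the diff has something to find.

```python
# Added example, not code from the AWS reference: extract the canonical
# string and string to sign quoted in a SignatureDoesNotMatch response and
# diff them against the client's own values. The response below is
# constructed after the shape of the page's error; the request id is a
# placeholder.
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

SAMPLE_ERROR = """<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature
you provided. Check your AWS Secret Access Key and signing method. Consult the
service documentation for details.

The canonical string for this request should have been
'GET
/
Action=ListGroupsForUser&amp;MaxItems=100&amp;UserName=Test&amp;Version=2010-05-08
host:iam.amazonaws.com

host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20120223T063000Z
20120223/us-east-1/iam/aws4_request
&lt;hashed-value&gt;'</Message>
  </Error>
  <RequestId>REQUEST-ID-PLACEHOLDER</RequestId>
</ErrorResponse>"""

# Constructed: what a client that forgot to sort the query parameters built.
CLIENT_CANONICAL = "\n".join([
    "GET", "/",
    "MaxItems=100&Action=ListGroupsForUser&UserName=Test&Version=2010-05-08",
    "host:iam.amazonaws.com\n", "host",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"])


def _text(root, local_name):
    """Text of the first element with this tag, ignoring the region-specific namespace."""
    for el in root.iter():
        if el.tag == local_name or el.tag.endswith("}" + local_name):
            return el.text or ""
    return ""


def parse_signature_error(xml_text):
    """Return the service-computed 'canonical' and 'string_to_sign' quoted in a
    SignatureDoesNotMatch message, or None for any other error code."""
    root = ET.fromstring(xml_text)
    if _text(root, "Code") != "SignatureDoesNotMatch":
        return None
    message = _text(root, "Message")
    creq = re.search(r"canonical string for this request should have been\s*'(.*?)'",
                     message, re.S)
    sts = re.search(r"String-to-Sign should have been\s*'(.*?)'", message, re.S)
    return {"canonical": creq.group(1) if creq else None,
            "string_to_sign": sts.group(1) if sts else None}


def diff_lines(expected, actual):
    """Lines that differ between the service's value and the client's value,
    as (line_number, expected_line, actual_line); an empty list means equal."""
    pairs = zip_longest(expected.split("\n"), actual.split("\n"), fillvalue="<missing>")
    return [(i + 1, e, a) for i, (e, a) in enumerate(pairs) if e != a]


if __name__ == "__main__":
    parsed = parse_signature_error(SAMPLE_ERROR)
    for n, expected, actual in diff_lines(parsed["canonical"], CLIENT_CANONICAL):
        print("line %d differs:\n  service: %r\n  client:  %r" % (n, expected, actual))
```

Line 3 of the canonical request is the query string, so a single differing line there points straight at the parameter-ordering mistake; a difference on the hash line at the end instead points at the payload, and a missing blank line points at the trailing newline after the canonical headers.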
Troubleshooting AWS Signature Version 4 Credential Scope Errors
AWS products validate credentials for proper scope; the credential parameter must specify the correct
service, region, and date. For example, the following credential references the Amazon RDS service:
Credential=AKIAIOSFODNN7EXAMPLE/20120224/cn-north-1/rds/aws4_request
If you use the same credentials to submit a request to IAM, you'll receive the following error response:
<ErrorResponse xmlns="https://iam.cn-north-1.amazonaws.com.cn/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to correct service: 'iam'. </Message>
</Error>
<RequestId>aa0da9de-5f2b-11e1-a2c0-c1dc98b6c575</RequestId>
</ErrorResponse>
The credential must also specify the correct region. For example, the following credential for an IAM
request incorrectly specifies the US West (N. California) region.
Credential=AKIAIOSFODNN7EXAMPLE/20120224/us-west-1/iam/aws4_request
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to a valid region, not 'us-east-1'.
</Message>
</Error>
<RequestId>8e229682-5f27-11e1-88f2-4b1b00f424ae</RequestId>
</ErrorResponse>
You'll receive the same type of invalid region response from AWS products that are available in multiple
regions if you submit requests to a region that differs from the region specified in your credential scope.
The credential must also specify the correct region for the service and action in your request.
The date that you use as part of the credential must match the date value in the x-amz-date header.
For example, the following x-amz-date header value does not match the date value used in the
Credential parameter that follows it.
x-amz-date:"20120224T213559Z"
Credential=AKIAIOSFODNN7EXAMPLE/20120225/cn-north-1/iam/aws4_request
If you use this pairing of x-amz-date header and credential, you'll receive the following error response:
<ErrorResponse xmlns="https://iam.cn-north-1.amazonaws.com.cn/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Date in Credential scope does not match YYYYMMDD from ISO-8601
version of date from HTTP: '20120225' != '20120224', from '20120224T213559Z'.</Message>
</Error>
<RequestId>9d6ddd2b-5f2f-11e1-b901-a702cd369eb8</RequestId>
</ErrorResponse>
An expired signature can also generate an error response. For example, the following error response
was generated due to an expired signature.
<ErrorResponse xmlns="https://iam.cn-north-1.amazonaws.com.cn/doc/2010-05-08/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Signature expired: 20120306T074514Z is now earlier than
20120306T074556Z (20120306T080056Z - 15 min.)</Message>
</Error>
<RequestId>fcc88440-5dec-11e1-b901-a702cd369eb8</RequestId>
</ErrorResponse>
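The four rejections above (wrong service, wrong region, credential date not matching x-amz-date, and an expired signature) are all checks on the credential scope that a receiver applies before it even verifies the HMAC. The program below is an added example, not code from the AWS reference, that expresses those checks as one function returning every reason a request would be refused. The 15-minute window is the one named in the "Signature expired" message; the function name, message wording and the rule that the receiver's clock is passed in explicitly are this example's own choices.

```python
# Added example, not code from the AWS reference: the credential-scope checks
# a receiver applies to a Signature Version 4 request, returning every
# reason the request would be rejected. Mirrors the service, region, date
# and expiry errors quoted above; the 15-minute window comes from the
# "Signature expired" message.
from datetime import datetime, timedelta
import re

CREDENTIAL_RE = re.compile(
    r"^([A-Z0-9]+)/(\d{8})/([a-z0-9-]+)/([a-z0-9-]+)/aws4_request$")
MAX_CLOCK_SKEW = timedelta(minutes=15)
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"


def parse_amz_date(value):
    """Parse an x-amz-date value (YYYYMMDD'T'HHMMSS'Z') into a naive UTC datetime."""
    return datetime.strptime(value, AMZ_DATE_FORMAT)


def parse_credential(credential):
    """Split 'AKID/YYYYMMDD/region/service/aws4_request' into its parts, or None."""
    m = CREDENTIAL_RE.match(credential)
    if m is None:
        return None
    return dict(zip(("access_key_id", "date", "region", "service"), m.groups()))


def check_credential_scope(credential, x_amz_date, expected_region,
                           expected_service, now):
    """Return the rejection reasons for a request's credential scope.

    An empty list means the scope is acceptable. `expected_region` and
    `expected_service` describe the endpoint that received the request;
    `now` is the receiver's UTC clock, passed in so the check is deterministic.
    """
    problems = []
    parts = parse_credential(credential)
    if parts is None:
        return ["Credential is not of the form AKID/YYYYMMDD/region/service/aws4_request"]
    if parts["service"] != expected_service:
        problems.append("Credential should be scoped to correct service: '%s'"
                        % expected_service)
    if parts["region"] != expected_region:
        problems.append("Credential should be scoped to region '%s', not '%s'"
                        % (expected_region, parts["region"]))
    try:
        request_time = parse_amz_date(x_amz_date)
    except ValueError:
        problems.append("x-amz-date '%s' is not in YYYYMMDD'T'HHMMSS'Z' form" % x_amz_date)
        return problems
    if parts["date"] != x_amz_date[:8]:
        problems.append("Date in Credential scope does not match YYYYMMDD from "
                        "x-amz-date: '%s' != '%s'" % (parts["date"], x_amz_date[:8]))
    oldest_accepted = now - MAX_CLOCK_SKEW
    if request_time < oldest_accepted:
        problems.append("Signature expired: %s is earlier than %s (%s - 15 min.)" % (
            x_amz_date, oldest_accepted.strftime(AMZ_DATE_FORMAT),
            now.strftime(AMZ_DATE_FORMAT)))
    return problems


if __name__ == "__main__":
    # The page's mismatched pairings, replayed against an IAM endpoint in cn-north-1.
    cases = [
        ("AKIAIOSFODNN7EXAMPLE/20120224/cn-north-1/rds/aws4_request",
         "20120224T213559Z", "20120224T213600Z"),
        ("AKIAIOSFODNN7EXAMPLE/20120225/cn-north-1/iam/aws4_request",
         "20120224T213559Z", "20120224T213600Z"),
        ("AKIAIOSFODNN7EXAMPLE/20120306/cn-north-1/iam/aws4_request",
         "20120306T074514Z", "20120306T080056Z"),
    ]
    for credential, amz_date, clock in cases:
        print(credential)
        for problem in check_credential_scope(credential, amz_date, "cn-north-1",
                                              "iam", parse_amz_date(clock)):
            print("  " + problem)
```

Running the checks in this order (format, service, region, date, age) before the HMAC comparison gives a client a specific reason for the refusal, which is exactly what makes the scope errors above easier to act on than the bare "signature does not match" of a key-derivation fault.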
Troubleshooting AWS Signature Version 4 Key Signing Errors
Errors that are caused by an incorrect derivation of the signing key or improper use of cryptography are
more difficult to troubleshoot. The error response will tell you that the signature does not match. If you
verified that the canonical string and the string to sign are correct, the cause of the signature mismatch
is most likely one of the two following issues:
• The secret access key does not match the access key ID that you specified in the Credential
parameter.
• There is a problem with your key derivation code.
To check whether the secret key matches the access key ID, you can use your secret key and access
key ID with a known working implementation. One way is to use one of the AWS SDKs to write a program
that makes a simple request to AWS using the access key ID and secret access key that you want to
use.
To check whether your key derivation code is correct, you can compare it to our example derivation code.
For more information, see Examples of How to Derive a Version 4 Signing Key (p. 89).
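The three checks this section describes (credential-scope date against x-amz-date, the 15-minute expiry window, and the HMAC key-derivation chain) as an added Python example. This is not code from the AWS documentation or SDKs; the key, access key ID and dates are the placeholder values used in the text above, and the function names are this example's own. A practitioner can paste a suspect Credential/x-amz-date pair into check_scope_date, or compare derive_signing_key against the published derivation examples referenced above.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample values: the example key, credential and dates from the
# text above. They are documentation placeholders, not live credentials.
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_CREDENTIAL = "AKIAIOSFODNN7EXAMPLE/20120225/cn-north-1/iam/aws4_request"
SAMPLE_AMZ_DATE = '"20120224T213559Z"'
SIGNATURE_LIFETIME = timedelta(minutes=15)  # the "15 min." window in the expiry message above


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Signature Version 4 derivation chain:
    kDate = HMAC("AWS4" + secret, YYYYMMDD); kRegion = HMAC(kDate, region);
    kService = HMAC(kRegion, service); kSigning = HMAC(kService, "aws4_request").
    Each hop keys the next HMAC with the previous raw 32-byte digest, not its
    hex encoding; feeding the hex string forward is a common derivation bug."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def parse_credential(credential: str) -> dict:
    """Split 'AKID/YYYYMMDD/region/service/aws4_request' into its scope parts."""
    parts = credential.split("/")
    if len(parts) != 5 or parts[4] != "aws4_request":
        raise ValueError("malformed Credential parameter: " + credential)
    return {"access_key_id": parts[0], "date": parts[1], "region": parts[2], "service": parts[3]}


def check_scope_date(credential: str, amz_date: str) -> tuple:
    """Compare the YYYYMMDD in the credential scope with the first eight
    characters of x-amz-date. Returns (ok, scope_date, header_date)."""
    scope_date = parse_credential(credential)["date"]
    header_date = amz_date.strip('"')[:8]  # the header value may be quoted, as in the text above
    return (scope_date == header_date, scope_date, header_date)


def is_signature_expired(amz_date: str, now: str) -> bool:
    """AWS rejects a request whose x-amz-date is earlier than now minus 15 minutes."""
    fmt = "%Y%m%dT%H%M%SZ"
    request_time = datetime.strptime(amz_date.strip('"'), fmt)
    server_time = datetime.strptime(now, fmt)
    return request_time < server_time - SIGNATURE_LIFETIME


if __name__ == "__main__":
    ok, scope, header = check_scope_date(SAMPLE_CREDENTIAL, SAMPLE_AMZ_DATE)
    print("scope date matches x-amz-date:", ok, scope, header)
    # Times taken from the "Signature expired" message above.
    print("expired:", is_signature_expired("20120306T074514Z", "20120306T080056Z"))
    print("kSigning:", derive_signing_key(SAMPLE_SECRET_KEY, "20120215", "us-east-1", "iam").hex())
```

The derived key is specific to the date, region and service in the credential scope, so a key derived for one service cannot validate a request to another; that is why a mismatch in any scope component produces SignatureDoesNotMatch rather than a more specific error.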
Signature Version 2 Signing Process
You can use Signature Version 2 to sign AWS Query API requests.
Supported Regions and Services
The following regions do not support Signature Version 2, regardless of which service you're using:
• China (Beijing)
• EU (Frankfurt)
For these regions, you must use Signature Version 4 to sign AWS Query API requests.
The following services currently support Signature Version 2 in all other regions.
AWS services that support Signature Version 2 (with the API reference for each):
• Auto Scaling (Auto Scaling API Reference)
• AWS CloudFormation (AWS CloudFormation API Reference)
• Amazon CloudWatch (Amazon CloudWatch API Reference)
• AWS Elastic Beanstalk (Elastic Beanstalk API Reference)
• Amazon Elastic Compute Cloud (Amazon EC2 API Reference)
• Elastic Load Balancing (Elastic Load Balancing API Reference)
• Amazon Elastic MapReduce (Amazon Elastic MapReduce API Reference)
• Amazon ElastiCache (Amazon ElastiCache API Reference)
• AWS Identity and Access Management (IAM API Reference)
• AWS Import/Export (AWS Import/Export API Reference)
• Amazon Relational Database Service (Amazon Relational Database Service API Reference)
• Amazon Simple Notification Service (Amazon Simple Notification Service API Reference)
• Amazon Simple Queue Service (Amazon Simple Queue Service API Reference)
• Amazon SimpleDB (Amazon SimpleDB API Reference)
Components of a Query Request for Signature Version 2
AWS requires that each HTTP or HTTPS Query request formatted for Signature Version 2 contains the
following:
Endpoint
Also known as the host part of an HTTP request. This is the DNS name of the computer where you
send the Query request. This is different for each AWS region. For the list of endpoints for each
service, see AWS Regions and Endpoints (p. 2).
Action
The action you want a web service to perform. This value determines the parameters used in the
request.
AWSAccessKeyId
A value distributed by AWS when you sign up for an AWS account.
SignatureMethod
The hash-based protocol used to calculate the signature. This can be either HMAC-SHA1 or
HMAC-SHA256 for Signature Version 2.
SignatureVersion
The version of the AWS signature protocol.
Timestamp
The time at which you make the request. Include this in the Query request to help prevent third parties
from intercepting your request.
Required and optional parameters
Each action has a set of required and optional parameters that define the API call.
Signature
The calculated value that lets AWS verify that the request is authentic and has not been tampered with.
The following is an example Amazon Elastic MapReduce Query request formatted as an HTTPS GET
request.
• The endpoint, elasticmapreduce.amazonaws.com, is the default endpoint and maps to the region
us-east-1.
• The action is DescribeJobFlows, which requests information about one or more job flows.
Note
In the actual Query request, there are no spaces or newline characters. The request is a
continuous line of text. The version below is formatted for human readability.
https://elasticmapreduce.amazonaws.com?
&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
&Action=DescribeJobFlows
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2011-10-03T15%3A19%3A30
&Version=2009-03-31
&Signature=calculated value
How to Generate a Signature Version 2 for a Query Request
Web service requests are sent across the Internet and are vulnerable to tampering. To check that the
request has not been altered, AWS calculates the signature to determine if any of the parameters or
parameter values were changed en route. AWS requires a signature as part of every request.
Note
Be sure to URI encode the request. For example, blank spaces in your request should be encoded
as %20. Although an unencoded space is normally allowed by the HTTP protocol specification,
unencoded characters create an invalid signature in your Query request. Do not encode spaces
as a plus sign (+) as this will cause errors.
The following topics describe the steps needed to calculate a signature using AWS Signature Version 2.
Task 1: Format the Query Request
Before you can sign the Query request, format the request in a standardized (canonical) format in ASCII
order. This is needed because the different ways to format a Query request will result in different HMAC
signatures. Format the request in a canonical format before signing. This ensures your application and
AWS will calculate the same signature for a request.
To create the string to sign, you concatenate the Query request components. The following example
generates the string to sign for the following call to the Amazon Elastic MapReduce API.
https://elasticmapreduce.amazonaws.com?
Action=DescribeJobFlows
&Version=2009-03-31
&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
&SignatureVersion=2
&SignatureMethod=HmacSHA256
&Timestamp=2011-10-03T15:19:30
Note
In the preceding request, the last four parameters (AWSAccessKeyID through Timestamp) are
called authentication parameters. They're required in every Signature Version 2 request. AWS
uses them to identify who is sending the request and whether to grant the requested access.
To create the string to sign (Signature Version 2)
1.
Start with the request method (either GET or POST), followed by a newline character. For human
readability, the newline character is represented as \n.
GET\n
2.
Add the HTTP host header (endpoint) in lowercase, followed by a newline character. The port
information is omitted if it is the standard port for the protocol (port 80 for HTTP and port 443 for
HTTPS), but included if it is a nonstandard port.
elasticmapreduce.amazonaws.com\n
3.
Add the URL-encoded version of each path segment of the URI, which is everything between the
HTTP host header to the question mark character (?) that begins the query string parameters, followed
by a newline character. Don't encode the forward slash (/) that delimits each path segment.
In this example, if the absolute path is empty, use a forward slash (/).
/\n
4.
a. Add the query string components, as UTF-8 characters which are URL encoded (hexadecimal
characters must be uppercase). You do not encode the initial question mark character (?) in the
request. For more information, see RFC 3986.
b. Sort the query string components by byte order. Byte ordering is case sensitive. AWS sorts
these components based on the raw bytes.
For example, this is the original order for the query string components.
Action=DescribeJobFlows
Version=2009-03-31
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
SignatureVersion=2
SignatureMethod=HmacSHA256
Timestamp=2011-10-03T15%3A19%3A30
The query string components would be reorganized as the following:
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE
Action=DescribeJobFlows
SignatureMethod=HmacSHA256
SignatureVersion=2
Timestamp=2011-10-03T15%3A19%3A30
Version=2009-03-31
c. Separate parameter names from their values with the equal sign character (=) (ASCII character
61), even if the value is empty. Separate parameter and value pairs with the ampersand character
(&) (ASCII code 38). Concatenate the parameters and their values to make one long string with
no spaces. Spaces within a parameter value are allowed, but must be URL encoded as %20.
In the concatenated string, period characters (.) are not escaped. RFC 3986 considers the period
character an unreserved character, so it is not URL encoded.
Note
RFC 3986 does not specify what happens with ASCII control characters, extended
UTF-8 characters, and other characters reserved by RFC 1738. Since any values may
be passed into a string value, these other characters should be percent encoded as
%XY where X and Y are uppercase hex characters. Extended UTF-8 characters take
the form %XY%ZA... (this handles multibyte sequences).
The following example shows the query string components, with the parameters concatenated with
the ampersand character (&), and sorted by byte order.
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-10-03T15%3A19%3A30&Version=2009-03-31
5.
To construct the finished canonical request, combine all the components from each step. As shown,
each component ends with a newline character.
GET\n
elasticmapreduce.amazonaws.com\n
/\n
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-10-03T15%3A19%3A30&Version=2009-03-31
Task 2: Calculate the Signature
After you've created the canonical string as described in Task 1: Format the Query Request (p. 108),
calculate the signature by creating a hash-based message authentication code (HMAC) that uses either
the HMAC-SHA1 or the HMAC-SHA256 algorithm. HMAC-SHA256 is preferred.
In this example, the signature is calculated with the following canonical string and secret key as inputs
to a keyed hash function:
• Canonical query string:
GET\n
elasticmapreduce.amazonaws.com\n
/\n
AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-10-03T15%3A19%3A30&Version=2009-03-31
• Sample secret key:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
The resulting signature must be base-64 encoded and then URI encoded.
i91nKc4PWAt0JJIdXwz9HxZCJDdiy6cf%2FMj6vPxyYIs%3D
Add the resulting value to the query request as a Signature parameter. You can use the signed request
in an HTTP or HTTPS call.
https://elasticmapreduce.amazonaws.com?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Action=DescribeJobFlows&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2011-10-03T15%3A19%3A30&Version=2009-03-31&Signature=i91nKc4PWAt0JJIdXwz9HxZCJDdiy6cf%2FMj6vPxyYIs%3D
Note
You can use temporary security credentials provided by AWS Security Token Service (AWS
STS) to sign a request. The process is the same as using long-term credentials, but requests
require an additional parameter for the security token.
The following request uses a temporary access key ID and the SecurityToken parameter.
Example request with temporary security credentials
https://sdb.amazonaws.com/
?Action=GetAttributes
&AWSAccessKeyId=access-key-from-AWS Security Token Service
&DomainName=MyDomain
&ItemName=MyItem
&SignatureVersion=2
&SignatureMethod=HmacSHA256
&Timestamp=2010-01-25T15%3A03%3A07-07%3A00
&Version=2009-04-15
&Signature=signature-calculated-using-the-temporary-access-key
&SecurityToken=session-token
For more information, see the following resources:
• The Amazon Elastic MapReduce Developer Guide has information about Amazon Elastic MapReduce
API calls.
• The API documentation for each service has information about requirements and specific parameters
for an action.
• The AWS SDKs offer functions to generate Query request signatures. To see an example using the
AWS SDK for Java, see Using the Java SDK to Sign a Query Request (p. 112).
Troubleshooting Request Signatures Version 2
This section describes some error codes you might see when you are initially developing code to generate
the signature to sign Query requests.
SignatureDoesNotMatch Signing Error in a web service
The following error response is returned when a web service attempts to validate the request signature
by recalculating the signature value and generates a value that does not match the signature you appended
to the request. This can occur because the request was altered between the time you sent it and the time
it reached a web service endpoint (which is what the signature is designed to detect) or because the
signature was calculated improperly. A common cause of the following error message is not properly
creating the string to sign, such as forgetting to URL-encode characters such as the colon (:) and the
forward slash (/) in Amazon S3 bucket names.
<ErrorResponse xmlns="http://elasticmapreduce.amazonaws.com/doc/2009-03-31">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature
you provided.
Check your AWS Secret Access Key and signing method.
Consult the service documentation for details.</Message>
</Error>
<RequestId>7589637b-e4b0-11e0-95d9-639f87241c66</RequestId>
</ErrorResponse>
IncompleteSignature Signing Error in a web service
The following error indicates that the signature is missing information or has been improperly formed.
<ErrorResponse xmlns="http://elasticmapreduce.amazonaws.com/doc/2009-03-31">
<Error>
<Type>Sender</Type>
<Code>IncompleteSignature</Code>
<Message>Request must contain a signature that conforms to AWS standards</Message>
</Error>
<RequestId>7146d0dd-e48e-11e0-a276-bd10ea0cbb74</RequestId>
</ErrorResponse>
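The signing procedure from Task 1 and Task 2 above, together with the server-side recomputation that the SignatureDoesNotMatch and IncompleteSignature sections describe, as an added Python example. This is not AWS's or the SDK's code; it uses only the Python standard library, and the host, parameters and secret key are the placeholder values from the Amazon Elastic MapReduce example in the text above. The verify function stands in for what the service does on receipt and returns the error code the text associates with each failure.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample request: the Amazon Elastic MapReduce example from the
# text above. The secret key is the documentation's placeholder, not a real key.
SAMPLE_HOST = "elasticmapreduce.amazonaws.com"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_PARAMS = {
    "Action": "DescribeJobFlows",
    "Version": "2009-03-31",
    "AWSAccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SignatureVersion": "2",
    "SignatureMethod": "HmacSHA256",
    "Timestamp": "2011-10-03T15:19:30",
}


def sigv2_encode(value: str) -> str:
    """Percent-encode as Signature Version 2 requires: RFC 3986 unreserved
    characters (A-Z a-z 0-9 - _ . ~) are left alone, everything else becomes
    %XY with uppercase hex, and a space becomes %20, never '+'."""
    return quote(value, safe="-_.~")


def canonical_query_string(params: dict) -> str:
    """Task 1, step 4: encode each name and value, sort the pairs by raw byte
    order of the encoded name (case-sensitive), and join with '=' and '&'."""
    pairs = sorted((sigv2_encode(k), sigv2_encode(v)) for k, v in params.items())
    return "&".join(f"{name}={value}" for name, value in pairs)


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    """Task 1, step 5: method, lowercase host, path ('/' if empty) and the
    canonical query string, separated by real newline characters."""
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query_string(params)])


def sign(method: str, host: str, path: str, params: dict, secret_key: str) -> str:
    """Task 2: HMAC-SHA256 over the string to sign, keyed with the secret key,
    then base64. Returns the base64 value; URL-encode it when placing it in
    the query string."""
    digest = hmac.new(secret_key.encode("utf-8"),
                      string_to_sign(method, host, path, params).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_url(host: str, path: str, params: dict, secret_key: str) -> str:
    """Build the final GET URL with the URL-encoded Signature parameter appended."""
    signature = sign("GET", host, path, params, secret_key)
    return f"https://{host}{path or '/'}?{canonical_query_string(params)}&Signature={sigv2_encode(signature)}"


def verify(method: str, host: str, path: str, received: dict, secret_key: str) -> str:
    """What the service does on receipt: drop Signature, recompute it from the
    remaining (already URL-decoded) parameters, and compare in constant time.
    Returns "OK" or the error code the text above describes."""
    presented = received.get("Signature")
    if not presented:
        return "IncompleteSignature"
    unsigned = {k: v for k, v in received.items() if k != "Signature"}
    expected = sign(method, host, path, unsigned, secret_key)
    return "OK" if hmac.compare_digest(expected, presented) else "SignatureDoesNotMatch"


if __name__ == "__main__":
    print(string_to_sign("GET", SAMPLE_HOST, "/", SAMPLE_PARAMS))
    print(signed_url(SAMPLE_HOST, "/", SAMPLE_PARAMS, SAMPLE_SECRET_KEY))
```

Because the whole canonical string is under the HMAC, any change to a parameter value in transit makes the recomputed value differ from the presented one, which is the SignatureDoesNotMatch case; omitting the Signature parameter altogether is the IncompleteSignature case. The comparison uses hmac.compare_digest so that a verifier does not leak how many leading bytes of a guessed signature were correct.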
Using the Java SDK to Sign a Query Request
The following example uses the amazon.webservices.common package of the AWS SDK for Java to
generate an AWS Signature Version 2 Query request signature. To do so, it creates an RFC 2104-compliant
HMAC signature. For more information about HMAC, see HMAC: Keyed-Hashing for Message
Authentication.
Note
Java is used as an example implementation. You can use the programming language of your
choice to implement the HMAC algorithm to sign Query requests.
import java.security.SignatureException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import com.amazonaws.util.*;

/**
 * This class defines common routines for generating
 * authentication signatures for AWS Platform requests.
 */
public class Signature {
    private static final String HMAC_SHA256_ALGORITHM = "HmacSHA256";

    /**
     * Computes RFC 2104-compliant HMAC signature.
     *
     * @param data
     *     The signed data.
     * @param key
     *     The signing key.
     * @return
     *     The Base64-encoded RFC 2104-compliant HMAC signature.
     * @throws java.security.SignatureException
     *     when signature generation fails
     */
    public static String calculateRFC2104HMAC(String data, String key)
            throws java.security.SignatureException
    {
        String result;
        try {
            // Get an hmac_sha256 key from the raw key bytes.
            SecretKeySpec signingKey = new SecretKeySpec(key.getBytes("UTF8"),
                    HMAC_SHA256_ALGORITHM);
            // Get an hmac_sha256 Mac instance and initialize with the signing key.
            Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
            mac.init(signingKey);
            // Compute the hmac on input data bytes.
            byte[] rawHmac = mac.doFinal(data.getBytes("UTF8"));
            // Base64-encode the hmac by using the utility in the SDK.
            result = BinaryUtils.toBase64(rawHmac);
        } catch (Exception e) {
            throw new SignatureException("Failed to generate HMAC : " + e.getMessage());
        }
        return result;
    }
}
AWS Service Limits
The following tables provide the default limits for AWS services for an AWS account. Unless otherwise
noted, each limit is region specific. Many services contain limits that cannot be changed. For more
information about the limits for a specific service, see the documentation for that service.
If your support plan includes Trusted Advisor, you can use it to display your usage and limits for each
service in a specific region. For more information, see Trusted Advisor.
You can take the following steps to request an increase for limits. These increases are not granted
immediately, so it may take a couple of days for your increase to become effective.
To request a limit increase
1. Open the AWS Support Center page, sign in, if necessary, and then choose Create Case.
2. Under Regarding, choose Service Limit Increase.
3. Under Limit Type, choose the type of limit to increase, fill in the necessary fields in the form, and
then choose your preferred method of contact.
Default Limits
• Amazon API Gateway Limits (p. 115)
• Amazon AppStream Limits (p. 116)
• Auto Scaling Limits (p. 116)
• AWS Certificate Manager Limits (p. 116)
• AWS CloudFormation Limits (p. 117)
• Amazon CloudFront Limits (p. 117)
• AWS CloudHSM Limits (p. 117)
• Amazon CloudSearch Limits (p. 118)
• AWS CodeCommit Limits (p. 118)
• AWS CodeDeploy Limits (p. 118)
• AWS CodePipeline Limits (p. 118)
• AWS Database Migration Service Limits (p. 119)
• AWS Device Farm Limits (p. 119)
• AWS Directory Service Limits (p. 120)
• Amazon DynamoDB Limits (p. 120)
• Amazon EC2 Container Registry (Amazon ECR) Limits (p. 120)
• Amazon EC2 Container Service (Amazon ECS) Limits (p. 121)
• AWS Elastic Beanstalk Limits (p. 121)
• Amazon Elastic Block Store (Amazon EBS) Limits (p. 121)
• Amazon Elastic Compute Cloud (Amazon EC2) Limits (p. 122)
• Amazon EC2 Simple Systems Manager Limits (p. 122)
• Amazon ElastiCache Limits (p. 123)
• Elastic Load Balancing Limits (p. 123)
• Amazon Elastic Transcoder Limits (p. 123)
• Amazon Elasticsearch Service Limits (p. 124)
• Amazon GameLift Limits (p. 124)
• AWS Identity and Access Management (IAM) Limits (p. 125)
• AWS IoT Limits (p. 125)
• AWS Snowball (Snowball) Limits (p. 129)
• AWS Key Management Service (AWS KMS) Limits (p. 129)
• Amazon Kinesis Firehose Limits (p. 130)
• Amazon Kinesis Streams Limits (p. 130)
• AWS Lambda Limits (p. 130)
• Amazon Machine Learning (Amazon ML) Limits (p. 130)
• AWS OpsWorks Limits (p. 131)
• Amazon Redshift Limits (p. 131)
• Amazon Relational Database Service (Amazon RDS) Limits (p. 132)
• Amazon Route 53 Limits (p. 132)
• AWS Service Catalog Limits (p. 133)
• Amazon Simple Email Service (Amazon SES) Limits (p. 133)
• Amazon Simple Notification Service (Amazon SNS) Limits (p. 134)
• Amazon Simple Storage Service (Amazon S3) Limits (p. 134)
• Amazon Simple Workflow Service (Amazon SWF) Limits (p. 134)
• Amazon SimpleDB Limits (p. 134)
• Amazon Virtual Private Cloud (Amazon VPC) Limits (p. 135)
• AWS WAF Limits (p. 137)
• Amazon WorkSpaces Limits (p. 138)
Amazon API Gateway Limits
Resource: Default Limit
APIs per account: 60
API keys per account: 10,000
Client certificates per account: 60
Resources per API: 300
Stages per API: 10
Timeout for both AWS Lambda and HTTP integrations; this limit cannot be increased currently: 10
Sustained API requests per account: 500
Throttled API requests per account: 1000
Payload size; this limit cannot be increased currently: 10 MB
For information about additional documented limits, see Limits in Amazon API Gateway in the API Gateway
Developer Guide.
Amazon AppStream Limits
An Amazon AppStream account has a service limit of up to five concurrent streaming sessions:
• Up to two concurrent streaming application deployments using the interactive wizard.
• Up to three streaming applications in the Building, Active, or Error states.
For more information, see Amazon AppStream Application Lifecycle in the Amazon AppStream Developer
Guide.
Auto Scaling Limits
Resource: Default Limit
Launch configurations: 100
Auto Scaling groups: 20
Lifecycle hooks per Auto Scaling group: 50
Load balancers per Auto Scaling group: 50
Step adjustments per scaling policy: 20
For information about additional documented limits, see Auto Scaling Limits in the Auto Scaling Developer
Guide.
AWS Certificate Manager Limits
Object: Limit
Certificates (in Pending and Issued states): 20
Names per Certificate: 10
Certificates issued per year: 20
For information about additional documented limits, see Limits in the AWS Certificate Manager User
Guide.
AWS CloudFormation Limits
Resource: Default Limit
Stacks: 200
For information about additional documented limits, see AWS CloudFormation Limits in the AWS
CloudFormation User Guide.
Amazon CloudFront Limits
Resource: Default Limit
Data transfer rate per distribution: 10 Gbps
Requests per second per distribution: 15,000
Web distributions per account: 200
RTMP distributions per account: 100
Alternate domain names (CNAMEs) per distribution: 100
Origins per distribution: 25
Cache behaviors per distribution: 25
Whitelisted headers per cache behavior: 10
Whitelisted cookies per cache behavior: 10
SSL certificates per account when serving HTTPS requests using dedicated IP addresses (no limit when serving HTTPS requests using SNI): 2
Custom headers that you can have Amazon CloudFront forward to the origin: 10 name/value pairs
For information about additional documented limits, see Limits in the Amazon CloudFront Developer
Guide.
AWS CloudHSM Limits
Resource: Default Limit
HSM appliances: 3
High-availability partition groups: 20
Clients: 800
Amazon CloudSearch Limits
Resource: Default Limit
Partitions: 10
Search instances: 50
For information about additional documented limits, see Understanding Amazon CloudSearch Limits in
the Amazon CloudSearch Developer Guide.
AWS CodeCommit Limits
Resource: Default Limit
Number of repositories: 1,000 per AWS account
For information about additional documented limits, see Limits in AWS CodeCommit in the AWS
CodeCommit User Guide.
AWS CodeDeploy Limits
Resource: Default Limit
Number of applications under an account in a single region: 40
Number of concurrent deployments under an account: 10
Number of hours until a deployment fails if not completed: 8
Number of hours until an individual deployment lifecycle event fails if not completed: 1
Number of deployment groups associated with a single application: 50
Number of instances in a single deployment: 50
For information about additional documented limits, see Limits in AWS CodeDeploy in the AWS CodeDeploy
User Guide.
AWS CodePipeline Limits
Resource: Default Limit
Number of pipelines: 20
Number of stages: Minimum of 2, maximum of 10
Number of actions: Minimum of 1, maximum of 20
Maximum number of revisions running across all pipelines: 20
Maximum size of source artifacts: 500 megabytes (MB)
Maximum number of times an action can be run per month: 1,000 per calendar month
For information about additional documented limits, see Limits in AWS CodePipeline in the AWS
CodePipeline User Guide.
AWS Database Migration Service Limits
Resource: Default Limit
Replication instances: 20
Total amount of storage: 6 TB
Event subscriptions: 100
Replication subnet groups: 20
Subnets per replication subnet group: 20
Endpoints: 100
Tasks: 100
Endpoints per instance: 100
AWS Device Farm Limits
Resource: Default Limit; Comments
App file size you can upload: 4 GB
Number of devices AWS Device Farm can test during a run: 5; This limit can be increased to 100 upon request.
Number of devices you can include in a test run: None
Number of runs you can schedule: None
Duration of a remote access session: 60 minutes
AWS Directory Service Limits
Resource: Default Limit
Simple AD directories: 10
AD Connector directories: 10
Manual snapshots: 5 per Simple AD
Amazon DynamoDB Limits
Resource: Default Limit
Maximum capacity units per table or global secondary index: US East (N. Virginia) Region: 40,000 read capacity units and 40,000 write capacity units
Maximum capacity units per account: US East (N. Virginia) Region: 80,000 read capacity units and 80,000 write capacity units
Maximum capacity units per table or global secondary index: All other Regions: 10,000 read capacity units and 10,000 write capacity units
Maximum capacity units per account: All other Regions: 20,000 read capacity units and 20,000 write capacity units
Maximum number of tables: 256
For information about additional documented limits, see Limits in Amazon DynamoDB in the Amazon
DynamoDB Developer Guide.
Amazon EC2 Container Registry (Amazon ECR) Limits
Resource: Default Limit
Maximum number of repositories per account: 1,000
Maximum number of images per repository: 1,000
For information about additional documented limits, see Amazon ECR Service Limits in the Amazon EC2
Container Registry User Guide.
Amazon EC2 Container Service (Amazon ECS) Limits
Resource: Default Limit
Number of clusters per region, per account: 1000
Number of container instances per cluster: 1000
Number of services per cluster: 500
For information about additional documented limits, see Amazon ECS Service Limits in the Amazon EC2
Container Service Developer Guide.
AWS Elastic Beanstalk Limits
Resource: Default Limit
Applications: 25
Versions: 500
Environments: 200
Amazon Elastic Block Store (Amazon EBS) Limits
Resource: Default Limit
Number of EBS volumes: 5,000
Number of EBS snapshots: 10,000
Total volume storage of General Purpose SSD (gp2) volumes: 20 TiB
Total volume storage of Provisioned IOPS SSD (io1) volumes: 20 TiB
Total volume storage of Throughput Optimized HDD (st1): 20 TiB
Total volume storage of Cold HDD (sc1): 20 TiB
Total volume storage of Magnetic volumes: 20 TiB
Total provisioned IOPS: 40,000
For information about additional documented limits, see Amazon EC2 Service Limits in the Amazon EC2
User Guide for Linux Instances.
Amazon Elastic Compute Cloud (Amazon EC2) Limits
Resource: Default Limit
Elastic IP addresses for EC2-Classic: 5
Security groups for EC2-Classic per instance: 500
Rules per security group for EC2-Classic: 100
Key pairs: 5,000
Throttle on the emails that can be sent from your Amazon EC2 account: Throttle applied
On-demand instances: Limits vary depending on instance type. For more information, see How many instances can I run in Amazon EC2.
Spot Instances: Limits vary depending on instance type, region, and account. For more information, see Spot Instance Limits.
Reserved Instances: 20 instance reservations per Availability Zone, per month
AMI Copies: Destination regions are limited to 50 concurrent AMI copies at a time, with no more than 25 of those coming from a single source region.
For information about related limits for EC2-VPC, see Amazon Virtual Private Cloud (Amazon VPC)
Limits (p. 135).
For information about viewing your current limits, see Amazon EC2 Service Limits in the Amazon EC2
User Guide for Linux Instances.
Amazon EC2 Simple Systems Manager Limits
Resource: Default Limit
Number of documents per account: 200
Number of associations per account: 10,000
Amazon ElastiCache Limits
Resource: Default Limit
Nodes per region: 50
Nodes per cluster (Memcached): 20
Nodes per cluster (Redis): 1
Read replicas per replication group (Redis): 5
Clusters per replication group (Redis): 6
Parameter Groups per region: 20
Security Groups per region: 50
Subnet Groups per region: 50
Subnets per Subnet Group: 20
These limits are global limits per customer account. If you need to exceed these limits, make your request
using the Amazon ElastiCache Cache Node request form.
Elastic Load Balancing Limits
Resource: Default Limit; Comments
Load balancers per region: 20; This limit can be increased upon request
Listeners per load balancer: 100; This limit cannot be increased
Security groups per load balancer: 5; This limit cannot be increased
Subnets per Availability Zone per load balancer: 1; This limit cannot be increased
For information about additional documented limits, see Elastic Load Balancing Limits in the Elastic Load
Balancing Developer Guide.
Amazon Elastic Transcoder Limits
Resource: Default Limit
Pipelines per region: 4
User-defined presets: 50
Maximum number of jobs processed simultaneously by each pipeline: US East (N. Virginia) region – 20; US West (N. California) region – 12; US West (Oregon) region – 20; EU (Ireland) region – 20; Asia Pacific (Singapore) region – 12; Asia Pacific (Tokyo) region – 12
For information about additional documented limits, see Amazon Elastic Transcoder limits in the Amazon
Elastic Transcoder Developer Guide.
Amazon Elasticsearch Service Limits
Resource: Default Limit
Maximum number of Elasticsearch instances per cluster: 10
Amazon GameLift Limits
Resource: Default Limit
Aliases: 20
Fleets: 20
Builds: 1000
Total size of builds: 100 GB
Log upload size per game session: 200 MB
On-demand instances: Limits vary depending on instance type; 20 instances per account, regardless of instance type
Player sessions per game session: 200
For information about additional documented limits, see Scaling Amazon Elastic Compute Cloud (Amazon
EC2) Instances in the Amazon GameLift Developer Guide.
AWS Identity and Access Management (IAM) Limits
Resource: Default Limit
Groups per account: 100
Instance profiles: 100
Roles: 250
Server certificates: 20
Users: 5000
For information about additional documented limits, see Limitations on IAM Entities and Objects in the
IAM User Guide.
AWS IoT Limits
The following limits apply to the message broker:
Topic length limit
The topic passed to the message broker when
publishing a message cannot exceed 256 bytes
encoded in UTF-8.
Restricted topic prefix
Topics beginning with '$' are considered reserved
and are not supported for publishing and subscribing except when working with the Thing Shadows
service.
Maximum number of slashes in topic and topic filter
A topic provided while publishing a message or a topic filter provided while subscribing can have no
more than eight forward slashes (/).
Client ID size limit
128 bytes encoded in UTF-8.
Restricted client ID prefix
'$' is reserved for internally generated client IDs.
Message size limit
The payload for every publish message is limited
to 128 KB. The AWS IoT service will reject messages larger than this size.
Throughput per connection
AWS IoT limits the ingress and egress rate on each
client connection to 512 KB/s. Data sent or received
at a higher rate will be throttled to this throughput.
Maximum subscriptions per subscribe call
A single subscribe call is limited to request a maximum of eight subscriptions.
Subscriptions per session
The message broker limits each client session to subscribe to up to 50 subscriptions. A subscribe request that pushes the total number of subscriptions past 50 will result in the connection being disconnected.

Connection inactivity (keep-alive) limits
By default, an MQTT client connection is disconnected after 30 minutes of inactivity. When the client sends a PUBLISH, SUBSCRIBE, PING, or PUBACK message, the inactivity timer is reset.
A client can request a shorter keep-alive interval by specifying a keep-alive value between 5 and 1,200 seconds in the MQTT CONNECT message sent to the server. If a keep-alive value is specified, the server will disconnect the client if it does not receive a PUBLISH, SUBSCRIBE, PINGREQ, or PUBACK message within a period 1.5 times the requested interval. The keep-alive timer starts after the server sends a CONNACK.
If a client sends a keep-alive value of zero, the default keep-alive behavior will remain in place.
If a client requests a keep-alive shorter than 5 seconds, the server will treat the client as though it requested a keep-alive interval of 5 seconds.
The keep-alive timer begins immediately after the server returns a CONNACK to the client. There may be a brief delay between the client's sending of a CONNECT message and the start of keep-alive behavior.

Maximum inbound unacknowledged messages
The message broker allows 100 in-flight unacknowledged messages (the limit is across all messages requiring an ACK). When this limit is reached, no new messages will be accepted until an ACK is returned by the server.

Maximum outbound unacknowledged messages
The message broker only allows 100 in-flight unacknowledged messages (the limit is across all messages requiring an ACK). When this limit is reached, no new messages will be sent to the client until the client acknowledges the in-flight messages.

Maximum retry interval for delivering QoS 1 messages
If a connected client is unable to receive an ACK on a QoS 1 message for one hour, the message broker will drop the message. The client may be unable to receive the message if it has 100 in-flight messages, it is being throttled due to large payloads, or other errors.
WebSocket connection duration
WebSocket connections are limited to 24 hours. If the limit is exceeded, the WebSocket connection will automatically be closed when an attempt is made to send a message by the client or server. If you need to maintain an active WebSocket connection for longer than 5 minutes, simply close and reopen the WebSocket connection from the client side before the 5 minutes elapses.
The following limits apply to thing shadows:

Maximum size of a JSON state document
The maximum size of a JSON state document is 8 KB.

Maximum number of JSON objects per AWS account
There is no limit on the number of JSON objects per AWS account.

Shadow lifetime
A thing shadow is deleted by AWS IoT if it has not been updated or retrieved in more than 1 year.

Maximum number of in-flight, unacknowledged messages
The Thing Shadows service supports up to 10 in-flight unacknowledged messages. When this limit is reached, all new shadow requests will be rejected with a 429 error code.

Maximum depth of JSON device state documents
The maximum number of levels in the "desired" or "reported" section of the JSON device state document is 5. For example:
"desired": {
    "one": {
        "two": {
            "three": {
                "four": {
                    "five": {
                    }
                }
            }
        }
    }
}
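The broker and thing-shadow limits above are enforced server-side, and several of them (50 subscriptions per session, more than eight subscriptions in one call, an oversized payload) cost the client its connection rather than a polite error. The following added example, which is not AWS SDK or service code, shows client-side pre-flight checks that apply those limits before a message leaves the device. The limit values are the ones stated above; the check names, the SubscriptionTracker class and the depth-counting rule for shadow documents are this example's own conventions, and the byte counts use UTF-8 because the limits are stated in bytes, not characters.

```python
"""Client-side pre-flight checks for the AWS IoT message broker and Thing Shadows
limits listed above. Added example, not AWS SDK or service code; the limit
values are the documented ones, the check names and SubscriptionTracker are
this example's own."""
import json

TOPIC_MAX_BYTES = 256                 # topic length, UTF-8 encoded
MAX_SLASHES = 8                       # forward slashes in a topic or filter
PAYLOAD_MAX_BYTES = 128 * 1024        # 128 KB per publish
MAX_SUBSCRIPTIONS_PER_CALL = 8
MAX_SUBSCRIPTIONS_PER_SESSION = 50
KEEPALIVE_MIN_S, KEEPALIVE_MAX_S = 5, 1200
DEFAULT_INACTIVITY_S = 30 * 60        # default disconnect after 30 minutes idle
SHADOW_DOC_MAX_BYTES = 8 * 1024
SHADOW_MAX_DEPTH = 5


def utf8_len(text):
    # Limits are in bytes, not characters: non-ASCII topics grow when encoded.
    return len(text.encode("utf-8"))


def check_topic(topic, shadow_topic=False):
    """Return the list of limit violations for a topic or topic filter."""
    problems = []
    if utf8_len(topic) > TOPIC_MAX_BYTES:
        problems.append("topic_too_long")
    if topic.startswith("$") and not shadow_topic:
        problems.append("reserved_prefix")   # '$' topics only for Thing Shadows
    if topic.count("/") > MAX_SLASHES:
        problems.append("too_many_slashes")
    return problems


def check_publish(topic, payload, shadow_topic=False):
    """Topic checks plus the 128 KB payload limit (payload is bytes)."""
    problems = check_topic(topic, shadow_topic)
    if len(payload) > PAYLOAD_MAX_BYTES:
        problems.append("payload_too_large")
    return problems


def effective_keepalive(requested_s):
    """Interval the broker applies and the seconds of silence before it disconnects.

    0 keeps the default inactivity timeout; values under 5 s are raised to 5 s;
    otherwise the broker disconnects after 1.5 x the interval without a
    PUBLISH, SUBSCRIBE, PINGREQ or PUBACK."""
    if requested_s == 0:
        return 0, DEFAULT_INACTIVITY_S
    if requested_s > KEEPALIVE_MAX_S:
        raise ValueError("keep-alive outside the documented 5-1,200 s range")
    interval = max(KEEPALIVE_MIN_S, requested_s)
    return interval, interval * 1.5


class SubscriptionTracker:
    """Tracks one session's subscriptions so a client never issues the subscribe
    call that would push it past 50 and get the connection dropped."""

    def __init__(self):
        self.filters = set()

    def subscribe(self, topic_filters, shadow_topic=False):
        if len(topic_filters) > MAX_SUBSCRIPTIONS_PER_CALL:
            raise ValueError("at most 8 subscriptions per subscribe call")
        for f in topic_filters:
            bad = check_topic(f, shadow_topic)
            if bad:
                raise ValueError(f"{f!r}: {bad}")
        new = set(topic_filters) - self.filters
        if len(self.filters) + len(new) > MAX_SUBSCRIPTIONS_PER_SESSION:
            raise ValueError("would exceed 50 subscriptions for this session")
        self.filters |= new
        return len(self.filters)


def _depth(obj):
    # Nested object levels; the page's five-level example yields exactly 5.
    if not isinstance(obj, dict) or not obj:
        return 0
    return 1 + max(_depth(v) for v in obj.values())


def check_shadow_state(state):
    """Check a shadow 'state' object ({'desired': ..., 'reported': ...})."""
    problems = []
    raw = json.dumps(state, separators=(",", ":")).encode("utf-8")
    if len(raw) > SHADOW_DOC_MAX_BYTES:
        problems.append("document_too_large")
    for section in ("desired", "reported"):
        if _depth(state.get(section, {})) > SHADOW_MAX_DEPTH:
            problems.append(f"{section}_too_deep")
    return problems
```

The keep-alive helper is the part worth keeping close to a connection manager: the broker's disconnect point is 1.5 times the negotiated interval, so a client that pings at exactly the interval it requested has only half an interval of slack for network delay.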
The following limits apply to security and identity:
• You can attach up to 10 policies to an AWS IoT certificate.
• You can keep up to 5 versions of a named policy.
• Policy document size is limited to 2048 characters (excluding white space).
Throttling Limits
The following table lists the throttling limits for the AWS IoT API:

API | Transactions per Second
AcceptCertificateTransfer | 10
AttachThingPrincipal | 15
CancelCertificateTransfer | 10
CreateCertificateFromCsr | 15
CreatePolicy | 10
CreatePolicyVersion | 10
CreateThing | 15
DeleteCertificate | 10
DeleteCACertificate | 10
DeletePolicy | 10
DeletePolicyVersion | 10
DeleteThing | 10
DescribeCertificate | 10
DescribeCACertificate | 10
DescribeThing | 10
DetachThingPrincipal | 10
DetachPrincipalPolicy | 15
DeleteRegistrationCode | 10
GetPolicy | 10
GetPolicyVersion | 15
GetRegistrationCode | 10
ListCertificates | 10
ListCertificatesByCA | 10
ListPolicies | 10
ListPolicyVersions | 10
ListPrincipalPolicies | 15
ListPrincipalThings | 10
ListThings | 10
ListThingPrincipals | 10
RegisterCertificate | 10
RegisterCACertificate | 10
RejectCertificateTransfer | 10
SetDefaultPolicyVersion | 10
TransferCertificate | 10
UpdateCertificate | 10
UpdateCACertificate | 10
UpdateThing | 10
AWS IoT Rules Engine Limits
The following limit applies to the AWS IoT rules engine:
• There is a limit of 1000 rules per AWS account.
AWS Snowball (Snowball) Limits

Resource | Default limit | Comments
Snowball | 1 | If you need to increase this limit, contact AWS Support.
AWS Key Management Service (AWS KMS) Limits

Resource | Default Limit
Customer Master Keys (CMKs) | 1000
Aliases | 1100
Grants per CMK | 250
Grants for a given principal per CMK | 30
Requests per second | Varies by API operation; see Limits in the AWS Key Management Service Developer Guide.

All limits in the preceding table apply per region and per AWS account.
For information about additional documented limits, see Limits in the AWS Key Management Service
Developer Guide.
Amazon Kinesis Firehose Limits

Resource | Default Limit
Delivery streams per region | 20
For information about additional documented limits, see Amazon Kinesis Firehose Limits in the Amazon
Kinesis Firehose Developer Guide.
Amazon Kinesis Streams Limits

Resource | Default Limit
Shards per region | US East (N. Virginia) region – 50; US West (Oregon) region – 50; EU (Ireland) region – 50; all other supported regions – 25
For information about additional documented limits, see Amazon Kinesis Streams Limits in the Amazon
Kinesis Streams Developer Guide.
AWS Lambda Limits

Resource | Limit
Concurrent requests safety throttle per account | 100
For information about additional documented limits, see AWS Lambda Limits in the AWS Lambda Developer
Guide.
Amazon Machine Learning (Amazon ML) Limits

Resource | Default Limit
Data file size* | 100 GB
Batch prediction input size | 1 TB
Batch prediction input (number of records) | 100 million
Number of variables in a data file (schema) | 1,000
Recipe complexity (number of processed output variables) | 10,000
Transactions Per Second for each real-time prediction endpoint | 200
Total Transactions Per Second for all real-time prediction endpoints | 10,000
Total RAM for all real-time prediction endpoints | 10 GB
Number of simultaneous jobs | 5
Longest run time for any job | 7 days
Number of classes for multiclass ML models | 100
ML model size | 2 GB
Note
The size of your data files is limited to ensure that jobs finish in a timely manner. Jobs that have
been running for more than seven days will be automatically terminated, resulting in a FAILED
status.
For information about additional documented limits, see Amazon ML Limits in the Amazon Machine
Learning Developer Guide.
AWS OpsWorks Limits

Resource | Default Limit
Stacks | 40
Layers per stack | 40
Instances per stack | 40
Apps per stack | 40
Amazon Redshift Limits

Resource | Default Limit
Nodes per cluster | 101
Nodes | 200
Reserved Nodes | 200
Snapshots | 20
Parameter Groups | 20
Security Groups | 20
Subnet Groups | 20
Subnets per Subnet Group | 20
Event Subscriptions | 20
For information about additional documented limits, see Limits in Amazon Redshift in the Amazon Redshift
Cluster Management Guide.
Amazon Relational Database Service (Amazon RDS) Limits

Resource | Default Limit
Instances | 40
Reserved Instances | 40
Total storage for all DB instances | 100 TB
Manual Snapshots | 50
Parameter Groups | 50
Security Groups | 25
VPC Security Groups | 5
Subnet Groups | 20
Subnets per Subnet Group | 20
Option Groups | 20
Event Subscriptions | 20
Read Replicas per Master | 5
Amazon Route 53 Limits

Resource | Default Limit
Hosted zones | 500
Domains | 50
Resource record sets per hosted zone | 10,000
Reusable delegation sets | 100
Hosted zones that can use the same reusable delegation set | 100
Amazon VPCs that you can associate with a private hosted zone | 100
Health checks | 50
Traffic policies | 50
Policy records | 5
For information about additional documented limits, see Amazon Route 53 Limits in the Amazon Route 53
Developer Guide.
AWS Service Catalog Limits

Resource | Default Limit
Portfolios | 25
Users, groups, and roles | 25 per portfolio
Products | 25 per portfolio, 25 total
Product versions | 10 per product
Constraints | 25 per product per portfolio
Tags | 3 per product, 3 per portfolio, 10 per stack
Stacks | 200 (AWS CloudFormation limit)
Amazon Simple Email Service (Amazon SES) Limits
The following are the default limits for Amazon SES in the sandbox environment.

Resource | Default Limit
Daily sending quota | 200 messages per 24 hour period.
Maximum send rate | 1 email per second. Note: the rate at which Amazon SES accepts your messages might be less than the maximum send rate.
Recipient address verification | All recipient addresses must be verified.
For information about additional documented limits, see Limits in Amazon SES in the Amazon Simple
Email Service Developer Guide.
Amazon Simple Notification Service (Amazon SNS) Limits

Resource | Default Limit
Topics per AWS account | 100,000
Amazon Simple Storage Service (Amazon S3) Limits

Resource | Default Limit
Buckets | 100 per account
For information about additional documented limits, see Amazon S3 limits in the Amazon Simple Storage
Service Developer Guide.
Amazon Simple Workflow Service (Amazon SWF) Limits
For information about additional documented limits, see Amazon SWF Service Limits in the Amazon
Simple Workflow Service Developer Guide.
Amazon SimpleDB Limits

Resource | Default Limit
Domains | 250
For information about additional documented limits, see Amazon SimpleDB Limits in the Amazon SimpleDB
Developer Guide.
Amazon Virtual Private Cloud (Amazon VPC) Limits

Resource | Default limit | Comments
VPCs per region | 5 | The limit for Internet gateways per region is directly correlated to this one. Increasing this limit will increase the limit on Internet gateways per region by the same amount. If you need to increase this limit, submit a request.
Subnets per VPC | 200 | If you need to increase this limit, submit a request.
Internet gateways per region | 5 | This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time.
Virtual private gateways per region | 5 | If you need to increase this limit, contact AWS Support; however, only one virtual private gateway can be attached to a VPC at a time.
Customer gateways per region | 50 | If you need to increase this limit, contact AWS Support.
VPN connections per region | 50 | If you need to increase this limit, submit a request.
VPN connections per VPC (per virtual private gateway) | 10 | If you need to increase this limit, submit a request.
Route tables per VPC | 200 | Including the main route table. You can associate one route table to one or more subnets in a VPC.
Routes per route table (non-propagated routes) | 50 | This is the limit for the number of non-propagated entries per route table. You can submit a request for an increase of up to a maximum of 100; however, network performance may be impacted.
BGP advertised routes per route table (propagated routes) | 100 | You can have up to 100 propagated routes per route table; however, the total number of propagated and non-propagated entries per route table cannot exceed 100. For example, if you have 50 non-propagated entries (the default limit for this type of entry), you can only have 50 propagated entries. This limit cannot be increased. If you require more than 100 prefixes, advertise a default route.
Elastic IP addresses per region for each AWS account | 5 | This is the limit for the number of VPC Elastic IP addresses you can allocate within a region. This is a separate limit from the Amazon EC2 Elastic IP address limit. If you need to increase this limit, submit a request.
Security groups per VPC | 500 | If you need to increase this limit, you can submit a request.
Inbound or outbound rules per security group | 50 | You can have 50 inbound and 50 outbound rules per security group (giving a total of 100 combined inbound and outbound rules). If you need to increase or decrease this limit, you can contact AWS Support; a limit change applies to both inbound and outbound rules. However, the product of the limit for inbound or outbound rules per security group and the limit for security groups per network interface cannot exceed 250. For example, if you want 100 inbound and 100 outbound rules per security group, we decrease your number of security groups per network interface to 2.
Security groups per network interface | 5 | If you need to increase or decrease this limit, you can contact AWS Support. The maximum is 16. The product of the limit for security groups per network interface and the limit for rules per security group cannot exceed 250. For example, if you want 10 security groups per network interface, we decrease your number of rules per security group to 25.
Network interfaces per instance | - | This limit varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type.
Network interfaces per region | 350 | This limit is the greater of either the default limit (350) or your On-Demand instance limit multiplied by 5. The default limit for On-Demand instances is 20. If your On-Demand instance limit is below 70, the default limit of 350 applies. You can increase the number of network interfaces per region by contacting AWS Support, or by increasing your On-Demand instance limit.
Network ACLs per VPC | 200 | You can associate one network ACL to one or more subnets in a VPC. This limit is not the same as the number of rules per network ACL.
Rules per network ACL | 20 | This is the one-way limit for a single network ACL, where the limit for ingress rules is 20, and the limit for egress rules is 20. This limit can be increased upon request up to a maximum of 40; however, network performance may be impacted due to the increased workload to process the additional rules.
Active VPC peering connections per VPC | 50 | If you need to increase this limit, contact AWS Support. The maximum limit is 125 peering connections per VPC. The number of entries per route table should be increased accordingly; however, network performance may be impacted.
Outstanding VPC peering connection requests | 25 | This is the limit for the number of outstanding VPC peering connection requests that you've requested from your account. If you need to increase this limit, contact AWS Support.
Expiry time for an unaccepted VPC peering connection request | 1 week (168 hours) | If you need to increase this limit, contact AWS Support.
VPC endpoints per region | 20 | If you need to increase this limit, contact AWS Support; up to a maximum of 255 endpoints per VPC.
Flow logs per single network interface, single subnet, or single VPC in a region | 2 | You can effectively have 6 flow logs per network interface if you create 2 flow logs for the subnet, and 2 flow logs for the VPC in which your network interface resides. This limit cannot be increased.
NAT gateways per Availability Zone | 5 | If you need to increase this limit, submit a request. A NAT gateway in the pending, active, or deleting state counts against your limit.
For information about additional documented limits, see Amazon VPC Limits in the Amazon VPC User
Guide.
AWS WAF Limits

Resource | Default Limit
Web ACLs per account | 10
Rules per account | 50
Conditions per account | 50
For information about additional documented limits, see AWS WAF Limits in the AWS WAF Developer
Guide.
Amazon WorkSpaces Limits

Resource | Default Limit | Comments
WorkSpaces | 5 | To prevent denial of service attacks, accounts new to the Amazon WorkSpaces service are limited to five WorkSpaces.
For information about additional documented limits, see Amazon WorkSpaces Limits in the Amazon
WorkSpaces Administration Guide.
AWS IP Address Ranges
Amazon Web Services (AWS) publishes its current IP address ranges in JSON format. To view the current
ranges, download the .json file. To maintain history, save successive versions of the .json file on your
system. To determine whether there have been changes since the last time that you saved the file, check
the publication time in the current file and compare it to the publication time in the last file that you saved.
Contents
• Download (p. 139)
• Syntax (p. 139)
• Filtering the JSON File (p. 140)
• AWS IP Address Ranges Notifications (p. 142)
Download
Download ip-ranges.json
If you access this file programmatically, it is your responsibility to ensure that the application downloads
the file only after successfully verifying the TLS certificate presented by the server.
Syntax
The syntax of ip-ranges.json is as follows.
{
  "syncToken": "0123456789",
  "createDate": "yyyy-mm-dd-hh-mm-ss",
  "prefixes": [
    {
      "ip_prefix": "cidr",
      "region": "region",
      "service": "subset"
    }
  ]
}
syncToken
The publication time, in Unix epoch time format.
Type: String
Example: "syncToken": "1416435608"
createDate
The publication date and time.
Type: String
Example: "createDate": "2014-11-19-23-29-02"
prefixes
The IP prefixes.
Type: Array
ip_prefix
The public IP address range, in CIDR notation. AWS may advertise a prefix in more specific ranges.
For example, prefix 96.127.0.0/17 in the file may be advertised as 96.127.0.0/21, 96.127.8.0/21,
96.127.32.0/19, and 96.127.64.0/18.
Type: String
Example: "ip_prefix": "198.51.100.2/24"
region
The AWS region or GLOBAL for edge locations. Note that the CLOUDFRONT and ROUTE53 ranges are
GLOBAL.
Type: String
Valid values: ap-northeast-1 | ap-southeast-1 | ap-southeast-2 | cn-north-1 |
eu-central-1 | eu-west-1 | sa-east-1 | us-east-1 | us-gov-west-1 | us-west-1 |
us-west-2 | GLOBAL
Example: "region": "us-east-1"
service
The subset of IP address ranges. Specify AMAZON to get all IP address ranges (for example, the
ranges in the EC2 subset are also in the AMAZON subset). Note that some IP address ranges are only
in the AMAZON subset.
Type: String
Valid values: AMAZON | EC2 | CLOUDFRONT | ROUTE53 | ROUTE53_HEALTHCHECKS
Example: "service": "AMAZON"
Filtering the JSON File
You can download a command line tool to help you filter the information to just what you are looking for.
Windows
The AWS Tools for Windows PowerShell includes a cmdlet, Get-AWSPublicIpAddressRange, to parse
this JSON file. The following examples demonstrate its use. For more information, see Querying the
Public IP Address Ranges for AWS.
Example 1. Get the creation date
PS C:\> Get-AWSPublicIpAddressRange -OutputPublicationDate
Thursday, February 18, 2016 5:22:15 PM
Example 2. Get the information for a specific region
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1

IpPrefix      Region    Service
--------      ------    -------
23.20.0.0/14  us-east-1 AMAZON
50.16.0.0/15  us-east-1 AMAZON
50.19.0.0/16  us-east-1 AMAZON
...
Example 3. Get all IP addresses
PS C:\> (Get-AWSPublicIpAddressRange).IpPrefix
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
Linux
The following example commands use the jq tool to parse a local copy of the JSON file.
Example 1. Get the creation date
$ jq .createDate < ipranges.json
"2016-02-18-17-22-15"
Example 2. Get the information for a specific region
$ jq '.prefixes[] | select(.region=="us-east-1")' < ipranges.json
{
  "ip_prefix": "23.20.0.0/14",
  "region": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.16.0.0/15",
  "region": "us-east-1",
  "service": "AMAZON"
},
{
  "ip_prefix": "50.19.0.0/16",
  "region": "us-east-1",
  "service": "AMAZON"
},
...
Example 3. Get all IP addresses
$ jq -r '.prefixes | .[].ip_prefix' < ipranges.json
23.20.0.0/14
27.0.0.0/22
43.250.192.0/24
...
AWS IP Address Ranges Notifications
Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the
AmazonIpSpaceChanged topic. The payload contains information in the following format:
{
  "create-time":"yyyy-mm-ddThh:mm:ss+00:00",
  "synctoken":"0123456789",
  "md5":"6a45316e8bc9463c9e926d5d37836d33",
  "url":"https://ip-ranges.amazonaws.com/ip-ranges.json"
}
create-time
The creation date and time.
Notifications could be delivered out of order. Therefore, we recommend that you check the timestamps
to ensure the correct order.
synctoken
The publication time, in Unix epoch time format.
md5
The cryptographic hash value of the ip-ranges.json file. You can use this value to check whether
the downloaded file is corrupted.
url
The location of the ip-ranges.json file.
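The Syntax, Filtering the JSON File and notification sections above describe three separate tasks on the same file: parse it, select prefixes by region or service (the jq and PowerShell examples), and decide whether a newly published copy differs from the one you saved. The following added example, which is not an AWS tool, does all three in one place on a local copy, plus the check a practitioner most often wants from this file: is a given address inside a published range. SAMPLE_IP_RANGES is a constructed document in the documented syntax; its us-east-1 prefixes are the ones shown on the page, and 203.0.113.0/24 is a reserved documentation range used only to give the sample a GLOBAL entry. The md5 check implements the notification field described above and, as the comment notes, detects corruption rather than tampering.

```python
"""Work with a local copy of ip-ranges.json: parse it, filter it the way the jq
and PowerShell examples above do, test an address against the published ranges,
detect a new publication by syncToken, and check a download against the md5
carried in an AmazonIpSpaceChanged notification. Added example, not an AWS tool.
SAMPLE_IP_RANGES is a constructed document in the documented syntax."""
import hashlib
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1416435608",
    "createDate": "2014-11-19-23-29-02",
    "prefixes": [
        {"ip_prefix": "23.20.0.0/14", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "23.20.0.0/14", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "50.16.0.0/15", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "27.0.0.0/22", "region": "ap-northeast-1", "service": "AMAZON"},
        # 203.0.113.0/24 is a documentation-only range, constructed for this sample.
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}, indent=2).encode("utf-8")

REQUIRED_FIELDS = ("syncToken", "createDate", "prefixes")


def load_ranges(raw):
    """Parse the JSON bytes and insist on the documented top-level fields."""
    doc = json.loads(raw.decode("utf-8"))
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"ip-ranges document is missing {missing}")
    return doc


def publication_time(doc):
    """syncToken is the publication time as Unix epoch seconds."""
    return int(doc["syncToken"])


def filter_prefixes(doc, region=None, service=None):
    """Same selection as jq '.prefixes[] | select(.region=="us-east-1")'."""
    return [
        p["ip_prefix"] for p in doc["prefixes"]
        if (region is None or p["region"] == region)
        and (service is None or p["service"] == service)
    ]


def is_published_address(doc, address, service="AMAZON"):
    """True if the address falls in a published prefix of the given subset.
    AMAZON is the superset of all ranges, so it is the right default for an
    allow-list; a narrower subset (EC2, CLOUDFRONT, ...) is stricter."""
    addr = ipaddress.ip_address(address)
    return any(
        addr in ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"] if p["service"] == service
    )


def has_newer_publication(saved_doc, current_doc):
    """Change detection as the page recommends: compare publication times."""
    return publication_time(current_doc) > publication_time(saved_doc)


def notification_md5(raw):
    """Hex md5 of the file bytes, the value a notification's md5 field carries."""
    return hashlib.md5(raw).hexdigest()


def download_matches_notification(raw, notified_md5):
    """The notification's md5 only detects a corrupted or truncated download;
    it is not an authenticity check. Trust in the content comes from fetching
    the file over TLS with certificate verification, as the Download section says."""
    return notification_md5(raw) == notified_md5.lower()


if __name__ == "__main__":
    doc = load_ranges(SAMPLE_IP_RANGES)
    print("published at", publication_time(doc))
    print("us-east-1 AMAZON:", filter_prefixes(doc, region="us-east-1", service="AMAZON"))
    print("23.21.5.5 published?", is_published_address(doc, "23.21.5.5"))
```

Keep the saved copy and the current copy as separate files and compare their syncToken values rather than diffing the prefix arrays: the token is the publication time the page tells you to compare, and it changes even when an edit only reorders entries.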
If you want to be notified whenever there is a change to the AWS IP address ranges, you can subscribe
as follows to receive notifications using Amazon SNS.
To subscribe to AWS IP address range notifications
1. Open the Amazon SNS console at https://console.amazonaws.cn/sns/.
2. In the navigation bar, change the region to US East (N. Virginia), if necessary. You must select this region because the SNS notifications that you are subscribing to were created in this region.
3. In the navigation pane, choose Subscriptions.
4. Choose Create Subscription.
5. In the Create Subscription dialog box, do the following:
   a. In TopicARN, enter the following Amazon Resource Name (ARN):
      arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
   b. In Protocol, select the protocol that you want. For example, select Email.
   c. In Endpoint, enter the endpoint to receive the notification. For example, enter an email address.
   d. Choose Subscribe.
6. You'll be contacted on the endpoint that you specified and asked to confirm your subscription. For example, if you specified an email address, you'll receive an email message with the subject line AWS Notification - Subscription Confirmation. Follow the directions to confirm your subscription.
Notifications are subject to the availability of the endpoint. Therefore, you might want to check the JSON
file periodically to ensure that you've got the latest ranges. For more information about Amazon SNS
reliability, see http://www.amazonaws.cn/sns/faqs/#Reliability.
If you no longer want to receive these notifications, use the following procedure to unsubscribe.
To unsubscribe from AWS IP address ranges notifications
1. Open the Amazon SNS console at https://console.amazonaws.cn/sns/.
2. In the navigation pane, choose Subscriptions.
3. Select the subscription and then choose Delete Subscriptions. When prompted for confirmation, choose Yes, Delete.
For more information about Amazon SNS, see the Amazon Simple Notification Service Developer Guide.
Error Retries and Exponential Backoff in AWS
Numerous components on a network, such as DNS servers, switches, load balancers, and others can
generate errors anywhere in the life of a given request. The usual technique for dealing with these error
responses in a networked environment is to implement retries in the client application. This technique
increases the reliability of the application and reduces operational costs for the developer.
Each AWS SDK implements automatic retry logic. The AWS SDK for Java automatically retries requests,
and you can configure the retry settings using the ClientConfiguration class. For example, in some
cases, such as a web page making a request with minimal latency and no retries, you might want to turn
off the retry logic. Use the ClientConfiguration class and provide a maxErrorRetry value of 0 to
turn off the retries.
If you're not using an AWS SDK, you should retry original requests that receive server (5xx) or throttling
errors. However, client errors (4xx) indicate you need to revise the request itself to correct the problem
before trying again.
In addition to simple retries, we recommend using an exponential backoff algorithm for better flow control.
The idea behind exponential backoff is to use progressively longer waits between retries for consecutive
error responses. You should implement a maximum delay interval, as well as a maximum number of
retries. The maximum delay interval and maximum number of retries are not necessarily fixed values,
and should be set based on the operation being performed, as well as other local factors, such as network
latency.
Most exponential backoff algorithms use jitter (randomized delay) to prevent successive collisions. Because
you aren't trying to avoid such collisions in these cases, you do not need to use this random number.
However, if you use concurrent clients, jitter can help your requests succeed faster. For more information,
see the blog post for Exponential Backoff and Jitter.
The following pseudo code shows one way to poll for a status using an incremental delay.
Do some asynchronous operation.
retries = 0
DO
    wait for (2^retries * 100) milliseconds
    status = Get the result of the asynchronous operation.
    IF status = SUCCESS
        retry = false
    ELSE IF status = NOT_READY
        retry = true
    ELSE IF status = THROTTLED
        retry = true
    ELSE
        Some other error occurred, so stop calling the API.
        retry = false
    END IF
    retries = retries + 1
WHILE (retry AND (retries < MAX_RETRIES))
The following code demonstrates how to implement this incremental delay in Java.
public enum Results {
    SUCCESS,
    NOT_READY,
    THROTTLED,
    SERVER_ERROR
}

/*
 * Performs an asynchronous operation, then polls for the result of the
 * operation using an incremental delay.
 *
 * MAX_WAIT_INTERVAL (the cap on a single wait, in milliseconds) and
 * MAX_RETRIES are constants you define for the operation; asyncOperation()
 * and getAsyncOperationResult() stand in for the service calls.
 */
public static void doOperationAndWaitForResult() {
    try {
        // Do some asynchronous operation.
        long token = asyncOperation();
        int retries = 0;
        boolean retry = false;
        do {
            // Cap the exponential wait so late retries do not sleep for minutes.
            long waitTime = Math.min(getWaitTimeExp(retries), MAX_WAIT_INTERVAL);
            System.out.print(waitTime + "\n");
            // Wait for the result.
            Thread.sleep(waitTime);
            // Get the result of the asynchronous operation.
            Results result = getAsyncOperationResult(token);
            if (Results.SUCCESS == result) {
                retry = false;
            } else if (Results.NOT_READY == result) {
                retry = true;
            } else if (Results.THROTTLED == result) {
                retry = true;
            } else if (Results.SERVER_ERROR == result) {
                retry = true;
            } else {
                // Some other error occurred, so stop calling the API.
                retry = false;
            }
        } while (retry && (retries++ < MAX_RETRIES));
    } catch (Exception ex) {
        // Thread.sleep can throw InterruptedException; log or rethrow it here
        // rather than silently discarding it as this sketch does.
    }
}

/*
 * Returns the next wait interval, in milliseconds, using an exponential
 * backoff algorithm.
 */
public static long getWaitTimeExp(int retryCount) {
    long waitTime = ((long) Math.pow(2, retryCount) * 100L);
    return waitTime;
}
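The Java above leaves the cap, the retry budget and the jitter the section recommends for concurrent clients to the reader. The following added example, which is not AWS SDK code, is a Python rendering of the same polling loop with all three in place: a capped exponential wait, a bounded number of polls, a non-retryable class of result for 4xx-style client errors, and optional "full jitter" (a uniform draw between zero and the capped wait, as described in the blog post the section cites). The cap and retry budget are example values, and the sleep function is injected so the loop can be exercised without real delays.

```python
"""Exponential backoff with a cap, a retry budget and optional jitter: a Python
rendering of the polling loop above. Added example, not AWS SDK code. The cap
and retry budget are example values (the page leaves MAX_WAIT_INTERVAL and
MAX_RETRIES to you); full jitter follows the blog post the section cites."""
import random
import time
from enum import Enum


class Result(Enum):
    SUCCESS = "SUCCESS"
    NOT_READY = "NOT_READY"
    THROTTLED = "THROTTLED"
    SERVER_ERROR = "SERVER_ERROR"    # 5xx: retry
    CLIENT_ERROR = "CLIENT_ERROR"    # 4xx: fix the request, do not retry


RETRYABLE = {Result.NOT_READY, Result.THROTTLED, Result.SERVER_ERROR}
BASE_MS = 100                      # first wait, as in the pseudo code (2^0 * 100)
MAX_WAIT_INTERVAL_MS = 20_000      # example cap on a single wait
MAX_RETRIES = 10                   # example budget: at most this many polls


def wait_time_exp(retries, base_ms=BASE_MS, cap_ms=MAX_WAIT_INTERVAL_MS):
    """Capped exponential wait in milliseconds: min(cap, base * 2^retries)."""
    return min(cap_ms, base_ms * (2 ** retries))


def wait_time_full_jitter(retries, rng=random, base_ms=BASE_MS, cap_ms=MAX_WAIT_INTERVAL_MS):
    """'Full jitter': uniform in [0, capped exponential]. Spreads concurrent
    clients that all failed at the same instant so they do not retry in lockstep."""
    return rng.uniform(0, wait_time_exp(retries, base_ms, cap_ms))


def poll_with_backoff(get_result, sleep_ms, max_retries=MAX_RETRIES, jitter=False, rng=random):
    """Poll get_result() until it returns SUCCESS, a non-retryable error, or
    max_retries polls have been made. Returns (last_result, waits_in_ms).
    sleep_ms is injected so the loop can be driven without real delays."""
    waits = []
    retries = 0
    while True:
        wait = wait_time_full_jitter(retries, rng) if jitter else wait_time_exp(retries)
        sleep_ms(wait)
        waits.append(wait)
        result = get_result()
        retries += 1
        if result not in RETRYABLE or retries >= max_retries:
            return result, waits


def real_sleep_ms(ms):
    time.sleep(ms / 1000.0)


if __name__ == "__main__":
    # Simulated service: two NOT_READY, one THROTTLED, then SUCCESS.
    script = iter([Result.NOT_READY, Result.NOT_READY, Result.THROTTLED, Result.SUCCESS])
    outcome, waits = poll_with_backoff(lambda: next(script), real_sleep_ms)
    print(outcome.name, waits)    # SUCCESS [100, 200, 400, 800]
```

A CLIENT_ERROR stops the loop after the first poll: as the section says, a 4xx means the request itself must be revised, and retrying it only burns the budget and adds load to a service that has already rejected it.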
AWS Command Line Tools
AWS Command Line Interface (AWS CLI)
Amazon Web Services (AWS) offers the AWS Command Line Interface (AWS CLI), a single tool for
controlling and managing multiple AWS services. To download the AWS CLI or to view the list of supported
services, see AWS Command Line Interface.
AWS also offers the AWS Tools for Windows PowerShell for those who script in the PowerShell
environment.
Previous AWS Command Line Interface Tools
The prior AWS CLI tools are still available. If you need the prior AWS CLI tools, see the following table, which provides links to the command line tools and their documentation.

Product | Download | Documentation
Auto Scaling | Download Page: Auto Scaling Command Line Tools | Auto Scaling Command Line Tools Quick Reference Card
AWS CloudFormation | Download Page: AWS CloudFormation Command Line Tools | AWS CloudFormation Command Line Tools Reference; AWS CloudFormation Command Line Tools Quick Reference Card
Amazon CloudSearch | Download Page: Amazon CloudSearch Command Line Tools for Windows; Download Page: Amazon CloudSearch Command Line Tools for Mac OS/Linux | Amazon CloudSearch Developer Guide
AWS Elastic Beanstalk | Download Page: AWS Elastic Beanstalk Command Line Tools | AWS Elastic Beanstalk Command Line Tools Reference
Amazon Elastic Compute Cloud | Download Page: Amazon EC2 API Command Line Tools; Download Page: Amazon EC2 AMI Command Line Tools | Amazon EC2 Command Line Tools Reference; Amazon EC2 Command Line Tools Quick Reference Card
Elastic Load Balancing | Download Page: Elastic Load Balancing Command Line Tools | Elastic Load Balancing Command Line Tools Quick Reference Card
Amazon Elastic MapReduce | Download Page: Amazon EMR Command Line Tools | Amazon EMR Command Line Tools Quick Reference Card
Amazon ElastiCache | Download Page: Amazon ElastiCache Command Line Tools | Amazon ElastiCache Command Line Tools Reference
AWS Identity and Access Management | The IAM command line tools package is deprecated. To perform IAM actions at the command line, use the AWS Command Line Interface. | AWS CLI User Guide; AWS Identity and Access Management from the AWS Command Line Interface; IAM reference in the AWS CLI
AWS Import/Export Disk | Download Page: Download the AWS Import/Export Disk Web Service Tool | What Is AWS Import/Export Disk?
Amazon Redshift | Download Page: AWS Command Line Interface | Amazon Redshift reference in the AWS CLI
Amazon Relational Database Service | Download Page: Amazon RDS Command Line Tools | Amazon RDS Command Line Tools Reference; Amazon RDS Command Line Tools Quick Reference Card
Amazon Simple Email Service | Download Page: Amazon SES Command Line Tools | Amazon SES Command Line Tools Documentation
Amazon Simple Notification Service | Download Page: Amazon SNS Command Line Tools | Amazon SNS Command Line Tools Reference
Amazon Virtual Private Cloud | Download Page: Amazon EC2 Command Line Tools | Amazon EC2 Command Line Tools Reference; Amazon VPC Command Line Tools Quick Reference Card
Document Conventions
This section lists the common typographical conventions for AWS technical publications.
Typographical Conventions
This section describes common typographical conventions.
Convention: (icon)
Description/Example: A visual reference to further discussion elsewhere

Convention: java -version
Description/Example: Inline code (including commands, constants, XML elements, logical values, operations, parameters, and regular expressions)

Convention:
# ls -l /var/www/html/index.html
-rw-rw-r-- 1 root root 1872 Jun 21 09:33 /var/www/html/index.html
# date
Wed Jun 21 09:33:42 EDT 2006
Description/Example: Blocks of sample code

Convention: (start | stride | edge)
Description/Example: Mutually exclusive options separated by vertical bars

Convention: [-n, -quiet]
Description/Example: Optional parameters
-or-
Convention: <CustomerId>[ID]</CustomerId>
Description/Example: XML replaceable text

Convention: Amazon Machine Image (AMI)
Description/Example: Important words or phrases
-or-
Convention: Amazon EC2 User Guide for Linux Instances
Description/Example: Technical publications

Convention: MyPassword
Description/Example: Text that the user types

Convention: On the File menu, choose Properties.
Description/Example: Console pages, menus, sections, or fields

Convention: For more information, see Document Conventions.
Description/Example: Link to other content

Convention: your-s3-bucket
Description/Example: Placeholder text for a required value
-or-
Convention: % ec2-register <your-s3-bucket>/image.manifest
-or-
Convention: <your-S3-bucket>

Convention: CTRL + ENTER
Description/Example: Key names and key sequences
Documentation History
This guide was last updated on 29 April 2016.
The following table describes the important changes since the last release of the Amazon Web Services
General Reference.
Change | Description | Release Date
Asia Pacific (Seoul) region | The AWS Regions and Endpoints (p. 2) topic has been updated to include information for the Asia Pacific (Seoul) region. | 6 January 2016
EU (Frankfurt) region | The AWS Regions and Endpoints (p. 2) topic has been updated to include information for the EU (Frankfurt) region. | 23 October 2014
South America (São Paulo) region | The AWS Regions and Endpoints (p. 2) topic has been updated to include information for the South America (São Paulo) region. | 14 December 2011
US West (N. California) region | The AWS Regions and Endpoints (p. 2) topic has been updated to include information for the US West (N. California) region. | 8 November 2011
AWS Command Line Tools | The AWS Command Line Tools (p. 147) topic has been added to provide links to the command line tools and their documentation for AWS products. | 26 July 2011
First release | This is the first release of the Amazon Web Services General Reference. | 2 March 2011
AWS Glossary
Numbers and Symbols (p. 153) | A (p. 153) | B (p. 163) | C (p. 164) | D (p. 168) | E (p. 170) | F (p. 172) | G (p. 173) | H (p. 173)
| I (p. 174) | J (p. 176) | K (p. 177) | L (p. 177) | M (p. 178) | N (p. 180) | O (p. 181) | P (p. 181) | Q (p. 183) | R (p. 184) | S (p. 186)
| T (p. 191) | U (p. 193) | V (p. 193) | W (p. 195) | X, Y, Z (p. 195)
Numbers and Symbols
100-continue
A method that enables a client to see if a server can accept a request before
actually sending it. For large PUT requests, this method can save both time and
bandwidth charges.
A
AAD
See additional authenticated data.
access control list (ACL)
A document that defines who can access a particular bucket or object. Each
bucket and object in Amazon S3 has an ACL. The document defines what each
type of user can do, such as write and read permissions.
access identifiers
See credentials.
access key
The combination of an access key ID (p. 153) (like AKIAIOSFODNN7EXAMPLE)
and a secret access key (p. 187) (like
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). You use access keys to
sign API requests that you make to AWS.
access key ID
A unique identifier that's associated with a secret access key (p. 187); the access
key ID and secret access key are used together to sign programmatic AWS
requests cryptographically.
access key rotation
A method to increase security by changing the AWS access key ID. This method
enables you to retire an old key at your discretion.
access policy language
A language for writing documents (that is, policies (p. 182)) that specify who can
access a particular AWS resource and under what conditions.
account
A formal relationship with AWS that is associated with (1) the owner email address
and password, (2) the control of resources created under its umbrella, and (3)
payment for the AWS activity related to those resources. The AWS account has
permission to do anything and everything with all the AWS account resources.
This is in contrast to a user (p. 193), which is an entity contained within the account.
account activity
A web page showing your month-to-date AWS usage and costs. The account
activity page is located at http://www.amazonaws.cn/account-activity/.
ACL
See access control list (ACL).
ACM
See AWS Certificate Manager (ACM).
action
An API function. Also called operation or call. The activity the principal (p. 182)
has permission to perform. The action is B in the statement "A has permission to
do B to C where D applies." For example, Jane sends a request to Amazon SQS
with Action=ReceiveMessage.
Amazon CloudWatch (p. 155): The response initiated by the change in an alarm's
state: for example, from OK to ALARM. The state change may be triggered by a
metric reaching the alarm threshold, or by a SetAlarmState request. Each alarm
can have one or more actions assigned to each state. Actions are performed once
each time the alarm changes to a state that has an action assigned, such as an
Amazon Simple Notification Service notification, an Auto Scaling policy execution
or an Amazon EC2 instance stop/terminate action.
active trusted signers
A list showing each of the trusted signers you've specified and the IDs of the
corresponding active key pairs that CloudFront is aware of. To be able to create
working signed URLs, a trusted signer must appear in this list with at least one
key pair ID.
additional authenticated data
Information that is checked for integrity but not encrypted, such as headers or
other contextual metadata.
administrative suspension
Auto Scaling might suspend processes for an Auto Scaling group (p. 159) that
repeatedly fails to launch instances. Auto Scaling groups that most commonly
experience administrative suspension have zero running instances, have been
trying to launch instances for more than 24 hours, and have not succeeded in
that time.
alarm
An item that watches a single metric over a specified time period, and triggers an
Amazon SNS topic (p. 192) or an Auto Scaling policy (p. 182) if the value of the
metric crosses a threshold value over a predetermined number of time periods.
allow
One of two possible outcomes (the other is deny (p. 169)) when an IAM access
policy (p. 182) is evaluated. When a user makes a request to AWS, AWS evaluates
the request based on all permissions that apply to the user and then returns either
allow or deny.
Amazon API Gateway
A fully managed service that makes it easy for developers to create, publish,
maintain, monitor, and secure APIs at any scale.
See Also http://www.amazonaws.cn/api-gateway.
Amazon AppStream
A web service for streaming existing Windows applications from the cloud to any
device.
See Also http://www.amazonaws.cn/appstream/.
Amazon CloudFront
An AWS content delivery service that helps you improve the performance,
reliability, and availability of your websites and applications.
See Also http://www.amazonaws.cn/cloudfront.
Amazon CloudSearch
A fully managed service in the AWS cloud that makes it easy to set up, manage,
and scale a search solution for your website or application.
Amazon CloudWatch
A web service that enables you to monitor and manage various metrics, and
configure alarm actions based on data from those metrics.
See Also http://www.amazonaws.cn/cloudwatch.
Amazon CloudWatch Events
A web service that enables you to deliver a timely stream of system events that
describe changes in AWS resources to AWS Lambda functions, streams in
Amazon Kinesis Streams, Amazon Simple Notification Service topics, or built-in
targets.
See Also http://www.amazonaws.cn/cloudwatch.
Amazon CloudWatch Logs
A web service for monitoring and troubleshooting your systems and applications
from your existing system, application, and custom log files. You can send your
existing log files to CloudWatch Logs and monitor these logs in near real-time.
See Also http://www.amazonaws.cn/cloudwatch.
Amazon Cognito
A web service that makes it easy to save mobile user data, such as app
preferences or game state, in the AWS cloud without writing any back-end code
or managing any infrastructure. Amazon Cognito offers mobile identity
management and data synchronization across devices.
See Also http://www.amazonaws.cn/cognito/.
Amazon DevPay
An easy-to-use online billing and account management service that makes it easy
for you to sell an Amazon EC2 AMI or an application built on Amazon S3.
See Also http://www.amazonaws.cn/devpay.
Amazon DynamoDB
A fully managed, fast and flexible NoSQL database service for all applications
that need consistent, single-digit millisecond latency at any scale. DynamoDB is
a cloud database that supports both document and key-value store models.
See Also http://www.amazonaws.cn/dynamodb/.
Amazon Elastic Block Store
(Amazon EBS)
A service that provides block level storage volumes for use with EC2 instances.
See Also http://www.amazonaws.cn/ebs.
Amazon EBS-backed AMI
Instances launched from this type of AMI use an Amazon EBS volume as their
root device. Compare this with instances launched from instance store-backed
AMIs, which use the instance store as the root device.
Amazon EC2 Container
Registry (Amazon ECR)
A fully managed Docker container registry that makes it easy for developers to
store, manage, and deploy Docker container images. Amazon ECR is integrated
with Amazon EC2 Container Service (Amazon ECS) (p. 155) and AWS Identity
and Access Management (IAM) (p. 161).
See Also http://www.amazonaws.cn/ecr.
Amazon EC2 Container Service
(Amazon ECS)
A highly scalable, fast, container (p. 166) management service that makes it easy
to run, stop, and manage Docker containers on a cluster (p. 165) of EC2
instance (p. 170)s.
See Also http://www.amazonaws.cn/ecs.
Amazon ECS service
Allows you to run and maintain a specified number of task (p. 192)s (instantiations
of a task definition (p. 192)) simultaneously.
Amazon EC2 VM Import
Connector
See http://www.amazonaws.cn/ec2/vm-import.
Amazon Elastic Compute Cloud
(Amazon EC2)
Amazon Elastic Compute Cloud. A web service that enables you to launch and
manage Linux/UNIX and Windows server instances in Amazon's data centers.
See Also http://www.amazonaws.cn/ec2.
Amazon Elastic File System
(Amazon EFS)
A file storage service for EC2 (p. 155) instances. Amazon EFS is easy to use and
provides a simple interface with which you can create and configure file systems.
Amazon EFS storage capacity grows and shrinks automatically as you add and
remove files.
See Also http://www.amazonaws.cn/efs/.
Amazon Elastic MapReduce
(Amazon EMR)
A web service that makes it easy to process large amounts of data efficiently.
Amazon EMR uses Hadoop processing combined with several AWS products to
do such tasks as web indexing, data mining, log file analysis, machine learning,
scientific simulation, and data warehousing.
See Also http://www.amazonaws.cn/elasticmapreduce.
Amazon Elastic Transcoder
A cloud-based media transcoding service. Elastic Transcoder is a highly scalable
tool for converting (or transcoding) media files from their source format into
versions that will play on devices like smartphones, tablets, and PCs.
See Also http://www.amazonaws.cn/elastictranscoder/.
Amazon ElastiCache
A web service that simplifies deploying, operating, and scaling an in-memory
cache in the cloud. The service improves the performance of web applications
by providing information retrieval from fast, managed, in-memory caches, instead
of relying entirely on slower disk-based databases.
See Also http://www.amazonaws.cn/elasticache/.
Amazon Elasticsearch Service
(Amazon ES)
A managed service for deploying, operating, and scaling Elasticsearch, an
open-source search and analytics engine.
See Also http://www.amazonaws.cn/elasticsearch-service.
Amazon GameLift
A managed service for deploying, operating, and scaling session-based multiplayer
games.
See Also http://www.amazonaws.cn/gamelift/.
Amazon Glacier
A secure, durable, and low-cost storage service for data archiving and long-term
backup. You can reliably store large or small amounts of data for significantly less
than on-premises solutions. Amazon Glacier is optimized for infrequently accessed
data, where a retrieval time of several hours is suitable.
See Also http://www.amazonaws.cn/glacier/.
Amazon Inspector
An automated security assessment service that helps improve the security and
compliance of applications deployed on AWS. Amazon Inspector automatically
assesses applications for vulnerabilities or deviations from best practices. After
performing an assessment, Amazon Inspector produces a detailed report with
prioritized steps for remediation.
See Also http://www.amazonaws.cn/inspector.
Amazon Kinesis
A platform for streaming data on AWS. Amazon Kinesis offers services that simplify
the loading and analysis of streaming data.
See Also http://www.amazonaws.cn/kinesis/.
Amazon Kinesis Firehose
A fully managed service for loading streaming data into AWS. Firehose can capture
and automatically load streaming data into Amazon S3 and Amazon Redshift,
enabling near real-time analytics with existing business intelligence tools and
dashboards. Firehose automatically scales to match the throughput of your data
and requires no ongoing administration. It can also batch, compress, and encrypt
the data before loading it.
See Also http://www.amazonaws.cn/kinesis/firehose/.
Amazon Kinesis Streams
A web service for building custom applications that process or analyze streaming
data for specialized needs. Amazon Kinesis Streams can continuously capture
and store terabytes of data per hour from hundreds of thousands of sources.
See Also http://www.amazonaws.cn/kinesis/streams/.
Amazon Lumberyard
A cross-platform, 3D game engine for creating high-quality games. You can
connect games to the compute and storage of the AWS cloud and engage fans
on Twitch.
See Also http://www.amazonaws.cn/lumberyard/.
Amazon Machine Image (AMI)
An encrypted machine image stored in Amazon Elastic Block Store (Amazon
EBS) (p. 155) or Amazon Simple Storage Service. AMIs are like a template of a
computer's root drive. They contain the operating system and can also include
software and layers of your application, such as database servers, middleware,
web servers, and so on.
Amazon Mobile Analytics
A service for collecting, visualizing, understanding, and extracting mobile app
usage data at scale.
See Also http://www.amazonaws.cn/mobileanalytics.
Amazon Redshift
A fully managed, petabyte-scale data warehouse service in the cloud. With Amazon
Redshift you can analyze your data using your existing business intelligence tools.
See Also http://www.amazonaws.cn/redshift/.
Amazon Relational Database
Service (Amazon RDS)
A web service that makes it easier to set up, operate, and scale a relational
database in the cloud. It provides cost-efficient, resizable capacity for an
industry-standard relational database and manages common database
administration tasks.
See Also http://www.amazonaws.cn/rds.
Amazon Resource Name (ARN)
A standardized way to refer to an AWS resource. For example:
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob.
Amazon Route 53
A web service you can use to create a new DNS service or to migrate your existing
DNS service to the cloud.
See Also http://www.amazonaws.cn/route53.
Amazon S3
See Amazon Simple Storage Service (Amazon S3).
Amazon S3-Backed AMI
See instance store-backed AMI.
Amazon Silk
A next-generation web browser available only on Fire OS tablets and phones.
Built on a split architecture that divides processing between the client and the
AWS cloud, Amazon Silk is designed to create a faster, more responsive mobile
browsing experience.
Amazon Simple Email Service
(Amazon SES)
An easy-to-use, cost-effective email solution for applications.
See Also http://www.amazonaws.cn/ses.
Amazon Simple Notification
Service (Amazon SNS)
A web service that enables applications, end-users, and devices to instantly send
and receive notifications from the cloud.
See Also http://www.amazonaws.cn/sns.
Amazon Simple Queue Service
(Amazon SQS)
Reliable and scalable hosted queues for storing messages as they travel between
computers.
See Also http://www.amazonaws.cn/sqs.
Amazon Simple Storage
Service (Amazon S3)
Storage for the internet. You can use it to store and retrieve any amount of data
at any time, from anywhere on the web.
See Also http://www.amazonaws.cn/s3.
Amazon Simple Workflow
Service (Amazon SWF)
A fully managed service that helps developers build, run, and scale background
jobs that have parallel or sequential steps. Amazon SWF is like a state tracker
and task coordinator in the cloud.
See Also http://www.amazonaws.cn/swf/.
Amazon SimpleDB
A highly-available, scalable, and flexible non-relational data store that enables
you to store and query data items using web service requests.
See Also http://www.amazonaws.cn/simpledb.
Amazon Virtual Private Cloud
(Amazon VPC)
A web service for provisioning a logically isolated section of the AWS cloud where
you can launch AWS resources in a virtual network that you define. You control
your virtual networking environment, including selection of your own IP address
range, creation of subnets, and configuration of route tables and network gateways.
See Also http://www.amazonaws.cn/vpc.
Amazon VPC
See Amazon Virtual Private Cloud (Amazon VPC).
Amazon Web Services (AWS)
An infrastructure web services platform in the cloud for companies of all sizes.
See Also http://www.amazonaws.cn/what-is-cloud-computing/.
Amazon WorkDocs
A managed, secure enterprise document storage and sharing service with
administrative controls and feedback capabilities.
See Also http://www.amazonaws.cn/workdocs/.
Amazon WorkMail
A managed, secure business email and calendar service with support for existing
desktop and mobile email clients.
See Also http://www.amazonaws.cn/workmail/.
Amazon WorkSpaces
A managed, secure desktop computing service for provisioning cloud-based
desktops and providing users access to documents, applications, and resources
from supported devices.
See Also http://www.amazonaws.cn/workspaces/.
Amazon WorkSpaces
Application Manager (Amazon
WAM)
A web service for deploying and managing applications for Amazon WorkSpaces.
Amazon WAM accelerates software deployment, upgrades, patching, and
retirement by packaging Microsoft Windows desktop applications into virtualized
application containers.
See Also http://www.amazonaws.cn/workspaces/applicationmanager.
AMI
See Amazon Machine Image (AMI).
analysis scheme
Amazon CloudSearch (p. 155): Language-specific text analysis options that are
applied to a text field to control stemming and configure stopwords and synonyms.
application
A logical collection of Elastic Beanstalk components, including environments,
versions, and environment configurations. An application is conceptually similar
to a folder.
In AWS CodeDeploy, a name that uniquely identifies the application to be
deployed. AWS CodeDeploy uses this name to ensure the correct combination
of revision, deployment configuration, and deployment group are referenced
during a deployment.
Application Billing
The location where your customers manage the Amazon DevPay products they've
purchased. This is the URL http://www.amazon.com/dp-applications.
application revision
In AWS CodeDeploy, an archive file containing source content—such as source
code, web pages, executable files, and deployment scripts—along with an
application specification file (p. 159). Revisions are stored in Amazon S3 buckets
or GitHub repositories. For Amazon S3, a revision is uniquely identified by its
Amazon S3 object key and its ETag, version, or both. For GitHub, a revision is
uniquely identified by its commit ID.
application specification file
Unique to AWS CodeDeploy, a YAML-formatted file used to map the source files
in an application revision to destinations on the instance; specify custom
permissions for deployed files; and specify scripts to be run on each instance at
various stages of the deployment process.
application version
A specific, labeled iteration of an application that represents a functionally
consistent set of deployable application code. A version points to an Amazon S3
object (a Java WAR file) that contains the application code.
AppSpec file
See application specification file.
ARN
See Amazon Resource Name (ARN).
artifact
In AWS CodePipeline, a copy of the files or changes that will be worked upon by
the pipeline.
asymmetric encryption
Encryption (p. 171) that uses both a public key and a private key.
asynchronous bounce
A type of bounce (p. 164) that occurs when a receiver (p. 184) initially accepts an
email message for delivery and then subsequently fails to deliver it.
attribute
Similar to a column on a spreadsheet, an attribute represents a data category. In
Amazon SimpleDB, an attribute has a name (such as color), which has a value
(such as blue) when applied to a data item.
authenticated encryption
Encryption (p. 171) that provides confidentiality, data integrity, and authenticity
assurances of the encrypted data.
authentication
The process of proving your identity to a system.
Auto Scaling
A web service designed to launch or terminate instance (p. 175)s automatically
based on user-defined policies, schedules, and health checks.
See Also http://www.amazonaws.cn/autoscaling.
Auto Scaling group
A representation of multiple Amazon Elastic Compute Cloud (Amazon EC2) (p. 155)
instance (p. 175)s that share similar characteristics, and that are treated as a logical
grouping for the purposes of instance scaling and management.
Availability Zone
A distinct location within a region (p. 185) that is insulated from failures in other
Availability Zones, and provides inexpensive, low-latency network connectivity to
other Availability Zones in the same region.
AWS
See Amazon Web Services (AWS).
AWS Billing and Cost
Management
The AWS cloud computing model in which you pay for services on demand and
use as much or as little at any given time as you need. While resources are active
under your account, you pay for the cost of allocating those resources and for
any incidental usage associated with those resources, such as data transfer or
allocated storage.
See Also http://www.amazonaws.cn/billing/new-user-faqs/.
AWS Certificate Manager
(ACM)
A web service for provisioning, managing, and deploying Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.
See Also http://www.amazonaws.cn/certificate-manager/.
AWS CloudFormation
A service for writing or changing templates that create and delete related AWS
resources together as a unit.
See Also http://www.amazonaws.cn/cloudformation.
AWS CloudHSM
A web service that helps you meet corporate, contractual, and regulatory
compliance requirements for data security by using dedicated hardware security
module (HSM) appliances within the AWS cloud.
See Also http://www.amazonaws.cn/cloudhsm/.
AWS CloudTrail
A web service that records AWS API calls for your account and delivers log files
to you. The recorded information includes the identity of the API caller, the time
of the API call, the source IP address of the API caller, the request parameters,
and the response elements returned by the AWS service.
See Also http://www.amazonaws.cn/cloudtrail/.
AWS CodeCommit
A fully managed source control service that makes it easy for companies to host
secure and highly scalable private Git repositories.
See Also http://www.amazonaws.cn/codecommit.
AWS CodeDeploy
A service that automates code deployments to any instance, including Amazon
EC2 instances and instances running on-premises.
See Also http://www.amazonaws.cn/codedeploy.
AWS CodeDeploy agent
A software package that, when installed and configured on an instance, enables
that instance to be used in AWS CodeDeploy deployments.
AWS CodePipeline
A continuous delivery service for fast and reliable application updates.
See Also http://www.amazonaws.cn/codepipeline.
AWS Command Line Interface
(AWS CLI)
A unified downloadable and configurable tool for managing AWS services. Control
multiple AWS services from the command line and automate them through scripts.
See Also http://www.amazonaws.cn/cli/.
AWS Config
A fully managed service that provides an AWS resource inventory, configuration
history, and configuration change notifications for better security and governance.
You can create rules that automatically check the configuration of AWS resources
that AWS Config records.
See Also http://www.amazonaws.cn/config/.
AWS Database Migration
Service
A web service that can help you migrate data to and from many widely used
commercial and open-source databases.
See Also http://www.amazonaws.cn/dms.
AWS Data Pipeline
A web service for processing and moving data between different AWS compute
and storage services, as well as on-premises data sources, at specified intervals.
See Also http://www.amazonaws.cn/datapipeline.
AWS Device Farm
An app testing service that allows developers to test Android, iOS, and Fire OS
devices on real, physical phones and tablets that are hosted by AWS.
See Also http://www.amazonaws.cn/device-farm.
AWS Direct Connect
A web service that simplifies establishing a dedicated network connection from
your premises to AWS. Using AWS Direct Connect, you can establish private
connectivity between AWS and your data center, office, or colocation environment.
See Also http://www.amazonaws.cn/directconnect.
AWS Directory Service
A managed service for connecting your AWS resources to an existing on-premises
Microsoft Active Directory or to set up and operate a new, standalone directory
in the AWS cloud.
See Also http://www.amazonaws.cn/directoryservice.
AWS Elastic Beanstalk
A web service for deploying and managing applications in the AWS cloud without
worrying about the infrastructure that runs those applications.
See Also http://www.amazonaws.cn/elasticbeanstalk.
AWS Identity and Access
Management (IAM)
A web service that enables Amazon Web Services (AWS) (p. 158) customers to
manage users and user permissions within AWS.
See Also http://www.amazonaws.cn/iam.
AWS Import/Export
A service for transferring large amounts of data between AWS and portable
storage devices.
See Also http://www.amazonaws.cn/importexport.
AWS IoT
A managed cloud platform that lets connected devices easily and securely interact
with cloud applications and other devices.
See Also http://www.amazonaws.cn/iot.
AWS Key Management Service
(AWS KMS)
A managed service that simplifies the creation and control of encryption (p. 171)
keys that are used to encrypt data.
See Also http://www.amazonaws.cn/kms.
AWS managed key
One of two types of customer master key (CMK) (p. 167)s in AWS Key Management
Service (AWS KMS) (p. 161).
AWS managed policy
An IAM (p. 161) managed policy (p. 178) that is created and managed by AWS.
AWS Lambda
A web service that lets you run code without provisioning or managing servers.
You can run code for virtually any type of application or back-end service with
zero administration. You can set up your code to automatically trigger from other
AWS services or call it directly from any web or mobile app.
See Also http://www.amazonaws.cn/lambda/.
AWS Management Console
A graphical interface to manage compute, storage, and other cloud resources.
See Also http://www.amazonaws.cn/console.
AWS Management Portal for
vCenter
A web service for managing your AWS resources using VMware vCenter. You
install the portal as a vCenter plug-in within your existing vCenter environment.
Once installed, you can migrate VMware VMs to Amazon EC2 and manage AWS
resources from within vCenter.
See Also http://www.amazonaws.cn/ec2/vcenter-portal/.
AWS Marketplace
A web portal where qualified partners market and sell their software to AWS
customers. AWS Marketplace is an online software store that helps customers
find, buy, and immediately start using the software and services that run on AWS.
See Also http://www.amazonaws.cn/partners/aws-marketplace/.
AWS Mobile Hub
An integrated console for building, testing, and monitoring mobile apps.
See Also http://www.amazonaws.cn/mobile.
AWS Mobile SDK
A software development kit whose libraries, code samples, and documentation
help you build high quality mobile apps for the iOS, Android, Fire OS, Unity, and
Xamarin platforms.
See Also http://www.amazonaws.cn/mobile/sdk.
AWS OpsWorks
A configuration management service that helps you use Chef to configure and
operate groups of instances and applications. You can define the application’s
architecture and the specification of each component including package installation,
software configuration, and resources such as storage. You can automate tasks
based on time, load, lifecycle events, and more.
See Also http://www.amazonaws.cn/opsworks/.
AWS SDK for Go
A software development kit for integrating your Go application with the full suite
of AWS services.
See Also http://www.amazonaws.cn/sdk-for-go/.
AWS SDK for Java
A software development kit that provides Java APIs for many AWS services
including Amazon S3, Amazon EC2, Amazon DynamoDB, and more. The single,
downloadable package includes the AWS Java library, code samples, and
documentation.
See Also http://www.amazonaws.cn/sdkforjava/.
AWS SDK for JavaScript in the
Browser
A software development kit for accessing AWS services from JavaScript code
running in the browser. Authenticate users through Facebook, Google, or Login
with Amazon using web identity federation. Store application data in Amazon
DynamoDB, and save user files to Amazon S3.
See Also http://www.amazonaws.cn/sdk-for-browser/.
AWS SDK for JavaScript in
Node.js
A software development kit for accessing AWS services from JavaScript in Node.js.
The SDK provides JavaScript objects for AWS services, including Amazon S3,
Amazon EC2, Amazon DynamoDB, and Amazon Simple Workflow Service
(Amazon SWF). The single, downloadable package includes the AWS JavaScript
library and documentation.
See Also http://www.amazonaws.cn/sdk-for-node-js/.
AWS SDK for .NET
A software development kit that provides .NET API actions for AWS services
including Amazon S3, Amazon EC2, Amazon DynamoDB, and more.
You can download the SDK as multiple service-specific packages on NuGet.
See Also http://www.amazonaws.cn/sdkfornet/.
AWS SDK for PHP
A software development kit and open-source PHP library for integrating your PHP
application with AWS services like Amazon S3, Amazon Glacier, and DynamoDB.
See Also http://www.amazonaws.cn/sdkforphp/.
AWS SDK for Python (Boto)
A software development kit for using Python to access AWS services like Amazon
EC2, Amazon Elastic MapReduce, Auto Scaling, Amazon Kinesis, AWS Lambda,
and more.
See Also http://boto.readthedocs.org/en/latest/.
AWS SDK for Ruby
A software development kit for accessing AWS services from Ruby. The SDK
provides Ruby classes for many AWS services including Amazon S3, Amazon
EC2, DynamoDB, and more. The single, downloadable package includes the
AWS Ruby Library and documentation.
See Also http://www.amazonaws.cn/sdkforruby/.
AWS Security Token Service
(AWS STS)
A web service for requesting temporary, limited-privilege credentials for AWS
Identity and Access Management (IAM) (p. 161) users or for users that you
authenticate (federated users (p. 172)).
See Also http://www.amazonaws.cn/iam/.
AWS Service Catalog
A web service that helps organizations create and manage catalogs of IT services
that are approved for use on AWS. These IT services can include everything from
virtual machine images, servers, software, and databases to complete multitier
application architectures.
See Also http://www.amazonaws.cn/servicecatalog/.
AWS Storage Gateway
A web service that connects an on-premises software appliance with cloud-based
storage to provide seamless and secure integration between an organization’s
on-premises IT environment and AWS’s storage infrastructure.
See Also http://www.amazonaws.cn/storagegateway/.
AWS Toolkit for Eclipse
An open-source plug-in for the Eclipse Java IDE that makes it easier for developers
to develop, debug, and deploy Java applications using Amazon Web Services.
See Also http://www.amazonaws.cn/eclipse/.
AWS Toolkit for Visual Studio
An extension for Microsoft Visual Studio that helps developers develop, debug,
and deploy .NET applications using Amazon Web Services.
See Also http://www.amazonaws.cn/visualstudio/.
AWS Tools for Windows PowerShell
A set of PowerShell cmdlets to help developers and administrators manage their
AWS services from the Windows PowerShell scripting environment.
See Also http://www.amazonaws.cn/powershell/.
AWS Trusted Advisor
A web service that inspects your AWS environment and makes recommendations
for saving money, improving system availability and performance, and helping to
close security gaps.
See Also http://www.amazonaws.cn/support/trustedadvisor/.
AWS VPN CloudHub
Enables secure communication between branch offices using a simple
hub-and-spoke model, with or without a VPC.
AWS WAF
A web application firewall service that controls access to content by allowing or
blocking web requests based on criteria that you specify, such as header values
or the IP addresses that the requests originate from. AWS WAF helps protect
web applications from common web exploits that could affect application
availability, compromise security, or consume excessive resources.
See Also http://www.amazonaws.cn/waf/.
B
basic monitoring
Monitoring of AWS-provided metrics derived at a 5-minute frequency.
batch
See document batch.
BGP ASN
Border Gateway Protocol Autonomous System Number. A unique identifier for a
network, for use in BGP routing. Amazon EC2 supports all 2-byte ASN numbers
in the range of 1 - 65334, with the exception of 7224, which is reserved.
billing
See AWS Billing and Cost Management.
blacklist
A list of IP addresses, email addresses, or domains that an Internet Service
Provider (p. 175) suspects to be the source of spam (p. 189). The ISP blocks
incoming emails from these addresses or domains.
block
A data set. Amazon EMR breaks large amounts of data into subsets. Each subset
is called a data block. Amazon EMR assigns an ID to each block and uses a hash
table to keep track of block processing.
block device
A storage device that supports reading and (optionally) writing data in fixed-size
blocks, sectors, or clusters.
block device mapping
A mapping structure for every AMI and instance that specifies the block devices
attached to the instance.
bootstrap action
A user-specified default or custom action that runs a script or an application on
all nodes of a job flow before Hadoop starts.
Border Gateway Protocol Autonomous System Number
See BGP ASN.
bounce
A failed email delivery attempt.
breach
The condition in which a user-set threshold (upper or lower boundary) is passed.
If the duration of the breach is significant, as set by a breach duration parameter,
it can possibly start a scaling activity (p. 187).
bucket
A container for objects stored in Amazon S3. Every object is contained in a bucket.
For example, if the object named photos/puppy.jpg is stored in the johnsmith
bucket, then authorized users can access the object with the URL
http://johnsmith.s3.amazonaws.com/photos/puppy.jpg.
bucket owner
Just as Amazon is the only owner of the domain name Amazon.com, only one
person or organization can own a bucket in Amazon S3.
bundling
A commonly used term for creating an Amazon Machine Image (AMI) (p. 157). It
specifically refers to creating instance store-backed AMIs.
C
cache cluster
A logical cache distributed over multiple cache node (p. 164)s. A cache cluster
can be set up with a specific number of cache nodes.
cache cluster identifier
Customer-supplied identifier for the cache cluster that must be unique for that
customer in an AWS region.
cache engine version
The version of the Memcached service that is running on the cache node.
cache node
A fixed-size chunk of secure, network-attached RAM. Each cache node runs an
instance of the Memcached service, and has its own DNS name and port. Multiple
types of cache nodes are supported, each with varying amounts of associated
memory.
cache node type
EC2 instance type used to run the cache node.
cache parameter group
A container for cache engine parameter values that can be applied to one or more
cache clusters.
cache security group
A group maintained by ElastiCache that combines ingress authorizations to cache
nodes for hosts belonging to Amazon EC2 security groups specified through the
console or the API or command line tools.
canned access policy
A standard access control policy that you can apply to a bucket or object. Options
include: private, public-read, public-read-write, and authenticated-read.
canonicalization
The process of converting data into a standard format that a service such as
Amazon S3 can recognize.
capacity
Each Auto Scaling group (p. 159) is defined with a minimum and maximum compute
size. The amount of available compute size at any time is the current capacity.
A scaling activity (p. 187) increases or decreases the capacity—within the defined
minimum and maximum values.
Cascading
Cascading is an open-source Java library that provides a query API, a query
planner, and a job scheduler for creating and running Hadoop MapReduce
applications. Applications developed with Cascading are compiled and packaged
into standard Hadoop-compatible JAR files similar to other native Hadoop
applications.
certificate
A credential that some AWS products use to authenticate AWS account (p. 153)s
and users. Also known as an X.509 certificate (p. 195). The certificate is paired
with a private key.
chargeable resources
Features or services whose use incurs fees. Although some AWS products are
free, others include charges. For example, in an AWS CloudFormation
stack (p. 190), AWS resources that have been created incur charges. The amount
charged depends on the usage load. Use the Amazon Web Services Simple
Monthly Calculator at http://calculator.s3.amazonaws.com/calc5.html to estimate
your cost prior to creating instances, stacks, or other resources.
CIDR block
Classless Inter-Domain Routing. An Internet protocol address allocation and route
aggregation methodology.
See Also http://en.wikipedia.org/wiki/CIDR_notation.
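The two ideas in the CIDR definition, address allocation (a prefix length fixing the size and bounds of a block) and route aggregation (collapsing adjacent blocks into one prefix), can be worked through with the Python standard library. This is an added example, not part of the AWS General Reference; the block ranges are constructed sample values, and the overlap check is included because overlapping VPC or subnet ranges are a common configuration error worth catching before resources are created.

```python
import ipaddress
from itertools import combinations


def address_in_block(address, cidr):
    """True if the address lies inside the CIDR block (e.g. 10.0.1.7 in 10.0.0.0/16)."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def block_summary(cidr):
    """Netmask, first/last address and size implied by the prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
    }


def aggregate_routes(cidrs):
    """Route aggregation: collapse adjacent and contained blocks into the fewest prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overlapping_blocks(cidrs):
    """Pairs of blocks that overlap each other.

    Overlapping VPC or subnet ranges break routing and peering, so this is the
    check to run over a planned address allocation before creating resources.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [
        (str(a), str(b))
        for a, b in combinations(nets, 2)
        if a.version == b.version and a.overlaps(b)
    ]


if __name__ == "__main__":
    # Constructed sample allocation: two /24s plus a /25 already inside one of them.
    plan = ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25"]
    print(aggregate_routes(plan))          # ['10.0.0.0/23']
    print(overlapping_blocks(plan))        # [('10.0.0.0/24', '10.0.0.128/25')]
    print(block_summary("10.0.0.0/16"))
```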
ciphertext
Information that has been encrypted (p. 171), as opposed to plaintext (p. 182), which
is information that has not.
ClassicLink
A feature that allows you to link an EC2-Classic instance to a VPC, allowing your
EC2-Classic instance to communicate with VPC instances using private IP
addresses.
See Also link to VPC, unlink from VPC.
CloudHub
See AWS VPN CloudHub.
CLI
See AWS Command Line Interface (AWS CLI).
cluster
A logical grouping of container instance (p. 166)s that you can place task (p. 192)s
on.
cluster compute instance
A type of instance (p. 175) that provides a great amount of CPU power coupled
with increased networking performance, making it well suited for High Performance
Compute (HPC) applications and other demanding network-bound applications.
cluster placement group
A logical cluster compute instance (p. 165) grouping to provide lower latency and
high-bandwidth connectivity between the instances.
cluster status
Amazon Elasticsearch Service (Amazon ES) (p. 156): An indicator of the health
of a cluster. A status can be green, yellow, or red. At the shard level, green means
that all shards are allocated to nodes in a cluster, yellow means that the primary
shard is allocated but the replica shards are not, and red means that the primary
and replica shards of at least one index are not allocated. The shard status
determines the index status, and the index status determines the cluster status.
CMK
See customer master key (CMK).
CNAME
Canonical Name Record. A type of resource record in the Domain Name System
(DNS) that specifies that the domain name is an alias of another, canonical domain
name. More simply, it is an entry in a DNS table that lets you alias one fully
qualified domain name to another.
complaint
The event in which a recipient (p. 184) who does not want to receive an email
message clicks "Mark as Spam" within the email client, and the Internet Service
Provider (p. 175) sends a notification to Amazon SES.
compound query
Amazon CloudSearch (p. 155): A search request that specifies multiple search
criteria using the Amazon CloudSearch structured search syntax.
condition
Any restriction or detail about a permission. The condition is D in the statement
"A has permission to do B to C where D applies."
AWS WAF (p. 163): A set of attributes that AWS WAF searches for in web requests
to AWS resources such as Amazon CloudFront distributions. Conditions can
include values such as the IP addresses that web requests originate from or
values in request headers. Based on the specified conditions, you can configure
AWS WAF to allow or block web requests to AWS resources such as Amazon
CloudFront distributions.
conditional parameter
See mapping.
configuration API
Amazon CloudSearch (p. 155): The API call that you use to create, configure, and
manage search domains.
configuration template
A series of key–value pairs that define parameters for various AWS products so
that Elastic Beanstalk can provision them for an environment.
consistency model
The method a service uses to achieve high availability. For example, it could
involve replicating data across multiple servers in a data center.
See Also eventual consistency.
consistent read
When data is written or updated successfully, all copies of the data are updated
in all AWS regions. However, it takes time for the data to propagate to all storage
locations. A consistent read returns a result that reflects any writes that received
a successful response before the read request—regardless of the region. By
contrast, an eventually consistent read returns data from only one region and
might not show the most recent write information.
See Also eventual consistency.
console
See AWS Management Console.
consolidated billing
A feature of the AWS Billing and Cost Management (p. 159) service for
consolidating payment for multiple AWS accounts within your company by
designating a single paying account. You can see a combined view of AWS costs
incurred by all accounts, as well as obtain a detailed cost report for each of the
individual AWS accounts associated with your paying account. Consolidated
billing is offered at no additional charge.
container
A Linux container that was created from a Docker image as part of a task (p. 192).
container definition
Specifies which Docker image (p. 169) to use for a container (p. 166), how much
CPU and memory the container is allocated, and more options. The container
definition is included as part of a task definition (p. 192).
container instance
An EC2 instance (p. 170) that is running the Amazon EC2 Container Service
(Amazon ECS) (p. 155) agent and has been registered into a cluster (p. 165).
Amazon ECS task (p. 192)s are placed on active container instances.
container registry
Stores, manages, and deploys Docker image (p. 169)s.
continuous delivery
A software development practice in which code changes are automatically built,
tested, and prepared for a release to production.
See Also http://www.amazonaws.cn/devops/continuous-delivery/.
continuous integration
A software development practice in which developers regularly merge code
changes into a central repository, after which automated builds and tests are run.
See Also http://www.amazonaws.cn/devops/continuous-integration/.
cooldown period
Amount of time during which Auto Scaling does not allow the desired size of the
Auto Scaling group (p. 159) to be changed by any other notification from a
CloudWatch alarm (p. 154).
core node
An EC2 instance (p. 170) that runs Hadoop map and reduce tasks and stores data
using the Hadoop Distributed File System (HDFS). Core nodes are managed by
the master node (p. 179), which assigns Hadoop tasks to nodes and monitors their
status. The EC2 instances you assign as core nodes are capacity that must be
allotted for the entire job flow run. Because core nodes store data, you can't
remove them from a job flow. However, you can add more core nodes to a running
job flow.
Core nodes run both the DataNodes and TaskTracker Hadoop daemons.
corpus
Amazon CloudSearch (p. 155): A collection of data that you want to search.
credential helper
In AWS CodeCommit, a program that stores credentials for repositories and
supplies them to Git when making connections to those repositories. The AWS
CLI includes a credential helper you can use with Git when connecting to AWS
CodeCommit repositories.
credentials
Also called access credentials or security credentials. In authentication and
authorization, a system uses credentials to identify who is making a call and
whether to allow the requested access. In AWS, these credentials are typically
the access key ID (p. 153) and the secret access key (p. 187).
cross-account access
The process of permitting limited, controlled use of resources in one AWS
account (p. 153) by a user in another AWS account. For example, in AWS
CodeCommit (p. 160) and AWS CodeDeploy (p. 160) you can configure
cross-account access so that a user in AWS account A can access an AWS
CodeCommit repository created by account B. Or a pipeline in AWS CodePipeline
created by account A can use AWS CodeDeploy resources created by account
B. In IAM (p. 161) you use a role (p. 186) to delegate (p. 169) temporary access to
a user (p. 193) in one account to resources in another.
customer gateway
A router or software application on your side of a VPN tunnel that is managed by
Amazon VPC. The internal interfaces of the customer gateway are attached to
one or more devices in your home network. The external interface is attached to
the VPG (p. 194) across the VPN tunnel.
customer managed policy
An IAM (p. 161) managed policy (p. 178) that you create and manage in your AWS
account (p. 153).
customer master key (CMK)
The fundamental resource that AWS Key Management Service (AWS KMS) (p. 161)
manages. CMKs can be either customer-managed keys or AWS-managed keys.
Use CMKs inside AWS KMS to encrypt (p. 171) or decrypt up to 4 kilobytes of data
directly or to encrypt generated data keys, which are then used to encrypt or
decrypt larger amounts of data outside of the service.
D
dashboard
See service health dashboard.
data source
The database, file, or repository that provides information required by an
application or database. For example, in AWS OpsWorks, valid data sources
include an instance for a stack’s MySQL layer or a stack’s Amazon RDS (p. 157)
service layer. In Amazon Redshift, valid data sources include text files in an
Amazon Simple Storage Service (Amazon S3) (p. 157) bucket, in an Amazon Elastic
MapReduce (Amazon EMR) (p. 156) cluster, or on a remote host that a cluster can
access through an SSH connection.
See Also datasource.
database engine
The database software and version running on the DB instance (p. 168).
database name
The name of a database hosted in a DB instance (p. 168). A DB instance can host
multiple databases, but databases hosted by the same DB instance must each
have a unique name within that instance.
datasource
In Amazon Machine Learning (Amazon ML), an object that contains metadata
about the input data. Amazon ML reads the input data, computes descriptive
statistics on its attributes, and stores the statistics—along with a schema and
other information—as part of the datasource object. Amazon ML uses datasources
to train and evaluate a machine learning model and generate batch predictions.
See Also data source.
DB compute class
Size of the database compute platform used to run the instance.
DB instance
An isolated database environment running in the cloud. A DB instance can contain
multiple user-created databases.
DB instance identifier
User-supplied identifier for the DB instance. The identifier must be unique for that
user in an AWS region (p. 185).
DB parameter group
A container for database engine parameter values that apply to one or more DB
instance (p. 168)s.
DB security group
A method that controls access to the DB instance (p. 168). By default, network
access is turned off to DB instances. After ingress is configured for a security
group, the same rules apply to all DB instances associated with that group.
DB snapshot
A user-initiated point-in-time backup of a DB instance.
Dedicated Host
A physical server with EC2 instance capacity fully dedicated to a user.
Dedicated Instance
An instance that is physically isolated at the host hardware level and launched
within a VPC.
dedicated master node
Amazon Elasticsearch Service (Amazon ES) (p. 156): A node that performs cluster
management tasks, but does not hold data or respond to data upload requests.
Dedicated Reserved Instance
An option you purchase to guarantee that sufficient capacity will be available to
launch Dedicated Instances into a VPC.
delegation
Within a single AWS account (p. 153): Giving AWS user (p. 193)s access to
resources in your AWS account.
Between two AWS accounts: Setting up a trust between the account that owns
the resource (the trusting account), and the account that contains the users that
need to access the resource (the trusted account).
See Also trust policy.
delete marker
An object with a key and version ID, but without content. Amazon S3 inserts delete
markers automatically into versioned buckets when an object is deleted.
deliverability
The likelihood that an email message will arrive at its intended destination.
deliveries
The number of emails, sent through Amazon SES, that were accepted by an
Internet Service Provider (p. 175) for delivery to recipient (p. 184)s over a period of
time.
deny
The result of a policy (p. 182) statement that includes deny as the effect, so that
a specific action or actions are expressly forbidden for a user, group, or role.
An explicit deny takes precedence over an explicit allow (p. 154).
deployment configuration
In AWS CodeDeploy, a set of deployment rules and success and failure conditions
used by the service during a deployment.
deployment group
In AWS CodeDeploy, a set of individually tagged instances, Amazon EC2 instances
in Auto Scaling groups, or both.
detailed monitoring
Monitoring of AWS-provided metrics derived at a 1-minute frequency.
Description property
A property added to parameters, resources, resource properties, mappings, and
outputs, to help you to document AWS CloudFormation template elements.
dimension
A name/value pair (for example, InstanceType=m1.small, or EngineName=mysql),
that contains additional information to identify a metric.
discussion forums
A place where AWS users can post technical questions and feedback to help
accelerate their development efforts and to engage with the AWS community.
The discussion forums are located at http://www.amazonaws.cn/forums/.
distributed cache
A Hadoop feature that allows you to transfer files from a distributed file system to
the local file system. It can distribute data and text files as well as more complex
types such as archives and JARs.
distribution
A link between an origin server (such as an Amazon S3 bucket) and a domain
name, which CloudFront automatically assigns. Through this link, CloudFront
identifies the object you have stored in your origin server (p. 181).
DKIM
DomainKeys Identified Mail. A standard that email senders use to sign their
messages. ISPs use those signatures to verify that messages are legitimate. For
more information, see http://www.dkim.org.
DNS
See Domain Name System (DNS).
Docker image
A layered file system template that is the basis of a Docker container (p. 166).
Docker images can comprise specific operating systems or applications.
document
Amazon CloudSearch (p. 155): An item that can be returned as a search result.
Each document has a collection of fields that contain the data that can be searched
or returned. The value of a field can be either a string or a number. Each document
must have a unique ID and at least one field.
document batch
Amazon CloudSearch (p. 155): A collection of add and delete document operations.
You use the document service API to submit batches to update the data in your
search domain.
document service API
Amazon CloudSearch (p. 155): The API call that you use to submit document
batches to update the data in a search domain.
document service endpoint
Amazon CloudSearch (p. 155): The URL that you connect to when sending
document updates to an Amazon CloudSearch domain. Each search domain has
a unique document service endpoint that remains the same for the life of the
domain.
domain
All Amazon SimpleDB information is stored in domains. Domains are like tables
that contain similar data. You can execute queries against a domain, but cannot
execute joins between domains.
See Also search domain.
Domain Name System (DNS)
A distributed naming system that associates network information with
human-readable domain names on the Internet.
Donation button
An HTML-coded button to provide an easy and secure way for US-based,
IRS-certified 501(c)3 nonprofit organizations to solicit donations.
E
EBS
See Amazon Elastic Block Store (Amazon EBS).
EC2
See Amazon Elastic Compute Cloud (Amazon EC2).
EC2 compute unit
An AWS standard for compute CPU and memory. This measure enables you to
evaluate the CPU capacity of different EC2 instance types.
EC2 instance
In Amazon EC2, this is simply an instance (p. 175). Other AWS services use the
term EC2 instance to distinguish these instances from other types of instances
they support.
ECR
See Amazon EC2 Container Registry (Amazon ECR).
ECS
See Amazon EC2 Container Service (Amazon ECS).
edge location
A site that CloudFront uses to cache copies of your content for faster delivery to
users at any location.
EFS
See Amazon Elastic File System (Amazon EFS).
Elastic Block Store
See Amazon Elastic Block Store (Amazon EBS).
Elastic IP address
A fixed (static) IP address that you have allocated in Amazon EC2 or Amazon
VPC and then attached to an instance. Elastic IP addresses are associated with
your account, not a specific instance. They are elastic because you can easily
allocate, attach, detach, and free them as your needs change. Unlike traditional
static IP addresses, Elastic IP addresses allow you to mask instance or Availability
Zone failures by rapidly remapping your public IP addresses to another instance.
Elastic Load Balancing
A web service that improves an application's availability by distributing incoming
traffic between two or more EC2 instance (p. 170)s.
See Also http://www.amazonaws.cn/elasticloadbalancing.
elastic network interface
An additional network interface that can be attached to an instance (p. 175). ENIs
include a primary private IP address, one or more secondary private IP addresses,
an elastic IP address (optional), a MAC address, membership in specified security
groups, a description, and a source/destination check flag. You can create an
ENI, attach it to an instance, detach it from an instance, and attach it to another
instance.
EMR
See Amazon Elastic MapReduce (Amazon EMR).
encrypt
To use a mathematical algorithm to make data unintelligible to unauthorized
user (p. 193)s while allowing authorized users a method (such as a key or
password) to convert the altered data back to its original state.
encryption context
A set of key–value pairs that contains additional information associated with AWS
Key Management Service (AWS KMS) (p. 161)–encrypted information.
endpoint
A URL that identifies a host and port as the entry point for a web service. Every
web service request contains an endpoint. Most AWS products provide regional
endpoints to enable faster connectivity. For more information, see Regions and
Endpoints in the Amazon Web Services General Reference.
Amazon ElastiCache (p. 156): The DNS name of a cache node (p. 164).
Amazon RDS (p. 157): The DNS name of a DB instance (p. 168).
AWS CloudFormation (p. 160): The DNS name or IP address of the server that
receives an HTTP request.
endpoint port
Amazon ElastiCache (p. 156): The port number used by a cache node (p. 164).
Amazon RDS (p. 157): The port number used by a DB instance (p. 168).
envelope encryption
The use of a master key and a data key to algorithmically protect data. The master
key is used to encrypt and decrypt the data key and the data key is used to encrypt
and decrypt the data itself.
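The customer master key (CMK) entry above gives the size limit that makes envelope encryption necessary (a CMK encrypts at most 4 kilobytes directly), and this entry gives the two-key structure. The following is an added example, not code from the AWS General Reference or from AWS KMS: ToyKms is a hypothetical stand-in for the key service, and _seal/_open are a stand-in authenticated cipher built from the standard library (HMAC-SHA256 keystream, encrypt-then-MAC) in place of AES-GCM, so the example runs offline. What it shows is the flow: the data key encrypts the payload of any size, only the wrapped data key and ciphertext are stored, the master key never leaves the key service, and any modification of the stored ciphertext is rejected before decryption.

```python
import hashlib
import hmac
import secrets

# From the CMK entry: a CMK encrypts at most 4 KB directly; larger data uses data keys.
KMS_DIRECT_LIMIT = 4 * 1024


def _derive(master_key, label):
    # Separate sub-keys for the keystream and the tag, derived from one 32-byte key.
    return hashlib.sha256(label + master_key).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for a real block-cipher mode.
    blocks = [
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(length // 32 + 1)
    ]
    return b"".join(blocks)[:length]


def _seal(key, plaintext):
    """Toy authenticated encryption (encrypt-then-MAC) standing in for AES-GCM.

    Layout of the result: 16-byte nonce || ciphertext || 32-byte HMAC tag.
    """
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key, blob):
    """Check the tag before touching the ciphertext; any change raises ValueError."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class ToyKms:
    """Hypothetical stand-in for AWS KMS: master keys never leave this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "cmk-" + secrets.token_hex(8)  # constructed identifier format
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        # Mirrors the 4 KB direct-encryption limit from the CMK definition.
        if len(plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("direct CMK encryption is limited to 4 KB; use a data key")
        return _seal(self._cmks[key_id], plaintext)

    def decrypt(self, key_id, blob):
        return _open(self._cmks[key_id], blob)

    def generate_data_key(self, key_id):
        # Returns the plaintext data key and the same key encrypted under the CMK.
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(key_id, data_key)


def envelope_encrypt(kms, key_id, data):
    """Encrypt data of any size: the data key protects the data, the CMK protects the data key."""
    data_key, wrapped_key = kms.generate_data_key(key_id)
    ciphertext = _seal(data_key, data)
    return wrapped_key, ciphertext  # store both; the plaintext data key is discarded


def envelope_decrypt(kms, key_id, wrapped_key, ciphertext):
    data_key = kms.decrypt(key_id, wrapped_key)  # only the key service can unwrap it
    return _open(data_key, ciphertext)
```

In a real deployment the wrapped data key is stored next to the ciphertext (for example as object metadata), and decryption requires a KMS Decrypt call, which is what makes key usage auditable and revocable.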
environment
A specific running instance of an application (p. 158). The application has a CNAME
and includes an application version and a customizable configuration (which is
inherited from the default container type).
environment configuration
A collection of parameters and settings that define how an environment and its
associated resources behave.
ephemeral store
See instance store.
epoch
The date from which time is measured. For most Unix environments, the epoch
is January 1, 1970.
eventual consistency
The method through which AWS products achieve high availability, which involves
replicating data across multiple servers in Amazon's data centers. When data is
written or updated and "Success" is returned, all copies of the data are updated.
However, it takes time for the data to propagate to all storage locations. The data
will eventually be consistent, but an immediate read might not show the change.
Consistency is usually reached within seconds, but a high system load might
increase this time.
eventually consistent read
See consistent read.
eviction
An eviction occurs when CloudFront deletes an object from an edge
location (p. 170) before its expiration time. If an object in an edge location isn't
frequently requested, CloudFront might evict the object (remove the object before
its expiration date) to make room for objects that are more popular.
exbibyte
A contraction of exa binary byte, an exbibyte is 2^60 or 1,152,921,504,606,846,976
bytes. An exabyte (EB) is 10^18 or 1,000,000,000,000,000,000 bytes. 1,024 EiB
is a zebibyte (p. 195).
expiration
Expiration occurs when CloudFront stops serving an object from an edge
location (p. 170). The next time the edge location needs to serve that object,
CloudFront gets a new copy from the origin server (p. 181).
explicit launch permission
An Amazon Machine Image (AMI) (p. 157) launch permission granted to a specific
AWS account (p. 153).
exponential backoff
A strategy that incrementally increases the wait between retry attempts in order
to reduce the load on the system and increase the likelihood that repeated requests
will succeed. For example, client applications might wait up to 400 milliseconds
before attempting the first retry, up to 1600 milliseconds before the second, up
to 6400 milliseconds (6.4 seconds) before the third, and so on.
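The 400, 1600, 6400 millisecond sequence above is a base delay of 400 ms multiplied by 4 on each retry. The retry wrapper below is an added example, not code from the AWS General Reference or an AWS SDK; Throttled and flaky_operation are constructed stand-ins for a throttling response and a service call. It goes slightly beyond the entry by adding a cap on the delay and optional "full jitter" (a uniform draw in [0, delay]), both standard refinements that stop a large fleet of clients from retrying in lockstep after the same failure. The sleep function is injectable so the behaviour can be checked without waiting.

```python
import random
import time


class Throttled(Exception):
    """Constructed stand-in for a throttling or transient-error response."""


def backoff_delay_ms(retry_number, base_ms=400, factor=4, cap_ms=20000, rng=None):
    """Delay before retry number N (1-based): base_ms * factor**(N-1), capped at cap_ms.

    base_ms=400 and factor=4 reproduce the glossary's 400, 1600, 6400 ms sequence.
    If rng is supplied, full jitter draws a uniform value in [0, delay] so that many
    clients retrying after the same failure do not all return at once.
    """
    delay = min(cap_ms, base_ms * factor ** (retry_number - 1))
    return rng.uniform(0, delay) if rng is not None else delay


def call_with_backoff(operation, max_attempts=5, sleep=time.sleep, **delay_kwargs):
    """Call operation(); on Throttled, wait with exponential backoff and try again.

    Returns (result, waits_ms). The final failure is re-raised so the caller sees it
    rather than a silent None. `sleep` is injectable for tests.
    """
    waits_ms = []
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), waits_ms
        except Throttled:
            if attempt == max_attempts:
                raise
            delay = backoff_delay_ms(attempt, **delay_kwargs)
            waits_ms.append(delay)
            sleep(delay / 1000.0)


def flaky_operation(failures_before_success):
    """Constructed operation that raises Throttled on its first N calls, then succeeds."""
    state = {"calls": 0}

    def operation():
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise Throttled("rate exceeded")
        return "ok"

    return operation


if __name__ == "__main__":
    result, waits = call_with_backoff(flaky_operation(3), sleep=lambda seconds: None)
    print(result, waits)  # ok [400, 1600, 6400]
```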
expression
Amazon CloudSearch (p. 155): A numeric expression that you can use to control
how search hits are sorted. You can construct Amazon CloudSearch expressions
using numeric fields, other rank expressions, a document's default relevance
_score, and standard numeric operators and functions. When you use the sort
option to specify an expression in a search request, the expression is evaluated
for each search hit and the hits are listed according to their expression values.
F
facet
An Amazon CloudSearch index field that represents a category that you want to
use to refine and filter search results.
facet enabled
An Amazon CloudSearch index field option that enables facet information to be
calculated for the field.
FBL
See feedback loop.
federated identity management
Allows individuals to sign in to different networks or services, using the same
group or personal credentials to access data across all networks. With identity
federation in AWS, external identities (federated users) are granted secure access
to resources in an AWS account (p. 153) without having to create IAM user (p. 193)s.
These external identities can come from a corporate identity store (such as LDAP
or Windows Active Directory) or from a third party (such as Login with Amazon,
Facebook, or Google). AWS federation also supports SAML 2.0.
federated user
See federated identity management.
federation
See federated identity management.
feedback loop
The mechanism by which a mailbox provider (for example, an Internet Service
Provider (p. 175)) forwards a recipient (p. 184)'s complaint (p. 166) back to the
sender (p. 187).
field weight
The relative importance of a text field in a search index. Field weights control how
much matches in particular text fields affect a document's relevance _score.
filter
A criterion you specify to limit the results when you list or describe your Amazon
EC2 resources.
filter query
A way to filter search results without affecting how the results are scored and
sorted. Specified with the Amazon CloudSearch fq parameter.
FIM
See federated identity management.
Firehose
See Amazon Kinesis Firehose.
format version
See template format version.
forums
See discussion forums.
function
See intrinsic function.
fuzzy search
A simple search query that uses approximate string matching (fuzzy matching)
to correct for typographical errors and misspellings.
G
geospatial search
A search query that uses locations specified as a latitude and longitude to
determine matches and sort the results.
gibibyte
A contraction of giga binary byte, a gibibyte is 2^30 or 1,073,741,824 bytes. A
gigabyte (GB) is 10^9 or 1,000,000,000 bytes. 1,024 GiB is a tebibyte (p. 192).
grant
AWS Key Management Service (AWS KMS) (p. 161): A mechanism for giving
AWS principal (p. 182)s long-term permissions to use customer master key
(CMK) (p. 167)s.
grant token
A type of identifier that allows the permissions in a grant (p. 173) to take effect
immediately.
group
A collection of IAM (p. 161) user (p. 193)s. You can use IAM groups to simplify
specifying and managing permissions for multiple users.
H
Hadoop
See http://hadoop.apache.org.
hard bounce
A persistent email delivery failure such as "mailbox does not exist."
hardware VPN
A hardware-based IPsec VPN connection over the Internet.
HDFS
Hadoop Distributed File System. The HDFS file system stores large files across
multiple machines. It achieves reliability by replicating the data across multiple
hosts, and hence does not require RAID storage on hosts.
health check
A system call to check on the health status of each instance in an Auto Scaling
group.
high-quality email
Email that recipients find valuable and want to receive. Value means different
things to different recipients and can come in the form of offers, order
confirmations, receipts, newsletters, etc.
highlights
Amazon CloudSearch (p. 155): Excerpts returned with search results that show
where the search terms appear within the text of the matching documents.
highlight enabled
An Amazon CloudSearch index field option that enables matches within the field
to be highlighted.
hit
A document that matches the criteria specified in a search request. Also referred
to as a search result.
Hive
An open source, data warehouse and analytic package that runs on top of Hadoop.
Hive scripts use an SQL-like language called Hive QL (query language) that
abstracts the MapReduce programming model and supports typical data
warehouse interactions.
HMAC
Hash-based Message Authentication Code. A specific construction for calculating
a message authentication code (MAC) involving a cryptographic hash function in
combination with a secret key. You can use it to verify both the data integrity and
the authenticity of a message at the same time. AWS calculates the HMAC using
a standard, cryptographic hash algorithm, such as SHA-256.
hosted zone
A collection of resource record sets that Amazon Route 53 hosts. Like a traditional
DNS zone file, a hosted zone represents a collection of records that are managed
together under a single domain name.
HVM virtualization
Hardware Virtual Machine virtualization. Allows the guest VM to run as though it
is on a native hardware platform, except that it still uses paravirtual (PV) network
and storage drivers for improved performance.
See Also PV virtualization.
I
IAM
See AWS Identity and Access Management (IAM).
IAM group
See group.
IAM policy simulator
See policy simulator.
IAM role
See role.
IAM user
See user.
Identity and Access
Management
See AWS Identity and Access Management (IAM).
identity provider (IdP)
An IAM (p. 161) entity that holds metadata about external identity providers.
IdP
See identity provider (IdP) .
image
See Amazon Machine Image (AMI).
import/export station
A machine that uploads or downloads your data to, or from, Amazon S3.
import log
A report that contains details about how AWS Import/Export processed your data.
index
See search index.
index field
A name-value pair that is included in an Amazon CloudSearch domain's index.
An index field can contain text or numeric data, dates, or a location.
indexing options
Configuration settings that define an Amazon CloudSearch domain's index fields,
how document data is mapped to those index fields, and how the index fields can
be used.
inline policy
An IAM (p. 161) policy (p. 182) that is embedded in a single IAM user (p. 193),
group (p. 173), or role (p. 186).
instance
A copy of an Amazon Machine Image running as a virtual server in the AWS
cloud.
instance family
A general instance type (p. 175) grouping using either storage or CPU capacity.
instance group
A Hadoop cluster contains one master instance group that contains one master
node (p. 179), a core instance group containing one or more core node (p. 167)
and an optional task node (p. 192) instance group, which can contain any number
of task nodes.
instance profile
A container that passes IAM role (p. 186) information to an EC2 instance (p. 175)
at launch.
instance store
Disk storage that is physically attached to the host computer for an EC2 instance,
and therefore has the same lifespan as the instance. When the instance
terminates, you lose any data in the instance store.
instance store-backed AMI
Instances launched from this type of AMI use an instance store volume as the
root device. Compare this with instances launched from Amazon EBS-backed
AMIs, which use an Amazon EBS volume as the root device.
instance type
A specification that defines the memory, CPU, storage capacity, and hourly cost
for an instance. Some instance types are designed for standard applications,
whereas others are designed for CPU-intensive, memory-intensive applications,
and so on.
Internet gateway
Connects a network to the Internet. You can route traffic for IP addresses outside
your VPC (p. 194) to the Internet gateway.
Internet Service Provider
A company that provides subscribers with access to the Internet. Many ISPs are
also mailbox provider (p. 178)s. Mailbox providers are sometimes referred to as
ISPs, even if they only provide mailbox services.
intrinsic function
A special action in a template that assigns values to properties not available until
runtime. These functions follow the format Fn::Attribute, such as Fn::GetAtt.
Arguments for intrinsic functions can be parameters, pseudo parameters, or the
output of other intrinsic functions.
IP address
In EC2-Classic, every instance is assigned two IP addresses at launch, which are
mapped to each other through network address translation (NAT): a private IP
address (from the RFC 1918 ranges) and a public IP address. An instance launched
in a VPC always receives a private IP address; it receives a public IP address
only if its subnet is configured to assign one, which is the default for the
subnets in your default VPC.
IP match condition
AWS WAF (p. 163): An attribute that specifies the IP addresses or IP address
ranges that web requests originate from. Based on the specified IP addresses,
you can configure AWS WAF to allow or block web requests to AWS resources
such as Amazon CloudFront distributions.
ISP
See Internet Service Provider.
issuer
The issuer is the person who writes a policy (p. 182) to grant permissions to a
resource. The issuer (by definition) is always the resource owner. AWS does not
permit Amazon SQS users to create policies for resources they don't own. If John
is the resource owner, AWS authenticates John's identity when he submits the
policy he's written to grant permissions for that resource.
item
Similar to rows on a spreadsheet, items represent individual objects that contain
one or more value-attribute pairs.
item name
An identifier for an item. The identifier must be unique within the domain (p. 170).
J
job flow
A job flow specifies the complete processing of the data. It's comprised of one or
more steps, which specify all of the functions to be performed on the data.
job ID
A five-character, alphanumeric string that uniquely identifies a storage device in
your shipment. AWS issues the job ID in response to a CREATE JOB email
command.
job prefix
The AWS Import/Export process generates a log file. The log file name always
ends with the phrase import-log- followed by your Job ID. There is a remote
chance that you already have an object with this name. To avoid a key collision,
you can add an optional prefix to the log file.
See Also key prefix.
JSON
JavaScript Object Notation. A lightweight data-interchange format. For information
about JSON, see http://www.json.org/.
junk folder
The location where email messages that various filters determine to be of lesser
value are collected so that they do not arrive in the recipient (p. 184)'s inbox, but
are still accessible to the recipient. This is also referred to as a spam (p. 189) or
bulk folder.
K
key
A credential that identifies an AWS account (p. 153) or user (p. 193) to AWS (such
as the AWS secret access key (p. 187)).
Amazon Simple Storage Service (Amazon S3) (p. 157), Amazon Elastic MapReduce
(Amazon EMR) (p. 156): The unique identifier for an object in a bucket. Every
object in a bucket has exactly one key. Because a bucket and key together
uniquely identify each object, you can think of Amazon S3 as a basic data map
between the bucket + key, and the object itself. You can uniquely address every
object in Amazon S3 through the combination of the web service endpoint, bucket
name, and key, for example:
http://doc.s3.amazonaws.com/2006-03-01/AmazonS3.wsdl, where doc
is the name of the bucket, and 2006-03-01/AmazonS3.wsdl is the key.
AWS Import/Export (p. 161): The name of an object in Amazon Simple Storage
Service (Amazon S3) (p. 157). It is a sequence of Unicode characters whose UTF-8
encoding cannot exceed 1024 bytes. If a key, for example, logPrefix +
import-log-JOBID, is longer than 1024 bytes, AWS Import/Export returns an
InvalidManifestField error.
IAM (p. 161): In the context of writing a policy (p. 182): A specific characteristic that
is the basis for restricting access (such as the current time, or the IP address of
the requester).
Tagging resources: A general tag (p. 191) label that acts like a category for more
specific tag values. For example, you might have EC2 instance (p. 170) with the
tag key of Owner and the tag value of Jan. You can tag an AWS resource with
up to 10 key–value pairs. Not all AWS resources can be tagged.
key pair
A set of security credentials you use to prove your identity electronically. A key
pair consists of a private key and a public key. For Amazon EC2 key pairs, AWS
stores only the public key; you keep the private key and use it, for example, to
log in to a Linux instance over SSH. Anyone who obtains the private key can
authenticate as you, so protect it as you would a password.
key prefix
A logical grouping of the objects in a bucket (p. 164). The prefix value is similar to
a directory name that enables you to store similar data under the same directory
in a bucket.
kibibyte
A contraction of kilo binary byte, a kibibyte is 2^10 or 1,024 bytes. A kilobyte (KB)
is 10^3 or 1,000 bytes. 1,024 KiB is a mebibyte (p. 179).
KMS
See AWS Key Management Service (AWS KMS).
L
launch configuration
A set of descriptive parameters used to create new EC2 instances in an Auto
Scaling activity.
A template that an Auto Scaling group (p. 159) uses to launch new EC2 instances.
The launch configuration contains information such as the Amazon Machine
Image (AMI) (p. 157) ID, the instance type, key pairs, security groups, and block
device mappings, among other configuration settings.
launch permission
An Amazon Machine Image (AMI) (p. 157) attribute that allows users to launch an
AMI.
lifecycle
The lifecycle state of the EC2 instance (p. 170) contained in an AutoScalingGroup.
EC2 instances progress through several states over their lifespan; these include
Pending, InService, Terminating and Terminated.
link to VPC
The process of linking (or attaching) an EC2-Classic instance to a
ClassicLink-enabled VPC.
See Also ClassicLink, unlink from VPC.
load balancer
A load balancer is a combination of a DNS name and a set of ports, which together
provide a destination for all requests intended for your application. A load balancer
can distribute traffic to multiple application instances across every Availability
Zone (p. 159) within a region (p. 185). Load balancers can span multiple Availability
Zones within an Amazon EC2 region, but they cannot span multiple regions.
logical name
A case-sensitive unique string within an AWS CloudFormation template that
identifies a resource (p. 185), mapping (p. 179), parameter, or output. In an AWS
CloudFormation template, each parameter, resource, property, mapping, and
output must be declared with a unique logical name. You use the logical name
when dereferencing these items using the Ref function.
M
machine utilization
The amount of machine capacity used to complete a particular request (for
example SELECT, GET, PUT, and so on), normalized to the hourly capacity of
a standard processor. Machine utilization is measured in machine hour increments.
Mail Transfer Agent (MTA)
Software that transports email messages from one computer to another by using
a client-server architecture.
mailbox provider
An organization that provides email mailbox hosting services. Mailbox providers
are sometimes referred to as Internet Service Provider (p. 175)s, even if they only
provide mailbox services.
mailbox simulator
A set of email addresses that you can use to test an Amazon SES-based email
sending application without sending messages to actual recipients. Each email
address represents a specific scenario (such as a bounce or complaint) and
generates a typical response that is specific to the scenario.
main route table
The default route table that any new VPC subnet uses for routing. You can
associate a subnet with a different route table of your choice. You can also
change which route table is the main route table.
managed policy
A standalone IAM (p. 161) policy (p. 182) that you can attach to multiple
user (p. 193)s, group (p. 173)s, and role (p. 186)s in your AWS account (p. 153).
Managed policies can either be AWS managed policies (which are created and
managed by AWS) or customer managed policies (which you create and manage
in your AWS account).
manifest
When sending a create job request for an import or export operation you describe
your job in a text file called a manifest. The manifest file is a YAML-formatted file
that specifies how to transfer data between your storage device and the AWS
cloud.
MapReduce
See http://hadoop.apache.org/docs/r1.2.0/mapred_tutorial.html.
mapper
An executable that splits the raw data into key/value pairs. The reducer uses the
output of the mapper, called the intermediate results, as its input.
mapping
A way to add conditional parameter values to an AWS CloudFormation template.
You specify mappings in the template's optional Mappings section and retrieve
the desired value using the Fn::FindInMap function.
marker
See pagination.
master node
A process running on an Amazon Machine Image (AMI) (p. 157) that keeps track
of the work its core and task nodes complete.
maximum price
The maximum price you will pay to launch one or more Spot instances. If your
maximum price exceeds the current Spot price (p. 189) and your restrictions are
met, Amazon EC2 launches instances on your behalf.
maximum send rate
The maximum number of emails that you can send per second using Amazon
SES.
mebibyte
A contraction of mega binary byte, a mebibyte is 2^20 or 1,048,576 bytes. A
megabyte (MB) is 10^6 or 1,000,000 bytes. 1,024 MiB is a gibibyte (p. 173).
member resources
See resource.
message ID
Amazon Simple Email Service (Amazon SES) (p. 157): A unique identifier that is
assigned to every email message that is sent.
Amazon Simple Queue Service (Amazon SQS) (p. 157): The identifier returned
when you send a message to a queue.
metadata
Amazon Simple Storage Service (Amazon S3) (p. 157), Amazon Elastic MapReduce
(Amazon EMR) (p. 156): A set of name/value pairs that describe the object. These
include default metadata such as the date last modified and standard HTTP
metadata such as Content-Type. Users can also specify custom metadata at the
time they store an object.
Amazon Elastic Compute Cloud (Amazon EC2) (p. 155): Data about an EC2
instance (p. 170) that the instance can retrieve from the instance metadata
service to determine things about itself, such as the instance type, the IP
address, and so on. The metadata also includes the temporary credentials of any
IAM role attached through the instance profile, so any process on the instance
that can reach the metadata service can obtain those credentials; treat that
access as sensitive.
metric
An element of time-series data defined by a unique combination of exactly one
namespace, exactly one metric name, and between zero and ten dimensions.
Metrics and the statistics derived from them are the basis of Amazon CloudWatch.
metric name
The primary identifier of a metric, used in combination with a namespace and
optional dimensions.
MFA
See multi-factor authentication (MFA).
micro instance
A type of EC2 instance (p. 170) that is more economical to use if you have
occasional bursts of high CPU activity.
MIME
See Multipurpose Internet Mail Extensions (MIME).
MTA
See Mail Transfer Agent (MTA).
Multi-AZ deployment
A primary DB instance (p. 168) that has a synchronous standby replica in a different
Availability Zone (p. 159). The primary DB instance is synchronously replicated
across Availability Zones to the standby replica.
multi-factor authentication
(MFA)
An optional AWS account (p. 153) security feature. Once you enable AWS MFA,
you must provide a six-digit, single-use code in addition to your sign-in credentials
whenever you access secure AWS web site pages or the AWS Management
Console. You get this single-use code from an authentication device that you
keep in your physical possession.
See Also http://www.amazonaws.cn/mfa/.
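The six-digit, single-use code described above is what a time-based one-time password (TOTP, RFC 6238) device produces. The following is an added example of the algorithm and of a verifier that enforces the "single-use" property; it is not AWS's own MFA implementation. The secret is the published RFC 6238 test key, used here only so the output can be checked against the RFC's vectors; the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 Appendix B test key (the ASCII digits
# "1234567890" twice). A real MFA device holds a random secret provisioned at
# enrollment; never reuse a published test key outside a demo.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def accept_code(secret: bytes, submitted: str, unix_time: int, state: dict,
                window: int = 1) -> bool:
    """Verifier side. Accepts the code for the current time step or up to
    `window` steps either side (tolerating clock skew), compares in constant
    time, and records the accepted step in `state` so the same code cannot be
    replayed: that bookkeeping is what makes the code single-use."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= state.get("last_accepted_step", -1):
            continue  # already used, or older than a step already used
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            state["last_accepted_step"] = candidate
            return True
    return False


if __name__ == "__main__":
    import time
    print("current code for the demo secret:", totp(DEMO_SECRET, int(time.time())))
```

A verifier without the `state` bookkeeping would accept a captured code for the whole skew window, which defeats the "single-use" part of the definition; the window itself should be as small as the devices' clock drift allows.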
multi-valued attribute
An attribute with more than one value.
multipart upload
A feature that allows you to upload a single object as a set of parts.
Multipurpose Internet Mail
Extensions (MIME)
An Internet standard that extends the email protocol to include non-ASCII text
and non-text elements like attachments.
Multitool
A Cascading (p. 165) application that provides a simple command-line interface
for managing large datasets.
N
namespace
An abstract container that provides context for the items (names, or technical
terms, or words) it holds, and allows disambiguation of homonym items residing
in different namespaces.
NAT
Network address translation. A strategy of mapping one or more IP addresses to
another while data packets are in transit across a traffic routing device. This is
commonly used to restrict Internet communication to private instances while
allowing outgoing traffic.
See Also Network Address Translation and Protocol Translation, NAT gateway,
NAT instance.
NAT gateway
A NAT device, managed by AWS, that you create in a public subnet so that
instances in private subnets can initiate outbound connections to the Internet.
Because translation state is created only for connections that originate inside
the VPC, unsolicited inbound connections from the Internet are not forwarded to
the private instances. A NAT gateway uses both NAT (p. 180) and port address
translation.
See Also NAT instance.
NAT instance
A NAT device that you configure yourself on an EC2 instance in a VPC public
subnet. It serves the same purpose as a NAT gateway: outbound Internet access for
instances in private subnets without exposing them to unsolicited inbound
connections. Because it is an ordinary instance, you must disable source/destination
checking on it and patch, monitor, and scale it yourself.
See Also NAT gateway.
network ACL
An optional layer of security that acts as a firewall for controlling traffic in and out
of a subnet. You can associate multiple subnets with a single network ACL, but
a subnet can be associated with only one network ACL at a time. Network ACLs
are stateless: each packet is evaluated against the numbered rules in order, so
return traffic must be allowed explicitly, unlike with security groups, which
track connection state.
Network Address Translation
and Protocol Translation
(NAT-PT) An Internet protocol standard defined in RFC 2766 (later moved to
Historic status by RFC 4966).
See Also NAT instance, NAT gateway.
node
After an Amazon Machine Image (AMI) (p. 157) is launched, the resulting running
system is referred to as a node. All instances based on the same AMI are identical
at start-up. Any information about the node is lost when the node terminates or
fails.
NoEcho
A property of AWS CloudFormation parameters that will prevent the otherwise
default reporting of names and values of a template parameter. Declaring the
NoEcho property causes the parameter value to be masked with asterisks in the
report by the cfn-describe-stacks command. NoEcho masks only the parameter
itself: if the template copies the value into a resource property, an output, or
metadata, it is visible there, so do not rely on NoEcho alone to protect secrets.
null object
A null object is one whose version ID is null. Amazon S3 adds a null object to a
bucket when versioning (p. 194) for that bucket is suspended. It is possible to have
only one null object for each key in a bucket.
O
object
Amazon Simple Storage Service (Amazon S3) (p. 157): The fundamental entity
type stored in Amazon S3. Objects consist of object data and metadata. The data
portion is opaque to Amazon S3.
Amazon CloudFront (p. 154): Any entity that can be served either over HTTP or a
version of RTMP.
on-demand instance
An Amazon EC2 pricing option that charges you for compute capacity by the hour
with no long-term commitment.
operation
An API function. Also called an action.
origin access identity
Also called OAI. A virtual identity you use when giving your distribution permission
to fetch a private object from your origin server (Amazon S3 bucket).
origin server
The Amazon S3 bucket or custom origin containing the definitive original version
of the content you deliver through CloudFront.
P
pagination
Some APIs that return a potentially large list of records can return a subset by
using a value to set the maximum number of returned records. They then provide
a marker, which identifies the last record returned so that in a subsequent call,
the user can get the next sequence of records.
paid AMI
An Amazon Machine Image (AMI) that you sell to other Amazon EC2 users using
AWS Marketplace.
paravirtual virtualization
See PV virtualization.
part
In a multipart upload request, each part is a contiguous portion of the object's
data.
PAT
Port address translation.
pebibyte
A contraction of peta binary byte, a pebibyte is 2^50 or 1,125,899,906,842,624
bytes. A petabyte (PB) is 10^15 or 1,000,000,000,000,000 bytes. 1,024 PiB is an
exbibyte (p. 172).
period
See sampling period.
permission
A statement within a policy (p. 182) that allows or denies access to a particular
resource. You can state any permission like this: "A has permission to do B to
C." For example, Jane (A) has permission to read messages (B) from John's
Amazon SQS queue (C). Whenever Jane sends a request to Amazon SQS to
use John's queue, the service checks to see if she has permission and if the
request satisfies the conditions John set forth in the permission.
persistent storage
A long-term data storage solution. Options within AWS are: Amazon S3, Amazon
EBS, and Amazon SimpleDB.
physical name
A unique label AWS CloudFormation assigns to each resource when creating a
stack (p. 190). Some AWS CloudFormation commands accept the physical name
as a value with the --physical-name parameter.
Pig
An open-source Apache library that runs on top of Hadoop. The library takes
SQL-like commands written in a language called Pig Latin and converts those
commands into MapReduce job flows.
pipeline
In AWS CodePipeline, a workflow construct that defines the way software changes
go through a release process.
plaintext
Information that has not been encrypted (p. 171), as opposed to ciphertext (p. 165).
policy
IAM (p. 161): A document defining permissions that apply to a user, group, or role;
the permissions in turn determine what users can do in AWS. A policy typically
allow (p. 154)s access to specific actions, and can scope those actions to specific
resources, like EC2 instances, S3 buckets, and so on. Policies can also explicitly
deny (p. 169) access. An explicit deny overrides any allow, and a request that no
policy allows is denied by default.
Auto Scaling (p. 159): An object that stores the information needed to launch or
terminate instances for an Auto Scaling group. Executing the policy causes
instances to be launched or terminated. You can configure an alarm (p. 154) to
invoke an Auto Scaling policy.
policy generator
A tool in the IAM (p. 161) AWS Management Console (p. 161) that helps you build
a policy (p. 182) by selecting elements from lists of available options.
policy simulator
A tool in the IAM (p. 161) AWS Management Console (p. 161) that helps you test
and troubleshoot policies (p. 182) so you can see their effects in real-world
scenarios.
policy validator
A tool in the IAM (p. 161) AWS Management Console (p. 161) that examines your
existing IAM access control policies (p. 182) to ensure that they comply with the
IAM policy grammar.
presigned URL
A URL that uses query string authentication (p. 184). Anyone who holds the URL
can use it until it expires, so treat a presigned URL as a bearer credential and
keep its lifetime short.
prefix
See job prefix.
Premium Support
A one-on-one, fast-response support channel that AWS customers can subscribe
to for support for AWS infrastructure services.
See Also http://www.amazonaws.cn/support-plans/.
principal
The user (p. 193), service, or account (p. 153) that receives permissions that are
defined in a policy (p. 182). The principal is A in the statement "A has permission
to do B to C."
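The "A has permission to do B to C" model in the permission, policy, and principal entries, together with the IAM sense of "key" (a condition key such as the requester's IP address), can be made concrete with a small evaluator. The code below is an added example, not AWS's own policy engine: it models the evaluation order the policy entry describes (an applicable explicit Deny wins, otherwise a request is denied unless some statement allows it) over two constructed policies. The queue ARN, account ID, network range, and the two condition operators are illustrative; real IAM has many more operators and elements (NotAction, Principal, and so on) that are omitted here.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policies for the example (not from the original page). The ARN,
# account ID and network are placeholders.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:johns-queue"

ALLOW_READ_FROM_OFFICE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes"],
        "Resource": QUEUE_ARN,
        # Condition key (the IAM sense of "key"): the requester's source address.
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

DENY_DELETE_ANYWHERE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "sqs:Delete*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """Wildcard match as in the Action and Resource elements. IAM compares
    action names case-insensitively and ARNs case-sensitively."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the two operators this example needs; IAM defines many more."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "IpAddress":
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                           for cidr in _as_list(expected)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Decide a request the way IAM does within one account: an explicit Deny
    whose Action, Resource and Condition all match wins over any Allow; if no
    applicable statement allows the request, it is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed
```

Note that a condition whose context key is absent from the request (for example, no aws:SourceIp at all) makes the statement inapplicable rather than matching; that is why the Allow above cannot be satisfied by a request that carries no source address.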
private IP address
In EC2-Classic, every instance is assigned two IP addresses at launch, which are
mapped to each other through Network Address Translation (NAT): a private
address (from the RFC 1918 ranges) and a public address. An instance launched in
a VPC always receives a private IP address, and a public one only if its subnet
is configured to assign it.
private subnet
A VPC subnet whose route table has no route to an Internet gateway, so its
instances cannot be reached directly from the Internet and can initiate outbound
connections only through a NAT gateway or NAT instance.
product code
The product code is an identifier provided by AWS when you submit a product to
AWS Marketplace.
properties
See resource property.
property rule
A JSON (p. 176)-compliant markup standard for declaring properties, mappings,
and output values in an AWS CloudFormation template.
Provisioned IOPS
A storage option designed to deliver fast, predictable, and consistent I/O
performance. When you specify an IOPS rate while creating a DB instance,
Amazon RDS provisions that IOPS rate for the lifetime of the DB instance.
pseudo parameter
A predefined setting, such as AWS::StackName, that can be used in AWS
CloudFormation templates without having to declare them. You can use pseudo
parameters anywhere you can use a regular parameter.
public AMI
An Amazon Machine Image (AMI) (p. 157) that all AWS account (p. 153)s have
permission to launch.
public data set
A large set of public data that can be seamlessly integrated into AWS cloud-based
applications. Amazon stores public data sets at no charge to the community and,
like all AWS services, users pay only for the compute and storage they use for
their own applications. These data sets currently include data from the Human
Genome Project, the U.S. Census, Wikipedia, and other sources.
See Also http://www.amazonaws.cn/publicdatasets.
public IP address
In EC2-Classic, every instance is assigned two IP addresses at launch, which are
mapped to each other through Network Address Translation (NAT): a private
address (from the RFC 1918 ranges) and a public address. An instance launched in
a VPC receives a public IP address only if its subnet is configured to assign one
or you associate an Elastic IP address with it.
public subnet
A VPC subnet whose route table has a route to an Internet gateway, so that its
instances that have a public IP address can be reached from the Internet.
PV virtualization
Paravirtual virtualization. Allows guest VMs to run on host systems that do not
have special support extensions for full hardware and CPU virtualization. Because
PV guests run a modified operating system that does not use hardware emulation,
they cannot provide hardware-related features such as enhanced networking or
GPU support.
See Also HVM virtualization.
Q
Query
A type of HTTP-based request interface that generally uses only the GET or POST
HTTP method and a query string with parameters.
See Also REST, REST-Query.
query string authentication
An AWS feature that lets you place the authentication information in the HTTP
request query string instead of in the Authorization header, which enables
URL-based access to objects in a bucket.
queue
A sequence of messages or jobs held in temporary storage awaiting transmission
or processing.
queue URL
A URL that uniquely identifies a queue.
quota
Amazon RDS (p. 157): The maximum number of DB instance (p. 168)s and available
storage you can use.
Amazon ElastiCache (p. 156): The maximum number of the following items:
• The number of cache clusters for each AWS account (p. 153)
• The number of cache nodes per cache cluster
• The total number of cache nodes per AWS account across all cache clusters
created by that AWS account
R
range GET
A range GET specifies a byte range of data to get for a download. If an object is
large, you can break up a download into smaller units by sending multiple range
GET requests that each specify a different byte range to GET.
raw email
A type of sendmail request that allows you to specify the email headers and MIME
types.
RDS
See Amazon Relational Database Service (Amazon RDS).
read replica
An active copy of another DB instance. Any updates to the data on the source
DB instance are replicated to the read replica DB instance using the built-in
replication feature of MySQL 5.1.
receipt handle
An identifier you get when you receive a message from the queue. This identifier
is required to delete a message from the queue or when changing a message's
visibility timeout.
receiver
The entity that consists of the network systems, software, and policies that manage
email delivery for a recipient (p. 184).
recipient
Amazon Simple Email Service (Amazon SES) (p. 157): The person or entity
receiving an email message. For example, a person named in the "To" field of a
message.
reducer
An executable in the MapReduce process that uses the intermediate results from
the mapper and processes them into the final output.
reference
A means of inserting a property from one AWS resource into another. For example,
you could insert an Amazon EC2 security group property into an Amazon RDS
resource.
region
A named set of AWS resources in the same geographical area. A region comprises
at least two Availability Zones.
reply path
The email address to which an email reply is sent. This is different from the return
path (p. 186).
reputation
1. An Amazon SES metric, based on factors that might include bounces,
complaints, and other metrics, regarding whether or not a customer is sending
high-quality emails.
2. A measure of confidence, as judged by an Internet Service Provider (p. 175) or
other entity that an IP address that they are receiving emails from is not the source
of spam (p. 189).
requester
The person (or application) that sends a request to AWS to perform a specific
action. When AWS receives a request, it first evaluates the requester's permissions
to determine whether the requester is allowed to perform the request action (if
applicable, for the requested resource).
Requester Pays
An Amazon S3 feature that allows a bucket owner (p. 164) to specify that anyone
who requests access to objects in a particular bucket must pay the data transfer
and request costs.
reservation
A collection of EC2 instances started as part of the same launch request. Not to
be confused with a Reserved Instance (p. 185).
Reserved Instance
A pricing option for EC2 instances which discounts the On-Demand usage charge
for instances that meet the specified parameters. Customers pay for the entire
term of the instance, regardless of how they use it.
Reserved Instance Marketplace
Matches sellers who have reserved capacity that they no longer need with buyers
who are looking to purchase additional capacity. Reserved Instances that you
purchase from third-party sellers will have less than a full standard term remaining
and can be sold at different upfront prices. The usage or recurring fees will
remain the same as the fees set when the Reserved Instances were originally
purchased. Full standard terms for Reserved Instances available from AWS run
for one year or three years.
resource
1. An entity that users can work with in AWS, such as an EC2 instance, a
DynamoDB table, an IAM user, an AWS OpsWorks stack, and so on.
2. Tools, code, and documents that AWS provides to support users.
3. A required element of an AWS CloudFormation stack (p. 190). Each stack
contains at least one resource, such as an Auto Scaling LaunchConfiguration.
All resources in a stack must be created successfully for the stack to be created.
resource property
A value required when including an AWS resource in an AWS CloudFormation
stack (p. 190). Each resource may have one or more properties associated with
it. For example, an AWS::EC2::Instance resource may have a UserData
property. In an AWS CloudFormation template, resources must declare a
properties section, even if the resource has no properties.
resource record
Also called resource record set. Standard DNS terminology.
See Also http://en.wikipedia.org/wiki/Domain_Name_System.
REST
A type of HTTP-based request interface that generally uses only the GET or POST
HTTP method and a query string with parameters. Sometimes known as Query.
In some implementations of a REST interface, other HTTP verbs besides GET
and POST are used.
REST-Query
Also known as Query or HTTP Query. This is a type of HTTP request that generally
uses only the GET or POST HTTP method and a query string with parameters.
Compare this with REST, which is a type of HTTP request that uses any HTTP
method (GET, DELETE, POST, etc.), a resource, HTTP headers, and possibly
a query string with parameters.
return enabled
An Amazon CloudSearch index field option that enables the field's values to be
returned in the search results.
return path
The email address to which bounced emails are returned. The return path is
specified in the header of the original email. This is different from the reply
path (p. 185).
revision
In AWS CodePipeline, a change made to a source that is configured in a source
action, such as a pushed commit to a GitHub repository or an update to a file in
a versioned Amazon S3 bucket.
role
An IAM identity that carries permissions policies but has no long-term credentials
of its own. A principal (p. 182) that the role's trust policy (p. 193) permits
assumes the role and receives temporary security credentials (p. 192) that give
temporary access to AWS resources in your AWS account (p. 153).
rollback
A return to a previous state that follows the failure to create an object, such as
AWS CloudFormation stack (p. 190). All resources associated with the failure are
deleted during the rollback. For AWS CloudFormation, you can override this
behavior using the --disable-rollback option on the command line.
root credentials
Authentication information associated with the AWS account (p. 153) owner. Root
credentials are not constrained by IAM policies and can do anything in the
account, so they should be protected with MFA and not used for routine work;
create IAM user (p. 193)s or roles for day-to-day access instead.
root device volume
Contains the image used to boot the instance. If you launched the instance from
an AMI backed by instance store, this is an instance store volume created from
a template stored in Amazon S3. If you launched the instance from an AMI backed
by Amazon EBS, this is an Amazon EBS volume created from an Amazon EBS
snapshot.
route table
A set of routing rules that controls the traffic leaving any subnet that is associated
with the route table. You can associate multiple subnets with a single route table,
but a subnet can be associated with only one route table at a time.
rule
AWS WAF (p. 163): A set of conditions that AWS WAF searches for in web requests
to AWS resources such as Amazon CloudFront distributions. You add rules to a
web ACL, and then specify whether you want to allow or block web requests
based on each rule.
S
S3
See Amazon Simple Storage Service (Amazon S3).
sampling period
A defined duration of time, such as one minute, over which CloudWatch computes
a statistic (p. 190).
sandbox
A testing location where you can test the functionality of your application without
affecting production, incurring charges, or purchasing products.
Amazon Simple Email Service (Amazon SES) (p. 157): An Amazon SES
environment that is designed for developers to test and evaluate the service. In
the sandbox, you have full access to the Amazon SES API, but you can only send
messages to verified email addresses and the mailbox simulator. To get out of
the sandbox, you need to apply for production access. Accounts in the sandbox
also have lower sending limits (p. 188) than production accounts.
scaling activity
A process that changes the size, configuration, or makeup of an Auto Scaling
group (p. 159) by launching or terminating instances. For more information, see
Auto Scaling Concepts in the Auto Scaling Developer Guide.
scheduler
The method used for placing task (p. 192)s on container instance (p. 166)s.
search API
The Amazon CloudSearch API that you use to submit search requests to a search
domain.
search domain
Encapsulates your searchable data and the search instances that handle your
search requests. You typically set up a separate Amazon CloudSearch domain
for each different collection of data that you want to search.
search domain configuration
An Amazon CloudSearch domain's indexing options, analysis schemes,
expressions, suggesters, access policies, and scaling and availability options.
search enabled
An Amazon CloudSearch index field option that enables the field data to be
searched.
search endpoint
The URL that you connect to when sending search requests to a search domain.
Each Amazon CloudSearch domain has a unique search endpoint that remains
the same for the life of the domain.
search index
A representation of your searchable data that facilitates fast and accurate data
retrieval.
search instance
A compute resource that indexes your data and processes search requests. An
Amazon CloudSearch domain has one or more search instances, each with a
finite amount of RAM and CPU resources. As your data volume grows, more
search instances or larger search instances are deployed to contain your indexed
data. When necessary, your index is automatically partitioned across multiple
search instances. As your request volume or complexity increases, each search
partition is automatically replicated to provide additional processing capacity.
search request
A request that is sent to an Amazon CloudSearch domain's search endpoint to
retrieve documents from the index that match particular search criteria.
search result
A document that matches a search request. Also referred to as a search hit.
secret access key
A key that is used in conjunction with the access key ID (p. 153) to cryptographically
sign programmatic AWS requests. Signing a request identifies the sender and
prevents the request from being altered. You can generate secret access keys
for your AWS account (p. 153), individual IAM user (p. 193)s, and temporary
sessions.
security group
A named set of allowed inbound network connections for an instance. (Security
groups in Amazon VPC also include support for outbound connections.) Each
security group consists of a list of protocols, ports, and IP address ranges. A
security group can apply to multiple instances, and multiple groups can regulate
a single instance. Security groups are stateful: the return traffic of a
connection that was allowed in one direction is allowed automatically, regardless
of the rules for the other direction.
sender
The person or entity sending an email message.
Sender ID
A Microsoft-controlled version of SPF. An email authentication and anti-spoofing
system. For more information about Sender ID, go to
http://wikipedia.org/wiki/Sender_ID.
sending limits
The sending quota (p. 188) and maximum send rate (p. 179) that are associated
with every Amazon SES account.
sending quota
The maximum number of emails that you can send using Amazon SES in a
24-hour period.
server-side encryption (SSE)
The encrypting (p. 171) of data at the server level. Amazon S3 (p. 157) supports
three modes of server-side encryption: SSE-S3, in which Amazon S3 manages
the keys; SSE-C, in which the customer supplies the key with each request and
manages it outside AWS; and SSE-KMS, in which AWS Key Management Service
(AWS KMS) (p. 161) manages the keys.
service
See Amazon ECS service.
service endpoint
See endpoint.
service health dashboard
A web page showing up-to-the-minute information about AWS service availability.
The dashboard is located at http://status.amazonaws.cn/.
service role
An IAM role that grants permissions to an AWS service so it can access AWS
resources. The policies you attach to the service role determine which AWS
resources the service can access, and what it can do with those resources.
SES
See Amazon Simple Email Service (Amazon SES).
session
The period during which the temporary security credentials provided by AWS
Security Token Service (AWS STS) (p. 162) allow access to your AWS account.
SHA
Secure Hash Algorithm. SHA-1 is an earlier member of the family; AWS has
deprecated it in favor of SHA-256, which Signature Version 4 (p. 188) uses both
for its HMAC and for hashing the request.
shard
Amazon Elasticsearch Service (Amazon ES) (p. 156): A partition of data in an
index. You can split an index into multiple shards, which can include primary
shards (original shards) and replica shards (copies of the primary shards). Replica
shards provide failover, which means that a replica shard is promoted to a primary
shard if a cluster node that contains a primary shard fails. Replica shards also
can handle requests.
shared AMI
An Amazon Machine Image (AMI) (p. 157) that a developer builds and makes
available for others to use.
shutdown action
A predefined bootstrap action that launches a script that executes a series of
commands in parallel before terminating the job flow.
signature
Refers to a digital signature, a mathematical way to confirm the authenticity
of a digital message. AWS uses signatures to authenticate the requests you send
to its web services. AWS request signatures are HMACs computed with your secret
access key (p. 187), so the same key both creates and verifies a signature, and
anyone who holds the key can sign requests as you. For more information, go to
http://www.amazonaws.cn/security.
SIGNATURE file
A file you copy to the root directory of your storage device. The file contains a job
ID, manifest file, and a signature.
Signature Version 4
Protocol for authenticating inbound API requests to AWS services in all AWS
regions.
Simple Mail Transfer Protocol
See SMTP.
Simple Storage Service
See Amazon Simple Storage Service (Amazon S3).
Single-AZ DB instance
A standard (non-Multi-AZ) DB instance (p. 168) that is deployed in one Availability
Zone (p. 159), without a standby replica in another Availability Zone.
See Also Multi-AZ deployment.
single-valued attribute
An attribute with one value.
sloppy phrase search
A search for a phrase that specifies how close the terms must be to one another
to be considered a match.
SMTP
Simple Mail Transfer Protocol. The standard that is used to exchange email
messages between internet hosts for the purpose of routing and delivery.
snapshot
Amazon Elastic Block Store (Amazon EBS) (p. 155): A point-in-time backup of a
volume that is stored in Amazon S3. You can use snapshots as the starting point
for new Amazon EBS volumes or to protect your data for long-term durability.
See Also DB snapshot.
SNS
See Amazon Simple Notification Service (Amazon SNS).
Snowball
AWS Import/Export (p. 161) has a feature called Snowball. This feature uses
Amazon-owned Snowball appliances for transferring your data.
See Also http://www.amazonaws.cn/importexport.
soft bounce
A temporary email delivery failure such as "mailbox full."
software VPN
A software appliance-based VPN connection over the Internet.
sort enabled
An Amazon CloudSearch index field option that enables a field to be used to sort
the search results.
source/destination checking
A security measure to verify that an EC2 instance is the origin of all traffic that it
sends and the ultimate destination of all traffic that it receives, that is, that the
instance is not relaying traffic. Source/destination checking is enabled by default.
For instances that function as gateways, such as VPC NAT instances,
source/destination checking must be disabled.
spam
Unsolicited bulk email.
spamtrap
An email address that is set up by an anti-spam (p. 189) entity, not for
correspondence, but to monitor unsolicited email. This is also called a honeypot.
SPF
Sender Policy Framework. A standard for authenticating email.
See Also http://www.openspf.org.
Spot instance
A type of EC2 instance (p. 170) that you can bid on to take advantage of unused
Amazon EC2 capacity.
Spot price
The price for a Spot instance (p. 189) at any given time. If your maximum price
exceeds the current price and your restrictions are met, Amazon EC2 launches
instances on your behalf.
SQL injection match condition
AWS WAF (p. 163): An attribute that specifies the part of web requests, such as
a header or a query string, that AWS WAF inspects for malicious SQL code.
Based on the specified conditions, you can configure AWS WAF to allow or block
web requests to AWS resources such as Amazon CloudFront distributions.
SQS
See Amazon Simple Queue Service (Amazon SQS).
SSE
See server-side encryption (SSE).
SSL
Secure Sockets Layer
See Also Transport Layer Security.
stack
AWS CloudFormation (p. 160): A collection of AWS resources you create and
delete as a single unit.
AWS OpsWorks (p. 161): A set of instances you manage collectively, typically
because they have a common purpose such as serving PHP applications. A stack
serves as a container and handles tasks that apply to the group of instances as
a whole, such as managing applications and cookbooks.
stage
AWS CodePipeline (p. 160): A portion of a pipeline workflow where one or more
actions are performed.
station
A place at an AWS facility where we transfer your AWS Import/Export data on to,
or off of, your storage device.
statistic
One of five functions of the values submitted for a given sampling period (p. 186).
These functions are "Maximum," "Minimum," "Sum," "Average," and
"SampleCount."
stem
The common root or substring shared by a set of related words.
stemming
The process of mapping related words to a common stem. This enables matching
on variants of a word. For example, a search for "horse" could return matches for
horses, horseback, and horsing, as well as horse. Amazon CloudSearch supports
both dictionary based and algorithmic stemming.
step
A single function applied to the data in a job flow (p. 176). The sum of all steps
comprises a job flow.
step type
The type of work done in a step. There are a limited number of step types, such
as moving data from Amazon S3 to Amazon EC2 or from Amazon EC2 to Amazon
S3.
sticky session
A feature of the load balancer that binds a user's session to a specific application
instance so that all requests coming from the user during the session are sent to
the same application instance. By contrast, a load balancer by default routes
each request independently to the application instance with the smallest load.
stopping
The process of filtering stop words from an index or search request.
stopword
A word that is not indexed and is automatically filtered out of search requests
because it is either insignificant or so common that including it would result in too
many matches to be useful. Stop words are language-specific.
streaming
Amazon Elastic MapReduce (Amazon EMR) (p. 156): A utility that comes with
Hadoop that enables you to develop MapReduce executables in languages other
than Java.
Amazon CloudFront (p. 154): The ability to use a media file in real time—as it is
transmitted in a steady stream from a server.
streaming distribution
A special kind of distribution (p. 169) that serves streamed media files using a Real
Time Messaging Protocol (RTMP) connection.
Streams
See Amazon Kinesis Streams.
string-to-sign
Before you calculate an HMAC signature, you first assemble the required
components in a canonical order. The resulting string, the input to the HMAC, is
the string-to-sign. It is hashed, not encrypted: the service rebuilds the same
string from the request it receives and recomputes the HMAC to check the signature.
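The signing flow that the entries for query string authentication, secret access key, signature, Signature Version 4 and string-to-sign describe, carried through end to end as an added example (it is not code from the AWS documentation or any AWS SDK). It builds a presigned S3 GET URL with the Signature Version 4 query-string form and then plays the service side, rebuilding the string-to-sign from the received URL and comparing HMACs in constant time. The access key, secret, bucket host and timestamp are the placeholder values used in AWS documentation; `lookup_secret` is a constructed stand-in for the service's credential store, and the seven-day cap on `X-Amz-Expires` is the S3 limit for this URL type.

```python
"""Signature Version 4, query-string form: presign a GET and verify it.
Added example; standard library only. Credentials below are documentation
placeholders and open nothing real."""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample inputs (the placeholder values used in AWS docs).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOST = "examplebucket.s3.amazonaws.com"
MAX_EXPIRES = 604800  # seven days: the longest lifetime S3 accepts for X-Amz-Expires


def _uri_encode(s: str) -> str:
    # SigV4 "URI-encode": everything except unreserved characters, '/' included.
    return quote(s, safe="-_.~")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key. The long-term secret
    access key is never sent and never applied to the request directly."""
    k = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def canonical_request(method: str, path: str, query: dict, host: str) -> str:
    """Canonical form: sorted, encoded query; 'host' as the only signed
    header; unsigned payload, as presigned GETs use."""
    cq = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(query.items()))
    return "\n".join([method, quote(path, safe="/-_.~"), cq,
                      f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])


def string_to_sign(amz_date: str, scope: str, creq: str) -> str:
    """Algorithm, timestamp, credential scope and the SHA-256 of the canonical
    request. This string is hashed by the HMAC, not encrypted."""
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(creq.encode("utf-8")).hexdigest()])


def presign_get(access_key, secret, host, path, region, amz_date, expires, service="s3"):
    """Build a presigned GET URL; the signature travels in the query string."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sts = string_to_sign(amz_date, scope, canonical_request("GET", path, params, host))
    params["X-Amz-Signature"] = hmac.new(signing_key(secret, date, region, service),
                                         sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?" + "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in params.items())


def lookup_secret(access_key: str):
    """Constructed stand-in for the service's credential store."""
    return SECRET_KEY if access_key == ACCESS_KEY else None


def utc(year, month, day, hour=0):
    return datetime.datetime(year, month, day, hour, tzinfo=datetime.timezone.utc)


def verify_presigned_get(url: str, secret_for, now: datetime.datetime) -> bool:
    """The service side: check lifetime first, then rebuild the string-to-sign
    from the received URL and compare HMACs in constant time."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    try:
        presented = q.pop("X-Amz-Signature")
        access_key, date, region, service, term = q["X-Amz-Credential"].split("/")
        expires = int(q["X-Amz-Expires"])
        issued = datetime.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ") \
            .replace(tzinfo=datetime.timezone.utc)
    except (KeyError, ValueError):
        return False
    if len(presented) != 64 or any(c not in "0123456789abcdef" for c in presented):
        return False
    if term != "aws4_request" or q.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256" \
            or q.get("X-Amz-SignedHeaders") != "host":
        return False
    if not 1 <= expires <= MAX_EXPIRES or now < issued \
            or now > issued + datetime.timedelta(seconds=expires):
        return False
    secret = secret_for(access_key)
    if secret is None:
        return False
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = string_to_sign(q["X-Amz-Date"], scope,
                         canonical_request("GET", unquote(u.path), q, u.netloc))
    expected = hmac.new(signing_key(secret, date, region, service),
                        sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


def example_url() -> str:
    """A URL for /test.txt valid for one day from the documentation timestamp."""
    return presign_get(ACCESS_KEY, SECRET_KEY, HOST, "/test.txt",
                       "us-east-1", "20130524T000000Z", 86400)
```

Two points the glossary entries leave implicit are visible here: the secret access key only ever feeds the key derivation, so a captured URL reveals nothing reusable beyond its own lifetime and object; and because any change to the path, host or query alters the canonical request, a tampered URL fails verification without the verifier needing to know what was changed.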
string match condition
AWS WAF (p. 163): An attribute that specifies the strings that AWS WAF searches
for in a web request, such as a value in a header or a query string. Based on the
specified strings, you can configure AWS WAF to allow or block web requests to
AWS resources such as Amazon CloudFront distributions.
structured query
Search criteria specified using the Amazon CloudSearch structured query
language. You use the structured query language to construct compound queries
that use advanced search options and combine multiple search criteria using
Boolean operators.
STS
See AWS Security Token Service (AWS STS).
subnet
A segment of the IP address range of a VPC (p. 194) that EC2 instances can be
attached to. You can create subnets to group instances according to security and
operational needs.
Subscription button
An HTML-coded button that enables an easy way to charge customers a recurring
fee.
suggester
Specifies an Amazon CloudSearch index field you want to use to get autocomplete
suggestions and options that can enable fuzzy matches and control how
suggestions are sorted.
suggestions
Documents that contain a match for the partial search string in the field designated
by the suggester. Amazon CloudSearch suggestions include the document IDs
and field values for each matching document. To be a match, the string must
match the contents of the field starting from the beginning of the field.
supported AMI
An Amazon Machine Image (AMI) (p. 157) similar to a paid AMI (p. 181), except
that the owner charges for additional software or a service that customers use
with their own AMIs.
SWF
See Amazon Simple Workflow Service (Amazon SWF).
symmetric encryption
Encryption (p. 171) in which a single secret key is used both to encrypt and
to decrypt, so every party that can decrypt can also encrypt.
See Also asymmetric encryption.
synchronous bounce
A type of bounce (p. 164) that occurs while the email servers of the sender (p. 187)
and receiver (p. 184) are actively communicating.
synonym
A word that is the same or nearly the same as an indexed word and that should
produce the same results when specified in a search request. For example, a
search for "Rocky Four" or "Rocky 4" should return the fourth Rocky movie. This
can be done by designating that four and 4 are synonyms for IV. Synonyms
are language-specific.
T
tag
Metadata that you can define and assign to AWS resources, such as an EC2
instance (p. 170). Not all AWS resources can be tagged.
tagging
Also called labeling. A way to format return path (p. 186) email addresses so that
you can specify a different return path for each recipient of a message. Tagging
enables you to support VERP (p. 194). For example, if Andrew manages a mailing
list, he can use the return paths [email protected] and
[email protected] so that he can determine which email bounced.
target revision
In AWS CodeDeploy, the most recent version of the application revision that has
been uploaded to the repository and will be deployed to the instances in a
deployment group. In other words, the application revision currently targeted for
deployment. This is also the revision that will be pulled for automatic deployments.
task
An instantiation of a task definition (p. 192) that is running on a container
instance (p. 166).
task definition
The blueprint for your task. Specifies the name of the task (p. 192), revisions,
container definition (p. 166)s, and volume (p. 194) information.
task node
An EC2 instance (p. 170) that runs Hadoop map and reduce tasks, but does not
store data. Task nodes are managed by the master node (p. 179), which assigns
Hadoop tasks to nodes and monitors their status. While a job flow is running you
can increase and decrease the number of task nodes. Because they don't store
data and can be added and removed from a job flow, you can use task nodes to
manage the EC2 instance capacity your job flow uses, increasing capacity to
handle peak loads and decreasing it later.
Task nodes only run a TaskTracker Hadoop daemon.
tebibyte
A contraction of tera binary byte, a tebibyte is 2^40 or 1,099,511,627,776 bytes.
A terabyte (TB) is 10^12 or 1,000,000,000,000 bytes. 1,024 TiB is a
pebibyte (p. 181).
template format version
The version of an AWS CloudFormation template design that determines the
available features. If you omit the AWSTemplateFormatVersion section from
your template, AWS CloudFormation assumes the most recent format version.
template validation
The process of confirming the use of JSON (p. 176) code in an AWS
CloudFormation template. You can validate any AWS CloudFormation template
using the cfn-validate-template command.
temporary security credentials
Authentication information that is provided by AWS STS (p. 162) when you call an
STS API action. Includes an access key ID (p. 153), a secret access key (p. 187),
a session (p. 188) token, and an expiration time.
throttling
The means by which Amazon SES rejects your attempts to send email because
you have exceeded your sending limits (p. 188).
time series data
Data provided as part of a metric. The time value is assumed to be when the
value occurred. A metric is the fundamental concept for CloudWatch and
represents a time-ordered set of data points. You publish metric data points into
CloudWatch and later retrieve statistics about those data points as a time-series
ordered data set.
time stamp
A date/time string in ISO 8601 format.
TLS
See Transport Layer Security.
tokenization
The process of splitting a stream of text into separate tokens on detectable
boundaries such as whitespace and hyphens.
topic
A communication channel to send messages and subscribe to notifications. It
provides an access point for publishers and subscribers to communicate with
each other.
transition
In AWS CodePipeline, the act of a revision in a pipeline continuing from one stage
to the next in a workflow.
Transport Layer Security
A cryptographic protocol that provides security for communication over the Internet.
Its predecessor is Secure Sockets Layer (SSL).
trust policy
An IAM (p. 161) policy (p. 182) that is an inherent part of an IAM role (p. 186). The
trust policy specifies which principal (p. 182)s are allowed to use the role.
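How a trust policy gates assumption of a role, and what the caller gets back, as an added example that models the documented IAM evaluation rules rather than reproducing the IAM engine (this is not AWS code). The trust policy is constructed in IAM policy-document form; the evaluator applies the rules in the order IAM documents them (an explicit Deny wins, an Allow is needed, anything unmatched is an implicit deny) and models only the `Bool`, `BoolIfExists` and `StringEquals` condition operators. The MFA example exists to show the edge case a practitioner trips over: a Deny conditioned on `"Bool": {"aws:MultiFactorAuthPresent": "false"}` does not apply when the key is absent from the request context, which is exactly the case for a caller using long-term access keys, whereas `BoolIfExists` does. `assume_role` returns credentials shaped like those AWS STS issues (access key ID with the `ASIA` prefix, secret, session token, expiration); the key material is random and opens nothing.

```python
"""Model of trust-policy evaluation for sts:AssumeRole. Added example; not
the IAM engine. Operators beyond Bool/BoolIfExists/StringEquals raise."""
import datetime
import fnmatch
import secrets

# Constructed trust policy: alice and contractor may assume the role, but the
# contractor is explicitly denied unless MFA is present. BoolIfExists makes the
# Deny apply even when aws:MultiFactorAuthPresent is missing from the request
# context (as it is for long-term access keys); plain Bool would not.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice",
                               "arn:aws:iam::111122223333:user/contractor"]}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}},
        {"Effect": "Deny", "Action": "sts:*",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/contractor"},
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
EXAMPLE_NOW = datetime.datetime(2016, 1, 1, tzinfo=datetime.timezone.utc)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_matches(stmt_principal, caller) -> bool:
    """caller is {"AWS": arn} or {"Service": name}; a bare "*" matches anyone."""
    if stmt_principal == "*":
        return True
    for ptype, ident in caller.items():
        allowed = _as_list(stmt_principal.get(ptype, []))
        if "*" in allowed or ident in allowed:
            return True
    return False


def condition_holds(condition, context) -> bool:
    """Every operator/key pair must hold. A missing key fails a plain operator
    but satisfies its ...IfExists form; that difference is the MFA pitfall."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, wanted in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            values = _as_list(wanted)
            if base == "Bool":
                ok = str(context[key]).lower() in [str(w).lower() for w in values]
            elif base == "StringEquals":
                ok = str(context[key]) in [str(w) for w in values]
            else:
                raise ValueError(f"operator {op} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, caller, action, context) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' following IAM evaluation order."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not principal_matches(stmt["Principal"], caller):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def assume_role(policy, caller, context, now, duration_seconds=3600, max_session=3600):
    """Temporary credentials shaped like an STS AssumeRole response. Duration
    is bounded by the STS minimum (900 s) and the role's maximum session."""
    if evaluate(policy, caller, "sts:AssumeRole", context) != "Allow":
        raise PermissionError("caller is not trusted to assume this role")
    if not 900 <= duration_seconds <= max_session:
        raise ValueError("DurationSeconds must be between 900 and the role maximum")
    return {
        "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # temporary keys start with ASIA
        "SecretAccessKey": secrets.token_urlsafe(30),
        "SessionToken": secrets.token_urlsafe(60),
        "Expiration": now + datetime.timedelta(seconds=duration_seconds),
    }
```

The trust policy decides only who may assume the role; what the resulting session may do is decided separately by the permissions policies attached to the role, which is why a role is the right unit for least privilege: trust is narrowed in one document, capability in the other.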
trusted signers
AWS account (p. 153)s that the CloudFront distribution owner has given permission
to create signed URLs for a distribution's content.
tuning
Selecting the number and type of AMIs (p. 157) to run a Hadoop job flow most
efficiently.
tunnel
A route for transmission of private network traffic that uses the Internet to connect
nodes in the private network. The tunnel uses encryption and authenticated
protocols such as IPsec to prevent the traffic from being read or altered as it
passes through public routing nodes. (Older tunnel protocols such as PPTP are
no longer considered secure.)
U
unbounded
The number of potential occurrences is not limited by a set number. This value
is often used when defining a data type that is a list (for example,
maxOccurs="unbounded"), in Web Services Description Language (p. 195).
unit
Standard measurement for the values submitted to CloudWatch as metric data.
Units include Seconds, Percent, Bytes, Bits, Count, Bytes/Second, Bits/Second,
Count/Second, and None.
unlink from VPC
The process of unlinking (or detaching) an EC2-Classic instance from a
ClassicLink-enabled VPC.
See Also ClassicLink, link to VPC.
usage report
An AWS report giving details of your usage of a particular AWS service. You can
generate and download usage reports from
http://www.amazonaws.cn/usage-reports/.
user
A person or application under an account (p. 153) that needs to make API calls to
AWS products. Each user has a unique name within the AWS account, and a set
of security credentials not shared with other users. These credentials are separate
from the AWS account's security credentials. Each user is associated with one
and only one AWS account.
V
validation
See template validation.
value
Instances of attributes (p. 159) for an item, such as cells in a spreadsheet. An
attribute might have multiple values.
Tagging resources: A specific tag (p. 191) label that acts as a descriptor within a
tag category (key). For example, you might have EC2 instance (p. 170) with the
tag key of Owner and the tag value of Jan. You can tag an AWS resource with
up to 10 key–value pairs. Not all AWS resources can be tagged.
Variable Envelope Return Path
See VERP.
verification
The process of confirming that you own an email address or a domain so that
you can send emails from or to it.
VERP
Variable Envelope Return Path. A way in which email sending applications can
match bounced emails with the undeliverable address that caused the bounce
by using a different return path (p. 186) for each recipient. VERP is typically used
for mailing lists. With VERP, the recipient's email address is embedded in the
address of the return path, which is where bounced emails are returned. This
makes it possible to automate the processing of bounced emails without having
to open the bounce messages, which may vary in content.
versioning
Every object in Amazon S3 has a key and a version ID. Objects with the same
key, but different version IDs can be stored in the same bucket. Versioning is
enabled at the bucket layer using PUT Bucket versioning.
virtualization
Allows multiple guest virtual machines (VM) to run on a host operating system.
Guest VMs can run on one or more levels above the host hardware, depending
on the type of virtualization.
See Also PV virtualization, HVM virtualization.
virtual private cloud
See VPC.
virtual private gateway
See VPG.
visibility timeout
The period of time that a message is invisible to the rest of your application after
an application component gets it from the queue. During the visibility timeout, the
component that received the message usually processes it, and then deletes it
from the queue. This prevents multiple components from processing the same
message.
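The receive, visibility-timeout and delete cycle described in the receipt handle and visibility timeout entries, as an added example (a simulation with an explicit clock, not the Amazon SQS implementation). It shows the two behaviours a consumer has to design for: a message that is not deleted before its timeout expires is delivered again, so processing must be idempotent; and each delivery carries a fresh receipt handle, so a delete with the handle from an earlier delivery fails. `change_visibility` is the escape hatch for a consumer that needs more time than the queue's default. Message bodies and timings are constructed.

```python
"""Model of the SQS receive/visibility-timeout/delete cycle with an explicit
clock in whole seconds. Added example; not the SQS implementation."""
import itertools
import secrets


class VisibilityQueue:
    def __init__(self, visibility_timeout: int = 30):
        self.visibility_timeout = visibility_timeout
        self._messages = {}            # message id -> state
        self._ids = itertools.count(1)

    def send(self, body: str) -> str:
        mid = f"msg-{next(self._ids)}"
        self._messages[mid] = {"body": body, "hidden_until": 0, "handle": None, "receives": 0}
        return mid

    def receive(self, now: int, max_messages: int = 1) -> list:
        """Return visible messages and hide each for visibility_timeout seconds.
        Every delivery issues a new receipt handle; earlier handles go stale."""
        out = []
        for mid, m in self._messages.items():
            if m["hidden_until"] > now:
                continue
            m["handle"] = secrets.token_urlsafe(12)
            m["hidden_until"] = now + self.visibility_timeout
            m["receives"] += 1
            out.append({"MessageId": mid, "Body": m["body"],
                        "ReceiptHandle": m["handle"],
                        "ApproximateReceiveCount": m["receives"]})
            if len(out) == max_messages:
                break
        return out

    def delete(self, receipt_handle: str) -> bool:
        """Delete succeeds only with the handle from the most recent delivery."""
        for mid, m in self._messages.items():
            if m["handle"] == receipt_handle:
                del self._messages[mid]
                return True
        return False

    def change_visibility(self, receipt_handle: str, now: int, timeout: int) -> bool:
        """Extend (or shorten) how long a message stays hidden from other consumers."""
        for m in self._messages.values():
            if m["handle"] == receipt_handle:
                m["hidden_until"] = now + timeout
                return True
        return False

    def __len__(self) -> int:
        return len(self._messages)
```

A receive count above one on a delivered message is the signal that an earlier consumer failed or ran past its timeout; production consumers usually route messages that keep reappearing to a dead-letter queue rather than retrying them indefinitely.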
volume
Allows you to share data between container (p. 166)s and to persist the data on
the container instance (p. 166) after the containers are no longer running.
VPC
Virtual private cloud. An elastic network populated by infrastructure, platform, and
application services that share common security and interconnection.
VPC endpoint
A feature that enables you to create a private connection between your VPC and
another AWS service without requiring access over the Internet, through a
NAT instance, a VPN connection, or AWS Direct Connect.
VPG
Virtual private gateway. The Amazon side of a VPN connection that maintains
connectivity. The internal interfaces of the virtual private gateway connect to your
VPC via the VPN attachment and the external interfaces connect to the VPN
connection, which leads to the customer gateway.
VPN CloudHub
See AWS VPN CloudHub.
VPN connection
Although VPN connection is a general term, we specifically mean the IPsec
connection between a VPC (p. 194) and some other network, such as a corporate
data center, home network, or co-location facility.
W
WAM
See Amazon WorkSpaces Application Manager (Amazon WAM).
web access control list
AWS WAF (p. 163): A set of rules that defines the conditions that AWS WAF
searches for in web requests to AWS resources such as Amazon CloudFront
distributions. A web access control list (web ACL) specifies whether to allow,
block, or count the requests.
Web Services Description
Language
A language used to describe the actions that a web service can perform, along
with the syntax of action requests and responses. Your SOAP or other toolkit
interprets a WSDL file to provide your application access to the actions provided
by the web service. For most toolkits, your application calls a service action using
routines and classes provided or generated by the toolkit.
X, Y, Z
X.509 certificate
A digital document that uses the X.509 public key infrastructure (PKI) standard
to verify that a public key belongs to the entity described in the certificate (p. 165).
yobibyte
A contraction of yotta binary byte, a yobibyte is 2^80 or
1,208,925,819,614,629,174,706,176 bytes. A yottabyte (YB) is 10^24 or
1,000,000,000,000,000,000,000,000 bytes.
zebibyte
A contraction of zetta binary byte, a zebibyte is 2^70 or
1,180,591,620,717,411,303,424 bytes. A zettabyte (ZB) is 10^21 or
1,000,000,000,000,000,000,000 bytes. 1,024 ZiB is a yobibyte (p. 195).
zone awareness
Amazon Elasticsearch Service (Amazon ES) (p. 156): A configuration that
distributes nodes in a cluster across two Availability Zones in the same region.
Zone awareness helps to prevent data loss and minimizes downtime in the event
of node and data center failure.