aws-quickstart/quickstart-examples

Guidance on SigV4 within the QuickStart Catalog

andrew-glenn opened this issue · 1 comments

Note: The AWS Quick Start team is in the process of updating our entire catalog to reflect SigV4 requests. A blog post is in progress at this time. For the moment, this issue serves as a placeholder for additional details, including links to relevant blog posts, documentation, etc. Watch this space!

From: https://aws.amazon.com/blogs/aws/amazon-s3-update-sigv2-deprecation-period-extended-modified/

"Every request that you make to the Amazon S3 API must be signed to ensure that it is authentic. In the early days of AWS we used a signing model that is known as Signature Version 2, or SigV2 for short. Back in 2012, we announced SigV4, a more flexible signing method, and made it the sole signing method for all regions launched after 2013. At that time, we recommended that you use it for all new S3 applications... any new buckets created after June 24, 2020 will not support SigV2 signed requests, although existing buckets will continue to support SigV2 while we work with customers to move off this older request signing method."

In order to ensure CloudFormation S3 requests use SigV4, the requests need to include the S3 bucket's regional endpoint, in the format "https://<bucket>.s3.<region>.${AWS::URLSuffix}/<key>".

For example, if "demobucket" is in us-east-2, then CloudFormation references to files in the bucket should use the pattern "https://demobucket.s3.us-east-2.amazonaws.com/demokey/", since "https://demobucket.s3.amazonaws.com/demokey/" will use SigV2 by default.
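As an added example (not code from this issue or the Quick Start catalog), a small Python check that classifies S3 object URLs by the endpoint form described above, flags region-less ones in a template body, and rewrites them to the regional endpoint. The sample template and the object name `child.template` are constructed for the demonstration; the region regex is an assumption about AWS region naming.

```python
import re
from urllib.parse import urlparse, urlunparse

# Region-less virtual-hosted host: <bucket>.s3.amazonaws.com (SigV2 by default)
GLOBAL_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3\.amazonaws\.com$")
# Regional virtual-hosted host: <bucket>.s3.<region>.amazonaws.com (SigV4).
# Region pattern (e.g. us-east-2, us-gov-west-1) is an assumption, not from the issue.
REGIONAL_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+)"
    r"\.amazonaws\.com(?:\.cn)?$"
)
# Any https URL embedded in template text (stops at whitespace or quotes)
URL_IN_TEXT = re.compile(r"https://[^\s\"'<>]+")


def classify_s3_url(url: str) -> str:
    """Return 'regional' (SigV4), 'global' (SigV2 by default) or 'other'."""
    host = (urlparse(url).hostname or "").lower()
    if REGIONAL_HOST.match(host):
        return "regional"
    if GLOBAL_HOST.match(host):
        return "global"
    return "other"


def to_regional(url: str, region: str) -> str:
    """Rewrite a region-less virtual-hosted S3 URL to the regional endpoint.

    In a template the equivalent string would use ${AWS::Region} and
    ${AWS::URLSuffix}; here the suffix is fixed to amazonaws.com.
    """
    parts = urlparse(url)
    m = GLOBAL_HOST.match((parts.hostname or "").lower())
    if not m:
        return url  # already regional, or not an S3 URL: leave unchanged
    return urlunparse(parts._replace(netloc=f"{m['bucket']}.s3.{region}.amazonaws.com"))


def find_global_s3_urls(template_text: str) -> list:
    """Return every region-less S3 URL found in a CloudFormation template body."""
    return [u for u in URL_IN_TEXT.findall(template_text)
            if classify_s3_url(u) == "global"]


# Constructed sample: a nested-stack reference using the region-less endpoint.
SAMPLE_TEMPLATE = """
Resources:
  Child:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://demobucket.s3.amazonaws.com/demokey/child.template
"""
```

Running `find_global_s3_urls(SAMPLE_TEMPLATE)` flags the nested-stack URL, and `to_regional(url, "us-east-2")` produces the `demobucket.s3.us-east-2.amazonaws.com` form the issue recommends.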