I came across the below suggestion on AWS docs regarding protecting request data in transit:
https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
Protect data in transit

To prevent tampering with a request while it's in transit, some of the request elements are used to calculate a hash (digest) of the request, and the resulting hash value is included as part of the request. When an AWS service receives the request, it uses the same information to calculate a hash and matches it against the hash value in your request. If the values don't match, AWS denies the request.
Just wondering, is it not possible for the tamperer to recalculate the hash from the changed values and replace the new hash with the original hash, so that the server is not able to see any problem with the request?
Is the hash getting created using a secret key? And the tamperer will not be able to create the new hash properly?
I am sure I am missing something here. Could someone please help?
Yes, the "hash" referred to here is actually an HMAC, and creating it requires your AWS secret access key.
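The keyed check described in the answer, sketched as an added example that is not part of the original answer or AWS's own code: it follows the Signature Version 4 key derivation and signing steps, but the canonical request is a simplified constructed string, and the secret, timestamp, region, service and host are constructed sample values.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret: str, canonical_request: str, timestamp: str,
                    region: str, service: str) -> str:
    """Signature Version 4: HMAC-SHA256 keyed by a key derived from the secret."""
    date = timestamp[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    # Unkeyed digest of the request: anyone, including a tamperer, can compute it.
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", timestamp, scope, digest])
    # Key derivation chain: each step is an HMAC keyed by the previous result.
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()

def server_accepts(stored_secret: str, canonical_request: str, timestamp: str,
                   region: str, service: str, presented: str) -> bool:
    """Service side: recompute with its copy of the secret, compare in constant time."""
    expected = sigv4_signature(stored_secret, canonical_request, timestamp, region, service)
    return hmac.compare_digest(expected, presented)

# Constructed sample values (not real credentials or a real request).
SECRET = "constructed-example-secret-key"
TS, REGION, SERVICE = "20240101T000000Z", "us-east-1", "s3"
ORIGINAL = "GET\n/reports/q1.csv\n\nhost:example-bucket.s3.amazonaws.com\n"
TAMPERED = ORIGINAL.replace("q1.csv", "payroll.csv")

def demo() -> dict:
    client_sig = sigv4_signature(SECRET, ORIGINAL, TS, REGION, SERVICE)
    # Without the secret, a modified request can only be signed with some other key.
    forged_sig = sigv4_signature("attacker-guess", TAMPERED, TS, REGION, SERVICE)
    return {
        "genuine": server_accepts(SECRET, ORIGINAL, TS, REGION, SERVICE, client_sig),
        "tampered_old_sig": server_accepts(SECRET, TAMPERED, TS, REGION, SERVICE, client_sig),
        "tampered_resigned": server_accepts(SECRET, TAMPERED, TS, REGION, SERVICE, forged_sig),
    }

if __name__ == "__main__":
    print(demo())
```

The SHA-256 digest inside the string to sign can be recomputed by anyone for the modified request; what cannot be reproduced without the secret access key is the outer HMAC, which is why both tampered cases are rejected.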