Monday, April 10, 2006

Amazon S3: no WS-Security, why?

Amazon has released its new S3 service (Simple Storage Service). Through a REST or SOAP API, data can be securely stored on the servers of Amazon.

This new service made me think: when will such shared storage be used to exchange business documents between business partners? Why not use this

To use this shared storage for B2B, a good security and authorization mechanism is needed. It is possible to grant rights to users with Amazon accounts, but that is not enough.

While browsing through the documentation, and the SOAP API in particular, I noticed the nice secure mechanism based on HMAC: "HMAC-SHA1 digest ( of the concatenation of "AmazonS3" + OPERATION + Timestamp, using your AWS Secret Access Key as the key"".

But why didn't Amazon use WS-Security and the UserName Token Profile? The Username Token Profile is such a nice spec! Why opted Amazon for this HMAC solution?

Finally: Amazon also has a Simple Queue Service, but that only supports messages upto 4K.