by dboreham 3082 days ago
Signed requests were also invented when the transport connection was in the clear: if the request were not signed then it could be modified in transit by an attacker. These days all sessions are encrypted (SSL/TLS) and so this concern doesn't exist (or doesn't exist if you trust the transport).

The AWS API runs over TLS, and uses signed requests.
Perhaps because it was originally designed for use without TLS? Request signing was pretty much ubiquitous 10 years ago.
I'm not from Amazon but I'd guess they want to protect the request from being replayed inside their own systems.
More likely it's so they don't have to have a more convoluted process where they call out to the requesting service to verify the RQ & all which that entails (on both sides).