by tptacek 3082 days ago
The AWS API runs over TLS, and uses signed requests.

Perhaps because it was originally designed for use without TLS? Request signing was pretty much ubiquitous 10 years ago.
I'm not from Amazon but I'd guess they want to protect the request from being replayed inside their own systems.
More likely it's so they don't have to have a more convoluted process where they call out to the requesting service to verify RQ & all which that entails (on both sides).