Upload an S3 object with a SHA-256 checksum
📑 On this page
Part 42 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
Checksums help detect accidental corruption in transit and at rest. The checksum algorithm is separate from server-side encryption.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
echo "checksum demo" > checksum.txt
aws s3api put-object \
--bucket "$BUCKET" \
--key checksum.txt \
--body checksum.txt \
--checksum-algorithm SHA256A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api head-object \
--bucket "$BUCKET" \
--key checksum.txt \
--checksum-mode ENABLED \
--query "{SHA256:ChecksumSHA256,Size:ContentLength}"Read the returned fields rather than assuming the write succeeded exactly as intended.
One tiny variation
aws s3api get-object \
--bucket "$BUCKET" \
--key checksum.txt \
--checksum-mode ENABLED downloaded-checksum.txtThe response includes checksum metadata while the object body is written to the output file.
Common mistake
An ETag is not a universal MD5 checksum. Multipart uploads and encrypted objects can produce ETags that must not be treated as content hashes.
Cleanup
aws s3 rm "s3://$BUCKET/checksum.txt"
rm checksum.txt downloaded-checksum.txtThe checked object and local files are removed.
Next, we will learn Verify stored S3 checksums without downloading.