← All posts
2 min read

Upload an S3 object with a SHA-256 checksum

#aws#cli#s3#storage
📑 On this page

Part 42 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

Checksums help detect accidental corruption in transit and at rest. The checksum algorithm is separate from server-side encryption.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

echo "checksum demo" > checksum.txt
aws s3api put-object \
  --bucket "$BUCKET" \
  --key checksum.txt \
  --body checksum.txt \
  --checksum-algorithm SHA256

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api head-object \
  --bucket "$BUCKET" \
  --key checksum.txt \
  --checksum-mode ENABLED \
  --query "{SHA256:ChecksumSHA256,Size:ContentLength}"

Read the returned fields rather than assuming the write succeeded exactly as intended.

One tiny variation

aws s3api get-object \
  --bucket "$BUCKET" \
  --key checksum.txt \
  --checksum-mode ENABLED   downloaded-checksum.txt

The response includes checksum metadata while the object body is written to the output file.

Common mistake

An ETag is not a universal MD5 checksum. Multipart uploads and encrypted objects can produce ETags that must not be treated as content hashes.

Cleanup

aws s3 rm "s3://$BUCKET/checksum.txt"
rm checksum.txt downloaded-checksum.txt

The checked object and local files are removed.

Next, we will learn Verify stored S3 checksums without downloading.

Official AWS CLI reference