atlas_scoffed

Reputation: 4137

Is the Body of a SigV4 request to AWS API Gateway signed by default?

From my limited testing it appears that the body of a request (below) to the API Gateway is not signed by default.

This is the code used to call the API:

testAPI: function(id_token, access_key, secret_key, session, name, pass) {

  // Client from aws-api-gateway-client, signing with the supplied credentials
  let apigClient = awsApiGatewayClient.newClient({
    invokeUrl: 'https://sdf523lkas.execute-api.ap-southeast-2.amazonaws.com/', // api url
    accessKey: access_key,
    secretKey: secret_key,
    sessionToken: session,
    region: 'ap-southeast-2'
  });

  let method = 'POST';
  let pathTemplate = api.createRDSPath;
  let params = {};
  let additionalParams = {
    headers: {
      myHeader: 'this is my header' // Check if custom header is signed
    }
  };

  let body = { // Check if body is signed
    name: "name",
    pass: "pass",
  };

  // Send Request
  apigClient.invokeApi(params, pathTemplate, method, additionalParams, body)
    .then(function(result) {
      console.log(result);
    }).catch(function(result) {
      console.log(result);
    });
}

I seem to remember finding some documentation that actually stated the body was not signed, but I can no longer find that reference.

I don't really trust my tests, so I'd like to find a reference explicitly stating either way.

Upvotes: 0

Views: 745

Answers (1)

Michael - sqlbot

Reputation: 179314

Signing the body is always part of Signature Version 4.

The last line in the Canonical Request -- which is a component of the input to the actual signing process -- is the lowercase, hex-encoded, SHA-256 hash of the "request payload" -- that is, the body. If the body is empty, the SHA-256 of empty string (e3b0c44298...) is used.

So, unlike signed headers -- which are listed in the request if they are included in the signature -- the body is always signed.

Upvotes: 1
