Validating Requests Are From Amazon Cloud Service (certificate pinning)
https://forums.developer.amazon.com/forums/thread.jspa?messageID=15388 The accepted answer does not adequately answer the question, as the header contents in the HTTP request are not signed under the signature given. Someone (even Amazon) could easily use a different value for the signaturecertchainurl: header than the current value of 'https://s3.amazonaws.com/echo.api/echo-api-cert.pem', either with intent to deceive, or because over time the Amazon AlexaKit team changes where to find the certificate chain. How do you recommend ensuring that a publicly accessible API endpoint be able to verify that not only is the signature valid, but that the signature itself is from Amazon's private key?
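One way an endpoint can constrain the unsigned signaturecertchainurl: header before fetching anything from it, as an added example that is not part of the original post. The allowed scheme, host, port and path prefix are assumptions taken from Amazon's published request-verification rules for Alexa skills, not from this thread, and the function name is hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed allowlist (Amazon's published Alexa rules; confirm against current docs).
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "s3.amazonaws.com"
TRUSTED_PORT = 443
TRUSTED_PATH_PREFIX = "/echo.api/"  # compared case-sensitively


def is_trusted_cert_chain_url(url: str) -> bool:
    """Return True only if the header value points inside the expected location."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False

    if parts.scheme.lower() != TRUSTED_SCHEME:
        return False
    # Reject userinfo tricks such as https://s3.amazonaws.com@other.host/...
    if parts.username is not None or parts.password is not None:
        return False
    if (parts.hostname or "").lower() != TRUSTED_HOST:
        return False
    if port is not None and port != TRUSTED_PORT:
        return False

    # Decode percent-escapes and collapse dot segments before the prefix check,
    # so "/echo.api/../x" and "/echo.api/%2e%2e/x" cannot escape the prefix.
    path = posixpath.normpath(unquote(parts.path))
    return path.startswith(TRUSTED_PATH_PREFIX)


if __name__ == "__main__":
    # Constructed sample header values.
    for candidate in (
        "https://s3.amazonaws.com/echo.api/echo-api-cert.pem",
        "https://s3.amazonaws.com/echo.api/../other-bucket/cert.pem",
        "https://s3.amazonaws.com.example.test/echo.api/echo-api-cert.pem",
    ):
        print(candidate, is_trusted_cert_chain_url(candidate))
```

This check only limits where the chain is fetched from. The downloaded chain still has to validate to a trusted root and name the expected Amazon signing identity before its public key is used to check the request signature.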