Azure provides shared access signatures ([1], [2], [3]) that can delegate access (read/write) to specific blobs/containers/tables/queues in an Azure Storage account using an access key generated through the REST API. Does AWS offer a similar feature?

Presigned URL in S3 is the equivalent: https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

There are also ways to generate them with SDKs not mentioned in this documentation, you can google it.

Python for example: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html

Equivalent for shared access signature in Amazon AWS is Query String Authentication however it is only for Amazon S3 (equivalent to Windows Azure Blob Storage). AWS does not have anything similar to shared access signature for SimpleDB/DynamoDB (counterpart of Windows Azure Table Storage) and Simple Queue Service (counterpart of Windows Azure Queue Service).

I also did a comparison between Amazon AWS and Windows Azure Storage Services (S3 v/s Blob Storage etc.) in a series of blog posts which you can read here: http://gauravmantri.com/?s=Amazon+Comparing. Thought you might find it useful.

It is almost identical to what Azure provides, just without a special name like SAS. See http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html for details.

I haven't tried it yet but looks like pre-signed URLs are the thing: See the "Amazon S3: Getting a pre-signed URL for a PUT operation with a specific payload" section of http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-examples.html

S3 presigned URLs have similar functionality (as mentioned in the other answers), but I thought I'd point out one dissimilarinty that I learned the hard way: max expiration time is very different on Azure Blob Storage vs. S3

For SAS URLs for Azure Blob Storage objects, the expiration datetime can be very far out into the future -- a year or whatever the user desires.

For S3 presigned URLs:

When using the console the maximum expiration time for a presigned URL is 12 hours from the time of creation.

When you use the AWS CLI, the maximum expiration time for a presigned URL is 7 days from the time of creation.

When you use the AWS SDKs to generate a presigned URL, the maximum expiration time is 7 days from the time of creation.

Those quotes are from https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html

This means that some of the use-cases enabled by SAS URLs on Blob Storage (like sending links to clients to download a file within the next 30 days) just can't be done with S3 presigned URLs.

If you want signed URLs that last longer, AWS suggests you glue together your own custom file sharing service using a Lambda + API Gateway + DynamoDB: https://aws.amazon.com/blogs/security/how-to-securely-transfer-files-with-presigned-urls/