Here’s what the documentation has to say. Basically it boils down to the timestamp, and to mitigate against replay attacks, they suggest using SSL.

Authenticating Requests

Requests to AWS are authenticated by verifying information contained
within the request. This verification is performed using the
information in the following table.

AWSAccessKeyId The sender’s AWS account is identified by the Access Key ID. The Access Key ID is used to look up the Secret Access Key.

Signature Each request to a web service that requires authenticated requests must contain a valid request signature, or the request is rejected. A request signature is
calculated using the Secret Access Key assigned to the developer’s account by AWS, which is a shared secret known only to AWS and the developer.

Timestamp The date and time the request was created, represented as a string in UTC. The format of the value of this parameter must match the format of the XML Schema dateTime data type.

The second link has this to offer:

The best mechanism for defense against a replay attack is to ensure
all your requests are made over an SSL connection. If you cannot use
SSL, then the mechanism available to you for prevention of replay
attacks is the Expires parameter in signature version 2. This requires
your client to be synchronized to atomic time (using NTP, or a similar
synchronization protocol). If you do not use the Expires parameter,
and rely only on the timestamp parameter, your requests are subject to
a request expiration period, which varies by service, but can be as
long as 15 minutes.