diff --git a/README.md b/README.md
index e59cd76..5f7c26c 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,11 @@ triggered the build, `version_description: ${{github.SHA}}`.
 `environment_name`: In version 10 this parameter becomes optional. If you don't pass an environment in the action will simply create
 the version but not deploy it anywhere.
 
+### AWS Permissions
+
+It should be enough for your AWS user to have the policies **AWSElasticBeanstalkWebTier** and **AWSElasticBeanstalkService** attached 
+to be able to deploy your project. 
+
 ### Failure modes
 If you're uploading a new version the action will fail if that file already exists in S3, if the application version
 exists in Beanstalk and of course if the deployment fails. The action will wait until Beanstalk reports that the
diff --git a/aws-api-request.js b/aws-api-request.js
index 72e4389..68383ed 100644
--- a/aws-api-request.js
+++ b/aws-api-request.js
@@ -52,7 +52,10 @@ function awsApiRequest(options) {
             //Changed this from double encoding the path to single encoding it, to make S3 paths with spaces work. However, the documentation said to
             //double encode it...? The only time we actually encode a path other than / is when uploading to S3 so just change this to single encoding here
             //but it's possible it will mess up if the path has some weird characters that should be double encoded maybe??? If you had weird symbols in your version number?
-            canonical += encodeURI(path) + '\n';
+            //
+            //Unencoded parentheses in the path is valid. However, they must be encoded in the canonical path to pass signature verification even if
+            //the actual path has them unencoded.
+            canonical += encodeURI(path).replace(/\(/g, '%28').replace(/\)/g, '%29') + '\n';
         
             let qsKeys = Object.keys(querystring);
             qsKeys.sort();