diff --git a/.changelog/transfer-encoding-signing.md b/.changelog/transfer-encoding-signing.md
new file mode 100644
index 0000000000000000000000000000000000000000..19975f0e4f21f0735b7407e5a8eef77de86c9783
--- /dev/null
+++ b/.changelog/transfer-encoding-signing.md
@@ -0,0 +1,10 @@
+---
+applies_to: ["aws-sdk-rust"]
+authors: ["landonxjames"]
+references: ["smithy-rs#3991"]
+breaking: false
+new_feature: false
+bug_fix: true
+---
+
+Exclude `transfer-encoding` header from sigv4(a) signing since it is a hop by hop header that can be modified or removed by a proxy.
diff --git a/aws/rust-runtime/Cargo.lock b/aws/rust-runtime/Cargo.lock
index 47b7a8e10a176dd6c43f339249aa951b0b805be6..45f02311311be538d68c8656c2795c0d9f529585 100644
--- a/aws/rust-runtime/Cargo.lock
+++ b/aws/rust-runtime/Cargo.lock
@@ -228,7 +228,7 @@ version = "0.60.3"
 
 [[package]]
 name = "aws-sigv4"
-version = "1.2.7"
+version = "1.2.8"
 dependencies = [
  "aws-credential-types",
  "aws-smithy-eventstream",
diff --git a/aws/rust-runtime/aws-sigv4/Cargo.toml b/aws/rust-runtime/aws-sigv4/Cargo.toml
index 5bda4ee0414999451dfa926988ec539e2ca1224c..cdc588bbe93619807476cad0aa83ae6170200e16 100644
--- a/aws/rust-runtime/aws-sigv4/Cargo.toml
+++ b/aws/rust-runtime/aws-sigv4/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "aws-sigv4"
-version = "1.2.7"
+version = "1.2.8"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>", "David Barsky <me@davidbarsky.com>"]
 description = "SigV4 signer for HTTP requests and Event Stream messages."
 edition = "2021"
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
index 4622f841d985fd9db5b54528915b3fb2cf5d59a4..265025e046e35329227ad5dc50ae4897c17a3481 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
@@ -877,7 +877,7 @@ mod tests {
         assert_eq!(creq.values.signed_headers().as_str(), "host;x-amz-date");
     }
 
-    // It should exclude authorization, user-agent, x-amzn-trace-id headers from presigning
+    // It should exclude authorization, user-agent, x-amzn-trace-id, and transfer-encoding headers from presigning
     #[test]
     fn non_presigning_header_exclusion() {
         let request = http0::Request::builder()
@@ -888,6 +888,7 @@ mod tests {
             .header("user-agent", "test-user-agent")
             .header("x-amzn-trace-id", "test-trace-id")
             .header("x-amz-user-agent", "test-user-agent")
+            .header("transfer-encoding", "chunked")
             .body("")
             .unwrap()
             .into();
@@ -909,7 +910,7 @@ mod tests {
         );
     }
 
-    // It should exclude authorization, user-agent, x-amz-user-agent, x-amzn-trace-id headers from presigning
+    // It should exclude authorization, user-agent, x-amz-user-agent, x-amzn-trace-id, and transfer-encoding headers from presigning
     #[test]
     fn presigning_header_exclusion() {
         let request = http0::Request::builder()
@@ -920,6 +921,7 @@ mod tests {
             .header("user-agent", "test-user-agent")
             .header("x-amzn-trace-id", "test-trace-id")
             .header("x-amz-user-agent", "test-user-agent")
+            .header("transfer-encoding", "chunked")
             .body("")
             .unwrap()
             .into();
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs b/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
index bc8409b807d83958f008490e6f74e12de165fbad..4ca7158eee819a64624f8c5d85553c160ef57f6e 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-use http0::header::{AUTHORIZATION, USER_AGENT};
+use http0::header::{AUTHORIZATION, TRANSFER_ENCODING, USER_AGENT};
 use std::borrow::Cow;
 use std::time::Duration;
 
@@ -126,6 +126,8 @@ impl Default for SigningSettings {
                 Cow::Borrowed(USER_AGENT.as_str()),
                 // Changes based on the request from the client
                 Cow::Borrowed(HEADER_NAME_X_RAY_TRACE_ID),
+                // Hop by hop header, can be erased by Cloudfront
+                Cow::Borrowed(TRANSFER_ENCODING.as_str()),
             ]
             .to_vec(),
         );