AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-04-28 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/media-quality-score.md

Summary

Added requirement to include mediapackagev2:GetHeadObject IAM action when using Media Quality Alert Reporting (MQAR) with Origin Access Control (OAC)

Security assessment

The change explicitly documents required IAM permissions for secure HEAD request authorization to MediaPackage v2 origins. Missing this permission could prevent MQAR from functioning properly and might lead to unauthorized access attempts or misconfigured security policies.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/media-quality-score.md b/AmazonCloudFront/latest/DeveloperGuide/media-quality-score.md
index 6117e08d2..cbbeb4740 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/media-quality-score.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/media-quality-score.md
@@ -58,0 +59,2 @@ If CloudFront determines that both MediaPackage v2 origins have the same score,
+  * If you enabled the MQAR feature and origin access control (OAC), add the `mediapackagev2:GetHeadObject` action to the IAM policy. MQAR requires this permission to send `HEAD` requests to the MediaPackage v2 origin. For more information about OAC, see [Restrict access to an AWS Elemental MediaPackage v2 origin](./private-content-restricting-access-to-mediapackage.html).
+