AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-05-19 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md

Summary

Enhanced OAC/OAI documentation with stronger recommendations for OAC usage, feature comparisons, and typo fixes

Security assessment

Promotes secure configuration best practices (OAC over OAI) but does not indicate a specific security vulnerability being patched. The changes emphasize security features without evidence of addressing an active exploit.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md
index 075bf1cca..45cba349a 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.md
@@ -9 +9,3 @@ Create a new origin access controlDelete a distribution with an OAC attached to
-CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: _origin access control_ (OAC) and _origin access identity_ (OAI). OAC helps you secure your origins, such as for Amazon S3. We recommend using OAC because it supports:
+CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: _origin access control_ (OAC) and _origin access identity_ (OAI). OAC helps you secure your origins, such as Amazon S3. 
+
+We _recommend_ that you use OAC instead because it supports the following features:
@@ -20 +22 @@ CloudFront provides two ways to send authenticated requests to an Amazon S3 orig
-Origin access identity (OAI) doesn't work for the scenarios in the preceding list, or it requires extra workarounds in those scenarios. The following topics describe how to use origin access control (OAC) with an Amazon S3 origin. For information about how to migrate from origin access identity (OAI) to origin access control (OAC), see Migrating from origin access identity (OAI) to origin access control (OAC).
+OAI doesn't support these features or it requires extra workarounds in those scenarios. If you're already using OAI and want to migrate, see Migrating from origin access identity (OAI) to origin access control (OAC).
@@ -30,0 +33,2 @@ Origin access identity (OAI) doesn't work for the scenarios in the preceding lis
+The following topics describe how to use OAC with an Amazon S3 origin. 
+
@@ -71 +75 @@ If you choose either the **Do not sign requests** or **Do not override authoriza
-  * [Origin protocol policy](./distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy) (custom orgins only)
+  * [Origin protocol policy](./distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy) (custom origins only)
@@ -371 +375 @@ To pass along the `Authorization` header from the viewer request, you _must_ add
-CloudFront _origin access identity_ (OAI) provides similar functionality as _origin access control_ (OAC), but it doesn't work for all scenarios. This is why we recommend using OAC instead. Specifically, OAI doesn't support:
+CloudFront _origin access identity_ (OAI) provides similar functionality as _origin access control_ (OAC), but it doesn't work for all scenarios. Specifically, OAI doesn't support:
@@ -384 +388,3 @@ CloudFront _origin access identity_ (OAI) provides similar functionality as _ori
-For information about how to migrating from OAI to OAC, see Migrating from origin access identity (OAI) to origin access control (OAC).
+###### Tip
+
+We recommend that you use OAC instead. To set up OAC, see Create a new origin access control. For information about how to migrate from OAI to OAC, see Migrating from origin access identity (OAI) to origin access control (OAC).