AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-08-16 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md

Summary

Updated expiration dates in examples and documentation to 2026, expanded epoch time guidance to 64-bit

Security assessment

Addresses the Year 2038 problem by updating examples to use 64-bit epoch time, ensuring signed URL expiration dates function correctly beyond 2038. This prevents potential access control failures due to time overflow.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
index 52457f195..88506715c 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
@@ -17 +17 @@ To create a signed URL using a canned policy, complete the following steps.
-        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1357034400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F
+        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1767290400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F
@@ -67 +67,5 @@ The date and time that you want the URL to stop allowing access to the file.
-Specify the expiration date and time in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2013 10:00 am UTC converts to `1357034400` in Unix time format, as shown in the example at the start of this topic. To use epoch time, use a 32-bit integer for a date that's no later than `2147483647` (January 19th, 2038 at 03:14:07 UTC). For information about UTC, see [RFC 3339, Date and Time on the Internet: Timestamps](https://tools.ietf.org/html/rfc3339).
+Specify the expiration date and time in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2026 10:00 am UTC converts to `1767290400` in Unix time format, as shown in the example at the start of this topic. 
+
+To use epoch time, specify a 64-bit integer for a date that's no later than `9223372036854775807` (Friday, April 11, 2262 at 23:47:16.854 UTC).
+
+For information about UTC, see [RFC 3339, Date and Time on the Internet: Timestamps](https://tools.ietf.org/html/rfc3339).
@@ -152 +156 @@ Note the following:
-The expiration date and time for the URL in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2013 10:00 am UTC converts to 1357034400 in Unix time format.
+The expiration date and time for the URL in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2026 10:00 am UTC converts to 1767290400 in Unix time format.
@@ -160 +164 @@ For more information, see [When CloudFront checks expiration date and time in a
-When you use the following example policy statement in a signed URL, a user can access the file `https://d111111abcdef8.cloudfront.net/horizon.jpg` until January 1, 2013 10:00 am UTC:
+When you use the following example policy statement in a signed URL, a user can access the file `https://d111111abcdef8.cloudfront.net/horizon.jpg` until January 1, 2026 10:00 am UTC:
@@ -169 +173 @@ When you use the following example policy statement in a signed URL, a user can
-                        "AWS:EpochTime": 1357034400
+                        "AWS:EpochTime": 1767290400