AWS waf documentation change
Summary
Added detailed technical explanation of SHA-256 hashing process for data protection
Security assessment
Enhances documentation about existing security feature (data masking) but doesn't introduce new security controls or address vulnerabilities
Diff
diff --git a/waf/latest/developerguide/data-protection-masking.md b/waf/latest/developerguide/data-protection-masking.md index 88cf9b147..17e9d9ce9 100644 --- a//waf/latest/developerguide/data-protection-masking.md +++ b//waf/latest/developerguide/data-protection-masking.md @@ -22 +22,18 @@ You can configure data protection at either: -Data protection can be specified as either a substitution or hashing. Substitution refers to replacing content with the word `REDACTED`. Hashing refers to replacing content with `sha256(account_number + content[:64])`. You should review the characteristics of SHA-256 hashing to determine if it meets your requirements before you select the appropriate data protection method. We do not recommend relying on SHA-256 hashing if you intend to achieve an outcome equivalent to encryption or tokenization. +Data protection can be specified as either a substitution or hashing. + +Substitution refers to replacing content with the word `REDACTED`. + +Hashing refers to replacing content, from string to SHA-256 binary to Base64: + + 1. First, the algorithm builds a string from account_number and content. + + 2. It then applies SHA-256 to produce a binary hash. + + 3. Finally, it encodes those bytes using Base64. + + + + +###### Tip + +You should review the characteristics of SHA-256 hashing to determine if it meets your requirements before you select the appropriate data protection method. We do not recommend relying on SHA-256 hashing if you intend to achieve an outcome equivalent to encryption or tokenization.