AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-10-01 · Documentation low

File: waf/latest/developerguide/data-protection-masking.md

Summary

Added detailed technical explanation of SHA-256 hashing process for data protection

Security assessment

Enhances documentation about existing security feature (data masking) but doesn't introduce new security controls or address vulnerabilities

Diff

diff --git a/waf/latest/developerguide/data-protection-masking.md b/waf/latest/developerguide/data-protection-masking.md
index 88cf9b147..17e9d9ce9 100644
--- a//waf/latest/developerguide/data-protection-masking.md
+++ b//waf/latest/developerguide/data-protection-masking.md
@@ -22 +22,18 @@ You can configure data protection at either:
-Data protection can be specified as either a substitution or hashing. Substitution refers to replacing content with the word `REDACTED`. Hashing refers to replacing content with `sha256(account_number + content[:64])`. You should review the characteristics of SHA-256 hashing to determine if it meets your requirements before you select the appropriate data protection method. We do not recommend relying on SHA-256 hashing if you intend to achieve an outcome equivalent to encryption or tokenization.
+Data protection can be specified as either a substitution or hashing. 
+
+Substitution refers to replacing content with the word `REDACTED`. 
+
+Hashing refers to replacing content, from string to SHA-256 binary to Base64:
+
+  1. First, the algorithm builds a string from account_number and content.
+
+  2. It then applies SHA-256 to produce a binary hash.
+
+  3. Finally, it encodes those bytes using Base64.
+
+
+
+
+###### Tip
+
+You should review the characteristics of SHA-256 hashing to determine if it meets your requirements before you select the appropriate data protection method. We do not recommend relying on SHA-256 hashing if you intend to achieve an outcome equivalent to encryption or tokenization.