AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-10-13 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/DownloadDistValuesGeneral.md

Summary

Added TLSv1.2_2025 security policy (FIPS140-3-compliant) and updated references to include it in policy lists and documentation

Security assessment

The addition of TLSv1.2_2025 explicitly addresses compliance with FIPS140-3 standards, which is a security-related enhancement. The documentation updates ensure users are aware of newer cryptographic protocols, directly impacting security posture.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/DownloadDistValuesGeneral.md b/AmazonCloudFront/latest/DeveloperGuide/DownloadDistValuesGeneral.md
index 69b6efa27..99f6e60a2 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/DownloadDistValuesGeneral.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/DownloadDistValuesGeneral.md
@@ -155,0 +156,2 @@ The security policies that are available depend on the values that you specify f
+    * TLSv1.2_2025
+
@@ -174 +176 @@ The security policies that are available depend on the values that you specify f
-In this configuration, the TLSv1.3_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, and TLSv1_2016 security policies aren’t available in the CloudFront console or API. If you want to use one of these security policies, you have the following options:
+In this configuration, the TLSv1.3_2025, TLSv1.2_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, and TLSv1_2016 security policies aren’t available in the CloudFront console or API. If you want to use one of these security policies, you have the following options:
@@ -178 +180 @@ In this configuration, the TLSv1.3_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_201
-    * If you must keep Legacy Clients Support with dedicated IP addresses, you can request one of the other TLS security policies (TLSv1.3_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) by creating a case in the [AWS Support Center](https://console.aws.amazon.com/support/home).
+    * If you must keep Legacy Clients Support with dedicated IP addresses, you can request one of the other TLS security policies (TLSv1.3_2025, TLSv1.2_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) by creating a case in the [AWS Support Center](https://console.aws.amazon.com/support/home).
@@ -184 +186 @@ Before you contact AWS Support to request this change, consider the following:
-      * When you add one of these security policies (TLSv1.3_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) to a Legacy Clients Support distribution, the security policy is applied to _all_ non-SNI viewer requests for _all_ Legacy Clients Support distributions in your AWS account. However, when viewers send SNI requests to a distribution with Legacy Clients Support, the security policy of that distribution applies. To make sure that your desired security policy is applied to _all_ viewer requests sent to _all_ Legacy Clients Support distributions in your AWS account, add the desired security policy to each distribution individually.
+      * When you add one of these security policies (TLSv1.3_2025, TLSv1.2_2025, TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) to a Legacy Clients Support distribution, the security policy is applied to _all_ non-SNI viewer requests for _all_ Legacy Clients Support distributions in your AWS account. However, when viewers send SNI requests to a distribution with Legacy Clients Support, the security policy of that distribution applies. To make sure that your desired security policy is applied to _all_ viewer requests sent to _all_ Legacy Clients Support distributions in your AWS account, add the desired security policy to each distribution individually.