AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-10-13 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md

Summary

Added TLSv1.2_2025 security policy column to cipher/signature scheme tables and introduced FIPS 140-3 compliance documentation

Security assessment

The change introduces TLSv1.2_2025 as a FIPS 140-3-compliant policy and adds a section explaining FIPS compliance requirements. This directly relates to cryptographic security standards compliance, which is a security-focused enhancement. The update helps users meet government security requirements but does not indicate remediation of a specific vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md b/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md
index fad8ef4d2..af2972f28 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md
@@ -5 +5 @@
-OpenSSL, s2n, and RFC cipher namesSupported signature schemes between viewers and CloudFront
+FIPs security policiesOpenSSL, s2n, and RFC cipher namesSupported signature schemes between viewers and CloudFront
@@ -24 +24 @@ A viewer must support at least one of the supported ciphers to establish an HTTP
-| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2025  
+| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.2_2025 | TLSv1.3_2025  
@@ -26,5 +26,5 @@ A viewer must support at least one of the supported ciphers to establish an HTTP
-TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-TLSv1.1 | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-TLSv1 | ♦ | ♦ | ♦ |  |  |  |  |   
-SSLv3 | ♦ |  |  |  |  |  |  |   
+TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
+TLSv1.1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+TLSv1 | ♦ | ♦ | ♦ |  |  |  |  |  |   
+SSLv3 | ♦ |  |  |  |  |  |  |  |   
@@ -32,3 +32,3 @@ SSLv3 | ♦ |  |  |  |  |  |  |
-TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | ♦  
@@ -36,7 +36,7 @@ TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦
-ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
-ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
-ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
+ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
+ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
+ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
+ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
+ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
+ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
@@ -44,14 +44,22 @@ ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |
-ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
-ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
-ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-DES-CBC3-SHA | ♦ | ♦ |  |  |  |  |  |   
-RC4-MD5 | ♦ |  |  |  |  |  |  |   
+ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
+ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
+ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
+ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
+ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |   
+ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |   
+AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |   
+AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |   
+AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+DES-CBC3-SHA | ♦ | ♦ |  |  |  |  |  |  |   
+RC4-MD5 | ♦ |  |  |  |  |  |  |  |   
+  
+## FIPs security policies
+
+The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the _AWS Cloud Security Compliance_ page.
+
+All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the [ AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the _NIST Cryptographic Module Validation Program_ site.
+
+TLSv1.2_2025 is a FIPS 140-3-compliant version of the TLS1.2_2021 security policy.
@@ -129,19 +137,19 @@ CloudFront supports the following signature schemes for connections between view
-Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 |  TLSv1.2_2021 | TLSv1.3_2025  
-TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |   
-TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
-TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |   
-TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |   
+Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 |  TLSv1.2_2021 | TLSv1.2_2025 | TLSv1.3_2025  
+TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
+TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |   
+TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦  
+TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |   
+TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |