AWS AmazonCloudFront medium security documentation change
Summary
Added TLSv1.2_2025 security policy column to cipher/signature scheme tables and introduced FIPS 140-3 compliance documentation
Security assessment
The change introduces TLSv1.2_2025 as a FIPS 140-3-compliant policy and adds a section explaining FIPS compliance requirements. This directly relates to cryptographic security standards compliance, which is a security-focused enhancement. The update helps users meet government security requirements but does not indicate remediation of a specific vulnerability.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md b/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md index fad8ef4d2..af2972f28 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md +++ b//AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.md @@ -5 +5 @@ -OpenSSL, s2n, and RFC cipher namesSupported signature schemes between viewers and CloudFront +FIPs security policiesOpenSSL, s2n, and RFC cipher namesSupported signature schemes between viewers and CloudFront @@ -24 +24 @@ A viewer must support at least one of the supported ciphers to establish an HTTP -| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2025 +| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.2_2025 | TLSv1.3_2025 @@ -26,5 +26,5 @@ A viewer must support at least one of the supported ciphers to establish an HTTP -TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -TLSv1.1 | ♦ | ♦ | ♦ | ♦ | | | | -TLSv1 | ♦ | ♦ | ♦ | | | | | -SSLv3 | ♦ | | | | | | | +TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +TLSv1.1 | ♦ | ♦ | ♦ | ♦ | | | | | +TLSv1 | ♦ | ♦ | ♦ | | | | | | +SSLv3 | ♦ | | | | | | | | @@ -32,3 +32,3 @@ SSLv3 | ♦ | | | | | | | -TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | ♦ @@ -36,7 +36,7 @@ TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | -ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | -ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | -ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | +ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | +ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | | +ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | +ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | +ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | | @@ -44,14 +44,22 @@ ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | -ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | -ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | -ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | -ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | -AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | | -AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | | | -AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | | -AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | -AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | -DES-CBC3-SHA | ♦ | ♦ | | | | | | -RC4-MD5 | ♦ | | | | | | | +ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | +ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | | +ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | +ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | +ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | | +ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | | +AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | | | +AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | | | | +AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | | | +AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | | | +AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | | | +DES-CBC3-SHA | ♦ | ♦ | | | | | | | +RC4-MD5 | ♦ | | | | | | | | + +## FIPs security policies + +The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the _AWS Cloud Security Compliance_ page. + +All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the [ AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the _NIST Cryptographic Module Validation Program_ site. + +TLSv1.2_2025 is a FIPS 140-3-compliant version of the TLS1.2_2021 security policy. @@ -129,19 +137,19 @@ CloudFront supports the following signature schemes for connections between view -Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2025 -TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | -TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ -TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ | | | | -TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ | | | | +Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.2_2025 | TLSv1.3_2025 +TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | +TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | | +TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ +TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ | | | | | +TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ | | | | |