AWS Security ChangesHomeSearch

AWS mediatailor high security documentation change

Service: mediatailor · 2025-10-16 · Security-related high

File: mediatailor/latest/ug/cf-comprehensive-configuration.md

Summary

Updated origin request policy recommendations to differentiate between cacheable/non-cacheable content, removed CORS cache poisoning scenario explanation, changed policies from 'Managed-CORS-S3Origin' to 'None'/'AllViewer' in multiple sections

Security assessment

The changes explicitly address cache poisoning prevention by recommending 'None' policy for cacheable segments (reducing attack surface) and 'AllViewer' for non-cacheable manifests. The removal of CORS cache poisoning scenario explanation is offset by proactive guidance to prevent it. Specific security-focused language like 'prevent cache poisoning' and header forwarding requirements demonstrate security intent.

Diff

diff --git a/mediatailor/latest/ug/cf-comprehensive-configuration.md b/mediatailor/latest/ug/cf-comprehensive-configuration.md
index 3053edea0..93cf8904a 100644
--- a//mediatailor/latest/ug/cf-comprehensive-configuration.md
+++ b//mediatailor/latest/ug/cf-comprehensive-configuration.md
@@ -76 +76 @@ With the origin hostname `manifests.mediatailor.`region`.amazonaws.com`, you can
-Review and adjust origin request policies based on your specific content origin requirements. The example uses S3 origin policies, but you might need different policies for custom origins. Consider these factors when selecting origin request policies:
+Select origin request policies based on content type to prevent cache poisoning while ensuring proper functionality. The key distinction is between cacheable and non-cacheable content:
@@ -78 +78 @@ Review and adjust origin request policies based on your specific content origin
-  * **S3 origins** : Use `Managed-CORS-S3Origin` for Amazon S3 buckets
+  * **Manifests (non-cacheable)** : Use `AllViewer` to forward all headers needed for dynamic content. Since manifests aren't cached, there's no cache poisoning risk.
@@ -80 +80 @@ Review and adjust origin request policies based on your specific content origin
-  * **Custom origins** : Use `Managed-AllViewer` or `Managed-AllViewerAndCloudFrontHeaders-2022-6` for custom HTTP origins
+  * **Segments (cacheable)** : Use `None` for optimal performance.
@@ -82 +82,3 @@ Review and adjust origin request policies based on your specific content origin
-  * **MediaPackage origins** : Use `Managed-CORS-S3Origin` for MediaPackage V2 endpoints
+  * **S3 origins** : Use `CORS-S3Origin` for Amazon S3 buckets
+
+  * **MediaPackage origins** : Use `CORS-S3Origin` for MediaPackage V2 endpoints
@@ -124,8 +125,0 @@ This is **MediaTailorSegments** in the example in the preceding section on origi
-The `Managed-CachingOptimized` cache policy should be configured to include the Origin header in the cache key to prevent CORS cache poisoning issues. Without the `Origin` header in the cache key, the following scenario can occur:
-
-    1. A request without an `Origin` header is received and cached by CloudFront
-
-    2. A subsequent request with an `Origin` header receives the cached response (which lacks CORS headers)
-
-    3. The browser rejects the response due to missing CORS headers, causing playback failures
-
@@ -134,3 +128 @@ For details about what's included in the CloudFront managed cache policy, see [C
-  * **Origin request policy:** `Managed-CORS-S3Origin`
-
-For details about what's included in the CloudFront managed origin request policy, see [CORS-S3Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-cors-s3) in the CloudFront user guide. You can also use these same settings from the managed policy in your third-party CDN.
+  * **Origin request policy:** `None`
@@ -140,2 +131,0 @@ For details about what's included in the CloudFront managed origin request polic
-Using the `Managed-CORS-with-preflight-and-SecurityHeadersPolicy` response headers policy is critical for preventing CORS cache poisoning. This policy ensures that CloudFront includes the `Access-Control-Allow-Origin` header in responses, which is necessary for web-based players to access ad segments from different origins.
-
@@ -193,3 +183 @@ For details about what's included in the CloudFront managed cache policy, see [C
-  * **Origin request policy:** `Managed-CORS-S3Origin`
-
-For details about what's included in the CloudFront managed origin request policy, see [CORS-S3Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-cors-s3) in the CloudFront user guide. You can also use these same settings from the managed policy in your third-party CDN.
+  * **Origin request policy:** `None`
@@ -224 +212 @@ For details about what's included in the cache policy, see [CachingDisabled](htt
-  * **Origin request policy:** `Managed-AllViewerAndCloudFrontHeaders-2022-6`
+  * **Origin request policy:** `AllViewer`
@@ -226 +214 @@ For details about what's included in the cache policy, see [CachingDisabled](htt
-For details about what's included in the origin request policy, see [AllViewerAndCloudFrontHeaders-2022-6 ](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer-and-cloudfront)in the CloudFront user guide.
+For personalized manifests, use the `AllViewer` policy to forward all headers needed for dynamic content. 
@@ -270 +258 @@ For details about what's included in the cache policy, see [CachingDisabled](htt
-  * **Origin request policy:** `Managed-AllViewerAndCloudFrontHeaders-2022-6`
+  * **Origin request policy:** `AllViewer`
@@ -272 +260 @@ For details about what's included in the cache policy, see [CachingDisabled](htt
-For details about what's included in the origin request policy, see [AllViewerAndCloudFrontHeaders-2022-6 ](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer-and-cloudfront)in the CloudFront user guide.
+For server-side beacon requests, use the `AllViewer` policy to forward all headers needed for tracking. Since these requests aren't cached, there's no cache poisoning risk.
@@ -301 +289 @@ For low latency HLS implementations, consider using a custom caching policy with
-  * **Origin request policy:** Configured to pass appropriate headers and query string parameters to your content origin. For information about available managed origin request policies, see [Use managed origin request policies](https://docs.aws.amazon.com/https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-cors-custom) in the CF developer guide.
+  * **Origin request policy:** `None`