AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-11-19 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md

Summary

Updated references from 'AWS CloudFormation' to 'CloudFormation' and maintained security recommendations for OAC signing behavior

Security assessment

Changes are terminology updates (removing 'AWS' prefix) in existing security documentation about Origin Access Control signing configurations. The security recommendations (e.g., using 'always' signing behavior) were preserved but not added or substantively changed. No new vulnerabilities or security features were introduced.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
index 52d9136bc..6a28ff093 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.md
@@ -81 +81 @@ If you create a distribution and it doesn't have permission to your Lambda funct
-To create an OAC, you can use the AWS Management Console, AWS CloudFormation, the AWS CLI, or the CloudFront API.
+To create an OAC, you can use the AWS Management Console, CloudFormation, the AWS CLI, or the CloudFront API.
@@ -133 +133 @@ CloudFormation
-To create an OAC with AWS CloudFormation, use the `AWS::CloudFront::OriginAccessControl` resource type. The following example shows the AWS CloudFormation template syntax, in YAML format, for creating an OAC.
+To create an OAC with CloudFormation, use the `AWS::CloudFront::OriginAccessControl` resource type. The following example shows the CloudFormation template syntax, in YAML format, for creating an OAC.
@@ -216 +216 @@ The CloudFront OAC feature includes advanced settings that are intended only for
-OAC contains a setting named **Signing behavior** (in the console), or `SigningBehavior` (in the API, CLI, and AWS CloudFormation). This setting provides the following options:
+OAC contains a setting named **Signing behavior** (in the console), or `SigningBehavior` (in the API, CLI, and CloudFormation). This setting provides the following options:
@@ -221 +221 @@ OAC contains a setting named **Signing behavior** (in the console), or `SigningB
-We recommend using this setting, named **Sign requests (recommended)** in the console, or `always` in the API, CLI, and AWS CloudFormation. With this setting, CloudFront always signs all requests that it sends to the Lambda function URL.
+We recommend using this setting, named **Sign requests (recommended)** in the console, or `always` in the API, CLI, and CloudFormation. With this setting, CloudFront always signs all requests that it sends to the Lambda function URL.
@@ -226 +226 @@ We recommend using this setting, named **Sign requests (recommended)** in the co
-This setting is named **Do not sign requests** in the console, or `never` in the API, CLI, and AWS CloudFormation. Use this setting to turn off OAC for all origins in all distributions that use this OAC. This can save time and effort compared to removing an OAC from all origins and distributions that use it, one by one. With this setting, CloudFront doesn't sign any requests that it sends to the Lambda function URL.
+This setting is named **Do not sign requests** in the console, or `never` in the API, CLI, and CloudFormation. Use this setting to turn off OAC for all origins in all distributions that use this OAC. This can save time and effort compared to removing an OAC from all origins and distributions that use it, one by one. With this setting, CloudFront doesn't sign any requests that it sends to the Lambda function URL.
@@ -235 +235 @@ To use this setting, the Lambda function URL must be publicly accessible. If you
-This setting is named **Do not override authorization header** in the console, or `no-override` in the API, CLI, and AWS CloudFormation. Use this setting when you want CloudFront to sign origin requests only when the corresponding viewer request does not include an `Authorization` header. With this setting, CloudFront passes on the `Authorization` header from the viewer request when one is present, but signs the origin request (adding its own `Authorization` header) when the viewer request doesn't include an `Authorization` header.
+This setting is named **Do not override authorization header** in the console, or `no-override` in the API, CLI, and CloudFormation. Use this setting when you want CloudFront to sign origin requests only when the corresponding viewer request does not include an `Authorization` header. With this setting, CloudFront passes on the `Authorization` header from the viewer request when one is present, but signs the origin request (adding its own `Authorization` header) when the viewer request doesn't include an `Authorization` header.