AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2025-11-19 · Security-related medium

File: solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/developer-guide.md

Summary

Added detailed API documentation for Admin APIs including authentication requirements, transformation policies, origins management, mappings, and error responses. Expanded from a brief source code reference to comprehensive API specifications with security integration details.

Security assessment

The change introduces mandatory AWS Cognito authentication (Bearer token requirement) for Admin API access, which directly addresses API security. This prevents unauthorized configuration changes to image transformation policies and origin mappings. The explicit documentation of authentication headers and error codes like POLICY_NOT_FOUND helps implement proper access controls.

Diff

diff --git a/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/developer-guide.md b/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/developer-guide.md
index 0a2b1d597..61aad8722 100644
--- a//solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/developer-guide.md
+++ b//solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/developer-guide.md
@@ -9 +9 @@ Source codeAPI reference
-This section provides the source code and an API reference for the solution.
+This section includes API specifications for Admin APIs, transformation policy schemas, parameter references, information about anonymized data collection, performance benchmarks, and related resources for the Dynamic Image Transformation for Amazon CloudFront solution.
@@ -19 +19,218 @@ The AWS CDK generates the Dynamic Image Transformation for Amazon CloudFront tem
-This uses the [sharp](https://sharp.pixelplumbing.com/) Node.js library to provide high-speed image processing. Open the library, then select **API** from the navigation menu to view the API guides.
+The ECS architecture includes Admin APIs for managing origins, transformation policies, and mappings. These APIs are secured with AWS Cognito authentication and provide programmatic access to configuration management.
+
+### Authentication
+
+All Admin API requests require authentication through AWS Cognito:
+    
+    
+    Authorization: Bearer <cognito-jwt-token>
+    Content-Type: application/json
+
+### Transformation Policies API
+
+Manage image transformation policies that define how images are processed.
+
+**List Policies**
+    
+    
+    GET /policies?nextToken={token}
+
+Response:
+    
+    
+    {
+      "items": [
+        {
+          "policyId": "550e8400-e29b-41d4-a716-446655440000",
+          "policyName": "mobile-optimized",
+          "description": "Mobile device optimization policy",
+          "policyJSON": "{\"transformations\":[...]}",
+          "isDefault": false,
+          "createdAt": "2024-01-15T10:30:00Z",
+          "updatedAt": "2024-01-15T10:30:00Z"
+        }
+      ],
+      "nextToken": "optional-token-for-next-page"
+    }
+
+**Create Policy**
+    
+    
+    POST /policies
+    {
+      "policyName": "mobile-optimized",
+      "description": "Mobile device optimization policy",
+      "policyJSON": "{\"transformations\":[{\"condition\":\"width > 800\",\"operations\":[{\"resize\":{\"width\":800,\"height\":600,\"fit\":\"cover\"}},{\"format\":\"webp\"},{\"quality\":85}]}]}",
+      "isDefault": false
+    }
+
+**Get Policy**
+    
+    
+    GET /policies/{policyId}
+
+**Update Policy**
+    
+    
+    PUT /policies/{policyId}
+    {
+      "policyName": "updated-mobile-optimized",
+      "description": "Updated mobile device optimization policy",
+      "policyJSON": "{\"transformations\":[...]}"
+    }
+
+**Delete Policy**
+    
+    
+    DELETE /policies/{policyId}
+
+### Origins API
+
+Manage origin configurations that define source locations for images.
+
+**List Origins**
+    
+    
+    GET /origins?nextToken={token}
+
+Response:
+    
+    
+    {
+      "items": [
+        {
+          "originId": "550e8400-e29b-41d4-a716-446655440001",
+          "originName": "my-s3-origin",
+          "originDomain": "my-images-bucket.s3.amazonaws.com",
+          "originPath": "/images",
+          "originHeaders": {
+            "x-custom-header": "value"
+          },
+          "createdAt": "2024-01-15T10:30:00Z",
+          "updatedAt": "2024-01-15T10:30:00Z"
+        }
+      ],
+      "nextToken": "optional-token-for-next-page"
+    }
+
+**Create Origin**
+    
+    
+    POST /origins
+    {
+      "originName": "my-s3-origin",
+      "originDomain": "my-images-bucket.s3.amazonaws.com",
+      "originPath": "/images",
+      "originHeaders": {
+        "x-custom-header": "value"
+      }
+    }
+
+**Get Origin**
+    
+    
+    GET /origins/{originId}
+
+**Update Origin**
+    
+    
+    PUT /origins/{originId}
+    {
+      "originName": "updated-origin-name",
+      "originDomain": "updated-bucket.s3.amazonaws.com"
+    }
+
+**Delete Origin**
+    
+    
+    DELETE /origins/{originId}
+
+### Mappings API
+
+Manage path-based or host-header based routing to map requests to specific origins and policies.
+
+**List Mappings**
+    
+    
+    GET /mappings?nextToken={token}
+
+Response:
+    
+    
+    {
+      "items": [
+        {
+          "mappingId": "550e8400-e29b-41d4-a716-446655440002",
+          "mappingName": "mobile-path-mapping",
+          "description": "Mobile path routing",
+          "mappingType": "PATH_MAPPING",
+          "pattern": "/mobile/*",
+          "originId": "550e8400-e29b-41d4-a716-446655440001",
+          "policyId": "550e8400-e29b-41d4-a716-446655440000",
+          "priority": 100,
+          "createdAt": "2024-01-15T10:30:00Z",
+          "updatedAt": "2024-01-15T10:30:00Z"
+        }
+      ],
+      "nextToken": "optional-token-for-next-page"
+    }
+
+**Create Path Mapping**
+    
+    
+    POST /mappings
+    {
+      "mappingName": "mobile-path-mapping",
+      "description": "Mobile path routing",
+      "mappingType": "PATH_MAPPING",
+      "pattern": "/mobile/*",
+      "originId": "550e8400-e29b-41d4-a716-446655440001",
+      "policyId": "550e8400-e29b-41d4-a716-446655440000",
+      "priority": 100
+    }
+
+**Create Host Header Mapping**
+    
+    
+    POST /mappings
+    {
+      "mappingName": "subdomain-mapping",
+      "description": "Subdomain routing",
+      "mappingType": "HOST_HEADER_MAPPING",
+      "pattern": "*.example.com",
+      "originId": "550e8400-e29b-41d4-a716-446655440001",
+      "policyId": "550e8400-e29b-41d4-a716-446655440000",
+      "priority": 200
+    }
+
+**Get Mapping**
+    
+    
+    GET /mappings/{mappingId}