AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.md

Summary

Added documentation about using SHA-256 as an alternative hash algorithm for signing CloudFront URLs, with instructions to update signing functions and include Hash-Algorithm=SHA256 query parameter.

Security assessment

This change adds documentation about using stronger cryptographic hash algorithms (SHA-256) instead of SHA-1, which improves security by providing stronger collision resistance and aligning with modern cryptographic standards. However, there's no evidence this addresses a specific security incident or vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.md b/AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.md
index cd8df8465..b8fba810e 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/PrivateCFSignatureCodeAndExamples.md
@@ -8,0 +9,2 @@ This section includes downloadable application examples that demonstrate how to
+The examples in this section use SHA-1 to hash and sign the policy statement. You can also use SHA-256. To use SHA-256, update the hash algorithm in the signing function (for example, replace `sha1` with `sha256` in OpenSSL calls, or use the equivalent SHA-256 constant in your language's cryptographic library). When you use SHA-256, include the `Hash-Algorithm=SHA256` query parameter in the signed URL.
+