AWS AmazonCloudFront documentation change
Summary
Updated documentation for canned policy signed URLs to include SHA-256 support, added Hash-Algorithm parameter to examples and reserved parameter list, and provided instructions for using SHA-256 instead of SHA-1.
Security assessment
This change extensively documents support for SHA-256 hash algorithm in CloudFront signed URLs, including updated examples, parameter restrictions, and implementation instructions. This enhances security by allowing stronger cryptographic hashing but doesn't indicate a specific security vulnerability being fixed.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md index 24ee1e28d..d8f08e976 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md @@ -17 +17 @@ To create a signed URL using a canned policy, complete the following steps. - https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1767290400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F + https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1767290400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F&Hash-Algorithm=SHA256 @@ -60 +60 @@ You can specify the following query parameters in any order. -Your query string parameters can't be named `Expires`, `Signature`, or `Key-Pair-Id`. +Your query string parameters can't be named `Expires`, `Signature`, `Key-Pair-Id`, or `Hash-Algorithm`. @@ -84,0 +85,5 @@ This public key must belong to a key group that is a trusted signer in the distr +**7.`&Hash-Algorithm=``SHA1 or SHA256`** + + +(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't specify this parameter, CloudFront defaults to `SHA1`. + @@ -138 +143 @@ You can specify only one value for `Resource`. -The base URL including your query strings, if any, but excluding the CloudFront `Expires`, `Signature`, and `Key-Pair-Id` parameters, for example: +The base URL including your query strings, if any, but excluding the CloudFront `Expires`, `Signature`, `Key-Pair-Id`, and `Hash-Algorithm` parameters, for example: @@ -192,0 +198,4 @@ For additional information and examples of how to hash, sign, and encode the pol +###### Note + +The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `Hash-Algorithm=SHA256` query parameter in the signed URL. + @@ -195 +204,3 @@ For additional information and examples of how to hash, sign, and encode the pol - 1. Use the SHA-1 hash function and the generated RSA or ECDSA private key to hash and sign the policy statement that you created in the procedure To create the policy statement for a signed URL that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces. + 1. Use the SHA-1 or SHA-256 hash function and the generated RSA or ECDSA private key to hash and sign the policy statement that you created in the procedure To create the policy statement for a signed URL that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces. + +If you use SHA-256, you must include `&Hash-Algorithm=SHA256` in the signed URL.