AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md

Summary

Updated documentation for canned policy signed URLs to include SHA-256 support, added Hash-Algorithm parameter to examples and reserved parameter list, and provided instructions for using SHA-256 instead of SHA-1.

Security assessment

This change extensively documents support for SHA-256 hash algorithm in CloudFront signed URLs, including updated examples, parameter restrictions, and implementation instructions. This enhances security by allowing stronger cryptographic hashing but doesn't indicate a specific security vulnerability being fixed.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
index 24ee1e28d..d8f08e976 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
@@ -17 +17 @@ To create a signed URL using a canned policy, complete the following steps.
-        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1767290400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F
+        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Expires=1767290400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F&Hash-Algorithm=SHA256
@@ -60 +60 @@ You can specify the following query parameters in any order.
-Your query string parameters can't be named `Expires`, `Signature`, or `Key-Pair-Id`.
+Your query string parameters can't be named `Expires`, `Signature`, `Key-Pair-Id`, or `Hash-Algorithm`.
@@ -84,0 +85,5 @@ This public key must belong to a key group that is a trusted signer in the distr
+**7.`&Hash-Algorithm=``SHA1 or SHA256`**
+    
+
+(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't specify this parameter, CloudFront defaults to `SHA1`.
+
@@ -138 +143 @@ You can specify only one value for `Resource`.
-The base URL including your query strings, if any, but excluding the CloudFront `Expires`, `Signature`, and `Key-Pair-Id` parameters, for example:
+The base URL including your query strings, if any, but excluding the CloudFront `Expires`, `Signature`, `Key-Pair-Id`, and `Hash-Algorithm` parameters, for example:
@@ -192,0 +198,4 @@ For additional information and examples of how to hash, sign, and encode the pol
+###### Note
+
+The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `Hash-Algorithm=SHA256` query parameter in the signed URL.
+
@@ -195 +204,3 @@ For additional information and examples of how to hash, sign, and encode the pol
-  1. Use the SHA-1 hash function and the generated RSA or ECDSA private key to hash and sign the policy statement that you created in the procedure To create the policy statement for a signed URL that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces.
+  1. Use the SHA-1 or SHA-256 hash function and the generated RSA or ECDSA private key to hash and sign the policy statement that you created in the procedure To create the policy statement for a signed URL that uses a canned policy. Use the version of the policy statement that no longer includes empty spaces.
+
+If you use SHA-256, you must include `&Hash-Algorithm=SHA256` in the signed URL.