AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.md

Summary

Updated documentation for custom policy signed URLs to include SHA-256 support, added Hash-Algorithm parameter to examples and reserved parameter list, and provided instructions for using SHA-256 instead of SHA-1.

Security assessment

This change mirrors the canned policy updates, documenting SHA-256 support for custom policy signed URLs with updated examples and parameter restrictions. This promotes stronger cryptographic practices but doesn't address a specific security incident.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.md
index 4bcc3754c..4a8daac3f 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.md
@@ -17 +17 @@ To create a signed URL using a custom policy, complete the following procedure.
-        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Policy=eyANCiAgICEXAMPLEW1lbnQiOiBbeyANCiAgICAgICJSZXNvdXJjZSI6Imh0dHA6Ly9kemJlc3FtN3VuMW0wLmNsb3VkZnJvbnQubmV0L2RlbW8ucGhwIiwgDQogICAgICAiQ29uZGl0aW9uIjp7IA0KICAgICAgICAgIklwQWRkcmVzcyI6eyJBV1M6U291cmNlSXAiOiIyMDcuMTcxLjE4MC4xMDEvMzIifSwNCiAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI5Njg2MDE3Nn0sDQogICAgICAgICAiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyOTY4NjAyMjZ9DQogICAgICB9IA0KICAgfV0gDQp9DQo&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F
+        https://d111111abcdef8.cloudfront.net/image.jpg?color=red&size=medium&Policy=eyANCiAgICEXAMPLEW1lbnQiOiBbeyANCiAgICAgICJSZXNvdXJjZSI6Imh0dHA6Ly9kemJlc3FtN3VuMW0wLmNsb3VkZnJvbnQubmV0L2RlbW8ucGhwIiwgDQogICAgICAiQ29uZGl0aW9uIjp7IA0KICAgICAgICAgIklwQWRkcmVzcyI6eyJBV1M6U291cmNlSXAiOiIyMDcuMTcxLjE4MC4xMDEvMzIifSwNCiAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI5Njg2MDE3Nn0sDQogICAgICAgICAiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyOTY4NjAyMjZ9DQogICAgICB9IA0KICAgfV0gDQp9DQo&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=K2JCJMDEHXQW5F&Hash-Algorithm=SHA256
@@ -62 +62 @@ You can specify the following query parameters in any order.
-Your query string parameters can't be named `Policy`, `Signature`, or `Key-Pair-Id`.
+Your query string parameters can't be named `Policy`, `Signature`, `Key-Pair-Id`, or `Hash-Algorithm`.
@@ -84,0 +85,5 @@ This public key must belong to a key group that is a trusted signer in the distr
+**7.`&Hash-Algorithm=``SHA1 or SHA256`**
+    
+
+(Optional) The hash algorithm used to create the signature. Supported values are `SHA1` and `SHA256`. If you don't specify this parameter, CloudFront defaults to `SHA1`.
+
@@ -155 +160 @@ When you create a policy statement for a custom policy, you specify the followin
-The URL, including any query strings, but excluding the CloudFront `Policy`, `Signature`, and `Key-Pair-Id` parameters. For example:
+The URL, including any query strings, but excluding the CloudFront `Policy`, `Signature`, `Key-Pair-Id`, and `Hash-Algorithm` parameters. For example:
@@ -359,0 +365,4 @@ For additional information and examples of how to hash, sign, and encode the pol
+###### Note
+
+The linked examples use SHA-1 by default. To use SHA-256 instead, replace `sha1` with `sha256` in the OpenSSL commands and include the `Hash-Algorithm=SHA256` query parameter in the signed URL.
+
@@ -362 +371,3 @@ For additional information and examples of how to hash, sign, and encode the pol
-  1. Use the SHA-1 hash function and the generated RSA or ECDSA private key to hash and sign the JSON policy statement that you created in the procedure To create the policy statement for a signed URL that uses a custom policy. Use the version of the policy statement that no longer includes empty spaces but that has not yet been base64-encoded.
+  1. Use the SHA-1 or SHA-256 hash function and the generated RSA or ECDSA private key to hash and sign the JSON policy statement that you created in the procedure To create the policy statement for a signed URL that uses a custom policy. Use the version of the policy statement that no longer includes empty spaces but that has not yet been base64-encoded.
+
+If you use SHA-256, you must include `&Hash-Algorithm=SHA256` in the signed URL.