AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-04-01 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md

Summary

Added documentation for SHA-256 hash algorithm support in OpenSSL commands for CloudFront signed URLs, including command examples and parameter requirements.

Security assessment

The change adds documentation for SHA-256 as an alternative to SHA-1 for signing CloudFront URLs, which is a security feature improvement (stronger cryptographic hash). No evidence of addressing a specific security vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md
index d59715050..4f18ba592 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md
@@ -10,0 +11,2 @@ For information about OpenSSL, go to [https://www.openssl.org](https://www.opens
+SHA-1 (default):
+    
@@ -13,0 +16,5 @@ For information about OpenSSL, go to [https://www.openssl.org](https://www.opens
+SHA-256:
+    
+    
+    cat policy | tr -d "\n" | tr -d " \t\n\r" | openssl sha256 -sign private_key.pem | openssl base64 -A | tr -- '+=/' '-_~'
+
@@ -20 +27 @@ In the preceding command:
-  * OpenSSL hashes the file using SHA-1 and signs it using the private key file `private_key.pem`. The private key signature can be either RSA 2048 or ECDSA 256.
+  * OpenSSL hashes the file using SHA-1 (or SHA-256) and signs it using the private key file `private_key.pem`. The private key signature can be either RSA 2048 or ECDSA 256. If you use SHA-256, include the `Hash-Algorithm=SHA256` query parameter in the signed URL, or the `CloudFront-Hash-Algorithm=SHA256` cookie for signed cookies.