AWS AmazonCloudFront documentation change
Summary
Added documentation for SHA-256 hash algorithm support in OpenSSL commands for CloudFront signed URLs, including command examples and parameter requirements.
Security assessment
The change adds documentation for SHA-256 as an alternative to SHA-1 for signing CloudFront URLs, which is a security feature improvement (stronger cryptographic hash). No evidence of addressing a specific security vulnerability.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md index d59715050..4f18ba592 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-linux-openssl.md @@ -10,0 +11,2 @@ For information about OpenSSL, go to [https://www.openssl.org](https://www.opens +SHA-1 (default): + @@ -13,0 +16,5 @@ For information about OpenSSL, go to [https://www.openssl.org](https://www.opens +SHA-256: + + + cat policy | tr -d "\n" | tr -d " \t\n\r" | openssl sha256 -sign private_key.pem | openssl base64 -A | tr -- '+=/' '-_~' + @@ -20 +27 @@ In the preceding command: - * OpenSSL hashes the file using SHA-1 and signs it using the private key file `private_key.pem`. The private key signature can be either RSA 2048 or ECDSA 256. + * OpenSSL hashes the file using SHA-1 (or SHA-256) and signs it using the private key file `private_key.pem`. The private key signature can be either RSA 2048 or ECDSA 256. If you use SHA-256, include the `Hash-Algorithm=SHA256` query parameter in the signed URL, or the `CloudFront-Hash-Algorithm=SHA256` cookie for signed cookies.