AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2026-04-25 · Documentation low

File: AmazonS3/latest/userguide/checking-object-integrity-upload.md

Summary

Added four new checksum algorithms (XXHash64, XXHash3, XXHash128, SHA-512) to supported algorithms list, updated MD5 to composite-only, added important note about multipart upload requirements for new algorithms, and reorganized content about content-MD5 header.

Security assessment

This change expands documentation for checksum algorithms used during upload for data integrity. The added note about multipart upload requirements for new algorithms helps prevent validation failures but doesn't indicate a security vulnerability. The documentation adds security feature information (integrity checks) but no evidence of addressing a security issue.

Diff

diff --git a/AmazonS3/latest/userguide/checking-object-integrity-upload.md b/AmazonS3/latest/userguide/checking-object-integrity-upload.md
index 11154dd87..54104309e 100644
--- a//AmazonS3/latest/userguide/checking-object-integrity-upload.md
+++ b//AmazonS3/latest/userguide/checking-object-integrity-upload.md
@@ -35 +35 @@ With Amazon S3, you can choose a checksum algorithm to calculate the checksum va
-###### Note
+  * XXHash64 (`XXHASH64`)
@@ -37 +37,3 @@ With Amazon S3, you can choose a checksum algorithm to calculate the checksum va
-The `content-MD5` header is only available using the S3 ETag for objects uploaded in a single part upload (`PUT` operation) that uses the SSE-S3 encryption.
+  * XXHash3 (`XXHASH3`)
+
+  * XXHash128 (`XXHASH128`)
@@ -38,0 +41 @@ The `content-MD5` header is only available using the S3 ETag for objects uploade
+  * SHA-512 (`SHA512`)
@@ -41,0 +45,5 @@ The `content-MD5` header is only available using the S3 ETag for objects uploade
+
+###### Note
+
+The `content-MD5` header is only available using the S3 ETag for objects uploaded in a single part upload (`PUT` operation) that uses the SSE-S3 encryption.
+
@@ -98 +106,9 @@ Amazon S3 supports the following full object and composite checksum algorithm ty
-  * MD5 (`MD5`): Supports both full object and composite checksum types.
+  * MD5 (`MD5`): Supports composite checksum type only (non-linearizable).
+
+  * XXHash64 (`XXHASH64`): Supports composite checksum type only (non-linearizable).
+
+  * XXHash3 (`XXHASH3`): Supports composite checksum type only (non-linearizable).
+
+  * XXHash128 (`XXHASH128`): Supports composite checksum type only (non-linearizable).
+
+  * SHA-512 (`SHA512`): Supports composite checksum type only (non-linearizable).
@@ -119,0 +136,5 @@ SHA-256 (`SHA256`) | No | Yes
+MD5 (`MD5`) | No | Yes  
+XXHash64 (`XXHASH64`) | No | Yes  
+XXHash3 (`XXHASH3`) | No | Yes  
+XXHash128 (`XXHASH128`) | No | Yes  
+SHA-512 (`SHA512`) | No | Yes  
@@ -132,0 +154,8 @@ To initiate the multipart upload, you can specify the checksum algorithm and the
+###### Important
+
+When using multipart uploads with the new checksum algorithms (MD5, XXHash3, XXHash64, XXHash128, SHA-512), you must specify the checksum algorithm in the `CreateMultipartUpload` request using the `x-amz-checksum-algorithm` header. If you provide a checksum value in the `CompleteMultipartUpload` request (for example, `x-amz-checksum-sha512`) without having specified the algorithm in `CreateMultipartUpload`, the request will fail with an `InvalidRequest` error.
+
+###### Note
+
+For existing checksum algorithms (CRC32, CRC32C, SHA-1, SHA-256), if the algorithm is not specified in `CreateMultipartUpload`, any checksum header provided in `CompleteMultipartUpload` is currently accepted but not validated or stored with the object. We recommend always specifying the algorithm in `CreateMultipartUpload` to ensure your checksums are validated and stored.
+