AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2026-06-28 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md

Summary

Added requirement to URL-encode asterisk (*) and question mark (?) characters in resource paths to prevent unintended wildcard matching.

Security assessment

The change explicitly addresses a security risk where unencoded special characters could grant broader access than intended (overly permissive URLs), which could lead to unauthorized data exposure.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
index 513ad9fd5..1840cf14a 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md
@@ -156,0 +157,2 @@ Note the following:
+  * **Special characters** – If the URL for your resource contains an asterisk (`*`) or question mark (`?`) character (for instance, in the object key name), you must URL-encode those characters (`%2A` for `*` and `%3F` for `?`). This is because CloudFront interprets unencoded `*` and `?` characters as wildcard characters in the resource path. If these characters are not URL-encoded, the signed URL may grant broader access than intended.
+