AWS AmazonCloudFront medium security documentation change
Summary
Added requirement to URL-encode asterisk (*) and question mark (?) characters in resource paths to prevent unintended wildcard matching.
Security assessment
The change explicitly addresses a security risk where unencoded special characters could grant broader access than intended (overly permissive URLs), which could lead to unauthorized data exposure.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md index 513ad9fd5..1840cf14a 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md +++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.md @@ -156,0 +157,2 @@ Note the following: + * **Special characters** – If the URL for your resource contains an asterisk (`*`) or question mark (`?`) character (for instance, in the object key name), you must URL-encode those characters (`%2A` for `*` and `%3F` for `?`). This is because CloudFront interprets unencoded `*` and `?` characters as wildcard characters in the resource path. If these characters are not URL-encoded, the signed URL may grant broader access than intended. +