Amazon CloudFront introduces SHA-256 support for enhanced security

Amazon CloudFront now supports SHA-256 for creating signed URLs and cookies, offering enhanced security and compliance with modern standards.

Amazon CloudFront now supports SHA-256 as the hash algorithm used when signing URLs and signed cookies. Compared with SHA-1, SHA-256 offers stronger collision resistance and matches current cryptographic standards, so the signatures that enforce content access restrictions rest on a stronger hash.

Previously, Amazon CloudFront used only SHA-1 when generating signatures for signed URLs and signed cookies. SHA-256 support helps customers meet security and compliance requirements that specifically call for SHA-256 digital signatures, and keeps content delivery workflows aligned with current standards.

To use SHA-256, add the query parameter ‘Hash-Algorithm=SHA256’ to a signed URL, or the attribute ‘CloudFront-Hash-Algorithm=SHA256’ to signed cookies. Existing signed URLs and cookies that do not specify a hash algorithm continue to be treated as SHA-1, so anything already issued keeps working. The flip side is that a signature computed with SHA-256 must be accompanied by that parameter: without it, CloudFront verifies the signature as SHA-1 and the request fails.

This feature is now accessible across all edge locations where Amazon CloudFront services are available, with no extra charges associated with the use of SHA-256 signing. For more detailed information, users are encouraged to consult the Amazon CloudFront Developer Guide, specifically the sections on creating signed URLs with a canned policy and setting signed cookies using a canned policy.