Amazon CloudFront introduces SHA-256 support for signed URLs and cookies
Amazon CloudFront now supports SHA-256 for signed URLs and cookies, enhancing security by aligning with modern cryptographic standards. This feature is backward compatible and incurs no additional costs.
Amazon CloudFront has expanded its security capabilities by introducing support for the SHA-256 hash algorithm in the creation of signed URLs and signed cookies. This enhancement offers a stronger security framework through improved collision resistance and compliance with current cryptographic standards, thereby strengthening the cryptographic signatures used to restrict access to content.
Previously, CloudFront relied solely on the SHA-1 algorithm for generating signatures for URLs and cookies. The addition of SHA-256 support helps users meet stringent security and compliance mandates that require this more secure algorithm for digital signatures, and it keeps content delivery processes aligned with future security expectations.
To use SHA-256, add the Hash-Algorithm=SHA256 query parameter to signed URLs, or set the CloudFront-Hash-Algorithm=SHA256 attribute for signed cookies. Existing signed URLs and cookies that do not specify a hash algorithm continue to be verified with SHA-1, so the change is fully backward compatible.
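The following shell script is an added example, not code from the announcement or from AWS: it builds a canned-policy signed URL and the equivalent set of signed cookies with openssl, signing the policy with either the legacy SHA-1 digest or the new SHA-256 digest, and appends the Hash-Algorithm=SHA256 parameter (or CloudFront-Hash-Algorithm=SHA256 cookie) only in the SHA-256 case. The key pair ID, distribution domain, private key file and expiry are constructed placeholders; placing the Hash-Algorithm parameter after the signing parameters and leaving it out of the signed Resource is this example's assumption, so check the Developer Guide for the exact placement CloudFront requires.

```shell
#!/bin/sh
# Added example (not AWS code): CloudFront-style canned-policy signing with a
# selectable digest. Requires the openssl CLI. All identifiers are placeholders.

# CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'
cf_b64() {
    openssl base64 -A | tr -- '+=/' '-_~'
}

# Reverse mapping, used when verifying a signature taken back out of a URL
cf_b64_decode() {
    tr -- '-_~' '+=/' | openssl base64 -d -A
}

# Canned policy document: one resource and one expiry (Unix epoch seconds)
cf_canned_policy() {
    printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# RSA PKCS#1 v1.5 signature over the policy using the requested digest
# $1 = policy string, $2 = private key PEM path, $3 = sha1 | sha256
cf_sign_policy() {
    printf '%s' "$1" | openssl dgst "-$3" -sign "$2" -binary | cf_b64
}

# Signed URL. With sha256 the Hash-Algorithm=SHA256 parameter tells CloudFront
# to verify with SHA-256 instead of the SHA-1 default (placement is assumed).
# $1 = resource URL, $2 = expiry, $3 = key PEM, $4 = key pair id, $5 = digest
cf_signed_url() {
    policy=$(cf_canned_policy "$1" "$2")
    sig=$(cf_sign_policy "$policy" "$3" "$5")
    url="$1?Expires=$2&Signature=$sig&Key-Pair-Id=$4"
    if [ "$5" = "sha256" ]; then
        url="$url&Hash-Algorithm=SHA256"
    fi
    printf '%s' "$url"
}

# Same policy delivered as signed cookies, one "name=value" per line; the
# CloudFront-Hash-Algorithm cookie is added only when signing with SHA-256.
cf_signed_cookies() {
    policy=$(cf_canned_policy "$1" "$2")
    sig=$(cf_sign_policy "$policy" "$3" "$5")
    printf 'CloudFront-Expires=%s\n' "$2"
    printf 'CloudFront-Signature=%s\n' "$sig"
    printf 'CloudFront-Key-Pair-Id=%s\n' "$4"
    if [ "$5" = "sha256" ]; then
        printf 'CloudFront-Hash-Algorithm=SHA256\n'
    fi
}

# Verify a URL-safe signature against the public key with a given digest.
# Returns 0 on success, 1 on failure, which is handy for confirming that a
# signature produced with SHA-256 does not verify under SHA-1 (or vice versa).
# $1 = policy string, $2 = public key PEM path, $3 = digest, $4 = signature
cf_verify_signature() {
    tmp=$(mktemp)
    printf '%s' "$4" | cf_b64_decode > "$tmp"
    printf '%s' "$1" | openssl dgst "-$3" -verify "$2" -signature "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as `. ./cf_sign.sh` and then, for example, `cf_signed_url "https://d111111abcdef8.cloudfront.net/private/video.mp4" 1735689600 key.pem APKAEXAMPLEKEYPAIRID sha256` with a key pair registered as a trusted key group on the distribution. The verify helper is the useful check during migration: the signature string is identical in shape for both digests, so the only way to tell which one a URL was signed with is to verify it, which is exactly why CloudFront needs the explicit Hash-Algorithm parameter rather than guessing.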
This new feature is available across all Amazon CloudFront edge locations globally, and there are no additional charges associated with using SHA-256 for signing. For further information on how to create signed URLs using a canned policy or set signed cookies with a canned policy, users can refer to the Amazon CloudFront Developer Guide.