Amazon CloudFront introduces SHA-256 support for enhanced security in signed URLs and cookies
Amazon CloudFront now supports SHA-256 for signed URLs and cookies, enhancing security with stronger cryptographic standards. This feature is backward compatible and incurs no additional cost.
Amazon CloudFront has added SHA-256 as a hash algorithm option for generating signed URLs and signed cookies. SHA-256 offers stronger collision resistance than SHA-1 and aligns with current cryptographic standards, which strengthens the content access restrictions these signatures enforce.
Previously, signatures for CloudFront signed URLs and signed cookies could only be generated with SHA-1. SHA-256 support addresses security and compliance requirements that mandate this hash algorithm for digital signatures, and it prepares content delivery workflows for the eventual retirement of SHA-1.
To use SHA-256, add the Hash-Algorithm=SHA256 query parameter to a signed URL, or the CloudFront-Hash-Algorithm=SHA256 attribute to signed cookies. Existing signed URLs and cookies that do not specify a hash algorithm continue to be verified with SHA-1, so the change is fully backward compatible; note that this also means a signature is only checked against SHA-256 when the parameter or attribute is actually present.
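As an added illustration, not code from AWS or any SDK, the Go program below signs a canned policy both the legacy way (SHA-1, no Hash-Algorithm parameter) and the new way (SHA-256 with Hash-Algorithm=SHA256), and includes a verifier that applies the backward-compatibility rule: no parameter means SHA-1. It assumes the SHA-256 variant signs the same canned-policy document with RSA PKCS#1 v1.5 over SHA-256, that the resource URL carries no query string of its own, and it uses a throwaway key plus a constructed key-pair ID and distribution domain in place of real values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1" // blank imports register both digests so crypto.Hash.New works
	_ "crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// cfB64 is CloudFront's URL-safe base64 alphabet: '+' -> '-', '/' -> '~', padding '=' -> '_'.
var cfB64 = base64.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-~").WithPadding('_')
// hashFor maps the Hash-Algorithm value to a digest; an absent value ("") keeps legacy SHA-1.
var hashFor = map[string]crypto.Hash{"": crypto.SHA1, "SHA256": crypto.SHA256}
// demoKey is a throwaway key generated at start-up; a real signer loads its CloudFront key pair's private key.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// policyDigest hashes the compact canned-policy document, the bytes that actually get signed.
func policyDigest(h crypto.Hash, resource, expires string) []byte {
	hh := h.New()
	fmt.Fprintf(hh, `{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}`, resource, expires)
	return hh.Sum(nil)
}

// SignedURL signs the policy with RSA PKCS#1 v1.5 over the chosen hash; alg "" yields a legacy SHA-1 URL.
func SignedURL(key *rsa.PrivateKey, keyPairID, resource string, expires int64, alg string) (string, error) {
	h, ok := hashFor[alg]
	if !ok {
		return "", fmt.Errorf("unsupported Hash-Algorithm %q", alg)
	}
	exp := fmt.Sprint(expires)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, policyDigest(h, resource, exp))
	if err != nil {
		return "", err
	}
	q := url.Values{"Expires": {exp}, "Signature": {cfB64.EncodeToString(sig)}, "Key-Pair-Id": {keyPairID}}
	if alg != "" {
		q.Set("Hash-Algorithm", alg) // only the SHA-256 variant carries the parameter
	}
	return resource + "?" + q.Encode(), nil
}

// VerifySignedURL re-derives the policy from a parsed signed URL and checks the signature
// under the hash the URL names; with no Hash-Algorithm parameter it falls back to SHA-1.
func VerifySignedURL(pub *rsa.PublicKey, u *url.URL) bool {
	q := u.Query()
	sig, err := cfB64.DecodeString(q.Get("Signature"))
	h, ok := hashFor[q.Get("Hash-Algorithm")]
	resource := u.Scheme + "://" + u.Host + u.Path // the signed resource is the URL without CloudFront's parameters
	return ok && err == nil && rsa.VerifyPKCS1v15(pub, h, policyDigest(h, resource, q.Get("Expires")), sig) == nil
}
```

The verifier models the edge's selection rule only; stripping Hash-Algorithm=SHA256 from a SHA-256 URL makes it fail (it is then checked as SHA-1), and an unknown algorithm name is rejected rather than silently mapped to a default.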
SHA-256 signing is available at all Amazon CloudFront edge locations at no additional charge. For details, see the Amazon CloudFront Developer Guide, specifically the sections on creating signed URLs using a canned policy and setting signed cookies using a canned policy.