OCPBUGS-27393:CloudFront update

Author: Brendan Daly

installing/install_config/configuring-firewall.adoc

@@ -10,3 +10,8 @@ If you use a firewall, you must configure it so that {product-title} can access
 Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
 
 include::modules/configuring-firewall.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-auth-flow-aws-oidc_cco-short-term-creds[OpenID Connect requirements for AWS STS]

modules/configuring-firewall.adoc

@@ -99,7 +99,7 @@ You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn
 |443
 |Required to access Alibaba Cloud services and resources. Review the link:https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/endpoints/endpoints_config.go?spm=a2c4g.11186623.0.0.47875873ciGnC8&file=endpoints_config.go[Alibaba endpoints_config.go file] to determine the exact endpoints to allow for the regions that you use.
 
-.16+|AWS
+.17+|AWS
 |`aws.amazon.com`
 |443
 |Used to install and manage clusters in an AWS environment.
@@ -166,6 +166,10 @@ Alternatively, if you choose to not use a wildcard for AWS APIs, you must allowl
 |443
 |Allows the assignment of metadata about AWS resources in the form of tags.
 
+|`*.cloudfront.net`
+|443
+|Used to provide access to CloudFront. If you use the AWS Security Token Service (STS) and the private S3 bucket, you must provide access to CloudFront.
+
 .2+|GCP
 |`*.googleapis.com`
 |443