In the CPS document it said this is SHA256 fingerprint. So I run the following command and the value doesn't match. I have asked AWS support. They said it is out of scope. Mostly like the support team doesn't know either.
openssl x509 -in AmazonRootCA1.pem -noout -fingerprint -sha256