AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-07-04 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md

Summary

Added guidance for SaaS providers to handle DNS TXT records for certificate issuance without requiring customer DNS changes

Security assessment

The change provides a workflow optimization for certificate management in multi-tenant environments but does not address any security vulnerabilities or introduce new security features. It focuses on DNS delegation practices without security implications.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md b/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
index 0ff05dd89..8c0f8dd9e 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
@@ -91,0 +92,15 @@ You can find your CloudFront routing endpoint in the console on the distribution
+###### Tip
+
+If you're a SaaS provider and you want to allow certificate issuance without requiring your customers (tenants) to add a TXT record directly to their DNS, do the following:
+
+  1. If you own the domain `example-saas-provider.com`, assign subdomains to your tenants, such as `customer-123.example-saas-provider.com`
+
+  2. In your DNS, add the `_cf_challenge.customer-123.example-saas-provider.com TXT d111111abcdef8.cloudfront.net` TXT record to your DNS configuration.
+
+  3. Next, your customers (the tenants) can then update their own DNS record to map their domain name to the subdomain that you provided.
+
+`www.customer-domain.com CNAME customer-123.example-saas-provider.com`
+
+
+
+