AWS AmazonCloudFront documentation change
Summary
Added guidance for SaaS providers to handle DNS TXT records for certificate issuance without requiring customer DNS changes
Security assessment
The change provides a workflow optimization for certificate management in multi-tenant environments but does not address any security vulnerabilities or introduce new security features. It focuses on DNS delegation practices without security implications.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md b/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md index 0ff05dd89..8c0f8dd9e 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md +++ b//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md @@ -91,0 +92,15 @@ You can find your CloudFront routing endpoint in the console on the distribution +###### Tip + +If you're a SaaS provider and you want to allow certificate issuance without requiring your customers (tenants) to add a TXT record directly to their DNS, do the following: + + 1. If you own the domain `example-saas-provider.com`, assign subdomains to your tenants, such as `customer-123.example-saas-provider.com` + + 2. In your DNS, add the `_cf_challenge.customer-123.example-saas-provider.com TXT d111111abcdef8.cloudfront.net` TXT record to your DNS configuration. + + 3. Next, your customers (the tenants) can then update their own DNS record to map their domain name to the subdomain that you provided. + +`www.customer-domain.com CNAME customer-123.example-saas-provider.com` + + + +