AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-10-19 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.md

Summary

Clarified that TLS certificates for origins must also be from Mozilla's CA list and improved wording consistency

Security assessment

The change explicitly states that origin TLS certificates must comply with Mozilla's CA list, enforcing stricter encryption standards. This prevents potential man-in-the-middle attacks from untrusted CAs.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.md b/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.md
index 1964275dd..f42031cb5 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.md
@@ -51 +51 @@ The requirements for SSL/TLS certificates are described in this topic. They appl
-We recommend that you use a public certificate issued by [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). For information about getting a certificate from ACM, see the _[AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/)_. To use an ACM certificate with CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (`us-east-1`).
+We recommend that you use a public certificate issued by [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). For information about getting a certificate from ACM, see the _[AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/)_. To use an ACM certificate with a CloudFront distribution, make sure you request (or import) the certificate in the US East (N. Virginia) Region (`us-east-1`).
@@ -53 +53,5 @@ We recommend that you use a public certificate issued by [AWS Certificate Manage
-CloudFront supports the same certificate authorities (CAs) as Mozilla, so if you don’t use ACM, use a certificate issued by a CA on the [Mozilla Included CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates). For more information about getting and installing a certificate, refer to the documentation for your HTTP server software and to the documentation for the CA.
+CloudFront supports the same certificate authorities (CAs) as Mozilla, so if you don’t use ACM, use a certificate issued by a CA on the [Mozilla Included CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates). 
+
+TLS certificates used by the origin that you specified for your CloudFront distribution also need to be issued from the CA on the Mozilla Included CA Certificate List.
+
+For more information about getting and installing a certificate, refer to the documentation for your HTTP server software and to the documentation for the CA.