AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-11-25 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.md

Summary

Added documentation for mutual TLS (mTLS) authentication support and client certificate validation

Security assessment

Documents new mTLS capability that enhances authentication security but does not address a specific disclosed vulnerability

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.md b/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.md
index cbdafa984..898508a5f 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.md
@@ -141,0 +142,6 @@ Also note that the `X-Forwarded-For` header may be modified by every node on the
+CloudFront supports mutual TLS (mTLS) authentication where both the client and server authenticate each other using certificates. With mTLS configured, CloudFront can validate client certificates during the TLS handshake and optionally run CloudFront Functions to implement custom validation logic.
+
+For origins that request client-side certificates when mTLS is not configured, CloudFront drops the request.
+
+For more information about configuring mTLS, see [Associate a CloudFront Connection Function](./connection-functions.html).
+