AWS AmazonCloudFront high security documentation change
Summary
Added multiple entries related to mutual TLS (viewer), connection logs, Connection Functions, BYOIP support, and updated IAM policies with new permissions
Security assessment
Mutual TLS (mTLS) enhances authentication security by requiring client certificates. Connection logs and Connection Functions are tied to mTLS implementation. IAM policy updates include security-related permissions (e.g., AWS WAF Web ACL management).
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/WhatsNew.md b/AmazonCloudFront/latest/DeveloperGuide/WhatsNew.md index 27dbd3952..f4a1acb2f 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/WhatsNew.md +++ b//AmazonCloudFront/latest/DeveloperGuide/WhatsNew.md @@ -10,0 +11,6 @@ Change| Description| Date +[Added mutual TLS (viewer)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.html)| CloudFront supports mutual TLS (viewer).| November 24, 2025 +[Added log field for access logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logs-reference.html)| Added the `connection-id` field for access logs (standard logs) and real-time access logs.| November 24, 2025 +[Added connection logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/connection-logs.html)| Added connection logs as a new logging feature for mutual TLS (viewer).| November 24, 2025 +[Added Connection Functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/connection-functions.html)| CloudFront supports Connection Functions for mutual TLS (viewer).| November 24, 2025 +[Add support for bringing your own IP to CloudFront using IPAM](./bring-your-own-ip-address-using-ipam.html)| CloudFront supports bringing your own IPv4 addresses through IPAM's BYOIP for global services.| November 24, 2025 +[AWS managed policy update](./security-iam-awsmanpol.html)| The `CloudFrontReadOnlyAccess` and `CloudFrontFullAccess` IAM policies now support `ec2:DescribeIpamPools` and `ec2:GetIpamPoolCidrs` actions.| November 24, 2025 @@ -15,0 +22,2 @@ Change| Description| Date +[Updated AWS managed policy](./security-iam-awsmanpol.html)| Updated `CloudFrontFullAccess` to allow permission to create an AWS WAF Web ACL resource and create, update, delete, and read access to AWS Pricing Plan Manager.| November 18, 2025 +[Updated AWS managed policy](./security-iam-awsmanpol.html)| Updated `CloudFrontReadOnlyAccess` to allow read-only permission to AWS Pricing Plan Manager. | November 18, 2025 @@ -42 +50 @@ CloudFront public endpoints now support IPv6| See [Amazon CloudFront endpoints a -[Added additional real-time log fields for standard logging (v2)](./standard-logging.html)| You can specify the `c-country` and `cache-behavior-path-pattern` real-time log fields when you enable standard logging (v2).| January 31, 2025 +[Added additional real-time access log fields for standard logging (v2)](./standard-logging.html)| You can specify the `c-country` and `cache-behavior-path-pattern` real-time access log fields when you enable standard logging (v2).| January 31, 2025 @@ -57 +65 @@ CloudFront public endpoints now support IPv6| See [Amazon CloudFront endpoints a -[Real-time log fields for CMCD](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config)| Added 18 common media client data (CMCD) fields for real-time logging.| April 9, 2024 +[Real-time access log fields for CMCD](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config)| Added 18 common media client data (CMCD) fields for real-time access logs.| April 9, 2024 @@ -111 +119 @@ New TLS protocol| CloudFront now supports the TLS 1.3 protocol for HTTPS connect -New real-time logs| CloudFront now supports configurable real-time logs. With real-time logs, you can get information about requests made to a distribution in real time. You can use real-time logs to monitor, analyze, and take action based on content delivery performance. For more information, see [Real-time logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html).| August 31, 2020 +New real-time access logs| CloudFront now supports configurable real-time access logs. With real-time access logs, you can get information about requests made to a distribution in real time. You can use real-time access logs to monitor, analyze, and take action based on content delivery performance. For more information, see [Real-time logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html).| August 31, 2020