AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-11-25 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.md

Summary

Added quotas for mTLS/trust stores and Connection Functions, updated terminology from 'real-time logs' to 'real-time access logs'

Security assessment

Documentation of mTLS-related quotas (trust stores, certificates) directly supports security configuration limits. Connection Functions quotas relate to mTLS security feature implementation.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.md b/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.md
index c64a21e06..347a4b844 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.md
@@ -5 +5 @@
-General quotasGeneral quotas on distributionsGeneral quotas on policiesQuotas on CloudFront FunctionsQuotas on key value storesQuotas on Lambda@EdgeQuotas on SSL certificatesQuotas on invalidationsQuotas on key groupsQuotas on WebSocket connectionsQuotas on field-level encryptionQuotas on cookies (legacy cache settings)Quotas on query strings (legacy cache settings)Quotas on headersQuotas on multi-tenant distributionsRelated information
+General quotasGeneral quotas on distributionsGeneral quotas on policiesQuotas on mTLS and trust storesQuotas on CloudFront FunctionsQuotas on Connection FunctionsQuotas on key value storesQuotas on Lambda@EdgeQuotas on SSL certificatesQuotas on invalidationsQuotas on key groupsQuotas on WebSocket connectionsQuotas on field-level encryptionQuotas on cookies (legacy cache settings)Quotas on query strings (legacy cache settings)Quotas on headersQuotas on multi-tenant distributionsRelated information
@@ -31,0 +32,2 @@ CloudFront is subject to the following quotas.
+  * Quotas on mTLS and trust stores
+
@@ -33,0 +36,2 @@ CloudFront is subject to the following quotas.
+  * Quotas on Connection Functions
+
@@ -71 +75 @@ Maximum length of a URL |  8,192 bytes
-Maximum number of real-time log delivery configurations per AWS account |  150  
+Maximum number of real-time access log delivery configurations per AWS account |  150  
@@ -117,0 +122,11 @@ Continuous deployment policies per AWS account |  20 [Request a higher quota](ht
+## Quotas on mTLS and trust stores
+
+Entity |  Default quota  
+---|---  
+Trust stores per AWS account |  20 [Request a higher quota](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase)  
+Distributions per trust store |  25  
+CA bundle size |  64 KB [Request a higher quota](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase)  
+Certificate size in CA bundle |  16384 [Request a higher quota](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase)  
+Number of certificates in CA bundle |  25  
+Certificate chain depth |  4  
+  
@@ -128,0 +144,11 @@ In addition to these quotas, there are some other restrictions when using CloudF
+## Quotas on Connection Functions
+
+Entity |  Default quota  
+---|---  
+Connection Functions per AWS account For more information, see [Request a Connection Function quota increase](./connection-functions.html#request-connection-function-quota-increase). |  0  
+Maximum Connection Function size This quota isn't adjustable. To store additional data for your Connection Functions, create a key value store and add your key-value pairs. For more information, see [Amazon CloudFront KeyValueStore](./kvs-with-functions.html). |  10 KB  
+Maximum Connection Function memory |  2 MB  
+Distributions associated with the same Connection Function |  100  
+  
+In addition to these quotas, there are some other restrictions when using Connection Functions. For more information, see [Associate a CloudFront Connection Function](./connection-functions.html).
+