AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-11-25 · Documentation high

File: AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.md

Summary

Added documentation for Connection Functions validating mTLS connections, including certificate validation, custom authentication logic, and function structure examples.

Security assessment

Documents new security capabilities for mTLS certificate validation and connection authentication. No evidence of fixing existing vulnerabilities; instead enhances security documentation for a new feature.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.md b/AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.md
index 8b4842887..cb322ad28 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/function-code-choose-purpose.md
@@ -5 +5 @@
-Modify the HTTP request in a viewer request event typeGenerate an HTTP response in a viewer request event typeModify the HTTP response in a viewer response event typeRelated information
+Modify the HTTP request in a viewer request event typeGenerate an HTTP response in a viewer request event typeModify the HTTP response in a viewer response event typeValidate mTLS connections in a connection request event typeRelated information
@@ -18,0 +19,2 @@ Before you write your function code, determine the purpose of your function. Mos
+  * Validate mTLS connections in a connection request event type
+
@@ -91,0 +94,23 @@ The function returns the modified `response` object to CloudFront, which CloudFr
+## Validate mTLS connections in a connection request event type
+
+Connection functions are a type of CloudFront Functions that run during TLS connections to provide custom validation and authentication logic. Connection functions are currently available for mutual TLS (mTLS) connections, where you can validate client certificates and implement custom authentication logic beyond standard certificate validation. Connection functions run during the TLS handshake process and can allow or deny connections based on certificate properties, client IP addresses, or other criteria.
+
+After you create and publish a connection function, make sure to add an association for the _connection request_ event type with an mTLS-enabled distribution. This makes the function run each time a client attempts to establish an mTLS connection with CloudFront.
+
+###### Example 
+
+The following pseudocode shows the structure of a connection function:
+    
+    
+    function connectionHandler(connection) {
+        // Validate certificate and connection properties here.
+        
+        if (/* validation passes */) {
+            connection.allow();
+        } else {
+            connection.deny();
+        }
+    }
+
+The function uses helper methods to determine whether to allow or deny the connection. Unlike viewer request and viewer response functions, connection functions cannot modify HTTP requests or responses.
+