AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-02-19 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/origin-mtls-authentication.md

Summary

Updated terminology from 'Mutual TLS (origin)' to 'origin mTLS' throughout the document for consistency and clarity

Security assessment

The changes are purely terminological updates (e.g., 'Mutual TLS (origin)' → 'origin mTLS') without modifying security functionality or requirements. The core security mechanisms (client certificate authentication, origin validation responsibilities) remain unchanged. No evidence of vulnerability fixes or new security guidance.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/origin-mtls-authentication.md b/AmazonCloudFront/latest/DeveloperGuide/origin-mtls-authentication.md
index 49b4ae4f7..1ede8f93a 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/origin-mtls-authentication.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/origin-mtls-authentication.md
@@ -7 +7 @@ Viewer mTLS vs Origin mTLSHow it worksUse casesImportant: Origin Server Requirem
-# Mutual TLS (origin) with CloudFront
+# Origin mutual TLS with CloudFront
@@ -15 +15 @@ Mutual authentication (mTLS) can be enabled between viewers and your CloudFront
-Mutual TLS (origin) enables CloudFront to authenticate itself to your origin servers using client certificates. With mutual TLS (origin), you can ensure that only your authorized CloudFront distributions can establish connections with your application servers, helping protect against unauthorized access attempts.
+Origin mTLS enables CloudFront to authenticate itself to your origin servers using client certificates. With origin mTLS, you can ensure that only your authorized CloudFront distributions can establish connections with your application servers, helping protect against unauthorized access attempts.
@@ -19 +19 @@ Mutual TLS (origin) enables CloudFront to authenticate itself to your origin ser
-In mutual TLS (origin) connections, CloudFront acts as the client and presents its client certificate to your origin server during the TLS handshake. CloudFront does not perform validation of the client certificate's validity or revocation status—this is the responsibility of your origin server. Your origin infrastructure must be configured to validate the client certificate against its trust store, check certificate expiration, and perform revocation checks (such as CRL or OCSP validation) according to your security requirements. CloudFront's role is limited to presenting the certificate; all certificate validation logic and security policies are enforced by your origin servers.
+In origin mTLS connections, CloudFront acts as the client and presents its client certificate to your origin server during the TLS handshake. CloudFront does not perform validation of the client certificate's validity or revocation status—this is the responsibility of your origin server. Your origin infrastructure must be configured to validate the client certificate against its trust store, check certificate expiration, and perform revocation checks (such as CRL or OCSP validation) according to your security requirements. CloudFront's role is limited to presenting the certificate; all certificate validation logic and security policies are enforced by your origin servers.
@@ -23 +23 @@ In mutual TLS (origin) connections, CloudFront acts as the client and presents i
-In a standard TLS handshake between CloudFront and an origin, only the origin server presents a certificate to prove its identity to CloudFront. With mutual TLS (origin), the authentication process becomes bidirectional. When CloudFront attempts to connect to your origin server, CloudFront presents a client certificate during the TLS handshake. Your origin server validates this certificate against its trust store before establishing the secure connection.
+In a standard TLS handshake between CloudFront and an origin, only the origin server presents a certificate to prove its identity to CloudFront. With origin mTLS, the authentication process becomes bidirectional. When CloudFront attempts to connect to your origin server, CloudFront presents a client certificate during the TLS handshake. Your origin server validates this certificate against its trust store before establishing the secure connection.
@@ -27 +27 @@ In a standard TLS handshake between CloudFront and an origin, only the origin se
-Mutual TLS (origin) addresses several critical security scenarios where traditional authentication methods create operational overhead:
+Origin mTLS addresses several critical security scenarios where traditional authentication methods create operational overhead:
@@ -38 +38 @@ Mutual TLS (origin) addresses several critical security scenarios where traditio
-Mutual TLS (origin) requires your origin servers to be configured to support mutual TLS authentication. Your origin infrastructure must be capable of:
+Origin mTLS requires your origin servers to be configured to support mutual TLS authentication. Your origin infrastructure must be capable of:
@@ -51 +51 @@ Mutual TLS (origin) requires your origin servers to be configured to support mut
-CloudFront handles the client-side certificate presentation, but your origin servers are responsible for validating these certificates and managing the mutual TLS connection. Ensure your origin infrastructure is properly configured before enabling mutual TLS (origin) in CloudFront.
+CloudFront handles the client-side certificate presentation, but your origin servers are responsible for validating these certificates and managing the mutual TLS connection. Ensure your origin infrastructure is properly configured before enabling origin mTLS in CloudFront.
@@ -55 +55 @@ CloudFront handles the client-side certificate presentation, but your origin ser
-To implement mutual TLS (origin) with CloudFront, you'll need to import the client certificate in AWS Certificate Manager, configure your origin server to require mutual TLS, and enable mutual TLS (origin) on your CloudFront distribution. The following sections provide step-by-step instructions for each configuration task.
+To implement origin mTLS with CloudFront, you'll need to import the client certificate in AWS Certificate Manager, configure your origin server to require mutual TLS, and enable origin mTLS on your CloudFront distribution. The following sections provide step-by-step instructions for each configuration task.
@@ -61 +61 @@ To implement mutual TLS (origin) with CloudFront, you'll need to import the clie
-  * [Enable mutual TLS(origin) for CloudFront distributions](./origin-enable-mtls-distributions.html)
+  * [Enable origin mutual TLS for CloudFront distributions](./origin-enable-mtls-distributions.html)
@@ -63 +63 @@ To implement mutual TLS (origin) with CloudFront, you'll need to import the clie
-  * [Using CloudFront Functions with mutual TLS (origin)](./origin-mtls-cloudfront-functions.html)
+  * [Using CloudFront Functions with origin mutual TLS](./origin-mtls-cloudfront-functions.html)