AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-05-07 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.md

Summary

Added documentation for HTTP 503 errors caused by mutual TLS (mTLS) origin configuration issues, including troubleshooting steps

Security assessment

The change documents mutual TLS (mTLS) handshake failures as a cause for 503 errors, which relates to encrypted origin communication security features. However, there's no evidence of a specific vulnerability being fixed.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.md b/AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.md
index 710efff29..3df09b850 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/http-503-service-unavailable.md
@@ -7 +7 @@
-Origin server does not have enough capacity to support the request rateCloudFront caused the error due to resource constraints at the edge locationLambda@Edge or CloudFront Function execution errorLambda@Edge limit exceeded
+Origin server does not have enough capacity to support the request rateCloudFront caused the error due to resource constraints at the edge locationCloudFront caused the error for an origin configured with mutual TLSLambda@Edge or CloudFront Function execution errorLambda@Edge limit exceeded
@@ -14,0 +15,2 @@ If you are using Lambda@Edge or CloudFront Functions, the issue might be an exec
+If you are using origin mutual TLS (origin mTLS), the issue might be due to repeated failed attempts to establish a connection with a specific certificate.
+
@@ -20,0 +23,2 @@ If you are using Lambda@Edge or CloudFront Functions, the issue might be an exec
+  * CloudFront caused the error for an origin configured with mutual TLS
+
@@ -76,0 +81,15 @@ If this happens in your production environment, contact [Support](https://consol
+## CloudFront caused the error for an origin configured with mutual TLS
+
+If your distribution uses mutual TLS (mTLS) to connect to a custom origin, CloudFront may return an HTTP 503 status code when it is unable to establish connections to the origin. This can happen when the origin repeatedly fails to complete TLS handshakes or is unreachable due to DNS or connectivity issues. This condition is temporary — CloudFront automatically resumes normal traffic once the origin is reachable again.
+
+To resolve this issue:
+
+  * Confirm that the correct client certificate is associated with your distribution and that it has not expired. If you recently updated the certificate, allow time for the change to propagate before it takes effect.
+
+  * Confirm that the origin is reachable and that DNS records resolve correctly.
+
+
+
+
+If the issue persists despite configuring the proper certificate in your production environment, contact [Support](https://console.aws.amazon.com/support/home#/).
+