AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-05-16 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/configuring-additional-settings.md

Summary

Removed the entire section about 'Client certificate validation Optional mode' including its behavior, configuration steps, and CLI examples.

Security assessment

The removal documents the deprecation of a feature (mTLS optional mode) but doesn't reference any security vulnerability. Optional mode allowed non-authenticated clients which had security implications, but the change doesn't cite specific vulnerabilities.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/configuring-additional-settings.md b/AmazonCloudFront/latest/DeveloperGuide/configuring-additional-settings.md
index 5c0f9b520..7d9032e98 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/configuring-additional-settings.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/configuring-additional-settings.md
@@ -7 +7 @@
-Client certificate validation Optional modeCertificate Authority advertisementCertificate expiration handlingNext steps
+Certificate Authority advertisementCertificate expiration handlingNext steps
@@ -13,45 +12,0 @@ After enabling basic mutual TLS authentication, you can configure additional set
-## Client certificate validation Optional mode
-
-CloudFront offers an alternative Optional client certificate validation mode that validates client certificates that are presented but allows access to clients that don't present certificates.
-
-### Optional mode behavior
-
-  * Grants connection to clients with valid certificates, (invalid certificates are denied).
-
-  * Allows connection to clients without certificates
-
-  * Allows mixed client authentication scenarios through a single distribution.
-
-
-
-
-Optional mode is ideal for gradual migration to mTLS authentication, supporting clients with certificates and clients without certificates, or maintaining backward compatibility with legacy clients.
-
-###### Note
-
-In optional mode, Connection Functions are still invoked even when clients don't present certificates. This allows you to implement custom logic such as logging client IP addresses or applying different policies based on whether certificates are presented.
-
-### To configure optional mode (Console)
-
-  1. In your distribution settings, navigate to the **General** tab, choose **Edit**.
-
-  2. Scroll to the **Viewer mutual authentication (mTLS)** section within the **Connectivity** container.
-
-  3. For **Client certificate validation mode** , select **Optional**.
-
-  4. Save changes.
-
-
-
-
-### To configure optional mode (AWS CLI)
-
-The following example shows how to configure optional mode:
-    
-    
-    "ViewerMtlsConfig": {
-       "Mode": "optional",
-       ...other settings
-    }
-                    
-