AWS AmazonCloudFront documentation change
Summary
Added new 'Passthrough mode' to mTLS options and restructured mode descriptions with new links.
Security assessment
Introduces passthrough mode where validation shifts to origins, expanding security documentation but without citing vulnerabilities. New links improve security feature discoverability.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.md b/AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.md index f58f99c09..58f570c97 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.md +++ b//AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.md @@ -17 +17,10 @@ In a standard TLS handshake, only the server presents a certificate to prove its -CloudFront performs this certificate validation at AWS edge locations, offloading the authentication complexity from your origin servers while maintaining CloudFront's global performance benefits. You can configure mTLS in two modes: verify mode (which requires all clients to present valid certificates) or optional mode (which validates certificates when presented but also allows connections without certificates). +CloudFront performs this certificate validation at AWS edge locations, offloading the authentication complexity from your origin servers while maintaining CloudFront's global performance benefits. You can configure mTLS in three modes: + + * **Required mode** (default) — CloudFront validates the client certificate against a trust store. If validation fails or no certificate is presented, CloudFront denies the connection. Use required mode when every client must authenticate with a valid certificate. + + * **Optional mode** — CloudFront validates the client certificate if one is presented, but allows connections without a certificate. Certificate metadata is available in Connection Functions and HTTP headers for your origin to make authorization decisions. Use optional mode when you support both authenticated and unauthenticated clients. + + * **Passthrough mode** — CloudFront does not validate the client certificate against a trust store. CloudFront only validates that the client possesses the corresponding private key. It forwards the certificate to your origin as HTTP headers for your origin to perform validation. No trust store is required and no caching occurs. Use passthrough mode when you have existing mTLS implementations at your origin. + + + @@ -42 +51,5 @@ Mutual TLS authentication with CloudFront addresses several critical security sc - * [Revocation using CloudFront Connection Function and KVS](./revocation-connection-function-kvs.html) + * [Certificate revocation](./certificate-revocation.html) + + * [Helper methods for mutual TLS](./mtls-helper-methods-link.html) + + * [Additional validation modes](./mtls-validation-modes.html)