AWS AmazonCloudFront documentation change
Summary
Added support for mTLS origins in selectRequestOriginById() and createRequestOriginGroup(), including code examples. Updated updateRequestOrigin() behavior and syntax.
Security assessment
The changes document expanded capabilities for mutual TLS (security feature) but show no evidence of vulnerability remediation. The modifications provide implementation guidance for security features without referencing any security incident or weakness resolution.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/origin-mtls-cloudfront-functions.md b/AmazonCloudFront/latest/DeveloperGuide/origin-mtls-cloudfront-functions.md index df549c39b..94a8006f1 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/origin-mtls-cloudfront-functions.md +++ b//AmazonCloudFront/latest/DeveloperGuide/origin-mtls-cloudfront-functions.md @@ -7 +7 @@ -Supported CloudFront Functions operationsUnsupported CloudFront Functions operations +Supported CloudFront Functions operations @@ -21 +21 @@ The updateRequestOrigin() function supports limited modifications when working w - * **Switching between origin mTLS origins:** You can update the request to route to a different origin that uses origin mTLS, provided both origins use the **same client certificate**. This allows you to implement custom routing logic while maintaining mutual TLS authentication. + * **Switching between origin mTLS origins:** You can update the request to route to a different origin that uses origin mTLS, provided both origins use the **same client certificate**. This allows you to implement custom routing logic while maintaining mutual TLS authentication. Switching between origins that make use of different certificates is supported through the `selectRequestOriginById()` and `createRequestOriginGroup()` APIs. @@ -30,0 +31,2 @@ The updateRequestOrigin() function supports limited modifications when working w + import cf from 'cloudfront'; + @@ -36,3 +38,4 @@ The updateRequestOrigin() function supports limited modifications when working w - request.origin = { - domainName: 'api-v2.example.com', - customHeaders: {}, + cf.updateRequestOrigin({ + "domainName": "api-v2.example.com", + "mTLSConfig": "inherit", + // If no value is provided for mTLSConfig, it defaults to inherit @@ -40 +43 @@ The updateRequestOrigin() function supports limited modifications when working w - }; + }); @@ -48,0 +52,2 @@ The updateRequestOrigin() function supports limited modifications when working w + import cf from 'cloudfront'; + @@ -54,5 +59,4 @@ The updateRequestOrigin() function supports limited modifications when working w - request.origin = { - domainName: 'public-origin.example.com', - customHeaders: {}, - mTLSConfig: 'off' - }; + cf.updateRequestOrigin({ + "domainName": "public-origin.example.com", + "mTLSConfig": "off" + }); @@ -64 +68 @@ The updateRequestOrigin() function supports limited modifications when working w -## Unsupported CloudFront Functions operations +### selectRequestOriginById() @@ -66 +70,3 @@ The updateRequestOrigin() function supports limited modifications when working w -The following CloudFront Functions operations do not support mTLS-enabled origins at general availability: +The `selectRequestOriginById()` function supports selecting origins that have mutual TLS (origin) enabled. You can use this function to dynamically route requests to mTLS-enabled origins configured in your distribution. When selecting a mutual TLS (origin) enabled origin by ID, CloudFront uses the client certificate configured for that origin in the distribution settings. + +#### Example: Selecting a mutual TLS (origin) enabled origin by ID @@ -68 +73,0 @@ The following CloudFront Functions operations do not support mTLS-enabled origin -### selectRequestOriginById() @@ -70 +75 @@ The following CloudFront Functions operations do not support mTLS-enabled origin -The `selectRequestOriginById()` function cannot select an origin that has origin mTLS enabled. Attempting to select a mTLS-enabled origin using this function will result in a validation error. + import cf from 'cloudfront'; @@ -72 +77,10 @@ The `selectRequestOriginById()` function cannot select an origin that has origin -If your use case requires dynamic origin selection with origin mTLS, use `updateRequestOrigin()` instead, ensuring all target origins use the same client certificate. + function handler(event) { + var request = event.request; + + // Select mTLS-enabled origin based on request characteristics + if (request.uri.startsWith('/secure-api')) { + cf.selectRequestOriginById("mtls-origin-1"); + } + + return request; + } @@ -76 +90,6 @@ If your use case requires dynamic origin selection with origin mTLS, use `update -The `createRequestOriginGroup()` function does not support creating origin groups that include mTLS-enabled origins. Origin groups with origin mTLS origins cannot be created dynamically through CloudFront Functions. +The `createRequestOriginGroup()` function supports creating origin groups that include mutual TLS (origin) enabled origins. You can dynamically create origin groups with mTLS-enabled origins for failover scenarios within CloudFront Functions. + +#### Example: Creating an origin group with mutual TLS (origin) enabled origins + + + import cf from 'cloudfront'; @@ -78 +97,11 @@ The `createRequestOriginGroup()` function does not support creating origin group -If you need origin failover capabilities with origin mTLS, configure origin groups directly in your CloudFront distribution settings rather than creating them dynamically in functions. + function handler(event) { + // Create origin group with mTLS-enabled primary and failover origins + cf.createRequestOriginGroup({ + "originIds": ["mtls-origin-primary", "mtls-origin-failover"], + "failoverCriteria": { + "statusCodes": [500, 502, 503, 504] + } + }); + + return event.request; + }