AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2026-06-04 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/georestrictions.md

Summary

Added note about certificate validation exemption for geographic restrictions and AWS WAF configuration guidance.

Security assessment

Addresses potential certificate validation failures caused by geographic restrictions, which could lead to TLS certificate expiration and man-in-the-middle vulnerabilities. Explicitly prevents misconfigurations that break certificate issuance.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/georestrictions.md b/AmazonCloudFront/latest/DeveloperGuide/georestrictions.md
index aa2d26f89..8c0fa7801 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/georestrictions.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/georestrictions.md
@@ -58,0 +59,6 @@ Here’s how geographic restrictions work:
+###### Note
+
+Geographic restrictions do not apply to certificate validation requests for CloudFront managed certificates. When you use a CloudFront managed certificate, requests to the `/.well-known/pki-validation/` path are excluded from geographic restriction rules. This ensures that Certificate Authorities can validate your certificate from the multiple geographically distributed network perspectives required for issuance and renewal, regardless of your geographic restriction configuration.
+
+If you use AWS WAF with your distribution, ensure that your AWS WAF rules (including bot control rules) do not block requests to the `/.well-known/pki-validation/` path. Blocking these requests can prevent certificate validation from completing successfully.
+