AWS AmazonCloudFront high security documentation change
Summary
Added note about geographic restrictions compatibility with certificate validation.
Security assessment
Directly addresses certificate validation failures caused by geographic restrictions, preventing potential TLS disruptions. Mentions past workarounds and provides resolution guidance.
Diff
diff --git a/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md b/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md index 6aa36d84e..11e6308c5 100644 --- a//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md +++ b//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md @@ -259,0 +260,6 @@ You don't need to call the ACM API operations to create or update your certifica +###### Note + +**Geographic restrictions compatibility** — CloudFront managed certificate validation is compatible with geographic restrictions. When you enable geographic restrictions on a distribution that uses a CloudFront managed certificate, validation requests are excluded from geographic restriction rules. Certificate Authorities verify domain ownership from multiple geographically distributed network perspectives (Multi Perspective Issuance Corroboration) to protect against BGP hijacking. CloudFront ensures these validation requests succeed regardless of which countries you block or allow. + +No action is required to use this functionality. If you previously removed geographic restrictions as a workaround for certificate validation failures, you can safely re-apply them. +