AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2026-06-04 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md

Summary

Added note about geographic restrictions compatibility with certificate validation.

Security assessment

Directly addresses certificate validation failures caused by geographic restrictions, preventing potential TLS disruptions. Mentions past workarounds and provides resolution guidance.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md b/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
index 6aa36d84e..11e6308c5 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.md
@@ -259,0 +260,6 @@ You don't need to call the ACM API operations to create or update your certifica
+###### Note
+
+**Geographic restrictions compatibility** — CloudFront managed certificate validation is compatible with geographic restrictions. When you enable geographic restrictions on a distribution that uses a CloudFront managed certificate, validation requests are excluded from geographic restriction rules. Certificate Authorities verify domain ownership from multiple geographically distributed network perspectives (Multi Perspective Issuance Corroboration) to protect against BGP hijacking. CloudFront ensures these validation requests succeed regardless of which countries you block or allow.
+
+No action is required to use this functionality. If you previously removed geographic restrictions as a workaround for certificate validation failures, you can safely re-apply them.
+