Amazon CloudFront Adds Mutual TLS Passthrough Mode for Origin Certificate Verification
Amazon CloudFront has expanded its viewer mutual TLS authentication capabilities with a new passthrough mode. Previously, users had to choose between mandatory or optional modes, both of which required CloudFront to perform certificate validation using a trust store. With the passthrough option, CloudFront simply forwards the client certificate to the origin server, allowing the backend to handle the full authentication process.
Related tools
Recommended tools for this topic
These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.
High-value hosting and deployment path for frontend and cloud readers.
View VercelStrong cloud alternative for startups and developer-led infrastructure decisions.
View DigitalOceanA strong security and edge platform match across CDN, Zero Trust, and app protection.
View CloudflareComparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Validation Location | CloudFront edge location using trust stores | Backend origin server infrastructure |
| Configuration | Requires managing trust stores within AWS | No trust store configuration needed in CloudFront |
| Operational Flow | Offloads mTLS processing to the CDN | Maintains existing mTLS logic on the origin |
| Viewer Certificate | Terminated and validated at the edge | Forwarded directly to the backend for review |
Action Checklist
- Identify existing origin servers with mTLS validation logic Useful for backends that already manage their own certificate authorities
- Update CloudFront cache policy to forward the necessary headers Ensure the origin can receive and parse the client certificate
- Enable mTLS passthrough in the CloudFront distribution settings This feature is available at no additional cost
- Test origin connectivity to ensure proper certificate handling Verify that the backend correctly rejects invalid viewer certificates
Source: AWS What's New
This page summarizes the original source. Check the source for full details.
