Amazon CloudFront now supports mTLS authentication to origins
Networking & Content Delivery Blog
This article announces that Amazon CloudFront now supports mutual TLS (mTLS) authentication between CloudFront and customer origins, enabling end-to-end encrypted and authenticated connections.
- CloudFront extends mTLS from viewers to origins for complete authentication path
- Enables zero-trust architecture by removing implicit trust between tiers
- Supports client certificates from AWS Private CA or third-party CAs
- Per-origin configuration allows different certificates for different backends
- Prerequisites include X.509v3 client certificate and origin server mTLS support
- Connection overhead limited to handshake phase; steady-state performance unaffected
- AWS Private CA recommended for automated lifecycle and renewal management
CloudFront-to-origin mTLS closes trust gaps in edge architectures, providing cryptographic identity verification across the entire request path for regulated and high-risk workloads.
The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.
Related articles
The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.