Amazon CloudFront announces Passthrough Mode for mutual TLS (Viewer)
News
This article announces passthrough mode for Amazon CloudFront viewer mutual TLS (mTLS) authentication, enabling certificate forwarding to origins without CloudFront validation.
- CloudFront forwards client certificates to origin for validation without edge verification
- Maintains existing mTLS validation infrastructure at origin without trust store configuration
- Forwards full certificate chain with every request to ensure end-to-end authentication
- Disables caching to guarantee each request is authenticated by origin
- Connection functions still available to inspect or transform certificate data
- Available at no additional cost
Passthrough mode allows customers with existing mTLS implementations to use CloudFront without redesigning their validation logic.
The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.
Related articles
May 14
2026
2026
Amazon CloudFront announces support for OCSP Revocation for Mutual TLS (Viewer)
Nov 24
2025
2025
Amazon CloudFront announces support for mutual TLS authentication
Feb 2
2026
2026
Amazon CloudFront announces mutual TLS support for origins
Nov 20
2025
2025
Amazon CloudFront now supports TLS 1.3 for origin connections
The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.