Posted On: May 23, 2022

CloudFront now provides the CloudFront-Viewer-TLS header for use with origin request policies. CloudFront-Viewer-TLS is an HTTP header that includes the TLS version and cipher suite used to negotiate the viewer TLS connection. Previously, TLS information was available in CloudFront access logs to analyze previous requests. Now, customers can access the TLS version and cipher suite in each HTTP request to make real-time decisions such as restricting requests with outdated TLS versions. The CloudFront-Viewer-TLS header value uses the following syntax: <TLS version>:<Cipher Suite>. For example, TLSv1.2:ECDHE-RSA-AES128-SHA256.

To configure the CloudFront-Viewer-TLS header, include it in a CloudFront origin request policy to be forwarded to your origin. When configured, the CloudFront-Viewer-TLS header can also be accessed from CloudFront Functions and Lambda@Edge to perform functions such as restricting access at the edge.
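The edge restriction described above, sketched as a CloudFront Functions viewer-request handler. This is an added example, not code from AWS or from this announcement. The TLSv1.2 minimum, the list of protocol labels, the fail-closed choice and the helper names `parseViewerTls` and `isAllowed` are assumptions.

```javascript
// Added example: reject viewers whose negotiated TLS version is below a floor.
// Assumption: CloudFront-Viewer-TLS is included in the origin request policy.
var MIN_TLS = 'TLSv1.2'; // assumed policy floor, adjust to your requirements

// Assumed protocol labels, following the page's "TLSv1.2" example format.
var TLS_RANK = { 'SSLv3': 0, 'TLSv1': 1, 'TLSv1.1': 2, 'TLSv1.2': 3, 'TLSv1.3': 4 };

// Parse "<TLS version>:<Cipher Suite>"; return null for anything malformed.
function parseViewerTls(value) {
    if (typeof value !== 'string') { return null; }
    var idx = value.indexOf(':');
    if (idx <= 0 || idx === value.length - 1) { return null; }
    var version = value.slice(0, idx).trim();
    var cipher = value.slice(idx + 1).trim();
    if (!cipher || !Object.prototype.hasOwnProperty.call(TLS_RANK, version)) {
        return null; // empty cipher or unknown protocol label
    }
    return { version: version, cipher: cipher };
}

// True only when the header parses and the version meets the floor.
function isAllowed(value) {
    var tls = parseViewerTls(value);
    return tls !== null && TLS_RANK[tls.version] >= TLS_RANK[MIN_TLS];
}

// CloudFront Functions entry point: header names are lowercase in the event.
function handler(event) {
    var request = event.request;
    var header = request.headers['cloudfront-viewer-tls'];
    // Fail closed: a missing or unparseable header is treated as not allowed,
    // so a misconfigured policy shows up as 403s rather than silent bypass.
    if (!header || !isAllowed(header.value)) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: { 'content-type': { value: 'text/plain' } }
        };
    }
    return request; // pass the request through unchanged
}
```

Because the handler fails closed, attach it only after the origin request policy that adds the header is in place on the same cache behavior.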

The CloudFront-Viewer-TLS header is now available in all regions except the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. There is no additional fee for using the header. For more information about how to use the CloudFront-Viewer-TLS header, see the CloudFront Developer Guide. For more details on the use cases supported by origin policies, visit this blog. To learn more about Amazon CloudFront, visit the CloudFront product page.