Amazon CloudFront announces Passthrough Mode for mutual TLS (Viewer)
Amazon CloudFront now supports passthrough mode for viewer mutual TLS (mTLS) authentication. In this mode CloudFront performs no certificate verification itself; it forwards the client certificate to your origin, which remains responsible for validating it. Passthrough mode lets customers who already validate client certificates at their origins put CloudFront in front of those origins without having to reimplement that validation logic at the edge.
CloudFront viewer mTLS already supports required mode and optional mode, both of which offload client certificate authentication to CloudFront using trust stores. Passthrough mode is designed for customers who want to keep their existing mTLS validation infrastructure at the origin, and it requires no trust store configuration on CloudFront. In passthrough mode, CloudFront forwards every request to the origin together with the client's full certificate chain. Responses are not cached, so every request is authenticated end-to-end by your origin. Connection functions, which let you inspect or transform connection-level data, are still invoked, so you can process the certificate data before it reaches the origin.
CloudFront Mutual TLS (viewer) in passthrough mode is available at no additional cost. To learn more, visit CloudFront mutual TLS (viewer).