Enable mutual TLS(origin) for CloudFront distributions - Amazon CloudFront
Prerequisites and requirementsEnable mutual TLS (origin)Using Amazon CLINext steps
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable mutual TLS(origin) for CloudFront distributions

After obtaining a client certificate through Amazon Certificate Manager and configuring your origin server to require mutual TLS, you can enable mutual TLS (origin) on your CloudFront distribution.

Prerequisites and requirements

Before enabling mutual TLS (origin) on a CloudFront distribution, ensure you have:

  • A client certificate stored in Amazon Certificate Manager in the US East (N. Virginia) Region (us-east-1)

  • Origin servers configured to require mutual TLS authentication and validate client certificates

  • Origin servers presenting certificates from publicly trusted Certificate Authorities

  • Permissions to modify CloudFront distributions

  • Mutual TLS (origin) is only available on Business, Premium plans or Pay as you go pricing plans.

Note

Mutual TLS (origin) can be configured for custom origins (including origins hosted outside Amazon) and Amazon origins that support mutual TLS such as Application Load Balancer and API Gateway.

Important

The following CloudFront features are not supported with mutual TLS (origin):

  • gRPC traffic: gRPC protocol is not supported for origins with mutual TLS (origin) enabled

  • WebSocket connections: WebSocket protocol is not supported for origins with mutual TLS (origin) enabled

  • VPC origins: Mutual TLS (origin) cannot be used with VPC origins

  • Origin request and origin response triggers with Lambda@Edge: Lambda@Edge functions in origin request and origin response positions are not supported with mutual TLS (origin)

  • Embedded POPs: Mutual TLS (origin) is not supported for embedded POPs

Enable mutual TLS (origin)

Per-origin configuration allows you to specify different client certificates for different origins within the same distribution. This approach provides maximum flexibility when your origins have different authentication requirements.

For new distributions (Console)

  1. Sign in to the Amazon Web Services Management Console and open the CloudFront console at https://console.amazonaws.cn/cloudfront/v4/home.

  2. Choose Create distribution

  3. Select a pricing plan: Choose either Business or Premium or Pay As You Go (Mutual TLS (origin) is not available on the Free plan)

  4. In the Origin settings section, choose Origin Type as Other

  5. In the Origin settings section, choose Customize origin settings

  6. Configure your first origin (domain name, protocol, etc.)

  7. In the origin configuration, find Mutual TLS (origin)

  8. Toggle Enable mutual TLS (origin) to On

  9. For Client certificate, select your certificate from Amazon Certificate Manager

  10. (Optional) Add additional origins with their own mutual TLS (origin) configurations

  11. Complete the remaining distribution settings and choose Create distribution

For existing distributions (Console)

  1. Sign in to the Amazon Web Services Management Console and open the CloudFront console at https://console.amazonaws.cn/cloudfront/v4/home.

  2. From the distribution list, select the distribution you want to modify. (Note: Ensure your distribution is on a Pro or Premium or Pay As You Go pricing plan. If not, you must upgrade your pricing plan before enabling mutual TLS (origin))

  3. Choose the Origins tab

  4. Select the origin you want to configure and choose Edit

  5. In the origin settings, find mutual TLS (origin)

  6. Toggle Enable mutual TLS (origin) to On

  7. For Client certificate, select your certificate from Amazon Certificate Manager. (Note: Only client certificates with the EKU (Extended Key Usage) property set to "TLS Client Authentication" will be listed)

  8. Choose Save changes

  9. Repeat for additional origins as needed

Using Amazon CLI

For per-origin configuration, specify the mutual TLS (origin) settings within each origin's configuration:

{
  "Origins": {
    "Quantity": 2,
    "Items": [
      {
        "Id": "origin-1",
        "DomainName": "api.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "ClientCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-1"
        }
      },
      {
        "Id": "origin-2",
        "DomainName": "backend.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-2"
        }
      }
    ]
  }
}
Note

CloudFront will not provide the client certificate if the server does not request it, allowing the connection to proceed normally.

Next steps

After enabling mutual TLS (origin) on your CloudFront distribution, you can monitor authentication events using CloudFront access logs.