Amazon CloudFront announces Passthrough Mode for mutual TLS (Viewer)
Amazon CloudFront now supports passthrough mode for mutual TLS (mTLS) viewer authentication, allowing CloudFront to forward client certificates to the origin without verifying the certificates on CloudFront. Customers who already validate client certificates at their origin can now add CloudFront to their existing mTLS infrastructure without changing how or where validation happens.
In passthrough mode, customers configure mutual TLS on their CloudFront distribution without setting up a trust store. CloudFront forwards every request along with the client's full certificate chain directly to the origin for authentication. Connection functions, which allow customers to inspect or transform connection-level data at the edge, still run on every request, enabling customers to process or reformat certificate headers before requests reach the origin. Customers benefit from CloudFront's global edge network while maintaining their current mutual TLS authentication architecture.
Passthrough mode is now available alongside the other mutual TLS modes in CloudFront. Required mode validates all client certificates against trust stores at the edge. Optional mode validates presented certificates against trust stores at the edge while serving, from the same application, both clients that present certificates and clients that do not. CloudFront mutual TLS in passthrough mode is available at no additional cost. To learn more, refer to the documentation for CloudFront Mutual TLS (Viewer).