Amazon CloudFront now supports mutual TLS authentication for origin servers, completing end-to-end zero-trust authentication from viewers to backends. The feature replaces IP allowlists and shared sec

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

Amazon CloudFront now supports mutual TLS authentication for origin servers, enabling cryptographic verification between CloudFront and backend infrastructure. This completes end-to-end zero-trust authentication from viewers to origins, replacing IP allowlists and shared secrets. The feature uses X.509v3 certificates with bidirectional verification during TLS handshakes. It's particularly valuable for multi-cloud and hybrid deployments where origins need to verify traffic authenticity without VPNs. Best practices recommend using AWS Private CA with automated rotation rather than long-lived certificates. The feature is available at no additional charge and addresses a security gap where attackers could bypass CloudFront by connecting directly to origin servers.

CloudFront Adds Origin mTLS Authentication for End-to-End Zero Trust