Prerequisites and requirements Enable origin mTLS Using AWS CLI Next steps

Enable origin mutual TLS for CloudFront distributions

After obtaining a client certificate through AWS Certificate Manager and configuring your origin server to require mutual TLS, you can enable origin mTLS on your CloudFront distribution.

Prerequisites and requirements

Before enabling origin mTLS on a CloudFront distribution, ensure you have:

A client certificate stored in AWS Certificate Manager in the US East (N. Virginia) Region (us-east-1)
Origin servers configured to require mutual TLS authentication and validate client certificates
Origin servers presenting certificates from publicly trusted Certificate Authorities
Permissions to modify CloudFront distributions
Origin mTLS is only available on Business, Premium plans or Pay as you go pricing plans.

Note

Origin mTLS can be configured for custom origins (including origins hosted outside AWS) and AWS origins that support mutual TLS such as Application Load Balancer and API Gateway.

Important

The following CloudFront features are not supported with origin mTLS:

gRPC traffic: gRPC protocol is not supported for origins with origin mTLS enabled
WebSocket connections: WebSocket protocol is not supported for origins with origin mTLS enabled
VPC origins: origin mTLS cannot be used with VPC origins
Origin request and origin response triggers with Lambda@Edge: Lambda@Edge functions in origin request and origin response positions are not supported with origin mTLS
Embedded POPs: origin mTLS is not supported for embedded POPs

Enable origin mTLS

Per-origin configuration allows you to specify different client certificates for different origins within the same distribution. This approach provides maximum flexibility when your origins have different authentication requirements.

For new distributions (Console)

Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.
Choose Create distribution
Select a pricing plan: Choose either Business or Premium or Pay As You Go (Origin mTLS is not available on the Free plan)
In the Origin settings section, choose Origin Type as Other
In the Origin settings section, choose Customize origin settings
Configure your first origin (domain name, protocol, etc.)
In the origin configuration, find mTLS
Toggle mTLS to On
For Client certificate, select your certificate from AWS Certificate Manager
(Optional) Add additional origins with their own origin mTLS configurations
Complete the remaining distribution settings and choose Create distribution

For existing distributions (Console)

Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home.
From the distribution list, select the distribution you want to modify. (Note: Ensure your distribution is on a Pro or Premium or Pay As You Go pricing plan. If not, you must upgrade your pricing plan before enabling origin mTLS)
Choose the Origins tab
Select the origin you want to configure and choose Edit
In the origin settings, find mTLS
Toggle mTLS to On
For Client certificate, select your certificate from AWS Certificate Manager. (Note: Only client certificates with the EKU (Extended Key Usage) property set to "TLS Client Authentication" will be listed)
Choose Save changes
Repeat for additional origins as needed

Using AWS CLI

For per-origin configuration, specify the origin mTLS settings within each origin's configuration:


{
  "Origins": {
    "Quantity": 2,
    "Items": [
      {
        "Id": "origin-1",
        "DomainName": "api.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "ClientCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-1"
        }
      },
      {
        "Id": "origin-2",
        "DomainName": "backend.example.com",
        "CustomOriginConfig": {
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "https-only"
        },
        "OriginMtlsConfig": {
          "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cert-2"
        }
      }
    ]
  }
}

Note

CloudFront will not provide the client certificate if the server does not request it, allowing the connection to proceed normally.

Next steps

After enabling origin mTLS on your CloudFront distribution, you can monitor authentication events using CloudFront access logs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Certificate management with AWS Certificate Manager

Using CloudFront Functions with origin mutual TLS