Amazon CloudFront announces Passthrough Mode for mutual TLS (Viewer)
Amazon Web Services has introduced a new passthrough mode for mutual TLS (mTLS) authentication in CloudFront. It lets customers forward client certificates directly to their origin servers for validation, without CloudFront performing certificate verification at the edge. The new mode joins CloudFront's existing required and optional mTLS modes and is designed for organizations that want to keep their existing certificate validation infrastructure at the origin rather than implement new validation logic at CloudFront's edge locations. In passthrough mode, CloudFront forwards every client request to the origin together with the complete certificate chain and bypasses its cache, so that each request is authenticated end-to-end by the origin server. The feature still supports CloudFront's connection functions, so customers can inspect or transform certificate data before it reaches the origin. AWS offers passthrough mode at no additional cost as part of CloudFront's existing mTLS viewer authentication capabilities.
Why It Matters
This enhancement removes a key barrier for enterprises with established mTLS implementations that want to adopt CloudFront without restructuring their existing security architecture. By eliminating the need to reconfigure certificate validation at the edge, AWS reduces migration complexity for security-conscious organizations while preserving their preferred authentication workflows.
This summary is generated using AI analysis of the original press release. Always refer to the original source for complete details.