
Hands-On with the New Amazon CloudFront Viewer mTLS Passthrough Mode

On May 14, 2026, Amazon Web Services introduced passthrough mode for Amazon CloudFront Viewer Mutual TLS (mTLS). The new capability allows CloudFront to forward client certificates directly to origins for validation without requiring certificate verification at CloudFront edge locations.

Previously, CloudFront Viewer mTLS supported required mode and optional mode, where certificate authentication is handled by CloudFront using trust stores. Passthrough mode introduces a different approach by allowing existing mTLS validation systems at origins to remain unchanged while CloudFront forwards certificate information.

Mutual TLS (mTLS) extends standard TLS authentication by requiring both the client and server to present certificates before establishing a secure connection. This enables stronger identity verification compared to traditional TLS, where only the server proves its identity.

In this post, I explored the new passthrough capability by enabling Viewer mTLS on an existing CloudFront distribution in front of an EC2 instance running NGINX.

Setup

To test the new feature, I enabled Viewer Mutual TLS (mTLS) and selected Passthrough mode.

The configuration confirms that Viewer mTLS is enabled in passthrough mode.

CloudFront Viewer mTLS currently supports three modes:

  • Required mode
    CloudFront validates client certificates against a configured trust store. Requests without valid certificates are rejected.

  • Optional mode
    CloudFront validates certificates if provided but still allows requests without certificates. Certificate information can be forwarded for authorization decisions.

  • Passthrough mode
    CloudFront does not validate certificates against a trust store. Instead, CloudFront verifies that the client possesses the corresponding private key, then forwards the client certificate chain to the origin for validation.

For passthrough mode:

  • No trust store configuration is required
  • Client certificates are forwarded to origins as HTTP headers
  • Caching is automatically disabled
  • Requires an Origin Request Policy that includes Client-Cert and Client-Cert-Chain headers (e.g., AllViewer)
  • Connection Functions remain supported
  • HTTP/3 is not supported
  • Origin Shield is not supported
  • Lambda@Edge is not supported

According to AWS documentation, caching is not performed to ensure each request is authenticated end-to-end by the origin.
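What the origin has to do with the forwarded certificate, as an added example that is not from the post or from AWS: a Go origin-side validator, assuming the Client-Cert header carries the RFC 9440 byte-sequence form (":<base64 DER>:", an assumption to confirm against the CloudFront documentation) and using a constructed throwaway CA as the stand-in for the PKI the origin already trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// VerifyClientCertHeader is the origin-side check that passthrough mode leaves to the
// backend: CloudFront proved key possession only, so the Client-Cert value (assumed to
// be RFC 9440 ":<base64 DER>:") is accepted only if it chains to the origin's roots.
func VerifyClientCertHeader(header string, roots *x509.CertPool, now time.Time) (string, error) {
	if len(header) < 2 || header[0] != ':' || header[len(header)-1] != ':' {
		return "", fmt.Errorf("Client-Cert is not an RFC 9440 byte sequence")
	}
	der, b64Err := base64.StdEncoding.DecodeString(header[1 : len(header)-1])
	leaf, derErr := x509.ParseCertificate(der) // also fails when der is empty
	if b64Err != nil || derErr != nil {
		return "", fmt.Errorf("Client-Cert undecodable: base64=%v der=%v", b64Err, derErr)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", fmt.Errorf("origin rejected client certificate: %w", err)
	}
	return leaf.Subject.CommonName, nil
}

// HeaderFor renders DER as a Client-Cert byte sequence (used to build constructed input).
func HeaderFor(der []byte) string { return ":" + base64.StdEncoding.EncodeToString(der) + ":" }

// DemoPKI constructs a throwaway CA and one client cert it issued (stand-in PKI); returns caDER, leafDER.
func DemoPKI() ([]byte, []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device-001"},
		NotBefore: t0, NotAfter: t1, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	return caDER, leafDER
}
```

A self-signed certificate, like the one curl presents in the test below, passes CloudFront's possession check in this mode but is rejected here because it chains to none of the origin's roots. Because the origin now trusts an HTTP header rather than its own TLS handshake, it should accept these headers only on connections that actually arrived through CloudFront.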

Verification

To verify passthrough functionality, I sent requests using curl with a self-signed client certificate and private key.

curl -v --cert client.crt --key client.key https://dxxxxxxxxxxxxx.cloudfront.net

TLS Handshake Verification

Output:

The Request CERT (13) message confirms that CloudFront requested a client certificate during the TLS handshake, indicating Viewer mTLS is active.

In passthrough mode, CloudFront requests the certificate but does not validate it against a trust store. Certificate validation remains at the origin.

HTTP Response Verification

I then verified whether requests successfully reached the origin.

Output:

The HTTP/2 200 confirms the request successfully reached the NGINX origin. The x-cache: Miss from cloudfront is expected behavior in passthrough mode because caching is disabled to ensure every request is validated directly by the origin, which aligns with AWS documentation.

Analysis

From testing, CloudFront requested client certificates during the TLS handshake, forwarded certificate information to the origin, and bypassed caching as expected in passthrough mode. This approach allows existing applications using origin-side mTLS validation to keep their current authentication workflows without configuring trust stores in CloudFront.

Passthrough mode is well-suited for workloads such as:

  • Existing enterprise PKI environments
  • API-to-API authentication
  • Internal systems with custom certificate validation
  • Device authentication workloads already relying on origin-side mTLS

Because certificate validation occurs at the origin, every request reaches the backend directly instead of being served from cache.

Conclusion

Based on this hands-on test, Viewer mTLS passthrough mode allows CloudFront to request client certificates while leaving certificate validation entirely to the origin. The TLS handshake, successful HTTP response, and disabled caching behavior observed during testing match the expected implementation documented by AWS.

For environments already using mTLS at origins, passthrough mode provides a way to introduce CloudFront without moving certificate validation to edge locations or configuring trust stores.

CloudFront Viewer mTLS passthrough mode is available at no additional cost across AWS Regions.
