On May 14, 2026, Amazon Web Services introduced passthrough mode for Amazon CloudFront Viewer Mutual TLS (mTLS) . The new capability allows CloudFront to forward client certificates directly to origins for validation without requiring certificate verification at CloudFront edge locations. Previously, CloudFront Viewer mTLS supported required mode and optional mode , where certificate authentication is handled by CloudFront using trust stores. Passthrough mode introduces a different approach by allowing existing mTLS validation systems at origins to remain unchanged while CloudFront forwards certificate information. Mutual TLS (mTLS) extends standard TLS authentication by requiring both the client and server to present certificates before establishing a secure connection. This enables stronger identity verification compared to traditional TLS, where only the server proves its identity.…