Saved February 14, 2026
This article provides a step-by-step guide for setting up mutual TLS (mTLS) authentication with Amazon CloudFront using an open-source serverless Certificate Authority (CA). It covers initial CloudFront setup, CA deployment, and testing mTLS access, highlighting security practices and configuration details.
Amazon recently added support for mutual Transport Layer Security (mTLS) to CloudFront, so a distribution can now require viewers to present a client certificate before a request is served. Because the certificate is validated against a private Certificate Authority (CA) that the operator controls, only users and systems holding a certificate issued by that CA get through. The article outlines a practical guide for implementing this with an open-source, serverless CA that is deployed via Terraform. Applications that benefit from this setup include IoT device management, securing APIs, and restricting access to web content.
The implementation begins with a standard CloudFront distribution that does not yet require client authentication. Users must first set up the supporting AWS resources, including a public Route53 Hosted Zone and an S3 bucket holding the static content; the author provides a step-by-step Terraform script for this deployment. Even at this stage the article applies the usual hardening: Origin Access Control so that only CloudFront can read from the bucket, S3 Block Public Access on the bucket itself, and a strict TLS security policy for viewer connections.
After establishing the infrastructure, the next phase is setting up the serverless CA. The author suggests deploying the CA in a dedicated AWS account, which keeps its signing keys separate from the workloads it issues certificates for. A Trust Store holding the CA certificate is then created in CloudFront, after which a client certificate is issued to the user's laptop. Testing mTLS access is straightforward: a curl request that presents the new certificate and key succeeds, confirming that the setup works as intended. The complementary check is that the same request without the certificate is rejected, which shows the distribution is actually enforcing client authentication rather than merely accepting it. The article is a practical resource for developers looking to enhance the security of their CloudFront distributions.