diff --git a/aws/resource_aws_ec2_client_vpn_endpoint.go b/aws/resource_aws_ec2_client_vpn_endpoint.go
index 17c7c2b21f8..53201820b03 100644
--- a/aws/resource_aws_ec2_client_vpn_endpoint.go
+++ b/aws/resource_aws_ec2_client_vpn_endpoint.go
@@ -96,6 +96,24 @@ func resourceAwsEc2ClientVpnEndpoint() *schema.Resource {
 },
 },
 },
+ "client_connect_options": {
+ Type: schema.TypeList,
+ Optional: true,
+ MaxItems: 1,
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "enabled": {
+ Type: schema.TypeBool,
+ Required: true,
+ },
+ "lambda_function_arn": {
+ Type: schema.TypeString,
+ Required: true,
+ ValidateFunc: validateArn,
+ },
+ },
+ },
+ },
 "connection_log_options": {
 Type: schema.TypeList,
 Required: true,
@@ -166,6 +184,19 @@ func resourceAwsEc2ClientVpnEndpointCreate(d *schema.ResourceData, meta interfac
 req.AuthenticationOptions = authRequests
 }
 
+ if v, ok := d.GetOk("client_connect_options"); ok {
+ clientConnSet := v.([]interface{})
+ attrs := clientConnSet[0].(map[string]interface{})
+ clientConnOpts := &ec2.ClientConnectOptions{
+ Enabled: aws.Bool(attrs["enabled"].(bool)),
+ }
+ if attrs["enabled"].(bool) && attrs["lambda_function_arn"].(string) != "" {
+ clientConnOpts.LambdaFunctionArn = aws.String(attrs["lambda_function_arn"].(string))
+ }
+
+ req.ClientConnectOptions = clientConnOpts
+ }
+
 if v, ok := d.GetOk("connection_log_options"); ok {
 connLogSet := v.([]interface{})
 attrs := connLogSet[0].(map[string]interface{})
@@ -243,6 +274,8 @@ func resourceAwsEc2ClientVpnEndpointRead(d *schema.ResourceData, meta interface{
 return fmt.Errorf("error setting authentication_options: %w", err)
 }
 
+ err = d.Set("client_connect_options", flattenClientConnectOptions(result.ClientVpnEndpoints[0].ClientConnectOptions))
+
 err = d.Set("connection_log_options", flattenConnLoggingConfig(result.ClientVpnEndpoints[0].ConnectionLogOptions))
 if err != nil {
 return fmt.Errorf("error setting connection_log_options: %w", err)
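Review bot: `lambda_function_arn` is declared `Required: true` inside the new `client_connect_options` block, yet the Create and Update hunks only forward it when `enabled` is true and the string is non-empty, so the `!= ""` half of that guard can never fire and a user who writes `enabled = false` must still supply an ARN that is then silently dropped. If the service accepts `Enabled: false` without a function ARN (not visible in this diff), `Optional: true` on `lambda_function_arn` matches the request-building code better; otherwise the dead `!= ""` comparison should go. A one-line comment on the attribute such as `// only sent to the API when enabled is true` would spare the next reader the cross-reference into Create.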
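Review bot: The eleven lines that build `ec2.ClientConnectOptions` from the block in the Create hunk are repeated verbatim in the Update hunk of the same file, so any later fix (the dead `!= ""` guard, a nil element) has to be made twice. Extracting an `expandClientConnectOptions` helper, as the file already does on the read side with `flattenClientConnectOptions`, collapses both call sites to one line and gives the conversion a place for a doc comment. The `clientConnSet[0]` index also trusts that the list is non-empty; a helper can guard that once. resourceAwsEc2ClientVpnEndpointCreate continues outside the hunk.
```go
 if v, ok := d.GetOk("client_connect_options"); ok {
 req.ClientConnectOptions = expandClientConnectOptions(v.([]interface{}))
 }

 // … unchanged: connection_log_options handling …

// expandClientConnectOptions turns the single client_connect_options block into
// the request struct; a missing or empty block yields nil so nothing is sent.
// The ARN is only forwarded when enabled is true, mirroring the original inline code.
func expandClientConnectOptions(l []interface{}) *ec2.ClientConnectOptions {
 if len(l) == 0 || l[0] == nil {
 return nil
 }
 attrs := l[0].(map[string]interface{})
 opts := &ec2.ClientConnectOptions{
 Enabled: aws.Bool(attrs["enabled"].(bool)),
 }
 if arn, ok := attrs["lambda_function_arn"].(string); ok && attrs["enabled"].(bool) && arn != "" {
 opts.LambdaFunctionArn = aws.String(arn)
 }
 return opts
}
```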
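Review bot: In the Read hunk the result of `d.Set("client_connect_options", …)` is assigned to `err` and then overwritten by the `connection_log_options` `d.Set` on the next non-blank line before anyone looks at it, so a failure to store the block into state is silently lost and the following error message would blame the wrong attribute. Add the same check the neighbouring blocks use directly after the new line: `if err != nil { return fmt.Errorf("error setting client_connect_options: %w", err) }`. Note too that `result.ClientVpnEndpoints[0].ClientConnectOptions` is passed straight through; whether the describe response can omit it is not visible here, but `flattenClientConnectOptions` as written in the later hunk dereferences it unconditionally. resourceAwsEc2ClientVpnEndpointRead continues outside the hunk.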
@@ -312,6 +345,21 @@ func resourceAwsEc2ClientVpnEndpointUpdate(d *schema.ResourceData, meta interfac
 req.SplitTunnel = aws.Bool(d.Get("split_tunnel").(bool))
 }
 
+ if d.HasChange("client_connect_options") {
+ if v, ok := d.GetOk("client_connect_options"); ok {
+ clientConnSet := v.([]interface{})
+ attrs := clientConnSet[0].(map[string]interface{})
+ clientConnOpts := &ec2.ClientConnectOptions{
+ Enabled: aws.Bool(attrs["enabled"].(bool)),
+ }
+ if attrs["enabled"].(bool) && attrs["lambda_function_arn"].(string) != "" {
+ clientConnOpts.LambdaFunctionArn = aws.String(attrs["lambda_function_arn"].(string))
+ }
+
+ req.ClientConnectOptions = clientConnOpts
+ }
+ }
+
 if d.HasChange("connection_log_options") {
 if v, ok := d.GetOk("connection_log_options"); ok {
 connSet := v.([]interface{})
@@ -347,6 +395,15 @@ func resourceAwsEc2ClientVpnEndpointUpdate(d *schema.ResourceData, meta interfac
 return resourceAwsEc2ClientVpnEndpointRead(d, meta)
 }
 
+func flattenClientConnectOptions(copts *ec2.ClientConnectResponseOptions) []map[string]interface{} {
+ m := make(map[string]interface{})
+ if copts.LambdaFunctionArn != nil {
+ m["lambda_function_arn"] = *copts.LambdaFunctionArn
+ }
+ m["enabled"] = *copts.Enabled
+ return []map[string]interface{}{m}
+}
+
 func flattenConnLoggingConfig(lopts *ec2.ConnectionLogResponseOptions) []map[string]interface{} {
 m := make(map[string]interface{})
 if lopts.CloudwatchLogGroup != nil {
diff --git a/aws/resource_aws_ec2_client_vpn_endpoint_test.go b/aws/resource_aws_ec2_client_vpn_endpoint_test.go
index c6b3642fea5..d07543a7ce2 100644
--- a/aws/resource_aws_ec2_client_vpn_endpoint_test.go
+++ b/aws/resource_aws_ec2_client_vpn_endpoint_test.go
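Review bot: When the user deletes the `client_connect_options` block from configuration, `d.HasChange` is true but `d.GetOk` returns false, so the Update hunk sends nothing and the endpoint keeps its previously configured Lambda handler while Terraform believes the block is gone; the next refresh then shows it back as drift. If the API accepts it (not shown in this diff), an `else` branch sending `req.ClientConnectOptions = &ec2.ClientConnectOptions{Enabled: aws.Bool(false)}` would make removal actually disable the handler. Worth a comment either way, since the asymmetry is easy to miss. resourceAwsEc2ClientVpnEndpointUpdate continues outside the hunk.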
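Review bot: `flattenClientConnectOptions` dereferences `copts` and then `*copts.Enabled` without a nil check, so a describe response that omits the options block or its `Enabled` field turns Read into a panic rather than an empty attribute. Guarding the pointer is two lines: `if copts == nil { return nil }` at the top, and `m["enabled"] = aws.BoolValue(copts.Enabled)` in place of the raw dereference. The exported-looking helper also lacks a doc comment; something like `// flattenClientConnectOptions converts the API response block into the single-element list shape used by the client_connect_options schema attribute.` would match the file's other flatteners.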
@@ -268,6 +268,43 @@ func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) {
 })
 }
 
+func testAccAwsEc2ClientVpnEndpoint_withClientConnectOptions(t *testing.T) {
+ var v1, v2 ec2.ClientVpnEndpoint
+ rStr := acctest.RandString(5)
+ resourceName := "aws_ec2_client_vpn_endpoint.test"
+ lambdaFunctionArn := "aws_lambda_function.lg"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheckClientVPNSyncronize(t); testAccPreCheck(t) },
+ ErrorCheck: testAccErrorCheck(t, ec2.EndpointsID),
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAwsEc2ClientVpnEndpointDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccEc2ClientVpnEndpointConfig(rStr),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v1),
+ ),
+ },
+ {
+ Config: testAccEc2ClientVpnEndpointConfigWithClientConfig(rStr),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v2),
+ resource.TestCheckResourceAttr(resourceName, "client_config_options.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "client_config_options.0.enabled", "true"),
+ resource.TestCheckResourceAttrPair(resourceName, "client_config_options.0.lambda_function_arn", lambdaFunctionArn, "arn"),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+
+}
+
 func testAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) {
 var v1, v2 ec2.ClientVpnEndpoint
 rStr := acctest.RandString(5)
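Review bot: The three attribute checks in the second step read `client_config_options.*`, but the schema hunk in the resource file registers the block as `client_connect_options`, so every one of these checks fails against the attribute that actually exists; they should read `"client_connect_options.#"`, `"client_connect_options.0.enabled"` and `"client_connect_options.0.lambda_function_arn"`. `lambdaFunctionArn` likewise names `aws_lambda_function.lg`, while the configuration added in the next hunk defines `aws_lambda_function.test`, so the `TestCheckResourceAttrPair` cannot resolve its counterpart. Whether this function is registered in the serialized test map is outside the diff and worth confirming before merge.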
@@ -529,6 +566,35 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
 `, rName)
 }
 
+func testAccEc2ClientVpnEndpointConfigWithClientConfig(rName string) string {
+ return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
+resource "aws_lambda_function" "test" {
+ filename = "test-fixtures/lambdatest.zip"
+ function_name = "AWSClientVPN-client_config_handler_%s"
+ publish = false
+ role = aws_iam_role.iam_for_lambda.arn
+ handler = "exports.example"
+ runtime = "nodejs12.x"
+}
+
+resource "aws_ec2_client_vpn_endpoint" "test" {
+ description = "terraform-testacc-clientvpn-%s"
+ server_certificate_arn = aws_acm_certificate.test.arn
+ client_cidr_block = "10.0.0.0/16"
+
+ authentication_options {
+ type = "certificate-authentication"
+ root_certificate_chain_arn = aws_acm_certificate.test.arn
+ }
+
+ client_config_options {
+ enabled = true
+ lambda_function_arn = aws_lambda_function_test.arn
+ }
+}
+`, rName, rName)
+}
+
 func testAccEc2ClientVpnEndpointConfigWithLogGroup(rName string) string {
 return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
 resource "aws_cloudwatch_log_group" "lg" {
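Review bot: The HCL in this config uses a `client_config_options { … }` block, which the resource schema added in this same commit does not define (it is `client_connect_options`), so the plan step of the new test fails with an unsupported block before anything is created. Inside it, `aws_lambda_function_test.arn` is not a valid resource reference either; the function declared above is `aws_lambda_function.test`, so the line should be `lambda_function_arn = aws_lambda_function.test.arn`. The Lambda's `role = aws_iam_role.iam_for_lambda.arn` points at a role that is not declared in this hunk; if `testAccEc2ClientVpnEndpointConfigAcmCertificateBase()` does not provide it (not visible here), the configuration needs one.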