AWS · How-To · Beginner · 3 min read

How to Use SSL with AWS CloudFront for Secure Content Delivery

To serve content over HTTPS with CloudFront, attach a certificate to the distribution's viewer-facing side: either a certificate issued by or imported into AWS Certificate Manager (ACM) in the us-east-1 region, or a certificate uploaded to IAM. Then set the viewer protocol policy to redirect-to-https or https-only so that plaintext HTTP is never served. "SSL" is the conventional name; CloudFront actually negotiates TLS with viewers, and you should also set the distribution's security policy so that only TLS 1.2 or newer is accepted.
📐

Syntax

When setting up SSL with CloudFront, you configure the distribution's Viewer Certificate and, for every cache behavior, its Viewer Protocol Policy.

  • ViewerCertificate: Specifies the certificate presented to viewers, either an ACM certificate (AcmCertificateArn) or one uploaded to IAM (IamCertificateId), plus SslSupportMethod (sni-only or vip) and MinimumProtocolVersion (the security policy, for example TLSv1.2_2021).
  • ViewerProtocolPolicy: Controls, per cache behavior, whether viewers may use plain HTTP (allow-all), are redirected to HTTPS with a 301 (redirect-to-https), or are refused with a 403 (https-only).
yaml
ViewerCertificate:
  AcmCertificateArn: "arn:aws:acm:us-east-1:account:certificate/your-certificate-id"  # must be in us-east-1
  SslSupportMethod: "sni-only"
  MinimumProtocolVersion: "TLSv1.2_2021"  # refuse TLS 1.0 and 1.1 handshakes

DefaultCacheBehavior:
  ViewerProtocolPolicy: "redirect-to-https"  # or https-only; never allow-all
💻

Example

This example shows a CloudFormation template that configures a CloudFront distribution with an ACM certificate for a custom domain, enforces a TLS 1.2 minimum, and redirects HTTP requests to HTTPS. The certificate must cover every name listed under Aliases.

yaml
Resources:
  MyCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - www.example.com          # every alias must be a subject of the certificate below
        Origins:
          - Id: myS3Origin
            DomainName: mybucket.s3.amazonaws.com
            S3OriginConfig: {}       # no origin access identity: the bucket objects must be readable by CloudFront
        DefaultCacheBehavior:
          TargetOriginId: myS3Origin
          ViewerProtocolPolicy: redirect-to-https   # HTTP requests get a 301 to the https:// URL
          AllowedMethods:
            - GET
            - HEAD
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-56ef-78gh-90ij-klmnopqrstuv  # us-east-1 only
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021      # security policy: TLS 1.2+ only
Output
Once the stack is created, the distribution terminates TLS with the ACM certificate, accepts only TLS 1.2 or newer from viewers, and answers any http:// request with a 301 to the same URL on https://.
⚠️

Common Pitfalls

  • Referencing an ACM certificate from any region other than us-east-1 (N. Virginia) fails, because CloudFront only accepts ACM certificates from us-east-1, whether ACM issued them or you imported them. IAM certificates are global, but uploading them is the legacy path.
  • Leaving ViewerProtocolPolicy at allow-all on any cache behavior, not only the default one, lets viewers fetch content over plaintext HTTP. redirect-to-https still accepts that first HTTP request before redirecting, so prefer https-only for API paths and anything that carries credentials, and add an HSTS header so browsers stop sending HTTP at all.
  • Importing a custom certificate without the private key and the full intermediate chain, or into the wrong region, makes the distribution deployment fail. An IAM-uploaded certificate additionally needs a path beginning with /cloudfront/ and the iam:UploadServerCertificate permission for the uploading principal.
yaml
Wrong way:
ViewerCertificate:
  AcmCertificateArn: "arn:aws:acm:eu-west-1:account:certificate/xyz"
  SslSupportMethod: "sni-only"

Right way:
ViewerCertificate:
  AcmCertificateArn: "arn:aws:acm:us-east-1:account:certificate/xyz"
  SslSupportMethod: "sni-only"
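The checks above are easy to apply to one distribution by eye and easy to miss across an account. The following Python audit is an added example, not code from the original page or from AWS: it takes the DistributionConfig document that aws cloudfront get-distribution-config (or boto3's get_distribution_config) returns, which spells the certificate fields ACMCertificateArn and SSLSupportMethod rather than CloudFormation's AcmCertificateArn and SslSupportMethod, and reports a certificate outside us-east-1, the vip support method, a security policy that still allows TLS 1.0/1.1, and any cache behavior, default or path-specific, whose ViewerProtocolPolicy is not redirect-to-https or https-only. The function name, the two sample configs and the account id in them are constructed for the example.

```python
"""Audit a CloudFront DistributionConfig for viewer-side TLS weaknesses.

Added example, not code from the original page. The input is the
DistributionConfig document returned by `aws cloudfront get-distribution-config`
(or boto3's get_distribution_config), which spells the certificate fields
ACMCertificateArn / SSLSupportMethod rather than CloudFormation's
AcmCertificateArn / SslSupportMethod. Both sample configs below are constructed.
"""

ACM_REGION = "us-east-1"  # the only region CloudFront accepts ACM certificates from
SAFE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}
# CloudFront security policies that still negotiate TLS 1.0 or 1.1 with viewers
WEAK_MIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def audit_distribution_config(config: dict) -> list[str]:
    """Return one finding per weakness; an empty list means the config is clean."""
    findings = []

    cert = config.get("ViewerCertificate", {})
    arn = cert.get("ACMCertificateArn")
    if arn:
        # Shape: arn:aws:acm:<region>:<account>:certificate/<id>
        parts = arn.split(":")
        if len(parts) != 6 or parts[2] != "acm":
            findings.append(f"ViewerCertificate: {arn!r} is not an ACM certificate ARN")
        elif parts[3] != ACM_REGION:
            findings.append(
                f"ViewerCertificate: certificate lives in {parts[3]}; "
                f"CloudFront only accepts ACM certificates from {ACM_REGION}")
    if cert.get("SSLSupportMethod") == "vip":
        findings.append(
            "ViewerCertificate: SSLSupportMethod 'vip' reserves dedicated IPs and bills "
            "a monthly charge; use 'sni-only' unless you must serve clients without SNI")
    min_proto = cert.get("MinimumProtocolVersion")
    if min_proto in WEAK_MIN_PROTOCOLS:
        findings.append(
            f"ViewerCertificate: MinimumProtocolVersion {min_proto} still allows "
            "TLS 1.0/1.1; use TLSv1.2_2021")

    # The default behaviour is the one everyone checks; path-specific behaviours
    # are where allow-all survives unnoticed.
    behaviors = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior", {}))]
    for i, b in enumerate(config.get("CacheBehaviors", {}).get("Items", [])):
        behaviors.append((f"CacheBehaviors[{i}] ({b.get('PathPattern')})", b))
    for name, behavior in behaviors:
        policy = behavior.get("ViewerProtocolPolicy")
        if policy not in SAFE_VIEWER_POLICIES:
            findings.append(
                f"{name}: ViewerProtocolPolicy is {policy!r}; plaintext HTTP is served")
    return findings


# Constructed sample: certificate in the wrong region, a legacy minimum TLS version,
# and a path-specific behaviour that quietly allows plaintext HTTP on /api/*.
WEAK_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "DefaultCacheBehavior": {"TargetOriginId": "myS3Origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "myS3Origin",
         "ViewerProtocolPolicy": "allow-all"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/xyz",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1_2016"},
}

# The same distribution corrected: us-east-1 certificate, TLS 1.2 floor, no allow-all.
HARDENED_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "DefaultCacheBehavior": {"TargetOriginId": "myS3Origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "myS3Origin",
         "ViewerProtocolPolicy": "https-only"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/xyz",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_distribution_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To run it against a live distribution, load the JSON from aws cloudfront get-distribution-config --id <distribution-id> and pass its DistributionConfig value to audit_distribution_config; looping over aws cloudfront list-distributions turns the same function into an account-wide check.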
📊

Quick Reference

Remember these key points when using SSL with CloudFront:

  • Use ACM certificates only from us-east-1 for CloudFront.
  • Set ViewerProtocolPolicy to redirect-to-https or https-only to enforce SSL.
  • Choose sni-only as the SslSupportMethod: it lets CloudFront serve many certificates from shared IP addresses, whereas vip reserves dedicated IPs for a monthly charge and only helps viewers too old to send SNI.
  • Set MinimumProtocolVersion to TLSv1.2_2021 so TLS 1.0 and 1.1 handshakes are refused.
  • After deployment, request the http:// URL and confirm a 301 to the https:// URL, then load the https:// URL and confirm the certificate presented matches your domain.

Key Takeaways

Always use an ACM certificate from the us-east-1 region for CloudFront distributions, whether ACM issued it or you imported it.
Set ViewerProtocolPolicy to redirect-to-https or https-only on every cache behavior, not only the default, so no path serves plaintext HTTP.
Use the sni-only support method; vip costs a monthly dedicated-IP charge and only serves viewers that cannot send SNI.
Pin MinimumProtocolVersion to TLSv1.2_2021 and verify after deployment that http:// redirects and https:// presents your certificate.
Avoid uploading custom certificates unless necessary; if you must, import them into ACM in us-east-1 with the full chain so the distribution can validate them.