Skip to content

How do I use CloudFront to serve HTTPS requests for my S3 bucket?

3 minute read
1

I want to configure an Amazon CloudFront distribution to serve HTTPS requests for my Amazon Simple Storage Service (Amazon S3) bucket.

Resolution

Your Amazon S3 bucket can use either an Amazon S3 website endpoint or a REST API endpoint. For more information, see Use an Amazon S3 bucket. When you use the Amazon S3 static website endpoint, connections between Amazon CloudFront and Amazon S3 are available only over HTTP.

Create a standard distribution

Complete the following steps:

  1. Open the CloudFront console.
  2. In the navigation pane, select Distributions, and then choose Create distribution.
  3. Enter a Distribution name
  4. Choose Single website or app, and then choose Next.
    Note: For DNS providers other than Amazon Route 53, skip domain setup. Add your custom domain and TLS certificate after you create the distribution.
  5. On the Specify origin page, select Amazon S3.
  6. For Origin, select your S3 bucket or enter your Amazon S3 website endpoint domain.
  7. Choose Use recommended origin settings or customize as necessary. Then, choose Next.
  8. On the Enable security protections page, configure AWS WAF. Then, choose Next.
  9. If you configured a custom domain in step 4, then you see the TLS certificate page. Select one of the following options:
    • Create a new certificate: CloudFront requests a new AWS Certificate Manager (ACM) certificate for your domain.
    • Use existing certificate: Select an existing ACM certificate from the us-east-1 AWS Region.
  10. Choose Next, and then choose Create distribution.

Configure HTTPS settings

When you select Amazon S3 as the origin type, CloudFront applies default cache settings that are tailored to Amazon S3 content. CloudFront also sets the Viewer Protocol Policy to Redirect HTTP to HTTPS in your default behavior path pattern. This pattern automatically redirects all CloudFront HTTP requests to HTTPS.

The viewer protocol policy includes the following options:

  • Redirect HTTP to HTTPS: Automatically redirects HTTP requests to HTTPS.
  • HTTP and HTTPS: Allows both HTTP and HTTPS requests to your CloudFront distribution.
  • HTTPS only: Allows only HTTPS requests to your CloudFront distribution.

To modify the viewer protocol policy, complete the following steps:

  1. Open the CloudFront console.
  2. Select your distribution ID.
  3. Choose the Behaviors tab.
  4. Select Default(*) behavior, and then select Edit behavior.
  5. Under Viewer, select Viewer protocol policy. Then, select your preferred option.
  6. Choose Save changes.

Custom domain setup

To use a custom domain with your distribution, add an alternate domain name to your distribution. Then, update your DNS to create a CNAME record that points to the CloudFront distribution domain. For more information, see Add an alternate domain name.

Related information

Create a distribution

Require HTTPS for communication between CloudFront and your Amazon S3 origin

How do I use CloudFront to serve a static website that's hosted on Amazon S3?

Website endpoints

3 Comments

How should the S3 bucket be configured prior to this? Should it have enabled static website hosting?

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR

replied 3 years ago

Hi, Tried this and its not working. As soon as I input my S3's http static website endpoint (it only has an http endpoint) it defaults to HTTP for Cloudfront and doesn't give you the option to change it to https.

Any other solution for this? We aim to host the S3 static webhosting endpoint via Cloudfront but using only HTTPS in cloudfront.

replied 3 years ago