|Did this page help you? Yes No Tell us about it...|
By default, CloudFront accepts both non-secure HTTP and secure HTTPS connections.
An HTTPS connection used in conjunction with a valid public key certificate (such as a certificate provided by VeriSign or DigiCert) validates your site identity and ensures that the data passed to and from your site is encrypted. However, HTTP connections don't ensure the identity of your site, and they don't provide data encryption.
You can use CloudFront to restrict access to your distributions to HTTPS connections. CloudFront passes end-user requests to your Amazon S3 bucket or custom origin in the same format it receives them. When you configure your distribution to refuse non-secure HTTP requests, CloudFront only passes HTTPS requests to Amazon S3 or to your custom origin. The concept is illustrated in the following graphic.
Process for HTTP and HTTPS Requests When the Connection is Restricted
In the preceding graphic there are two different end users sending requests to CloudFront. One user sends an HTTPS request; the other user sends an HTTP request.
Because your distribution is configured to accept secure requests only, CloudFront refuses the non-secure HTTP request.
CloudFront passes the HTTPS request to Amazon S3.
The only way to ensure that your end users retrieve an object using HTTPS is never to use any other protocol to fetch the object. If you have recently changed from HTTP to HTTPS, we recommend that you clear your objects’ cache—because cached objects are protocol agnostic. That means that an edge location will return an object from the cache irrespective of whether the current request protocol matches the protocol used previously. For information about expiring cached objects see Object Expiration.
You can use either the AWS Management Console or the CloudFront API to restrict access to your distribution to HTTPS only. The following sections describe both methods.
To use the AWS Management Console to restrict access to your distribution
Sign in to the AWS Management Console and open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/.
Select the distribution to modify.
Under Allowed Connections, to restrict access to your distribution to HTTPS requests only, select HTTPS Only. (Selecting HTTP and HTTPS will allow CloudFront to use either protocol to serve the request, and will not limit allowed connections to HTTPS only.)
To save your changes, click Yes, Edit.
To create a new distribution with access restricted to HTTPS only, create a new distribution as described in the Amazon CloudFront Getting Started Guide, and select HTTPS Only when you specify Allowed Connections.
To use the API to restrict access to your distribution
Create a new distribution (or update an existing distribution) so that it includes the
Create basic HTTPS links for your distribution objects. (For more information see Basic Links.)
You don’t need to change any configuration settings when using Amazon S3 as an origin.
The following example shows a CloudFront distribution's configuration with the
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2010-11-01/"> <S3Origin> <DNSName>myawsbucket.s3.amazonaws.com</DNSName> </S3Origin> <CallerReference>20120229090000</CallerReference> <Comment>My comments</Comment> <Enabled>true</Enabled> <Logging> <Bucket>myawslogbucket.s3.amazonaws.com</Bucket> <Prefix>myprefix/</Prefix> </Logging> <RequiredProtocols> <Protocol>https</Protocol> </RequiredProtocols> </DistributionConfig>
If you want your distribution to accept both HTTPS and HTTP requests, simply omit the
element. You can update your configuration at any time to include the
CloudFront doesn't support CNAMEs with HTTPS. If content is requested over HTTPS using CNAMEs, your end users' browsers will display the warning: This page contains both secure and non-secure items. To prevent this message from appearing, don't use CNAMEs with CloudFront HTTPS distributions.
You always incur a surcharge for HTTPS requests and bytes transferred. For information on billing rates, refer to the CloudFront pricing plan.