Amazon CloudFront
Developer Guide (API Version 2010-11-01)

Creating Secure HTTPS Connections

By default, CloudFront accepts both non-secure HTTP and secure HTTPS connections.

An HTTPS connection used in conjunction with a valid public key certificate (such as a certificate provided by VeriSign or DigiCert) validates your site identity and ensures that the data passed to and from your site is encrypted. However, HTTP connections don't ensure the identity of your site, and they don't provide data encryption.

HTTPS Connections

You can use CloudFront to restrict access to your distributions to HTTPS connections. CloudFront passes end-user requests to your Amazon S3 bucket or custom origin in the same format it receives them. When you configure your distribution to refuse non-secure HTTP requests, CloudFront only passes HTTPS requests to Amazon S3 or to your custom origin. The concept is illustrated in the following graphic.

Basic flow for HTTP and HTTPS requests when your distribution is restricted to HTTPS requests

Process for HTTP and HTTPS Requests When the Connection is Restricted

In the preceding graphic there are two different end users sending requests to CloudFront. One user sends an HTTPS request; the other user sends an HTTP request.

Because your distribution is configured to accept secure requests only, CloudFront refuses the non-secure HTTP request.

CloudFront passes the HTTPS request to Amazon S3.


Caution

The only way to ensure that your end users retrieve an object using HTTPS is never to use any other protocol to fetch the object. If you have recently changed from HTTP to HTTPS, we recommend that you clear your objects' cache, because cached objects are protocol-agnostic: an edge location returns an object from the cache regardless of whether the current request's protocol matches the protocol used to fetch it previously. For information about expiring cached objects, see Object Expiration.

How to Restrict Access to Your Distribution to HTTPS Only

You can use either the AWS Management Console or the CloudFront API to restrict access to your distribution to HTTPS only. The following sections describe both methods.

Using the AWS Management Console to Restrict Access

To use the AWS Management Console to restrict access to your distribution

  1. Sign in to the AWS Management Console and open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/.

  2. Select the distribution to modify.

  3. Click Edit.

  4. Under Allowed Connections, to restrict access to your distribution to HTTPS requests only, select HTTPS Only. (Selecting HTTP and HTTPS will allow CloudFront to use either protocol to serve the request, and will not limit allowed connections to HTTPS only.)

  5. To save your changes, click Yes, Edit.

Note

To create a new distribution with access restricted to HTTPS only, create a new distribution as described in the Amazon CloudFront Getting Started Guide, and select HTTPS Only when you specify Allowed Connections.

Using the CloudFront API to Restrict Access

To use the API to restrict access to your distribution

  1. Create a new distribution (or update an existing distribution) so that it includes the RequiredProtocols element.

  2. Create basic HTTPS links for your distribution objects. (For more information see Basic Links.)

You don’t need to change any configuration settings when using Amazon S3 as an origin.

The following example shows a CloudFront distribution's configuration with the RequiredProtocols element.

<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2010-11-01/">
   <S3Origin>
      <DNSName>myawsbucket.s3.amazonaws.com</DNSName>
   </S3Origin>
   <CallerReference>20120229090000</CallerReference>
   <Comment>My comments</Comment>
   <Enabled>true</Enabled>
   <Logging>
      <Bucket>myawslogbucket.s3.amazonaws.com</Bucket>
      <Prefix>myprefix/</Prefix>
   </Logging>
   <RequiredProtocols>
      <Protocol>https</Protocol>
   </RequiredProtocols>
</DistributionConfig>

Important

Currently, https is the only acceptable value for the RequiredProtocols element. Specifying no protocol or using a different value returns an error. For more information about using the RequiredProtocols element with the CloudFront control API, go to DistributionConfig Complex Type in the Amazon CloudFront API Reference.

If you want your distribution to accept both HTTPS and HTTP requests, simply omit the RequiredProtocols element. You can update your configuration at any time to include the RequiredProtocols element.

CNAMEs and HTTPS

CloudFront doesn't support CNAMEs with HTTPS. If content is requested over HTTPS using a CNAME, your end users' browsers will display the warning "This page contains both secure and non-secure items." To prevent this message from appearing, don't use CNAMEs with CloudFront HTTPS distributions.
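The following Python script is an added example, not part of the AWS guide, that ties together the RequiredProtocols element from the API section above and the CNAME restriction in this section: it parses a 2010-11-01 DistributionConfig, reports whether only https is required, adds the element when it is missing, and flags any CNAME present on an HTTPS-only distribution. The sample configuration is constructed for the example; the <CNAME> element is the alias element of this API version.

```python
"""Audit and harden a CloudFront 2010-11-01 DistributionConfig for HTTPS-only access.

Added example, not from the AWS guide. Uses only the standard library.
"""
import xml.etree.ElementTree as ET

NS = "http://cloudfront.amazonaws.com/doc/2010-11-01/"
ET.register_namespace("", NS)  # re-serialise with the default namespace, as the API expects


def _q(tag):
    """Qualify a tag name with the CloudFront namespace (Clark notation)."""
    return "{%s}%s" % (NS, tag)


def audit(config_xml):
    """Return findings: is https the only required protocol, and are CNAMEs in use with it?"""
    root = ET.fromstring(config_xml)
    protocols = [p.text.strip().lower() for p in root.iter(_q("Protocol")) if p.text]
    cnames = [c.text.strip() for c in root.iter(_q("CNAME")) if c.text]
    https_only = protocols == ["https"]  # https is the only acceptable value
    return {
        "https_only": https_only,
        "invalid_protocols": [p for p in protocols if p != "https"],
        # The guide states CNAMEs are not supported with HTTPS, so flag them together.
        "cnames_with_https": cnames if https_only else [],
    }


def require_https(config_xml):
    """Return the config with a RequiredProtocols element that requires exactly https."""
    root = ET.fromstring(config_xml)
    rp = root.find(_q("RequiredProtocols"))
    if rp is None:
        rp = ET.SubElement(root, _q("RequiredProtocols"))
    for child in list(rp):  # drop any existing Protocol children
        rp.remove(child)
    ET.SubElement(rp, _q("Protocol")).text = "https"
    return ET.tostring(root, encoding="unicode")


# Constructed sample: accepts HTTP and HTTPS (no RequiredProtocols) and carries a CNAME.
SAMPLE_CONFIG = """<DistributionConfig xmlns="%s">
   <S3Origin><DNSName>example-bucket.s3.amazonaws.com</DNSName></S3Origin>
   <CallerReference>20120229090000</CallerReference>
   <CNAME>www.example.com</CNAME>
   <Comment>constructed sample</Comment>
   <Enabled>true</Enabled>
</DistributionConfig>""" % NS

if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    print("after: ", audit(require_https(SAMPLE_CONFIG)))
```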

Charges for HTTPS Connections

You always incur a surcharge for HTTPS requests and bytes transferred. For information on billing rates, refer to the CloudFront pricing plan.