For web distributions, you can use HTTPS requests to ensure that your objects are encrypted when CloudFront serves them to viewers and, if you want, when CloudFront gets them from your origin. When you create a web distribution, you can:
Configure one or more CloudFront cache behaviors to require that viewers use only the HTTPS protocol to access your objects in the CloudFront cache. This allows you to require HTTPS for some objects but not for others.
Configure one or more CloudFront origins to require that CloudFront fetches objects from your origin using the protocol that the viewer used to request the objects. For example, when you use this CloudFront setting and when the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin. When your origin is an Amazon S3 bucket, this is the default setting and cannot be changed.
If you're using an HTTP server as your origin, and if you want to use HTTPS both between viewers and CloudFront and between CloudFront and your origin, you must install an SSL certificate on the HTTP server that is signed by a third-party certificate authority, for example, VeriSign or DigiCert.
If the origin server returns an invalid certificate or a self-signed certificate, or if the origin server returns the certificate chain in the wrong order, CloudFront drops the TCP connection, returns HTTP error code 503, and sets the X-Cache header to Error from cloudfront.
The following example of how CloudFront works with HTTPS connections assumes the following:
Your CloudFront distribution has one cache behavior (the default cache behavior) and one origin.
You have configured your distribution to use HTTPS between viewers and CloudFront and between CloudFront and your origin.
Your origin has an SSL certificate that was signed by a third-party certificate authority.
The process works basically the same way whether your origin server is an Amazon S3 bucket or an HTTP server.
CloudFront Process for Serving Objects Using HTTPS
A viewer submits an HTTPS request to CloudFront. The viewer and CloudFront perform an SSL negotiation, after which the viewer submits the request in an encrypted format.
If the object is in the CloudFront edge cache, CloudFront encrypts the object and returns it to the viewer, and the viewer decrypts it.
If the object is not in the CloudFront cache, CloudFront performs the SSL negotiation with your origin and, when the negotiation is complete, forwards the request to your origin in an encrypted format.
Your origin decrypts the request, encrypts the requested object, and returns the object to CloudFront.
CloudFront decrypts the object, re-encrypts it, and forwards the object to the viewer. CloudFront also saves the object in the edge cache so the object is available next time it's requested.
The viewer decrypts the object.
You can configure CloudFront to require HTTPS for communication between viewers and CloudFront and, optionally, between CloudFront and your origin.
To ensure that objects are encrypted from the origin to CloudFront edge caches and from edge caches to viewers, use only HTTPS. If you ever configure CloudFront to get objects from your origin using HTTP, CloudFront adds the objects to the edge cache and continues to serve them to viewers until the objects expire, or until you remove or replace them. For more information about removing or replacing objects in a distribution, see Adding, Removing, or Replacing Objects in a Distribution.
If you want to use alternate domain names (for example, example.com) instead of the domain name that CloudFront assigns to your distribution, also see Using Alternate Domain Names and HTTPS.
To Require HTTPS for Communication Between Viewers, CloudFront, and Your Origin
If you're using an HTTP server as your origin and if you don't already have an SSL certificate for the server, get and install an SSL certificate from a third-party certificate authority such as VeriSign or DigiCert.
If you're using an Amazon S3 bucket, Amazon S3 provides an SSL certificate.
For more information about getting and installing an SSL certificate, refer to the documentation for your HTTP server software and to the documentation for the third-party certificate authority.
To require that viewers use HTTPS when communicating with CloudFront, create or update one or more cache behaviors in your distribution to have the following settings:
CloudFront Console: For Viewer Protocol Policy, specify HTTPS Only.
CloudFront API: For
For information about using the CloudFront console to update a web distribution, see Listing, Viewing, and Updating CloudFront Distributions.
For information about using the CloudFront API to update a web distribution, go to PUT Distribution Config in the Amazon CloudFront API Reference.
Optional: To require that CloudFront uses HTTPS when communicating with your origin, create or update one or more origins in your distribution to have the following settings:
CloudFront Console: For Origin Protocol Policy, specify Match Viewer.
CloudFront API: For
When your origin is an Amazon S3 bucket, Match Viewer is the default setting and cannot be changed.
Confirm the following:
The path pattern in each cache behavior applies only to the requests for which you want viewers to use HTTPS.
The cache behaviors are listed in the desired order. For more information, see Path Pattern.
The cache behaviors are routing requests to the origins for which you have configured an Origin Protocol Policy of Match Viewer, if applicable.
The origins have valid certificates signed by a third-party certificate authority.
By default, you can deliver your content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs, for example, https://d111111abcdef8.cloudfront.net/image.jpg. For more information, see How to Require HTTPS for Communication Between Viewers, CloudFront, and Your Origin.
If you want your viewers to use HTTPS and you want to use your own domain name in the URLs for your objects (for example, https://www.example.com/image.jpg), you also need to do the following:
Upload your own SSL certificate to the AWS Identity and Access Management (IAM) certificate store.
Associate your SSL certificate in the IAM certificate store with your CloudFront distribution.
Add one or more alternate domain names to your distribution.
Add or update DNS records to route DNS queries to your CloudFront distribution.
You incur additional charges when you associate your SSL certificate with a distribution that is enabled. For more information, see http://aws.amazon.com/cloudfront/pricing.
When you add a certificate to your distribution, CloudFront immediately propagates the certificate to all of its edge locations. As new edge locations become available, CloudFront will propagate the certificate to those locations, too. You cannot restrict the edge locations to which CloudFront propagates your certificates.
Note the following requirements for your certificate:
Your certificate must be issued by a recognized Certificate Authority. Self-signed certificates are not accepted.
Your certificate must be in X.509 PEM format.
In the .pem file, list all of the intermediate certificates in the certificate chain, beginning with the certificate for the certificate authority that signed the certificate for your domain, for example:
-----BEGIN CERTIFICATE-----
CA public key certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
We recommend that the certificate chain not include the root certificate.
The private key must match the public key that is in the certificate, and must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY.
The private key cannot be encrypted with a password.
You must have permission to use and upload the SSL certificate, including permission from the certificate authority that issued the certificate to upload it onto a content delivery network.
The maximum size of the public key in an SSL certificate is 2048 bits. For information about how to determine the size of the public key, see Determining the Size of the Public Key in an SSL Certificate.
CloudFront supports all types of certificates including domain validated certificates, extended validation (EV) certificates, high assurance certificates, wildcard certificates (*.example.com), subject alternative name (SAN) certificates (for example, example.net), and so on.
You are responsible for monitoring certificate expiration dates and for renewing SSL certificates that you upload and use with CloudFront.
In addition, note the following limits on using SSL certificates with CloudFront:
You can associate a maximum of one SSL certificate with each CloudFront distribution.
By default, if you associate an SSL certificate with more than one distribution that you created using the same AWS account, you must use the same certificate for every distribution. For more information, see Step 1 of To use alternate domain names with HTTPS.
If you already have been approved to use this feature but need to increase the number of custom SSL certificates that you can use, send an email to firstname.lastname@example.org. In this email, indicate how many certificates you want to use, and describe your circumstances. Note that this limit increase does not allow you to associate multiple certificates with the same distribution.
You can upload a maximum of 10 SSL certificates to the IAM certificate store for each AWS account. To request a higher limit, go to Request IAM limit increase.
If you want to use the same certificate with multiple CloudFront distributions that were created with different accounts, you must upload the certificate to the IAM certificate store once for each AWS account.
If you want to use the same certificate both for CloudFront and for other AWS services, you must upload the certificate twice: once for CloudFront and once for the other services. For information about how to upload the certificate for CloudFront, see the following procedure.
Request permission from AWS to use an alternate domain name with HTTPS for your AWS account. We'll update your account as soon as possible. For more information, go to Custom SSL Certificates for Amazon CloudFront.
By default, AWS enables your account to use one custom SSL certificate with your CloudFront distributions. If you need to associate more than one certificate with your distributions, indicate how many certificates you need and describe your circumstances in your request.
Use the AWS CLI to upload your SSL certificate to the IAM certificate store. If you don't already have your certificate, see Creating, Uploading, and Deleting Server Certificates in Using IAM.
If you already have your certificate, use the following AWS CLI command to upload a signed certificate:
aws iam upload-server-certificate --server-certificate-name
Note the following:
You must upload your certificate to the IAM certificate store using the same AWS account that you used to create your CloudFront distribution.
When you upload your certificate to IAM, the value of the --path parameter (certificate path) must start with /cloudfront/, for example, /cloudfront/test/. The path also must end with a /.
If you plan to use the CloudFront console to create or update your distribution, the value that you specify for the --server-certificate-name parameter in the AWS CLI is the value that will appear in the SSL Certificate list in the CloudFront console.
If you plan to use the CloudFront API to create or update your distribution, make note of the alphanumeric string that the AWS CLI returns, for example AS1A2M3P4L5E67SIIXR3J. This is the value that you will specify in the IAMCertificateId element. You don't need the IAM ARN, which is also returned by the CLI.
Add the alternate domain name and your SSL certificate to your distribution, and add or update DNS records. For more information, see Using Alternate Domain Names (CNAMEs).
After you associate your SSL certificate with your CloudFront distribution, do not delete the certificate from the IAM certificate store until you remove the certificate from all distributions and until the status of the distributions has changed to Deployed.
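As an added example that is not part of the CloudFront documentation, the following POSIX shell functions check the certificate-store requirements listed above (unencrypted RSA private key with the required PEM header and footer, a chain file with balanced certificate blocks, and a --path under /cloudfront/ that ends with /) and then print, rather than run, the upload command. The sample files are constructed stand-ins, and the flag names other than --server-certificate-name and --path are assumed from the AWS CLI's upload-server-certificate command.

```shell
# Added example (not the CloudFront documentation's code): pre-upload checks for IAM.

# The --path value for a CloudFront certificate must start with /cloudfront/ and end with /.
check_cert_path() {
  case "$1" in
    /cloudfront/ | /cloudfront/*/) return 0 ;;
    *) return 1 ;;
  esac
}

# Unencrypted RSA private key in PEM format: exact header and footer, and no
# "Proc-Type: 4,ENCRYPTED" line (which a password-protected PEM key carries).
check_private_key() {
  [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
  [ "$(tail -n 1 "$1")" = "-----END RSA PRIVATE KEY-----" ] || return 1
  if grep -q 'ENCRYPTED' "$1"; then return 1; fi
  return 0
}

# Prints the number of certificate blocks in a chain file; prints 0 and fails when
# the BEGIN/END markers are missing or unbalanced.
count_chain_certs() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  if [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]; then echo "$begins"; else echo 0; return 1; fi
}

# Assemble (print, not run) the upload command once the inputs pass the checks.
# Flag names are assumed to be those of aws iam upload-server-certificate.
build_upload_command() {
  name=$1; body=$2; key=$3; chain=$4; path=$5
  check_cert_path "$path"    || { echo "bad --path: $path (must be /cloudfront/.../)" >&2; return 1; }
  check_private_key "$key"   || { echo "bad private key: $key" >&2; return 1; }
  count_chain_certs "$chain" >/dev/null || { echo "bad chain file: $chain" >&2; return 1; }
  echo "aws iam upload-server-certificate --server-certificate-name $name" \
       "--certificate-body file://$body --private-key file://$key" \
       "--certificate-chain file://$chain --path $path"
}

# Constructed stand-in files (not real key material) so the checks run offline.
make_samples() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' \
    '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00' '...' '-----END RSA PRIVATE KEY-----' > "$1/key-encrypted.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'intermediate...' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'issuing CA...' '-----END CERTIFICATE-----' > "$1/chain.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'leaf...' '-----END CERTIFICATE-----' > "$1/cert.pem"
}
```

Run make_samples on an empty directory, then build_upload_command with the four files and a path such as /cloudfront/test/ to see the assembled command; replace the sample files with your real certificate, key and chain before running the printed command.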
When you're using CloudFront alternate domain names and HTTPS, the size of the public key in an SSL certificate cannot exceed 2048 bits. (This is not the number of characters in the public key.) You can determine the size of the public key by running the following OpenSSL command:
openssl x509 -in path and filename of SSL certificate -text -noout
-in specifies the path and filename of your SSL certificate.
-text causes OpenSSL to display the length of the public key in bits.
-noout prevents OpenSSL from displaying the public key.
The output includes the key size, for example:
Public-Key: (2048 bit)
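As an added example that is not part of the CloudFront documentation, the following POSIX shell functions turn the OpenSSL check above into a pass/fail test against the 2048-bit limit: they parse the Public-Key line from the text output of openssl x509 -text -noout, and a wrapper runs that command on a real certificate file. The sample OpenSSL output embedded below is a constructed excerpt, not a real certificate.

```shell
# Added example (not the CloudFront documentation's code): enforce the 2048-bit
# public key limit by parsing the output of openssl x509 -text -noout.
CLOUDFRONT_MAX_KEY_BITS=2048

# Constructed excerpt of openssl's text dump, used as sample input (not a real certificate).
sample_openssl_text() {
  printf '%s\n' 'Certificate:' '    Data:' '        Subject Public Key Info:' \
    '            Public Key Algorithm: rsaEncryption' \
    '                Public-Key: (2048 bit)' '                Modulus:'
}

# Read openssl text output on stdin and print N from the "Public-Key: (N bit)" line
# (newer OpenSSL releases print "RSA Public-Key:", which the pattern also matches).
# Prints nothing and fails when no such line exists.
public_key_bits() {
  bits=$(sed -n 's/.*Public-Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && echo "$bits"
}

# Succeeds when the key size read from stdin is within the CloudFront limit.
key_bits_ok() {
  bits=$(public_key_bits) || return 1
  [ "$bits" -le "$CLOUDFRONT_MAX_KEY_BITS" ]
}

# Check a real certificate file (needs the openssl CLI): prints the size and the verdict.
check_cert_file() {
  text=$(openssl x509 -in "$1" -text -noout) || return 1
  bits=$(printf '%s\n' "$text" | public_key_bits) || { echo "$1: no Public-Key line found" >&2; return 1; }
  if [ "$bits" -le "$CLOUDFRONT_MAX_KEY_BITS" ]; then
    echo "$1: $bits bit public key, within the CloudFront limit"
  else
    echo "$1: $bits bit public key, exceeds $CLOUDFRONT_MAX_KEY_BITS bits" >&2; return 1
  fi
}
```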
When you need to replace one SSL certificate with another, because, for example, the expiration date is approaching, the process depends on whether you have associated your SSL certificate with one CloudFront distribution under the same AWS account or with more than one:
SSL certificate associated with one distribution: You can just update your distribution and replace the old certificate with the new one. For more information, see Listing, Viewing, and Updating CloudFront Distributions.
SSL certificate associated with two or more distributions under the same AWS account: By default, you can only associate one SSL certificate with the CloudFront distributions under one AWS account. Because you can only update your CloudFront distributions one at a time, rotating certificates requires permission to associate two SSL certificates with your distributions: the old certificate for distributions that you haven't updated yet, and the new certificate for distributions that you have updated. Perform the following procedure.
To rotate SSL certificates for two or more CloudFront distributions
Request permission to associate a second SSL certificate with CloudFront distributions under your AWS account. Send an email to email@example.com, and explain that you are rotating certificates.
When you receive notification that your AWS account has been updated to allow you to associate two SSL certificates with your CloudFront distributions, update your distributions one at a time. For more information, see Listing, Viewing, and Updating CloudFront Distributions.
After you have updated all of your CloudFront distributions, you can optionally delete the old certificate from the IAM certificate store.
Do not delete an SSL certificate from the IAM certificate store until you remove it from all distributions and until the status of the distributions that you have updated has changed to Deployed.
If you configured CloudFront to use a custom SSL certificate and you want to change your configuration to use CloudFront's SSL certificate, follow these steps:
To revert to the default CloudFront certificate
Create a new CloudFront distribution with the desired configuration. For SSL Certificate, choose Default CloudFront Certificate (*.cloudfront.net).
For more information, see Creating Web Distributions.
For objects that you're distributing using CloudFront, update the URLs in your application to use the domain name that CloudFront assigned to the new distribution. For example, change
Either delete the distribution that is associated with a custom SSL certificate, or update the distribution to change the value of SSL Certificate to Default CloudFront Certificate (*.cloudfront.net). For more information, see Listing, Viewing, and Updating CloudFront Distributions.
Until you complete this step, Amazon Web Services continues to charge you for using a custom SSL certificate.
Optional: Use the AWS CLI to delete your custom SSL certificate from the IAM certificate store. This is the same application that you used to add the custom SSL certificate to the IAM certificate store:
Run the AWS CLI command list-signing-certificates to get the certificate ID of the certificate that you want to delete. For more information, see list-signing-certificates in the AWS Command Line Interface Reference.
Run the AWS CLI command delete-signing-certificate to delete the certificate. For more information, see delete-signing-certificate in the AWS Command Line Interface Reference.
You always incur a surcharge for HTTPS requests. For more information, see Amazon CloudFront Pricing.