AWS::CloudFront::Distribution ViewerCertificate

A complex type that specifies the following:

- Whether you want viewers to use HTTP or HTTPS to request your objects.
- If you want viewers to use HTTPS, whether you're using an alternate domain name, such as example.com, or the CloudFront domain name for your distribution, such as d111111abcdef8.cloudfront.net.
- If you're using an alternate domain name, whether AWS Certificate Manager (ACM) provided the certificate, or you purchased a certificate from a third-party certificate authority and imported it into ACM or uploaded it to the IAM certificate store.

Specify only one of the following values: AcmCertificateArn, CloudFrontDefaultCertificate, or IamCertificateId.

For more information, see Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "AcmCertificateArn" : String,
  "CloudFrontDefaultCertificate" : Boolean,
  "IamCertificateId" : String,
  "MinimumProtocolVersion" : String,
  "SslSupportMethod" : String
}

YAML

AcmCertificateArn: String
CloudFrontDefaultCertificate: Boolean
IamCertificateId: String
MinimumProtocolVersion: String
SslSupportMethod: String
Properties

AcmCertificateArn

If you want viewers to use HTTPS to request your objects and you're using an alternate domain name, you must choose the type of certificate that you want to use. If ACM provided your certificate, specify the Amazon Resource Name (ARN) for the ACM certificate that you want to use for this distribution. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (us-east-1).

If you specify an ACM certificate ARN, you must also specify an SSL support method (sni-only or vip).

Required: No
Type: String
Update requires: No interruption

CloudFrontDefaultCertificate

If you're using the CloudFront domain name for your distribution, such as d111111abcdef8.cloudfront.net, specify this value as true.

Required: Conditional
Type: Boolean
Update requires: No interruption

IamCertificateId

If you want viewers to use HTTPS to request your objects and you're using an alternate domain name, you must choose the type of certificate that you want to use. If you purchased your certificate from a third-party certificate authority and uploaded it to the IAM certificate store, specify the certificate ID that you want to use for this distribution.

If you specify a certificate ID, you must also specify an SSL support method (sni-only or vip).

Required: No
Type: String
Update requires: No interruption
MinimumProtocolVersion

Specify the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:

- The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
- The cipher that CloudFront uses to encrypt the content that it returns to viewers.

Note: On the CloudFront console, this setting is called Security Policy.

We recommend that you specify TLSv1.1_2016 unless your viewers are using browsers or devices that do not support TLSv1.1 or later.

When both of the following are true, you must specify TLSv1 or later for the security policy:

- You're using a custom certificate; that is, you specified a value for AcmCertificateArn or for IamCertificateId.
- You're using SNI; that is, you specified sni-only for SslSupportMethod.

If you specify true for CloudFrontDefaultCertificate, CloudFront automatically sets the security policy to TLSv1 regardless of the value that you specify here.

For information about the relationship between the security policy that you choose and the protocols and ciphers that CloudFront uses to communicate with viewers, see Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.

Required: Conditional
Type: String
Allowed Values: SSLv3 | TLSv1 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1_2016
Update requires: No interruption
SslSupportMethod

If you specify a value for AcmCertificateArn or for IamCertificateId, you must also specify how you want CloudFront to serve HTTPS requests: using a method that works for browsers and clients released after 2010, or one that works for all clients.

- sni-only: CloudFront can respond to HTTPS requests from viewers that support Server Name Indication (SNI). All modern browsers support SNI, but there are a few that don't. For a current list of the browsers that support SNI, see the Wikipedia entry Server Name Indication. To learn about options to explore if you have viewers with browsers that don't include SNI support, see Choosing How CloudFront Serves HTTPS Requests in the Amazon CloudFront Developer Guide.
- vip: CloudFront uses dedicated IP addresses for your content and can respond to HTTPS requests from any viewer. However, there are additional monthly charges. For details, including specific pricing information, see Custom SSL options for Amazon CloudFront on the AWS marketing site.

Don't specify a value here if you specified CloudFrontDefaultCertificate as true.

For more information, see Choosing How CloudFront Serves HTTPS Requests in the Amazon CloudFront Developer Guide.

Required: Conditional
Type: String
Allowed Values: sni-only | vip
Update requires: No interruption
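The constraints stated for the properties above (one certificate source, an SSL support method only with a custom certificate, TLSv1 or later with a custom certificate and SNI, TLSv1.1_2016 as the recommended minimum) can be checked before a template is deployed. The following Python checker is an added example, not part of the AWS documentation; the function name and the two constructed fragments, including the placeholder ARN and certificate ID, are assumptions made here.

```python
# Added example, not from the AWS documentation: a checker for the ViewerCertificate
# rules stated on this page. Function and sample names are constructed here.

# Security policies in the order listed under MinimumProtocolVersion, weakest first.
POLICY_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016", "TLSv1.2_2018"]
RECOMMENDED = "TLSv1.1_2016"
CERT_KEYS = ("AcmCertificateArn", "CloudFrontDefaultCertificate", "IamCertificateId")


def validate_viewer_certificate(vc: dict) -> list:
    """Return findings for a ViewerCertificate mapping; an empty list means it passes."""
    findings = []
    present = [k for k in CERT_KEYS if vc.get(k) not in (None, False)]
    if len(present) != 1:
        findings.append(f"specify exactly one certificate source, got {present or 'none'}")
    custom_cert = any(k in present for k in ("AcmCertificateArn", "IamCertificateId"))
    default_cert = "CloudFrontDefaultCertificate" in present
    method = vc.get("SslSupportMethod")
    policy = vc.get("MinimumProtocolVersion")

    # A custom certificate must say how HTTPS is served; the default one must not.
    if custom_cert and method not in ("sni-only", "vip"):
        findings.append("custom certificate requires SslSupportMethod of sni-only or vip")
    if default_cert and method is not None:
        findings.append("do not set SslSupportMethod with CloudFrontDefaultCertificate: true")

    if policy is not None and policy not in POLICY_ORDER:
        findings.append(f"unknown MinimumProtocolVersion {policy!r}")
    elif custom_cert and method == "sni-only" and policy == "SSLv3":
        findings.append("custom certificate with sni-only requires TLSv1 or later")
    elif default_cert and policy not in (None, "TLSv1"):
        findings.append(f"{policy} is ignored: the default certificate forces TLSv1")
    # The page recommends TLSv1.1_2016 unless legacy viewers need older protocols.
    if custom_cert and policy in POLICY_ORDER:
        if POLICY_ORDER.index(policy) < POLICY_ORDER.index(RECOMMENDED):
            findings.append(f"{policy} is below the recommended {RECOMMENDED}")
    return findings


# Constructed fragments; the ARN and certificate ID are placeholders, not real values.
HARDENED = {"AcmCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
            "SslSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2018"}
WEAK = {"IamCertificateId": "EXAMPLE-IAM-CERT-ID",
        "SslSupportMethod": "sni-only", "MinimumProtocolVersion": "SSLv3"}

if __name__ == "__main__":
    for name, frag in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, validate_viewer_certificate(frag) or "OK")
```

Run it against the ViewerCertificate mapping parsed from a template (for example with a YAML loader) to catch a policy downgrade or a missing SslSupportMethod before CloudFormation rejects or, worse, accepts it.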
See Also

- ViewerCertificate in the Amazon CloudFront API Reference