Configuring alternate domain names and HTTPS - Amazon CloudFront

Configuring alternate domain names and HTTPS

To use alternate domain names in the URLs for your files and to use HTTPS between viewers and CloudFront, perform the applicable procedures.

Getting an SSL/TLS certificate

Get an SSL/TLS certificate if you don’t already have one. For more information, see the applicable documentation:

  • To use a certificate provided by AWS Certificate Manager (ACM), see the AWS Certificate Manager User Guide. Then skip to Updating your CloudFront distribution.


    We recommend that you use ACM to provision, manage, and deploy SSL/TLS certificates on AWS managed resources. You must request an ACM certificate in the US East (N. Virginia) Region.

  • To get a certificate from a third-party certificate authority (CA), see the documentation provided by the certificate authority. When you have the certificate, continue with the next procedure.

Importing an SSL/TLS certificate

If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store:

ACM (recommended)

ACM lets you import third-party certificates from the ACM console, as well as programmatically. For information about importing a certificate to ACM, see Importing Certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide. You must import the certificate in the US East (N. Virginia) Region.

IAM certificate store

(Not recommended) Use the following AWS CLI command to upload your third-party certificate to the IAM certificate store.

aws iam upload-server-certificate \ --server-certificate-name CertificateName \ --certificate-body file://public_key_certificate_file \ --private-key file://privatekey.pem \ --certificate-chain file://certificate_chain_file \ --path /cloudfront/path/

Note the following:

  • AWS account – You must upload the certificate to the IAM certificate store using the same AWS account that you used to create your CloudFront distribution.

  • --path parameter – When you upload the certificate to IAM, the value of the --path parameter (certificate path) must start with /cloudfront/, for example, /cloudfront/production/ or /cloudfront/test/. The path must end with a /.

  • Existing certificates – You must specify values for the --server-certificate-name and --path parameters that are different from the values that are associated with existing certificates.

  • Using the CloudFront console – The value that you specify for the --server-certificate-name parameter in the AWS CLI, for example, myServerCertificate, appears in the SSL Certificate list in the CloudFront console.

  • Using the CloudFront API – Make note of the alphanumeric string that the AWS CLI returns, for example, AS1A2M3P4L5E67SIIXR3J. This is the value that you will specify in the IAMCertificateId element. You don't need the IAM ARN, which is also returned by the CLI.

For more information about the AWS CLI, see the AWS Command Line Interface User Guide and the AWS CLI Command Reference.

Updating your CloudFront distribution

To update settings for your distribution, perform the following procedure:

To configure your CloudFront distribution for alternate domain names
  1. Sign in to the AWS Management Console and open the CloudFront console at

  2. Choose the ID for the distribution that you want to update.

  3. On the General tab, choose Edit.

  4. Update the following values:

    Alternate domain name (CNAME)

    Choose Add item to add the applicable alternate domain names. Separate domain names with commas, or type each domain name on a new line.

    Custom SSL certificate

    Select a certificate from the dropdown list.

    Up to 100 certificates are listed here. If you have more than 100 certificates and you don't see the certificate that you want to add, you can type a certificate ARN in the field to choose it.

    If you uploaded a certificate to the IAM certificate store but it's not listed, and you can't choose it by typing the name in the field, review the procedure Importing an SSL/TLS certificate to confirm that you correctly uploaded the certificate.


    After you associate your SSL/TLS certificate with your CloudFront distribution, do not delete the certificate from ACM or the IAM certificate store until you remove the certificate from all distributions and all the distributions are deployed.

  5. Choose Save changes.

  6. Configure CloudFront to require HTTPS between viewers and CloudFront:

    1. On the Behaviors tab, choose the cache behavior that you want to update, and choose Edit.

    2. Specify one of the following values for Viewer Protocol Policy:

      Redirect HTTP to HTTPS

      Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests. CloudFront returns HTTP status code 301 (Moved Permanently) along with the new HTTPS URL. The viewer then resubmits the request to CloudFront using the HTTPS URL.


      CloudFront doesn't redirect DELETE, OPTIONS, PATCH, POST, or PUT requests from HTTP to HTTPS. If you configure a cache behavior to redirect to HTTPS, CloudFront responds to HTTP DELETE, OPTIONS, PATCH, POST, or PUT requests for that cache behavior with HTTP status code 403 (Forbidden).

      When a viewer makes an HTTP request that is redirected to an HTTPS request, CloudFront charges for both requests. For the HTTP request, the charge is only for the request and for the headers that CloudFront returns to the viewer. For the HTTPS request, the charge is for the request, and for the headers and the file returned by your origin.

      HTTPS Only

      Viewers can access your content only if they're using HTTPS. If a viewer sends an HTTP request instead of an HTTPS request, CloudFront returns HTTP status code 403 (Forbidden) and does not return the file.

    3. Choose Yes, Edit.

    4. Repeat steps a through c for each additional cache behavior that you want to require HTTPS for between viewers and CloudFront.

  7. Confirm the following before you use the updated configuration in a production environment:

    • The path pattern in each cache behavior applies only to the requests that you want viewers to use HTTPS for.

    • The cache behaviors are listed in the order that you want CloudFront to evaluate them in. For more information, see Path pattern.

    • The cache behaviors are routing requests to the correct origins.