Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Supported
Protocols and Ciphers Between Viewers and CloudFrontSupported SSL/TLS Protocols and Ciphers
for Communication Between CloudFront and Your Origin
Supported Protocols and Ciphers
You can choose HTTPS settings both for communication between viewers and CloudFront, and between CloudFront and your origin:
-
Between viewers and CloudFront – If you require HTTPS between viewers and CloudFront, you also choose a security policy, which determines the protocols that viewers and CloudFront can use to communicate. In addition, a security policy determines which ciphers CloudFront can use to encrypt the content that it returns to viewers.
-
Between CloudFront and your origin – If you require HTTPS between CloudFront and your origin, you also choose the protocols that CloudFront and your origin use to communicate. The protocols that you choose determine which ciphers your origin can use to encrypt content that it returns to CloudFront.
Topics
Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront
To choose whether to require HTTPS between viewers and CloudFront, specify the applicable value for Viewer Protocol Policy.
If you choose to require HTTPS, you also choose the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:
-
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
-
The ciphers that CloudFront can use to encrypt the content that it returns to viewers.
We recommend that you specify TLSv1.2_2018 unless your viewers are using browsers or devices that don’t support TLSv1.2.
To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you’re using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL and RFC Cipher Names.
| Security Policy | |||||
|---|---|---|---|---|---|
| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | |
| SSL/TLS Protocols Supported | |||||
| TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLSv1.1 | ♦ | ♦ | ♦ | ♦ | |
| TLSv1 | ♦ | ♦ | ♦ | ||
| SSLv3 | ♦ | ||||
| Ciphers Supported | |||||
| ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | |
| ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | |
| AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |
| AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |
| AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |
| AES256-SHA | ♦ | ♦ | ♦ | ♦ | |
| AES128-SHA | ♦ | ♦ | ♦ | ♦ | |
| DES-CBC3-SHA | ♦ | ♦ | |||
| RC4-MD5 | ♦ | ||||
OpenSSL and RFC Cipher Names
OpenSSL and IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2
| OpenSSL Cipher Name | RFC Cipher Name |
|---|---|
|
ECDHE-RSA-AES128-GCM-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
ECDHE-RSA-AES128-SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
ECDHE-RSA-AES256-GCM-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
ECDHE-RSA-AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
AES128-GCM-SHA256 |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
AES256-GCM-SHA384 |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
AES128-SHA256 |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
AES256-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
|
AES128-SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
|
DES-CBC3-SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
|
RC4-MD5 |
TLS_RSA_WITH_RC4_128_MD5 |
Supported SSL/TLS Protocols and Ciphers for Communication Between CloudFront and Your Origin
If you choose to require HTTPS between CloudFront and your origin, you can decide which SSL/TLS protocol to allow for the secure connection, and then pick any supported cipher for CloudFront (see the following tables) to establish an HTTPS connection to your origin.
CloudFront can forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers listed in this section. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin. To learn more about the two types of ciphers that CloudFront supports, see About RSA and ECDSA Ciphers.
The following curves are supported for elliptic-curve-based ciphers:
-
prime256v1
-
secp384r1
OpenSSL and IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2
Supported RSA Ciphers
CloudFront supports the following RSA ciphers for connections with an origin:
| OpenSSL Cipher Name | RFC Cipher Name |
|---|---|
|
ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
AES256-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
|
AES128-SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
|
DES-CBC3-SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
|
RC4-MD5 |
TLS_RSA_WITH_RC4_128_MD5 |
Supported ECDSA Ciphers
CloudFront supports the following ECDSA ciphers for connections with an origin:
| OpenSSL Cipher Name | RFC Cipher Name |
|---|---|
|
ECDHE-ECDSA-AES256-GCM-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
ECDHE-ECDSA-AES256-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
|
ECDHE-ECDSA-AES256-SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
ECDHE-ECDSA-AES128-GCM-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
ECDHE-ECDSA-AES128-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
ECDHE-ECDSA-AES128-SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
