WKLD.13 – Require HTTPS for all public web endpoints - AWS Prescriptive Guidance

WKLD.13 – Require HTTPS for all public web endpoints

Require HTTPS to provide additional credibility to your web endpoints, allow your endpoints to use certificates to prove their identity, and confirm that all traffic between your endpoint and connected clients is encrypted. For public websites, this provides the additional benefit of higher search engine ranking.

Many AWS services provide public web endpoints for your resources, such as AWS Elastic Beanstalk, Amazon CloudFront, Amazon API Gateway, Elastic Load Balancing, and AWS Amplify. For instructions about how to require HTTPS for each of these services, see the following:

Static websites hosted on Amazon S3 do not support HTTPS. To require HTTPS for these websites, you can use CloudFront. Public access to S3 buckets that are serving content through CloudFront is not required.

To use CloudFront to serve a static website hosted on Amazon S3
  1. Use CloudFront to serve a static website hosted on Amazon S3 (AWS Knowledge Center).

  2. If you are configuring access to a public S3 bucket, require HTTPS between viewers and CloudFront (CloudFront documentation).

    If you are configuring access to a private S3 bucket, restrict access to Amazon S3 content by using an origin access identity (CloudFront documentation).

In addition, configure HTTPS endpoints to require modern Transport Layer Security (TLS) protocols and ciphers, unless compatibility with older protocols is needed. For example, use the ELBSecurityPolicy-FS-1-2-Res-2020-10 or the most recent policy available for Application Load Balancer HTTPS listeners, instead of the default ELBSecurityPolicy-2016-08. The most current policies require TLS 1.2 at minimum, forward secrecy, and strong ciphers that are compatible with modern web browsers.
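The following audit helper is an added example (not code from this AWS page or from any AWS tool) that checks both the CloudFront setup described in the procedure above and the Application Load Balancer policy guidance in this paragraph. Its functions take dicts shaped like the Listeners list from `elbv2 describe-listeners` and the DistributionConfig from `cloudfront get-distribution-config`, and flag HTTP listeners that do not redirect to HTTPS, HTTPS listeners still on a policy such as the default ELBSecurityPolicy-2016-08, and cache behaviors whose viewer protocol policy is allow-all; the allow-list pattern and the sample resources are assumptions constructed for the example.

```python
import re
# Accept the policy this page names plus newer forward-secrecy / TLS 1.3 policies
# that still require TLS 1.2 or higher. The allow-list pattern is an assumption.
MODERN_ALB_POLICY = re.compile(r"^ELBSecurityPolicy-(FS-1-2-Res-|TLS13-1-[23])")
SAFE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}

def weak_alb_listeners(listeners):
    """Return (ListenerArn, reason) for listeners that do not enforce modern HTTPS."""
    findings = []
    for lst in listeners:
        arn = lst["ListenerArn"]
        if lst["Protocol"] == "HTTP":
            # Plain HTTP is acceptable only when every default action redirects to HTTPS.
            redirects = [a.get("Type") == "redirect"
                         and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                         for a in lst.get("DefaultActions", [])]
            if not redirects or not all(redirects):
                findings.append((arn, "HTTP listener without redirect to HTTPS"))
        elif lst["Protocol"] == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if not MODERN_ALB_POLICY.match(policy):
                findings.append((arn, f"weak TLS policy {policy or '<none>'}"))
    return findings

def weak_cloudfront_behaviors(dist_config):
    """Return (behavior, reason) for cache behaviors that still accept plain HTTP."""
    behaviors = [("default", dist_config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b)
                  for b in dist_config.get("CacheBehaviors", {}).get("Items", [])]
    return [(name, f"viewer protocol policy {b.get('ViewerProtocolPolicy')}")
            for name, b in behaviors
            if b.get("ViewerProtocolPolicy") not in SAFE_VIEWER_POLICIES]

# Constructed sample data (no real resources) in the shape of the API responses.
_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/0123/"
SAMPLE_LISTENERS = [
    {"ListenerArn": _ARN + "1", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": _ARN + "2", "Protocol": "HTTP", "DefaultActions": [
        {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443"}}]},
    {"ListenerArn": _ARN + "3", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-FS-1-2-Res-2020-10",
     "DefaultActions": [{"Type": "forward"}]},
]
SAMPLE_DISTRIBUTION = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [{"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"}]}}
if __name__ == "__main__":
    for f in weak_alb_listeners(SAMPLE_LISTENERS) + weak_cloudfront_behaviors(SAMPLE_DISTRIBUTION):
        print(*f)
```

Feeding the functions live data through boto3 (`describe_listeners`, `get_distribution_config`) is left to the caller so the example runs offline.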

For more information about the available security policies for HTTPS public endpoints, see: