WKLD.13 Require HTTPS for all public web endpoints
Require HTTPS to provide additional credibility to your web endpoints, allow your endpoints to use certificates to prove their identity, and confirm that all traffic between your endpoint and connected clients is encrypted. For public websites, this provides the additional benefit of higher search engine ranking.
Many AWS services provide public web endpoints for your resources, such as AWS Elastic Beanstalk, Amazon CloudFront, Amazon API Gateway, Elastic Load Balancing, and AWS Amplify. For instructions about how to require HTTPS for each of these services, see the following:
- Elastic Beanstalk (Elastic Beanstalk documentation)
- CloudFront (CloudFront documentation)
- Application Load Balancer (AWS Knowledge Center)
- Classic Load Balancer (AWS Knowledge Center)
- Amplify (Amplify documentation)
Static websites hosted on Amazon S3 do not support HTTPS. To require HTTPS for these websites, you can use CloudFront. Public access to S3 buckets that are serving content through CloudFront is not required.
To use CloudFront to serve a static website hosted on Amazon S3
- Use CloudFront to serve a static website hosted on Amazon S3 (AWS Knowledge Center).
- If you are configuring access to a public S3 bucket, require HTTPS between viewers and CloudFront (CloudFront documentation).
- If you are configuring access to a private S3 bucket, restrict access to Amazon S3 content by using an origin access identity (CloudFront documentation).
In addition, configure HTTPS endpoints to require modern Transport Layer Security (TLS) protocols and ciphers, unless compatibility with older protocols is needed. For example, use the ELBSecurityPolicy-FS-1-2-Res-2020-10 or the most recent policy available for Application Load Balancer HTTPS listeners, instead of the default ELBSecurityPolicy-2016-08. The most current policies require TLS 1.2 at minimum, forward secrecy, and strong ciphers that are compatible with modern web browsers.
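The following audit script is an added example (not AWS code) that applies this control to the output of `aws elbv2 describe-listeners`: it flags HTTPS listeners whose SSL policy is not the recommended ELBSecurityPolicy-FS-1-2-Res-2020-10 and HTTP listeners that serve plaintext without redirecting to HTTPS. The sample listener data and its ARNs are constructed placeholders.

```python
"""Offline audit of ALB listeners against WKLD.13 (added example, not AWS code).
Input has the JSON shape of `aws elbv2 describe-listeners`; the sample is constructed.
"""

# The policy the page recommends; add newer policies here as AWS releases them.
RECOMMENDED_POLICY = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
APPROVED_SSL_POLICIES = {RECOMMENDED_POLICY}

ARN_PREFIX = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
              "listener/app/example-alb/0123456789abcdef/")  # placeholder ARN

# Constructed sample: a weak HTTPS listener, a compliant HTTPS listener,
# an HTTP listener that redirects to HTTPS, and a plaintext HTTP listener.
SAMPLE_DESCRIBE_LISTENERS = {"Listeners": [
    {"ListenerArn": ARN_PREFIX + "weak443", "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-placeholder"}]},
    {"ListenerArn": ARN_PREFIX + "good443", "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": RECOMMENDED_POLICY,
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-placeholder"}]},
    {"ListenerArn": ARN_PREFIX + "redirect80", "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect", "RedirectConfig": {
         "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": ARN_PREFIX + "plain8080", "Port": 8080, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": "tg-placeholder"}]},
]}

def redirects_to_https(listener: dict) -> bool:
    """True if the listener's default action redirects clients to HTTPS."""
    return any(action.get("Type") == "redirect"
               and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
               for action in listener.get("DefaultActions", []))

def audit_listeners(describe_output: dict) -> list:
    """Return one finding per listener that serves plaintext or a weak TLS policy."""
    findings = []
    for lst in describe_output["Listeners"]:
        arn, proto, policy = lst["ListenerArn"], lst["Protocol"], lst.get("SslPolicy")
        if proto == "HTTP" and not redirects_to_https(lst):
            findings.append({"ListenerArn": arn,
                             "issue": "plaintext HTTP served without a redirect to HTTPS"})
        elif proto == "HTTPS" and policy not in APPROVED_SSL_POLICIES:
            findings.append({"ListenerArn": arn,
                             "issue": f"TLS policy {policy} is not an approved modern policy",
                             "fix": f"aws elbv2 modify-listener --listener-arn {arn} "
                                    f"--ssl-policy {RECOMMENDED_POLICY}"})
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(finding)
```

Against live data, pipe the real `describe-listeners` output into `audit_listeners` and review each emitted `fix` command before running it.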
For more information about the available security policies for HTTPS public endpoints, see:
- Predefined SSL security policies for Classic Load Balancers (Elastic Load Balancing documentation)
- Security policies for your Application Load Balancer (Elastic Load Balancing documentation)
- Supported protocols and ciphers between viewers and CloudFront (CloudFront documentation)