How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?

Last updated: 2021-09-16

How can I configure an Amazon CloudFront distribution to serve HTTPS requests for my Amazon Simple Storage Service (Amazon S3) bucket?


  1. Open the CloudFront console.
  2. Choose Create Distribution.
  3. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list. Or, enter your S3 bucket's website endpoint. For more information, see Key differences between a website endpoint and a REST API endpoint.
  4. Under Default cache behavior, Viewer, for Viewer Protocol Policy, select HTTP and HTTPS or Redirect HTTP to HTTPS.
    Note: Choosing HTTPS Only blocks all HTTP requests.

If you're not using a custom domain with CloudFront, then choose Create Distribution to complete the process. If you are using a custom domain, then follow these additional steps before you create the distribution:

  1. For Alternate Domain Names (CNAMEs), choose Add item and enter your custom domain.
  2. For Custom SSL Certificate, choose the custom SSL certificate to assign to the distribution from the dropdown list.
    Note: For more information on installing a certificate, see How do I configure my CloudFront distribution to use an SSL/TLS certificate?
  3. Choose Create distribution.

Note: After you choose Create distribution, 20 or more minutes can elapse for your distribution to be deployed.
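The following is an added example, not part of the original article: a Python check that audits a distribution configuration against the choices made in the steps above (Viewer Protocol Policy, custom SSL certificate for alternate domain names, and REST API versus website endpoint). The dict follows the DistributionConfig shape used by the CloudFront API; the function name, bucket name, and alias are constructed for illustration.

```python
import re

# Viewer Protocol Policy: API value -> console label used in the steps above
POLICY_LABELS = {
    "allow-all": "HTTP and HTTPS",
    "redirect-to-https": "Redirect HTTP to HTTPS",
    "https-only": "HTTPS Only",
}
# Matches both s3-website-<region> and s3-website.<region> endpoint styles
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")


def audit_distribution(config):
    """Return a list of findings for a DistributionConfig-shaped dict."""
    findings = []
    # Every cache behavior carries its own viewer policy, not just the default.
    behaviors = [("default", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    for name, b in behaviors:
        policy = b["ViewerProtocolPolicy"]
        if policy == "allow-all":
            findings.append(f"{name}: '{POLICY_LABELS[policy]}' still serves plain HTTP")
    # Alternate domain names need a custom certificate that covers them.
    aliases = config.get("Aliases", {}).get("Items", [])
    cert = config.get("ViewerCertificate", {})
    if aliases and not (cert.get("ACMCertificateArn") or cert.get("IAMCertificateId")):
        findings.append(f"aliases {aliases} set without a custom SSL certificate")
    # S3 website endpoints do not accept HTTPS, so the origin fetch is HTTP.
    for origin in config["Origins"]["Items"]:
        if WEBSITE_ENDPOINT.search(origin["DomainName"]):
            findings.append(f"origin {origin['Id']}: S3 website endpoint, origin fetch is HTTP only")
    return findings


# Constructed sample configuration (placeholder bucket and domain names)
SAMPLE = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "Origins": {"Quantity": 1, "Items": [
        {"Id": "s3-site", "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com"}]},
}

if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE):
        print(finding)
```
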

Be sure to update the DNS for your domain to a CNAME record that points to the CloudFront distribution's provided domain. You can find your distribution's domain name in the CloudFront console.

If you're using Amazon Route 53 as your DNS provider, then see Configuring Amazon Route 53 to route traffic to a CloudFront web distribution. If you're using another DNS provider, then you can create a CNAME record to point to the distribution's domain.

Important: DNS standards require that an apex domain use an authoritative (A) record that maps to an IP address. You can point your apex domain to your CloudFront distribution only if you're using Route 53. If you're using another DNS provider, then you must use a subdomain.