How can I configure CloudFront to serve my content using an alternate domain name over HTTPS?

4 minute read

I want to configure CloudFront to serve my content using an alternate domain name over HTTPS.

Short description

By default, you can use CloudFront domain names only to serve content over HTTPS. However, you can associate your own domain name with CloudFront to serve your content over HTTPS.

To associate your own domain name with CloudFront, add an alternate domain names (CNAME).


Request an SSL certificate in AWS Certificate Manager (ACM) or import your own certificate

To use an Amazon-issued certificate, see Requesting a public certificate.

When using a public certificate, keep in mind:

  • You must request the certificate in the US East (N. Virginia) Region.
  • You must have permission to use and request the ACM certificate.

To use an imported certificate, see Importing certificates into AWS Certificate Manager.

When using an imported certificate, keep in mind:

For more information, see Requirements for using SSL/TLS certificates with CloudFront.

Note: It is a best practice to import your certificate to ACM. However, you can also import your certificate in IAM certificate store.

Attach an SSL certificate and alternate domain names to your distribution

  1. Access the CloudFront console.
  2. Select the distribution that you want to update.
  3. On the General tab, choose Edit.
  4. For Alternate Domain Names (CNAMEs), add the applicable alternate domain names. Separate domain names with commas, or type each domain name on a new line.
    Note: The alternate domain that you are trying to add must not have a DNS record that points to a different CloudFront distribution.
  5. For SSL Certificate, choose Custom SSL Certificate. Then, choose a certificate from the list.
    Note: Up to 100 certificates are available in the dropdown list. If you have more than 100 certificates and the certificate that you want isn't listed, enter the certificate Amazon Resource Name (ARN). If you previously uploaded a certificate to the IAM certificate store but it isn't available in the dropdown list, confirm that you correctly uploaded the certificate.
  6. If you want CloudFront to serve your HTTPS content using dedicated IP addresses, turn on Legacy Client support.
    Note: When using Legacy Client support, you incur additional charges if you associate your SSL/TLS certificate with a distribution where the setting is turned on. For more information, see Amazon CloudFront Pricing.
  7. Choose Save changes.

Configure CloudFront to require HTTPS between viewers and CloudFront

  1. Access the CloudFront console.
  2. On the Behaviors tab, choose the cache behavior that you want to update. Then, choose Edit.
  3. For Viewer Protocol Policy, choose:
    Redirect HTTP to HTTPS. Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests.
    HTTPS Only. Viewers can access your content only if they're using HTTPS. If a viewer sends an HTTP request instead of an HTTPS request, CloudFront returns HTTP status code 403 (Forbidden) and does not return the file.
  4. Choose Save changes.
  5. Repeat steps 1-4 for each additional cache behavior that you want to require HTTPS for between viewers and CloudFront.

Create DNS records to point your domain to CloudFront distribution

Create an alias resource record set. With an alias resource record set, there are no charges for Route 53 queries. Additionally, you can create an alias resource record set for the root domain name (, which DNS doesn't allow for CNAMEs. For more information, see Configuring Amazon Route 53 to route traffic to a CloudFront distribution.

Using another DNS service provider

Use the method provided by your DNS service provider to add a CNAME record for your domain. The CNAME record will redirect DNS queries from your alternate domain name (for example: to the CloudFront domain name for your distribution (for example:

AWS OFFICIALUpdated 2 years ago