How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?

3 minute read

I want to configure an Amazon CloudFront distribution to serve HTTPS requests for my Amazon Simple Storage Service (Amazon S3).


For the following steps, your S3 bucket can use either your Amazon S3 website endpoint or a REST API endpoint. For information on using your distribution with Amazon S3, see Using an Amazon S3 bucket. When you use the Amazon S3 static website endpoint, connections between CloudFront and Amazon S3 are available only over HTTP.

  1. Open the CloudFront console.
  2. Choose Create Distribution.
  3. Under Origin, for Origin domain, choose your S3 bucket's REST API endpoint from the dropdown list. Or, enter your S3 bucket's website endpoint. For more information, see Key differences between a website endpoint and a REST API endpoint.
  4. Under Default cache behavior, Viewer, for Viewer Protocol Policy, select HTTP and HTTPS or Redirect HTTP to HTTPS.
    Note: Choosing HTTPS Only blocks all HTTP requests.

If you don't use an Alternate domain name (CNAME) with CloudFront, then choose Create Distribution to complete the process. If you use a CNAME, then follow these additional steps before you create the distribution:

  1. For Alternate Domain Names (CNAMEs), choose Add item, and then enter your alternate domain name.
  2. For Custom SSL Certificate, choose the custom SSL certificate from the dropdown list that covers your CNAME to assign it to the distribution.
    Note: For more information on installing a certificate, see How do I configure my CloudFront distribution to use an SSL/TLS certificate?
  3. Choose Create distribution.
    Note: After you choose Create distribution, it might take 20 or more minutes for your distribution to deploy.

Be sure to update the DNS for your domain to a CNAME record that points to the CloudFront distribution's provided domain. You can find your distribution's domain name in the CloudFront console.

If you use Amazon Route 53 as your DNS provider, then see Configuring Amazon Route 53 to route traffic to a CloudFront distribution. If you use another DNS provider, then you can create a CNAME record ( CNAME to point to the distribution's domain.

Important: DNS standards require that an apex domain ( use an authoritative (A) record that maps to an IP address. You can point your apex domain to your CloudFront distribution only if you're using Route 53. If you're using another DNS provider, then you must use a subdomain (

For additional troubleshooting based on your endpoint type, see the following articles:

Related information

How do I use CloudFront to serve a static website hosted on Amazon S3?

Amazon CloudFront pricing

Requiring HTTPS for communication between CloudFront and your Amazon S3 origin

Website endpoints

Create a CloudFront distribution

AWS OFFICIALUpdated 10 months ago

How should the S3 bucket be configured prior to this? Should it have enabled static website hosting?

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 10 months ago

Hi, Tried this and its not working. As soon as I input my S3's http static website endpoint (it only has an http endpoint) it defaults to HTTP for Cloudfront and doesn't give you the option to change it to https.

Any other solution for this? We aim to host the S3 static webhosting endpoint via Cloudfront but using only HTTPS in cloudfront.

replied 10 months ago