AWS CloudFront SSL and Custom Domains
Learn how to use ACM certificates, custom domains, HTTPS redirects, and minimum TLS settings with CloudFront.
AWS CloudFront SSL and Custom Domains makes CloudFront suitable for production websites by pairing edge caching with trusted HTTPS endpoints and branded domains. For DevOps teams, it matters because it lets teams terminate TLS at the edge and enforce secure access without operating their own certificate servers. Instead of relying on one fragile manual configuration, you can design a repeatable service boundary that stays stable while the workload behind it changes.
Core ideas
The main ideas to understand are ACM certificates used with CloudFront must be requested or imported in the us-east-1 region; custom domains are attached as alternate domain names and usually mapped from Route 53 alias records; viewer protocol policies can redirect HTTP to HTTPS so end users consistently reach the secure endpoint; and minimum TLS version settings allow you to balance compatibility with modern security expectations. These details shape architecture decisions, but they also shape day-to-day operations. When a team chooses defaults without understanding how the service behaves under failure, scale, or security review, the platform often becomes harder to debug than the application itself.
| Setting | Purpose | Good default |
|---|---|---|
| ACM certificate | Provides HTTPS identity | Issue in us-east-1 for CloudFront |
| Viewer protocol policy | Handles HTTP requests | Redirect HTTP to HTTPS |
| Minimum TLS version | Controls client security floor | Use a modern supported version |
From an operations perspective, the goal is to bind the correct certificate and domain names while avoiding weak TLS settings that create unnecessary exposure. The comparison below highlights the choices that usually matter first. It is often better to start with a simpler design and add sophistication only after metrics, incidents, or delivery requirements prove the change is necessary.
Practical commands
aws acm list-certificates --region us-east-1 --output table
aws cloudfront get-distribution --id EXAMPLE123 --query 'Distribution.DistributionConfig.ViewerCertificate'
Practical CLI checks make the service easier to support in real environments. Use the commands below to inspect the current state and confirm that automation matches intent. Before you promote a change, verify certificate coverage for every alternate domain name and redirect behaviour after DNS changes propagate. A safe default is testing older clients only when required, then setting the highest practical minimum TLS version for the audience. That discipline makes later troubleshooting, scaling, and security reviews far less painful.
Certificate region
In which region must an ACM certificate be available for CloudFront?
HTTPS behaviour
Which CloudFront setting redirects users from HTTP to HTTPS?