Amazon CloudFront
Developer Guide (API Version 2012-05-05)

Creating Secure HTTPS Connections

By default, CloudFront accepts both non-secure HTTP and secure HTTPS connections.

An HTTPS connection, together with a valid public key certificate issued by a certificate authority (such as VeriSign or DigiCert), lets the end user's browser verify your site's identity and encrypts the data passed between the browser and your site. The identity check holds only when the host name the browser requested matches the name on the certificate. A plain HTTP connection does neither: it gives no assurance of your site's identity and no encryption of the data in transit.

HTTPS Connections

You can use CloudFront to restrict access to your distributions to HTTPS connections. CloudFront forwards end-user requests to your Amazon S3 bucket or custom origin over the same protocol it received them on. When you configure your distribution to refuse non-secure HTTP requests, CloudFront passes only HTTPS requests to Amazon S3 or to your custom origin. The concept is illustrated in the following graphic.

Basic flow for HTTP and HTTPS requests when your distribution is restricted to HTTPS requests

Process for HTTP and HTTPS Requests When the Connection is Restricted

In the preceding graphic there are two different end users sending requests to CloudFront. One user sends an HTTPS request; the other user sends an HTTP request.

Because your distribution is configured to accept secure requests only, CloudFront refuses the non-secure HTTP request.

CloudFront passes the HTTPS request to Amazon S3.


Caution

The only way to ensure that your end users retrieve an object over HTTPS is never to fetch the object over any other protocol. If you have recently changed from HTTP to HTTPS, we recommend that you invalidate your cached objects, because cached objects are protocol agnostic: an edge location returns an object from the cache regardless of whether the protocol of the current request matches the protocol used to fetch it originally. An object that was first fetched over HTTP, and may have been tampered with in transit, therefore continues to be served over HTTPS until it expires or is invalidated. For information about expiring cached objects, see Specifying How Long Objects Stay in a CloudFront Edge Cache (Object Expiration).

How to Restrict Access to Your Distribution to HTTPS Only

You can restrict access to your distribution using the CloudFront console or using the CloudFront API:

CNAMEs and HTTPS

CloudFront doesn't support CNAMEs with HTTPS. CloudFront presents a certificate for its own cloudfront.net domain name only, so an HTTPS request for a CNAME host name cannot pass the browser's certificate validation. If content is requested over HTTPS using CNAMEs, your end users' browsers will display the warning: This page contains both secure and non-secure items. To prevent this message from appearing, don't use CNAMEs with CloudFront HTTPS distributions; reference objects by the distribution's cloudfront.net domain name instead.
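The following script is an added example, not code from this guide or from Amazon. It audits a DistributionConfig document for the two points made in the preceding sections: every cache behavior must carry a ViewerProtocolPolicy of https-only (the setting that makes CloudFront refuse non-secure HTTP requests), and the distribution should declare no CNAME aliases if it is to be served over HTTPS. It also produces a hardened copy with every viewer protocol policy set to https-only. The element names (DefaultCacheBehavior, CacheBehaviors, ViewerProtocolPolicy, Aliases), the namespace URI, and the policy values allow-all and https-only are the author's reading of the 2012-05-05 DistributionConfig schema and are assumptions to verify against the API reference; the sample document is constructed for the example.

```python
"""Audit a CloudFront DistributionConfig (2012-05-05 API XML) for HTTPS-only
viewer access and CNAME aliases, and produce a hardened copy.

Added example, not code from the CloudFront Developer Guide. Element names,
namespace URI and policy values are assumptions about the 2012-05-05 schema.
"""
import xml.etree.ElementTree as ET

NS = "http://cloudfront.amazonaws.com/doc/2012-05-05/"   # assumed namespace
HTTPS_ONLY = "https-only"                                 # assumed policy value

# Constructed sample: the default behavior still allows plain HTTP, one
# path-pattern behavior is already HTTPS-only, and a CNAME alias is declared.
SAMPLE_CONFIG = f"""<DistributionConfig xmlns="{NS}">
  <CallerReference>20120612-example</CallerReference>
  <Aliases>
    <Quantity>1</Quantity>
    <Items><CNAME>cdn.example.com</CNAME></Items>
  </Aliases>
  <DefaultCacheBehavior>
    <TargetOriginId>s3-origin</TargetOriginId>
    <ViewerProtocolPolicy>allow-all</ViewerProtocolPolicy>
    <MinTTL>0</MinTTL>
  </DefaultCacheBehavior>
  <CacheBehaviors>
    <Quantity>1</Quantity>
    <Items>
      <CacheBehavior>
        <PathPattern>/secure/*</PathPattern>
        <TargetOriginId>s3-origin</TargetOriginId>
        <ViewerProtocolPolicy>https-only</ViewerProtocolPolicy>
        <MinTTL>0</MinTTL>
      </CacheBehavior>
    </Items>
  </CacheBehaviors>
  <Enabled>true</Enabled>
</DistributionConfig>
"""


def _q(tag):
    """Qualify a tag name with the CloudFront namespace."""
    return f"{{{NS}}}{tag}"


def _behaviors(root):
    """Yield (label, element) for the default behavior and every path-pattern behavior."""
    default = root.find(_q("DefaultCacheBehavior"))
    if default is not None:
        yield "DefaultCacheBehavior", default
    path = f"{_q('CacheBehaviors')}/{_q('Items')}/{_q('CacheBehavior')}"
    for cb in root.iterfind(path):
        pattern = cb.findtext(_q("PathPattern"), default="?")
        yield f"CacheBehavior[{pattern}]", cb


def audit(config_xml):
    """Return a list of findings; an empty list means every viewer path is
    HTTPS-only and no CNAME aliases are declared."""
    root = ET.fromstring(config_xml)
    findings = []
    for label, cb in _behaviors(root):
        policy = cb.findtext(_q("ViewerProtocolPolicy"))
        if policy != HTTPS_ONLY:
            findings.append(f"{label}: ViewerProtocolPolicy is {policy!r}, "
                            f"expected {HTTPS_ONLY!r}")
    for cname in root.iterfind(f"{_q('Aliases')}/{_q('Items')}/{_q('CNAME')}"):
        findings.append(f"Aliases: CNAME {cname.text!r} cannot be served over HTTPS")
    return findings


def harden(config_xml):
    """Return a copy of the config with every ViewerProtocolPolicy set to
    https-only. Aliases are reported by audit() but not removed here: dropping
    a CNAME changes the URLs your users rely on and should be a deliberate step."""
    root = ET.fromstring(config_xml)
    for _, cb in _behaviors(root):
        vpp = cb.find(_q("ViewerProtocolPolicy"))
        if vpp is None:
            # The schema is a sequence, so insert the element ahead of MinTTL
            # rather than appending it at the end of the behavior.
            vpp = ET.Element(_q("ViewerProtocolPolicy"))
            children = list(cb)
            idx = next((i for i, c in enumerate(children) if c.tag == _q("MinTTL")),
                       len(children))
            cb.insert(idx, vpp)
        vpp.text = HTTPS_ONLY
    ET.register_namespace("", NS)   # keep the default namespace on output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("after harden:", audit(harden(SAMPLE_CONFIG)))
```

Run the hardened document through audit() again before submitting it with PUT DistributionConfig: the only finding that should remain is the CNAME alias, which the script deliberately leaves for you to remove by hand.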

Charges for HTTPS Connections

You always incur a surcharge for HTTPS requests and bytes transferred. For information on billing rates, refer to the CloudFront pricing plan.