AWS CloudFront
How to automatically deploy SSL certificates to AWS CloudFront distributions.
Overview
AutoSSL can automatically deploy SSL certificates directly to your Amazon CloudFront distributions. It handles the full flow of importing the certificate into ACM (in the us-east-1 region) and updating your distribution configuration.
For instructions on how to manage and run this deployment, please refer to the Deployment Management section.
Configuration Parameters
When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:
| Parameter | Description | Example |
|---|---|---|
| Distribution IDs | A list of CloudFront distribution IDs to which the certificate should be deployed. | ['EWH7HR80TDW90', 'EWH7HR81TDW87'] |
How it Works
When AutoSSL deploys a certificate to an AWS CloudFront distribution (e.g., EWH7HR80TDW90), it performs the following steps:
- Distribution Validation:
  - Calls the AWS API (`GetDistributionConfigCommand`) to retrieve the current configuration of the target CloudFront distribution (EWH7HR80TDW90).
  - Checks the Alternate Domain Names (CNAMEs) bound to the distribution and verifies that the provided certificate covers all of them. If any bound domain is not covered, deployment is skipped to prevent downtime.
- ACM Import:
  - Because CloudFront requires certificates to be hosted in `us-east-1`, the certificate is imported into AWS ACM in the `us-east-1` region using the `ImportCertificateCommand`.
  - If deploying to multiple distributions, the ACM import is done only once, and the resulting ARN is reused.
- Configuration Update:
  - Calls the AWS API (`UpdateDistributionCommand`) to update the CloudFront distribution (EWH7HR80TDW90).
  - Associates the newly imported ACM Certificate ARN with the distribution and configures SSL support to `sni-only`.
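
The coverage check from the Distribution Validation step, sketched as an added example (this is not AutoSSL's own code). The function names and sample domains are hypothetical, and the single-label wildcard rule is standard TLS hostname matching, assumed here rather than taken from AutoSSL.

```javascript
// Added example: decide per distribution whether a certificate's names
// cover every alternate domain name before it is attached.

// Normalize a DNS name for comparison: lowercase, no trailing dot.
function normalize(name) {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

// True if one certificate name (exact or wildcard) covers one hostname.
// A wildcard covers exactly one left-most label: *.example.com matches
// www.example.com but not example.com or a.b.example.com.
function nameCovers(certName, host) {
  const c = normalize(certName);
  const h = normalize(host);
  if (c === h) return true; // exact match (also wildcard alias vs. same wildcard)
  if (!c.startsWith("*.")) return false;
  const suffix = c.slice(1); // e.g. ".example.com"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes(".");
}

// Return the aliases that no certificate name covers.
function uncoveredAliases(aliases, certNames) {
  return aliases.filter((a) => !certNames.some((c) => nameCovers(c, a)));
}

// Mirrors the rule above: skip a distribution if any bound domain is uncovered.
function planDeployment(distributions, certNames) {
  return distributions.map(({ id, aliases = [] }) => {
    const missing = uncoveredAliases(aliases, certNames);
    return { id, action: missing.length === 0 ? "deploy" : "skip", missing };
  });
}

// Constructed sample data: alias lists as they would appear under
// DistributionConfig.Aliases.Items, and the names on the certificate.
const sampleCertNames = ["example.com", "*.example.com"];
const sampleDistributions = [
  { id: "EWH7HR80TDW90", aliases: ["www.example.com", "Example.com."] },
  { id: "EWH7HR81TDW87", aliases: ["cdn.example.com", "a.b.example.com"] },
];

console.log(JSON.stringify(planDeployment(sampleDistributions, sampleCertNames), null, 2));
```

The second distribution is skipped because `a.b.example.com` sits two labels below the wildcard, so `*.example.com` does not cover it.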
Access Key Requirement
To interact with the AWS API, this provider requires an AWS Access Key.
Required Permissions
The Access Key must belong to an AWS IAM user with permissions to read/update CloudFront distributions and import certificates into ACM.
You need to attach an IAM policy to your user with at least the following actions:
- `acm:ImportCertificate`
- `cloudfront:GetDistributionConfig`
- `cloudfront:UpdateDistribution`
For more information on how to manage IAM permissions, please refer to the AWS IAM Documentation.