Create a CloudFront Distribution

This section describes how to create an Amazon CloudFront distribution that securely delivers content from your S3 bucket using HTTPS. CloudFront will serve as the global CDN and enforce secure access to the bucket.


  1. Sign in to the AWS Management Console and open the CloudFront console.

  2. Choose Create distribution.

  3. Select the appropriate pricing class based on your expected traffic and geographic coverage.

  4. Enter a distribution name and set the type to Single website or app.

  5. Under Specify origin, configure the following:

    | Setting | Value |
    | --- | --- |
    | Origin type | Amazon S3 |
    | Origin | Select your S3 bucket |
    | Allow private S3 bucket access to CloudFront | Enabled |
    | Origin settings | Use recommended settings |

  6. Under Cache settings, choose Customize cache settings, then configure:

    | Setting | Value |
    | --- | --- |
    | Viewer protocol policy | Redirect HTTP to HTTPS |
    | Allowed HTTP methods | GET, HEAD |
    | Cache policy | CachingOptimized |
    | Origin request policy | None |
    | Response headers policy | SimpleCORS or SecurityHeadersPolicy |

    These settings enforce HTTPS, optimize caching performance, and, when SecurityHeadersPolicy is selected, apply essential security headers (SimpleCORS adds only a CORS header).

  7. (Optional) Enable AWS WAF if you want to apply firewall protections.

  8. Review the settings and choose Create distribution.
    The distribution will enter In progress status and may take 10–15 minutes to deploy globally.


Add alternate domains

  1. After the distribution is created and deployed, open it in the CloudFront console.

  2. On the General tab, choose Add a domain.

  3. Enter the domain names you want to serve (for example: example.com, www.example.com).

  4. Select your ACM SSL certificate, choose a security policy, choose allowed HTTP versions, and select Save.


Configure error pages

  1. In your distribution, open the Error pages tab.

  2. Choose Create custom error response, then configure:

    | Field | Value |
    | --- | --- |
    | HTTP error code | 403 |
    | Error caching minimum TTL | 10 (default) |
    | Customize error response | Yes |
    | Response page path | Path to your error.html |
    | HTTP response code | 200 |

    This prevents users from seeing XML “AccessDenied” messages.

  3. (Optional) Add similar rules for other HTTP status codes as needed.


Verification checklist

Before moving on, confirm the following:

| Setting | Expected |
| --- | --- |
| Origin access | OAC |
| Viewer protocol policy | Redirect HTTP to HTTPS |
| SSL certificate | Correct ACM certificate selected |
| Alternate domain names | Added and saved |
| Custom error page | Configured (recommended) |
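
The checklist can also be checked against the distribution's exported configuration instead of the console. The following is an added example, not part of the original guide: it audits a `DistributionConfig` object (the JSON returned by `aws cloudfront get-distribution-config`) against the checklist and the allowed methods from step 6. The sample config, its IDs and ARN are constructed placeholders, and `items` and `audit_distribution` are illustrative names.

```python
import json

# Constructed sample in the shape of the DistributionConfig object returned by
# `aws cloudfront get-distribution-config`; every ID and ARN is a placeholder.
SAMPLE_CONFIG = json.loads("""{
  "Aliases": {"Quantity": 2, "Items": ["example.com", "www.example.com"]},
  "Origins": {"Quantity": 1, "Items": [{
    "Id": "s3-origin", "DomainName": "EXAMPLE-BUCKET.s3.us-east-1.amazonaws.com",
    "OriginAccessControlId": "EXAMPLEOACID",
    "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
  "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https",
    "AllowedMethods": {"Quantity": 2, "Items": ["HEAD", "GET"]}},
  "CacheBehaviors": {"Quantity": 0},
  "ViewerCertificate": {"SSLSupportMethod": "sni-only",
    "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"},
  "CustomErrorResponses": {"Quantity": 1, "Items": [{"ErrorCode": 403,
    "ResponsePagePath": "/error.html", "ResponseCode": "200",
    "ErrorCachingMinTTL": 10}]}
}""")

def items(node):
    """CloudFront list wrappers omit "Items" when Quantity is 0."""
    return (node or {}).get("Items") or []

def audit_distribution(cfg):
    """Return the checklist items this config fails; an empty list is a pass."""
    findings = []
    for origin in items(cfg.get("Origins")):
        # Without an OAC the bucket must be reachable some other way
        # (legacy OAI or public read), which the checklist does not expect.
        if "S3OriginConfig" in origin and not origin.get("OriginAccessControlId"):
            findings.append(f"origin {origin['Id']}: no OAC attached")
    behaviors = [("default", cfg.get("DefaultCacheBehavior", {}))]
    behaviors += [(b.get("PathPattern"), b) for b in items(cfg.get("CacheBehaviors"))]
    for name, behavior in behaviors:
        if behavior.get("ViewerProtocolPolicy") != "redirect-to-https":
            findings.append(f"behavior {name}: viewer policy is not redirect-to-https")
        extra = set(items(behavior.get("AllowedMethods"))) - {"GET", "HEAD"}
        if extra:
            findings.append(f"behavior {name}: extra methods {sorted(extra)}")
    if not cfg.get("ViewerCertificate", {}).get("ACMCertificateArn"):
        findings.append("no ACM certificate selected")
    if not items(cfg.get("Aliases")):
        findings.append("no alternate domain names")
    if not any(e.get("ErrorCode") == 403 and e.get("ResponsePagePath")
               for e in items(cfg.get("CustomErrorResponses"))):
        findings.append("no custom error page for 403 (recommended)")
    return findings

if __name__ == "__main__":
    print(audit_distribution(SAMPLE_CONFIG) or "all checklist items pass")
```

The check covers every path-specific cache behavior as well as the default one, since a single behavior left at a weaker viewer protocol policy still serves that path over plain HTTP.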