class Aws::CloudFront::Types::ViewerCertificate
A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.
If the distribution doesn’t use `Aliases` (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`—set `CloudFrontDefaultCertificate` to `true` and leave all other fields empty.
If the distribution uses `Aliases` (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:

- Which viewers the distribution accepts HTTPS connections from: only viewers that support [server name indication (SNI)][1] (recommended), or all viewers including those that don’t support SNI.
  - To accept HTTPS connections from only viewers that support SNI, set `SSLSupportMethod` to `sni-only`. This is recommended. Most browsers and clients support SNI.
  - To accept HTTPS connections from all viewers, including those that don’t support SNI, set `SSLSupportMethod` to `vip`. This is not recommended, and results in additional monthly charges from CloudFront.
- The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for `MinimumProtocolVersion`. For more information, see [Security Policy][2] in the *Amazon CloudFront Developer Guide*.
- The location of the SSL/TLS certificate, [Certificate Manager (ACM)][3] (recommended) or [Identity and Access Management (IAM)][4]. You specify the location by setting a value in one of the following fields (not both):
  - `ACMCertificateArn`
  - `IAMCertificateId`
All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use `ViewerProtocolPolicy` in the `CacheBehavior` or `DefaultCacheBehavior`. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use `CustomOriginConfig`.

For more information, see [Using HTTPS with CloudFront][5] and [Using Alternate Domain Names and HTTPS][6] in the *Amazon CloudFront Developer Guide*.

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
[5]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
[6]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
@note When making an API call, you may pass ViewerCertificate data as a hash:

```ruby
{
  cloud_front_default_certificate: false,
  iam_certificate_id: "string",
  acm_certificate_arn: "string",
  ssl_support_method: "sni-only", # accepts sni-only, vip, static-ip
  minimum_protocol_version: "SSLv3", # accepts SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021
  certificate: "string",
  certificate_source: "cloudfront", # accepts cloudfront, iam, acm
}
```
@!attribute [rw] cloud_front_default_certificate
If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`, set this field to `true`.

If the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:

* `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)
* `MinimumProtocolVersion`
* `SSLSupportMethod`

@return [Boolean]
@!attribute [rw] iam_certificate_id
If the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [Identity and Access Management (IAM)][1], provide the ID of the IAM certificate.

If you specify an IAM certificate ID, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html

@return [String]
@!attribute [rw] acm_certificate_arn
If the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [Certificate Manager (ACM)][1], provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (`us-east-1`).

If you specify an ACM certificate ARN, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

@return [String]
@!attribute [rw] ssl_support_method
If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.

* `sni-only` – The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)][1]. This is recommended. Most browsers and clients support SNI.
* `vip` – The distribution accepts HTTPS connections from all viewers including those that don’t support SNI. This is not recommended, and results in additional monthly charges from CloudFront.
* `static-ip` – Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Amazon Web Services Support Center][2].

If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`, don’t set a value for this field.

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
[2]: https://console.aws.amazon.com/support/home

@return [String]
@!attribute [rw] minimum_protocol_version
If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:

* The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.
* The ciphers that CloudFront can use to encrypt the content that it returns to viewers.

For more information, see [Security Policy][1] and [Supported Protocols and Ciphers Between Viewers and CloudFront][2] in the *Amazon CloudFront Developer Guide*.

Note: on the CloudFront console, this setting is called **Security Policy**.

When you’re using SNI only (you set `SSLSupportMethod` to `sni-only`), you must specify `TLSv1` or higher.

If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true`), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.

[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers

@return [String]
@!attribute [rw] certificate
This field is deprecated. Use one of the following fields instead:

* `ACMCertificateArn`
* `IAMCertificateId`
* `CloudFrontDefaultCertificate`

@return [String]
@!attribute [rw] certificate_source
This field is deprecated. Use one of the following fields instead:

* `ACMCertificateArn`
* `IAMCertificateId`
* `CloudFrontDefaultCertificate`

@return [String]
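The rules above (one certificate source, not both; `sni-only` needs `TLSv1` or higher; a default-certificate distribution leaves the other fields empty; `certificate`/`certificate_source` are deprecated) are easy to get wrong in a hash built by hand. The following is an added example, not part of the aws-sdk-ruby documentation or the SDK itself: a pure-Ruby pre-flight check for a `viewer_certificate` hash that runs offline, with a constructed placeholder ARN. `viewer_certificate_problems` and `recommended_viewer_certificate` are assumed helper names.

```ruby
# Added example (not aws-sdk-ruby code): check a ViewerCertificate hash against the
# documented rules before handing it to Aws::CloudFront::Client#create_distribution.

# Policy names in the order the API lists them, weakest first.
PROTOCOL_ORDER = %w[SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016
                    TLSv1.2_2018 TLSv1.2_2019 TLSv1.2_2021].freeze
SUPPORT_METHODS = %w[sni-only vip static-ip].freeze

# Returns an array of problem strings; an empty array means the hash follows the rules.
def viewer_certificate_problems(vc)
  problems = []
  if vc[:certificate] || vc[:certificate_source]
    problems << "certificate/certificate_source are deprecated; use the specific fields"
  end

  if vc[:cloud_front_default_certificate]
    # Default *.cloudfront.net domain: all other fields must be left empty.
    extras = %i[acm_certificate_arn iam_certificate_id ssl_support_method
                minimum_protocol_version].select { |k| vc[k] }
    problems << "default certificate set but #{extras.join(', ')} also given" unless extras.empty?
    return problems
  end

  acm = vc[:acm_certificate_arn]
  iam = vc[:iam_certificate_id]
  problems << "specify exactly one of acm_certificate_arn or iam_certificate_id" unless [acm, iam].compact.size == 1
  # CloudFront only accepts ACM certificates issued in us-east-1.
  problems << "ACM certificate must be in us-east-1" if acm && !acm.start_with?("arn:aws:acm:us-east-1:")

  method = vc[:ssl_support_method]
  problems << "ssl_support_method is required (sni-only recommended)" unless SUPPORT_METHODS.include?(method)
  version = vc[:minimum_protocol_version]
  problems << "minimum_protocol_version is required" unless PROTOCOL_ORDER.include?(version)
  # SNI-only distributions must use TLSv1 or higher, so SSLv3 is rejected.
  problems << "sni-only requires TLSv1 or higher" if method == "sni-only" && version == "SSLv3"
  problems
end

# The recommended shape for an alias distribution: ACM certificate, SNI only,
# and the newest security policy listed on this page.
def recommended_viewer_certificate(acm_arn)
  { cloud_front_default_certificate: false, acm_certificate_arn: acm_arn,
    ssl_support_method: "sni-only", minimum_protocol_version: "TLSv1.2_2021" }
end

# Constructed placeholder ARN for the example; not a real certificate.
EXAMPLE_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
```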
@see https://docs.aws.amazon.com/goto/WebAPI/cloudfront-2020-05-31/ViewerCertificate AWS API Documentation
Constants
- SENSITIVE