class Aws::CloudFront::Types::ViewerCertificate

A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.

If the distribution doesn’t use `Aliases` (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`—set `CloudFrontDefaultCertificate` to `true` and leave all other fields empty.

If the distribution uses `Aliases` (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:

All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use `ViewerProtocolPolicy` in the `CacheBehavior` or `DefaultCacheBehavior`. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use `CustomOriginConfig`.

For more information, see [Using HTTPS with CloudFront][5] and [Using Alternate Domain Names and HTTPS][6] in the *Amazon CloudFront Developer Guide*.

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
[5]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
[6]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html

@note When making an API call, you may pass ViewerCertificate data as a hash:

    {
      cloud_front_default_certificate: false,
      iam_certificate_id: "string",
      acm_certificate_arn: "string",
      ssl_support_method: "sni-only", # accepts sni-only, vip, static-ip
      minimum_protocol_version: "SSLv3", # accepts SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021
      certificate: "string",
      certificate_source: "cloudfront", # accepts cloudfront, iam, acm
    }

@!attribute [rw] cloud_front_default_certificate

If the distribution uses the CloudFront domain name such as
`d111111abcdef8.cloudfront.net`, set this field to `true`.

If the distribution uses `Aliases` (alternate domain names or
CNAMEs), set this field to `false` and specify values for the
following fields:

* `ACMCertificateArn` or `IAMCertificateId` (specify a value for
  one, not both)

* `MinimumProtocolVersion`

* `SSLSupportMethod`
@return [Boolean]

@!attribute [rw] iam_certificate_id

If the distribution uses `Aliases` (alternate domain names or
CNAMEs) and the SSL/TLS certificate is stored in [Identity and
Access Management (IAM)][1], provide the ID of the IAM certificate.

If you specify an IAM certificate ID, you must also specify values
for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
@return [String]

@!attribute [rw] acm_certificate_arn

If the distribution uses `Aliases` (alternate domain names or
CNAMEs) and the SSL/TLS certificate is stored in [Certificate
Manager (ACM)][1], provide the Amazon Resource Name (ARN) of the ACM
certificate. CloudFront only supports ACM certificates in the US
East (N. Virginia) Region (`us-east-1`).

If you specify an ACM certificate ARN, you must also specify values
for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
@return [String]

@!attribute [rw] ssl_support_method

If the distribution uses `Aliases` (alternate domain names or
CNAMEs), specify which viewers the distribution accepts HTTPS
connections from.

* `sni-only` – The distribution accepts HTTPS connections from only
  viewers that support [server name indication (SNI)][1]. This is
  recommended. Most browsers and clients support SNI.

* `vip` – The distribution accepts HTTPS connections from all
  viewers including those that don’t support SNI. This is not
  recommended, and results in additional monthly charges from
  CloudFront.

* `static-ip` – Do not specify this value unless your distribution
  has been enabled for this feature by the CloudFront team. If you
  have a use case that requires static IP addresses for a
  distribution, contact CloudFront through the [Amazon Web Services
  Support Center][2].

If the distribution uses the CloudFront domain name such as
`d111111abcdef8.cloudfront.net`, don’t set a value for this field.

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
[2]: https://console.aws.amazon.com/support/home
@return [String]

@!attribute [rw] minimum_protocol_version

If the distribution uses `Aliases` (alternate domain names or
CNAMEs), specify the security policy that you want CloudFront to use
for HTTPS connections with viewers. The security policy determines
two settings:

* The minimum SSL/TLS protocol that CloudFront can use to
  communicate with viewers.

* The ciphers that CloudFront can use to encrypt the content that it
  returns to viewers.

For more information, see [Security Policy][1] and [Supported
Protocols and Ciphers Between Viewers and CloudFront][2] in the
*Amazon CloudFront Developer Guide*.

<note markdown="1"> On the CloudFront console, this setting is called **Security Policy**. </note>

When you’re using SNI only (you set `SSLSupportMethod` to
`sni-only`), you must specify `TLSv1` or higher.

If the distribution uses the CloudFront domain name such as
`d111111abcdef8.cloudfront.net` (you set
`CloudFrontDefaultCertificate` to `true`), CloudFront automatically
sets the security policy to `TLSv1` regardless of the value that you
set here.

[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[2]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers
@return [String]

@!attribute [rw] certificate

This field is deprecated. Use one of the following fields instead:

* `ACMCertificateArn`

* `IAMCertificateId`

* `CloudFrontDefaultCertificate`
@return [String]

@!attribute [rw] certificate_source

This field is deprecated. Use one of the following fields instead:

* `ACMCertificateArn`

* `IAMCertificateId`

* `CloudFrontDefaultCertificate`
@return [String]
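The attribute rules above (one certificate source for aliases, `MinimumProtocolVersion` and `SSLSupportMethod` required alongside it, `TLSv1` or higher with `sni-only`, the policy forced to `TLSv1` with the default certificate, and the deprecated `certificate`/`certificate_source` fields) are easy to get subtly wrong in a hash built by hand. The following is an added example, not code from aws-sdk-ruby: a plain-Ruby linter that checks a `ViewerCertificate` hash in the snake_case shape shown in the note above, and a helper that builds the recommended hash for a distribution with aliases. The ARN region check assumes the standard ACM ARN layout (`arn:<partition>:acm:<region>:...`); the sample ARN and certificate id are constructed placeholders.

```ruby
# Added example, not part of aws-sdk-ruby: lint a ViewerCertificate hash
# (snake_case keys, as in the hash shape this page documents) against the
# rules given for each attribute, and build the recommended hash for a
# distribution that uses aliases.

# Allowed values, as listed for ssl_support_method and minimum_protocol_version.
SSL_SUPPORT_METHODS = %w[sni-only vip static-ip].freeze
PROTOCOL_VERSIONS = %w[SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016
                       TLSv1.2_2018 TLSv1.2_2019 TLSv1.2_2021].freeze

# Returns an array of finding strings; an empty array means the hash is
# consistent with the documented constraints.
def lint_viewer_certificate(cert)
  findings = []
  default   = cert[:cloud_front_default_certificate]
  acm       = cert[:acm_certificate_arn]
  iam       = cert[:iam_certificate_id]
  method    = cert[:ssl_support_method]
  min_proto = cert[:minimum_protocol_version]

  # Both of these fields are documented as deprecated.
  %i[certificate certificate_source].each do |key|
    findings << "#{key} is deprecated; use acm_certificate_arn, iam_certificate_id or cloud_front_default_certificate" if cert.key?(key)
  end

  if default
    # CloudFront domain name only: every other field should be left empty,
    # and the security policy is forced to TLSv1 whatever is set here.
    findings << "cloud_front_default_certificate is true but a custom certificate is also set" if acm || iam
    findings << "ssl_support_method must not be set with the CloudFront default certificate" if method
    findings << "minimum_protocol_version is ignored (forced to TLSv1) with the CloudFront default certificate" if min_proto && min_proto != "TLSv1"
    return findings
  end

  # Aliases: exactly one certificate source, plus both of the other fields.
  findings << "set acm_certificate_arn or iam_certificate_id, not both" if acm && iam
  findings << "no certificate: set acm_certificate_arn, iam_certificate_id or cloud_front_default_certificate" unless acm || iam
  # ACM ARNs carry the region as their fourth field (assumed standard ARN layout);
  # CloudFront accepts ACM certificates from us-east-1 only.
  findings << "ACM certificate must be in us-east-1" if acm && acm !~ /\Aarn:[^:]+:acm:us-east-1:/
  findings << "minimum_protocol_version is required with a custom certificate" unless min_proto
  findings << "ssl_support_method is required with a custom certificate" unless method
  findings << "unknown minimum_protocol_version #{min_proto.inspect}" if min_proto && !PROTOCOL_VERSIONS.include?(min_proto)
  findings << "unknown ssl_support_method #{method.inspect}" if method && !SSL_SUPPORT_METHODS.include?(method)
  findings << "sni-only requires TLSv1 or higher; SSLv3 is not allowed" if method == "sni-only" && min_proto == "SSLv3"
  findings << "vip is not recommended and adds monthly charges; prefer sni-only" if method == "vip"
  findings << "static-ip only works if the CloudFront team has enabled it for this distribution" if method == "static-ip"
  findings
end

# Builds the hash this page recommends for a distribution with aliases:
# one certificate source, SNI only, and the last policy in the accepts list.
def recommended_viewer_certificate(acm_certificate_arn: nil, iam_certificate_id: nil,
                                   minimum_protocol_version: "TLSv1.2_2021")
  cert = {
    cloud_front_default_certificate: false,
    ssl_support_method: "sni-only",
    minimum_protocol_version: minimum_protocol_version
  }
  cert[:acm_certificate_arn] = acm_certificate_arn if acm_certificate_arn
  cert[:iam_certificate_id]  = iam_certificate_id  if iam_certificate_id
  cert
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample; the account id and certificate id are placeholders.
  sample = {
    cloud_front_default_certificate: false,
    acm_certificate_arn: "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID",
    ssl_support_method: "vip",
    minimum_protocol_version: "SSLv3"
  }
  lint_viewer_certificate(sample).each { |f| puts "finding: #{f}" }
end
```

Run the linter over the `viewer_certificate` hash before passing it to `create_distribution` or `update_distribution`, or over the hash returned by `get_distribution_config` when auditing existing distributions; the `vip`/`SSLv3` sample above produces both a cost and a protocol finding.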

@see https://docs.aws.amazon.com/goto/WebAPI/cloudfront-2020-05-31/ViewerCertificate AWS API Documentation

Constants

SENSITIVE