Class: Aws::CloudFront::Types::ViewerCertificate

Inherits:
Struct
  • Object
Includes:
Structure
Defined in:
lib/aws-sdk-cloudfront/types.rb

Overview

A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.

If the distribution doesn’t use `Aliases` (also known as alternate domain names or CNAMEs), that is, if the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`, set `CloudFrontDefaultCertificate` to `true` and leave all other fields empty.

If the distribution uses `Aliases` (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:

  • Which viewers the distribution accepts HTTPS connections from: only viewers that support [server name indication (SNI)][1] (recommended), or all viewers including those that don’t support SNI.

    • To accept HTTPS connections from only viewers that support SNI, set `SSLSupportMethod` to `sni-only`. This is recommended. Most browsers and clients support SNI.

    • To accept HTTPS connections from all viewers, including those that don’t support SNI, set `SSLSupportMethod` to `vip`. This is not recommended, and results in additional monthly charges from CloudFront.

  • The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for `MinimumProtocolVersion`. For more information, see [Security Policy][2] in the *Amazon CloudFront Developer Guide*.

  • The location of the SSL/TLS certificate, [Certificate Manager (ACM)][3] (recommended) or [Identity and Access Management (IAM)][4]. You specify the location by setting a value in one of the following fields (not both):

    • `ACMCertificateArn`

    • `IAMCertificateId`

All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use `ViewerProtocolPolicy` in the `CacheBehavior` or `DefaultCacheBehavior`. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use `CustomOriginConfig`.

For more information, see [Using HTTPS with CloudFront][5] and [Using Alternate Domain Names and HTTPS][6] in the *Amazon CloudFront Developer Guide*.

[1]: en.wikipedia.org/wiki/Server_Name_Indication
[2]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[3]: docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
[4]: docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
[5]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
[6]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html

Constant Summary

SENSITIVE =
[]

Instance Attribute Details

#acm_certificate_arn ⇒ String

If the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [Certificate Manager (ACM)][1], provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (`us-east-1`).

If you specify an ACM certificate ARN, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

Returns:

  • (String)


# File 'lib/aws-sdk-cloudfront/types.rb', line 13257

class ViewerCertificate < Struct.new(
  :cloud_front_default_certificate,
  :iam_certificate_id,
  :acm_certificate_arn,
  :ssl_support_method,
  :minimum_protocol_version,
  :certificate,
  :certificate_source)
  SENSITIVE = []
  include Aws::Structure
end

#certificate ⇒ String

This field is deprecated. Use one of the following fields instead:

  • `ACMCertificateArn`

  • `IAMCertificateId`

  • `CloudFrontDefaultCertificate`

Returns:

  • (String)



#certificate_source ⇒ String

This field is deprecated. Use one of the following fields instead:

  • `ACMCertificateArn`

  • `IAMCertificateId`

  • `CloudFrontDefaultCertificate`

Returns:

  • (String)



#cloud_front_default_certificate ⇒ Boolean

If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`, set this field to `true`.

If the distribution uses `Aliases` (alternate domain names or CNAMEs), set this field to `false` and specify values for the following fields:

  • `ACMCertificateArn` or `IAMCertificateId` (specify a value for one, not both)

  • `MinimumProtocolVersion`

  • `SSLSupportMethod`

Returns:

  • (Boolean)



#iam_certificate_id ⇒ String

If the distribution uses `Aliases` (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in [Identity and Access Management (IAM)][1], provide the ID of the IAM certificate.

If you specify an IAM certificate ID, you must also specify values for `MinimumProtocolVersion` and `SSLSupportMethod`.

[1]: docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html

Returns:

  • (String)



#minimum_protocol_version ⇒ String

If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:

  • The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.

  • The ciphers that CloudFront can use to encrypt the content that it returns to viewers.

For more information, see [Security Policy][1] and [Supported Protocols and Ciphers Between Viewers and CloudFront][2] in the *Amazon CloudFront Developer Guide*.

Note: On the CloudFront console, this setting is called **Security Policy**.

When you’re using SNI only (you set `SSLSupportMethod` to `sni-only`), you must specify `TLSv1` or higher.

If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net` (you set `CloudFrontDefaultCertificate` to `true`), CloudFront automatically sets the security policy to `TLSv1` regardless of the value that you set here.

[1]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
[2]: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers

Returns:

  • (String)



#ssl_support_method ⇒ String

If the distribution uses `Aliases` (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.

  • `sni-only` – The distribution accepts HTTPS connections from only viewers that support [server name indication (SNI)][1]. This is recommended. Most browsers and clients support SNI.

  • `vip` – The distribution accepts HTTPS connections from all viewers including those that don’t support SNI. This is not recommended, and results in additional monthly charges from CloudFront.

  • `static-ip` – Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the [Amazon Web Services Support Center][2].

If the distribution uses the CloudFront domain name such as `d111111abcdef8.cloudfront.net`, don’t set a value for this field.

[1]: en.wikipedia.org/wiki/Server_Name_Indication
[2]: console.aws.amazon.com/support/home

Returns:

  • (String)
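
The field rules stated in the overview and in the attribute details on this page can be checked mechanically before a distribution config is submitted. The Ruby below is an added example, not part of the SDK or its documentation: `audit_viewer_certificate` is a hypothetical helper, the hash keys mirror the struct members, and the sample ARNs and IDs are constructed placeholders.

```ruby
# Added example, not SDK code. audit_viewer_certificate is a hypothetical helper;
# hash keys mirror the struct members, `aliases` is the distribution's CNAME list.
def audit_viewer_certificate(vc, aliases: [])
  set = ->(k) { !vc[k].nil? && vc[k] != '' }
  findings = %i[certificate certificate_source].select(&set).map { |k| "#{k} is deprecated" }

  if aliases.empty?
    unless vc[:cloud_front_default_certificate] == true
      findings << 'no aliases: cloud_front_default_certificate should be true'
    end
    %i[acm_certificate_arn iam_certificate_id ssl_support_method].select(&set).each do |k|
      findings << "#{k} should be empty with the default certificate"
    end
    # Per the page, CloudFront forces the TLSv1 policy here whatever is requested.
    if set.call(:minimum_protocol_version)
      findings << 'minimum_protocol_version is ignored: CloudFront applies TLSv1'
    end
    return findings
  end

  if vc[:cloud_front_default_certificate] == true
    findings << 'aliases set: cloud_front_default_certificate must be false'
  end
  sources = %i[acm_certificate_arn iam_certificate_id].select(&set)
  findings << 'set exactly one of acm_certificate_arn / iam_certificate_id' unless sources.size == 1
  # ARN layout: arn:partition:service:region:account:resource
  if set.call(:acm_certificate_arn) && vc[:acm_certificate_arn].split(':')[3] != 'us-east-1'
    findings << 'acm_certificate_arn must be in us-east-1'
  end
  %i[minimum_protocol_version ssl_support_method].reject(&set).each do |k|
    findings << "#{k} is required when aliases are used"
  end
  case vc[:ssl_support_method]
  when 'sni-only'
    # SSLv3 is the API value below TLSv1 (known from the API, not named on this page).
    findings << 'sni-only requires TLSv1 or higher' if vc[:minimum_protocol_version] == 'SSLv3'
  when 'vip' then findings << 'vip is not recommended and adds monthly charges'
  when 'static-ip' then findings << 'static-ip needs enablement by the CloudFront team'
  end
  findings
end

# Constructed sample inputs (placeholder account ID, certificate ID and IAM ID).
GOOD = { cloud_front_default_certificate: false, ssl_support_method: 'sni-only',
         minimum_protocol_version: 'TLSv1.2_2021',
         acm_certificate_arn: 'arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE' }.freeze
BAD = GOOD.merge(acm_certificate_arn: 'arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE',
                 iam_certificate_id: 'EXAMPLEID', ssl_support_method: 'vip').freeze

puts audit_viewer_certificate(BAD, aliases: ['www.example.com'])
```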

