Information
Configure the Origin Protocol Policy for the Web tier ELB origin either to require that CloudFront fetches objects from your origin by using HTTPS or to require that CloudFront uses the protocol that the viewer used to request the objects. For example, if you choose Match Viewer for the Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.
In order to use HTTPS, an SSL\TLS certificate must be attached.
To ensure that objects are encrypted from edge locations to the Web-Tier ELB origin according to the data classification policy, use Match Viewer.
Solution
Using the Amazon unified command line interface:
* For configuring "OriginProtocolPolicy"first save locally the current distribution config:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "DistributionConfig" > /tmp/cf-distribution.json
* Edit and replace "OriginProtocolPolicy"element in /tmp/cf-distribution.json with the below section:
"OriginProtocolPolicy": "https-only",
* Retrieve the current ETag of your CloudFront distribution:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "ETag"
* Update the CloudFront distribution using the edited config and the above Etag:
aws cloudfront update-distribution --id <application_cfn_distribution_id> --distribution-config file:///tmp/cf-distribution.json --if-match <application_cfn_distribution_etag>