Information
Configure the Viewer Protocol Policy for your CloudFront cache to redirect HTTP requests to HTTPS requests or to require that viewers use only the HTTPS protocol to access your objects in the CloudFront cache. You should also configure one or more cache behaviors in the same distribution to allow both HTTP and HTTPS, so you can require HTTPS for some objects but not for others.
In order to use HTTPS, a SSL\TLS certificate must be attached.
This depends on your data classification policy and needs to be configured according to your encryption policy.
To ensure that objects are encrypted from edge locations to viewers using HTTP or HTTPS depending on your data classification and encryption policies, use only HTTPS.
Solution
Using the Amazon unified command line interface:
* For configuring "ViewerProtocolPolicy" first save locally the current distribution config:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "DistributionConfig" > /tmp/cf-distribution.json
* Edit and replace "ViewerProtocolPolicy" element in /tmp/cf-distribution.json with the below section:
"ViewerProtocolPolicy": "redirect-to-https",
* Retrieve the current ETag of your CloudFront distribution:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "ETag"
* Update the CloudFront distribution using the edited config and the above Etag:
aws cloudfront update-distribution --id <application_cfn_distribution_id> --distribution-config file:///tmp/cf-distribution.json --if-match <application_cfn_distribution_etag>