Free SSL with Amazon Certificate Manager and Cloudfront

Following my recent move to Amazon S3 I've now gone one step further and added Cloudfront to the mix. Cloudfront is a CDN; it puts web pages closer to the client so they're faster. Faster is better. However, my motivation for adding Cloudfront was not speed, it was SSL.

I'd already been toying with the idea of adding SSL to this site with Cloudflare when fellow Bath Ruby attendee Paul Leader told me that Amazon were offering free SSL through their recently announced Amazon Certificate Manager product. I decided to give it a try.

Why SSL?

Privacy and trust. Visitors to this site get the version of each page that I publish: nothing between their browser and the server can read or tamper with it in transit, so no ads or malware can be injected along the way. And why not? SSL (strictly, TLS these days) is no longer expensive to implement. Gone are the days of being extorted by companies selling SSL certificates. SSL is now freely available from the likes of Cloudflare, Amazon and, perhaps more importantly, Let's Encrypt.

Amazon Certificate Manager?

As with all Amazon products it's often difficult to understand a) What it is; and b) What it's for. Amazon Certificate Manager lets you create SSL certificates for free and use them easily with other Amazon products. Currently, ELB and Cloudfront are supported. The best part is that they automatically handle renewals for you! Once set up there is no maintenance to do, provided the certificate stays attached to a distribution or load balancer and the domain validation can still be completed. One wrinkle: a certificate used with Cloudfront must be requested in the us-east-1 (N. Virginia) region, regardless of where the rest of the site lives.


Distribution setup

Cloudfront has a concept called Distributions. A distribution is a set of files that Amazon will distribute across the world to be served from its edge locations, meaning the files will be geographically closer to the client requesting them.

Setting up the distribution looks fairly complex but I went with the defaults and it seems to work well. You can point a distribution straight to an S3 bucket but I found that not all of my pages were picked up by Cloudfront if I did it that way. Index pages were missed for some reason. The fix was to point the distribution at the Amazon S3 URL instead. The pages were then all correctly picked up.
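As an added example (not the author's setup and not Amazon's own tooling), the shell script below renders a CloudFront distribution config for this layout and creates it with the AWS CLI. It points CloudFront at the S3 website endpoint as a custom origin, which is what serves `about/` as `about/index.html`; the REST endpoint only honours DefaultRootObject at the site root, which is why index pages go missing when a distribution is pointed straight at the bucket. Two caveats the console defaults do not give you: the viewer protocol policy defaults to allowing plain HTTP, so it is set to redirect-to-https here, and the website endpoint only speaks HTTP, so the edge-to-origin hop inside AWS is plaintext (encrypting that hop means using the REST endpoint with an origin access identity, and losing the directory-index behaviour). The hostnames and the certificate ARN are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own setup. Renders a CloudFront distribution
# config for an S3 *website* endpoint origin with an ACM certificate, then
# creates it with the AWS CLI. All hostnames and the ARN are placeholders.
set -eu

# $1 S3 website endpoint, e.g. mybucket.s3-website-eu-west-1.amazonaws.com
# $2 ACM certificate ARN (CloudFront only accepts certificates in us-east-1)
# $3 the site's own hostname, which the DNS ALIAS will point at CloudFront
render_distribution_config() {
  origin_host="$1"; cert_arn="$2"; site_host="$3"

  # Fail early on the most common ACM + CloudFront mistake: a certificate
  # requested in the site's home region instead of us-east-1.
  case "$cert_arn" in
    arn:aws:acm:us-east-1:*) ;;
    *) echo "error: CloudFront needs an ACM certificate in us-east-1, got: $cert_arn" >&2
       return 1 ;;
  esac

  # Settings that differ from the console defaults:
  #   ViewerProtocolPolicy    allow-all -> redirect-to-https, so a visitor
  #                           typing http:// still ends up on TLS
  #   OriginProtocolPolicy    http-only, because the website endpoint has no
  #                           HTTPS listener; edge-to-origin is plaintext
  #   MinimumProtocolVersion  TLSv1.2_2021 refuses TLS 1.0/1.1 from viewers
  cat <<EOF
{
  "CallerReference": "site-$(date +%s)",
  "Comment": "Static site from S3 website endpoint, HTTPS via ACM",
  "Enabled": true,
  "Aliases": { "Quantity": 1, "Items": ["$site_host"] },
  "DefaultRootObject": "index.html",
  "Origins": {
    "Quantity": 1,
    "Items": [{
      "Id": "s3-website",
      "DomainName": "$origin_host",
      "CustomOriginConfig": {
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "http-only"
      }
    }]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "s3-website",
    "ViewerProtocolPolicy": "redirect-to-https",
    "AllowedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] },
    "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" } },
    "TrustedSigners": { "Enabled": false, "Quantity": 0 },
    "MinTTL": 0
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "$cert_arn",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  }
}
EOF
}

# Creates the distribution. The real call needs AWS credentials and makes a
# billable change, so it only runs when APPLY=1; otherwise the config is shown.
create_distribution() {
  cfg="$(mktemp)"
  render_distribution_config "$@" > "$cfg"
  if [ "${APPLY:-0}" = 1 ]; then
    aws cloudfront create-distribution --distribution-config "file://$cfg"
  else
    cat "$cfg"
  fi
  rm -f "$cfg"
}

# Usage (placeholders):
#   APPLY=1 create_distribution mybucket.s3-website-eu-west-1.amazonaws.com \
#     arn:aws:acm:us-east-1:123456789012:certificate/<id> www.example.com
```

Once the distribution is deployed, the DNS ALIAS goes to the `DomainName` that create-distribution returns, and a quick check is that `curl -I http://www.example.com/` answers with a 301 to the https URL rather than serving the page.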

DNS changes

As with using S3 directly, a very simple change is required. I already had an ALIAS record to point from to I've now changed that ALIAS to point to the Cloudfront address instead, which is

Invalidating the cache

Now that the site content is spread across Amazon's network and cached appropriately, the cache will need to be invalidated when new files are deployed to S3 or we'll be serving stale content. There is a Middleman extension to handle this but at the moment I'm manually invalidating the cache through the Amazon Cloudfront console. As I deploy infrequently it isn't a problem for me to do it manually at the moment but I might end up using that extension eventually.
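As an added example (not the author's workflow and not the Middleman extension), the shell below derives the invalidation from what `aws s3 sync` actually uploaded or deleted, rather than flushing everything by hand. The point a practitioner hits first is that CloudFront caches by URL, and with the website endpoint the same page is cached twice, once as `/about/index.html` and once as `/about/`; invalidating only the key that changed leaves the directory URL stale. The distribution ID, bucket name and the sync output used for testing are placeholders or constructed.

```shell
#!/bin/sh
# Added example, not the post's deploy process. Turns the objects that
# `aws s3 sync` just changed into a CloudFront invalidation batch.
# Distribution ID and bucket are placeholders; sample sync output is constructed.
set -eu

# The S3 website endpoint serves a directory index at two URLs, and CloudFront
# caches each URL separately, so a changed index.html needs both forms purged.
paths_for_key() {
  key="$1"
  printf '/%s\n' "$key"
  case "$key" in
    index.html)   printf '/\n' ;;
    */index.html) printf '/%s\n' "${key%index.html}" ;;
  esac
}

# Reads `aws s3 sync` output lines such as
#   upload: build/about/index.html to s3://mybucket/about/index.html
#   delete: s3://mybucket/old/index.html
# and prints one invalidation path per line, deduplicated. Keys containing
# spaces or non-ASCII characters would need URL-encoding before submission.
invalidation_paths_from_sync() {
  while IFS= read -r line; do
    case "$line" in
      upload:*" to s3://"*) key="${line##* to s3://}"; key="${key#*/}" ;;
      "delete: s3://"*)     key="${line#delete: s3://}"; key="${key#*/}" ;;
      *) continue ;;
    esac
    paths_for_key "$key"
  done | sort -u
}

# Wraps paths in the JSON shape create-invalidation expects.
# $1 is the caller reference, the remaining arguments are the paths.
invalidation_batch_json() {
  ref="$1"; shift
  printf '{"Paths":{"Quantity":%d,"Items":[' "$#"
  first=1
  for p in "$@"; do
    [ "$first" -eq 1 ] || printf ','
    printf '"%s"' "$p"
    first=0
  done
  printf ']},"CallerReference":"%s"}\n' "$ref"
}

# $1 distribution ID, $2 bucket, $3 local build directory. Needs AWS credentials.
deploy_and_invalidate() {
  dist_id="$1"; bucket="$2"; build_dir="$3"
  sync_out="$(aws s3 sync "$build_dir" "s3://$bucket" --delete)"
  paths="$(printf '%s\n' "$sync_out" | invalidation_paths_from_sync)"
  if [ -z "$paths" ]; then
    echo "nothing changed, no invalidation needed"
    return 0
  fi
  set -- $paths   # one path per line becomes one argument each
  batch="$(invalidation_batch_json "deploy-$(date +%s)" "$@")"
  aws cloudfront create-invalidation --distribution-id "$dist_id" \
    --invalidation-batch "$batch"
}

# Usage (placeholders): deploy_and_invalidate E1234567890ABC mybucket ./build
```

The first 1,000 invalidation paths a month are free and a wildcard such as `/*` counts as one path, so for a full rebuild the wildcard is cheaper than listing every file; for a small deploy the targeted list avoids flushing pages that did not change.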


I thought that the site was fairly speedy when served as a rack app on Heroku. The speed seemed to increase when I moved to S3 but now it's on Cloudfront it feels noticeably faster! Combine those speed increases with free SSL and I'm very happy.