AWS offers multiple ways to add HTTPS depending on your architecture. The right approach depends on whether you use a load balancer, CloudFront, or a standalone EC2 instance.
Decision tree

```text
Are you using an ALB, NLB, or CloudFront?
├── Yes → Use AWS Certificate Manager (ACM) — free, auto-renewing
└── No (standalone EC2)?
    ├── Can you install Certbot? → Certbot on EC2 (auto-renewing)
    └── No root / quick setup? → GetHTTPS → manual install on EC2
```
Option 1: AWS Certificate Manager (ACM) — for load balancers & CloudFront
ACM provides free SSL certificates that auto-renew. They only work with AWS services (ALB, NLB, CloudFront, API Gateway) — you can’t download the private key.
Request a certificate
- Open AWS Certificate Manager in the console
- Click Request a certificate → Request a public certificate
- Enter your domain(s): example.com, *.example.com
- Choose validation: DNS validation (recommended) or Email
- Click Request
DNS validation
ACM gives you a CNAME record to add to your DNS:
- Name: _xxxx.example.com
- Value: _yyyy.acm-validations.aws
If your DNS is in Route 53, click “Create records in Route 53” — ACM adds it automatically.
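If you script the DNS validation instead of clicking through the console, the one trap is that an apex domain and its wildcard share a single validation CNAME, and Route 53 rejects a change batch that contains the same record set twice. The following is an added example, not code from the original page or from GetHTTPS: it takes the structure returned by `aws acm describe-certificate`, de-duplicates the records, and builds the ChangeBatch for `aws route53 change-resource-record-sets`. The ARN and the `_xxxx`/`_yyyy` values are constructed placeholders.

```python
# Constructed sample in the shape of `aws acm describe-certificate` output.
# The ARN and the validation name/value are placeholders, not real records.
SAMPLE_DESCRIBE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_xxxx.example.com.", "Type": "CNAME",
                            "Value": "_yyyy.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_xxxx.example.com.", "Type": "CNAME",
                            "Value": "_yyyy.acm-validations.aws."}},
    ]}}


def validation_records(describe_output):
    """Unique (name, type, value) records ACM asks you to create.

    example.com and *.example.com share one CNAME, so the list is
    de-duplicated: an UPSERT of the same record twice in one change
    batch is rejected by Route 53.
    """
    seen = set()
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:  # email validation, or ACM has not issued the record yet
            continue
        seen.add((rr["Name"], rr["Type"], rr["Value"]))
    return sorted(seen)


def route53_change_batch(describe_output, ttl=300):
    """Build the ChangeBatch for `aws route53 change-resource-record-sets`."""
    changes = [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": ttl,
                               "ResourceRecords": [{"Value": value}]}}
        for name, rtype, value in validation_records(describe_output)
    ]
    return {"Comment": "ACM DNS validation", "Changes": changes}


def all_validated(describe_output):
    """True once every domain on the certificate reports SUCCESS."""
    return all(o["ValidationStatus"] == "SUCCESS"
               for o in describe_output["Certificate"]["DomainValidationOptions"])
```

Poll `all_validated` on fresh `describe-certificate` output (or use `aws acm wait certificate-validated`) before attaching the certificate to a listener.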
Attach to ALB
- Go to EC2 → Load Balancers → select your ALB
- Listeners tab → Add listener (or edit existing)
- Protocol: HTTPS, Port: 443
- Default action: Forward to your target group
- Default SSL/TLS certificate: select your ACM certificate
- Save
Attach to CloudFront
- Go to CloudFront → select your distribution
- General tab → Edit
- Custom SSL certificate: select your ACM certificate (must be in us-east-1)
- Save
Option 2: Let’s Encrypt on EC2 (standalone instances)
If you run a single EC2 instance without a load balancer, install the certificate directly on the server.
Using GetHTTPS (no installation needed)
- Get a certificate from GetHTTPS
- Upload the certificate and key to your EC2 instance: `scp fullchain.pem privkey.pem ec2-user@your-ec2-ip:/etc/ssl/` (ec2-user must be able to write to the destination; otherwise copy the files to its home directory and move them with sudo, keeping privkey.pem readable only by root)
- Configure Nginx or Apache on the instance
Using Certbot (auto-renewal)
```bash
# Amazon Linux 2023
sudo dnf install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com

# Ubuntu on EC2
sudo snap install --classic certbot
sudo certbot --nginx -d example.com
```
Certbot sets up auto-renewal automatically.
ACM vs Let’s Encrypt on AWS
| | ACM | Let’s Encrypt (GetHTTPS/Certbot) |
|---|---|---|
| Cost | Free | Free |
| Works with ALB/CloudFront | ✅ | ❌ (can’t import LE to ACM easily) |
| Works on EC2 directly | ❌ | ✅ |
| Auto-renewal | ✅ (AWS-managed) | ✅ (Certbot) or manual (GetHTTPS) |
| Private key access | ❌ (AWS holds it) | ✅ (you have it) |
| Wildcard | ✅ | ✅ |
| Non-AWS use | ❌ | ✅ (portable) |
Rule of thumb: Use ACM for anything behind an ALB or CloudFront. Use Let’s Encrypt for standalone EC2 instances.
Security group configuration
Make sure your EC2 or ALB security group allows inbound traffic on ports 80 and 443:

| Type | Protocol | Port | Source |
|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 |
| HTTPS | TCP | 443 | 0.0.0.0/0 |

Port 80 is needed for HTTP→HTTPS redirects and for Let’s Encrypt HTTP-01 challenges. If the instance sits behind an ALB, only the ALB’s security group needs these public rules; the instance’s group should accept traffic only from the ALB’s security group.
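Opening 80 and 443 to the world is expected for a public web tier; what usually goes wrong is something else (SSH, a database port, or "all traffic") riding along on the same group. The following is an added check, not part of the original page: it audits an inbound rule list in the shape returned by `aws ec2 describe-security-groups` and reports web ports that are not world-reachable and world-open ports that should not be. The rules and the `sg-…` group id are constructed samples.

```python
# Constructed sample in the shape of the IpPermissions list returned by
# `aws ec2 describe-security-groups` (the group id is a made-up placeholder).
WEB_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    # SSH left open to the world: the audit below flags this.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # App port reachable only from the ALB's security group: not world-open.
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]

WORLD = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}


def world_open_ports(rules):
    """Set of TCP/UDP ports that any rule exposes to 0.0.0.0/0 or ::/0.

    Protocol "-1" (all traffic) or a port of -1 means every port, so the
    whole 0-65535 range is added and such a rule shows up as 'extra'.
    Sources that are other security groups (UserIdGroupPairs) are ignored.
    """
    ports = set()
    for rule in rules:
        if rule["IpProtocol"] not in ("tcp", "udp", "-1"):
            continue  # ICMP etc. carry type/code in the port fields, skip
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
        if rule["IpProtocol"] == "-1" or lo == -1:
            lo, hi = 0, 65535
        ports.update(range(lo, hi + 1))
    return ports


def audit_web_sg(rules):
    """Return (missing, extra): web ports not open to the world, and
    world-open ports a web tier should not expose (for example 22 or 3306)."""
    exposed = world_open_ports(rules)
    return WEB_PORTS - exposed, exposed - WEB_PORTS
```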
Frequently asked questions
Can I use ACM certificates on EC2 directly?
No. ACM certificates can only be attached to AWS-managed services (ALB, NLB, CloudFront, API Gateway). You cannot export the private key. For standalone EC2, use GetHTTPS or Certbot.
Can I import a Let’s Encrypt certificate into ACM?
Technically yes (aws acm import-certificate), but it won’t auto-renew through ACM. You’d need to re-import every 90 days. It’s simpler to use ACM’s native certificates for AWS services and Let’s Encrypt for EC2.
Which AWS region for ACM certificates?
For ALB/NLB: request the certificate in the same region as your load balancer. For CloudFront: the certificate must be in us-east-1 (N. Virginia), regardless of where your origin is.
Is ACM really free?
Yes. Public SSL/TLS certificates from ACM are free. There’s no charge per certificate and no charge for renewal. You only pay for the AWS resources that use the certificate (ALB, CloudFront, etc.).
How do I handle SSL for an ECS/Fargate service?
Put an ALB in front of your ECS service and attach an ACM certificate to the ALB listener. The ALB terminates TLS and forwards HTTP to your containers. This is the standard pattern for ECS.
How do I handle SSL for an S3 static website?
S3 static website hosting doesn’t support custom SSL certificates directly. Put CloudFront in front of S3 and attach an ACM certificate (from us-east-1) to the CloudFront distribution.
What about API Gateway?
AWS API Gateway includes free SSL by default on *.execute-api.region.amazonaws.com. For a custom domain (e.g., api.example.com), create an ACM certificate and configure a custom domain name in API Gateway.
Should I use ACM or GetHTTPS on AWS?
| Scenario | Use |
|---|---|
| ALB / NLB / CloudFront | ACM — free, auto-renewing, native integration |
| Standalone EC2 | GetHTTPS or Certbot — ACM can’t export keys to EC2 |
| EC2 behind ALB | ACM on ALB — EC2 doesn’t need its own cert |
| ECS / Fargate | ACM on ALB — standard pattern |
| Lightsail | Lightsail built-in — includes free Let’s Encrypt |
If you’re on pure EC2 without a load balancer, GetHTTPS is the fastest way to get a certificate — no AWS CLI needed.