by nitrogen 3498 days ago
If the origin is an S3 static website, the link is unencrypted but should run over Amazon's own network. Since Amazon has your S3 and CloudFront data anyway, assuming all CF endpoints are under Amazon's control, you don't lose much by having the S3 origin load over http.
2 comments

What makes you think that when cloudfront requests objects internally from s3, it's using http?

It could just as easily be connecting with s2n and authenticating both endpoints of the connection.

This article[1] states the following, though it doesn't cite any specific source:

> CloudFront will use encryption when retrieving data from its storage service S3 (Simple Storage Service), so the content is protected all the way from where it is stored to the user's computer, according to Amazon.

1. http://www.computerworld.com/article/2518747/data-center/use...

It says so in the CloudFront distribution setup, when you point it at an s3-website-[region] URL instead of directly at an S3 bucket.

That's just naive with the information we have today. Google thought this too, and the NSA happily used that to eavesdrop.

Eavesdropping on the connection between CF and S3 doesn't say too much about a public static website, though. If you're serving private data, use an S3 bucket directly instead of the S3 static website hosting HTTP server.
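The thread's point, that an s3-website-[region] origin can only be fetched over plain HTTP while a bucket origin can be fetched over HTTPS, is something you can check on your own distributions. The following is an added example, not code from the thread or from AWS: a small audit that walks a CloudFront DistributionConfig document (the shape returned by `aws cloudfront get-distribution-config`) and flags origins that CloudFront may reach over unencrypted HTTP. The field names (`Origins.Items`, `CustomOriginConfig.OriginProtocolPolicy`, `S3OriginConfig`, `DefaultCacheBehavior.ViewerProtocolPolicy`) are the real API fields; the sample document at the bottom is constructed for illustration.

```python
"""Audit a CloudFront DistributionConfig for origins reachable only over plain HTTP.

Added example for this thread; not AWS code. Input is a dict shaped like the
DistributionConfig document from `aws cloudfront get-distribution-config`.
"""
import json
import re

# S3 static-website endpoints look like
#   bucket.s3-website-us-east-1.amazonaws.com   or
#   bucket.s3-website.eu-central-1.amazonaws.com
# They only speak HTTP, so CloudFront's fetch from them is unencrypted.
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")


def audit_origins(distribution_config):
    """Return a list of (origin_id, issue) pairs for origins CloudFront may fetch over HTTP.

    Issues reported:
      s3-website-endpoint            origin is an S3 website endpoint (HTTP only; move to a bucket origin)
      http-only                      custom origin pinned to HTTP
      match-viewer-with-http-viewers custom origin follows the viewer protocol and HTTP viewers are allowed
      s3-rest-origin-with-http-viewers  bucket origin: CloudFront uses the viewer's protocol, and HTTP viewers are allowed
    """
    findings = []
    viewer_policy = distribution_config["DefaultCacheBehavior"]["ViewerProtocolPolicy"]
    for origin in distribution_config["Origins"]["Items"]:
        oid = origin["Id"]
        domain = origin["DomainName"].lower()
        if WEBSITE_ENDPOINT.search(domain):
            findings.append((oid, "s3-website-endpoint"))
        elif "CustomOriginConfig" in origin:
            policy = origin["CustomOriginConfig"]["OriginProtocolPolicy"]
            if policy == "http-only":
                findings.append((oid, "http-only"))
            elif policy == "match-viewer" and viewer_policy == "allow-all":
                findings.append((oid, "match-viewer-with-http-viewers"))
        elif "S3OriginConfig" in origin:
            # Bucket (REST) origin: the origin fetch uses whatever protocol the viewer used,
            # so it is only guaranteed encrypted when HTTP viewers are refused or redirected.
            if viewer_policy == "allow-all":
                findings.append((oid, "s3-rest-origin-with-http-viewers"))
    return findings


# Constructed sample distribution config (not a real distribution).
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 3,
        "Items": [
            {
                "Id": "website",
                "DomainName": "assets.s3-website-us-east-1.amazonaws.com",
                "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"},
            },
            {
                "Id": "api",
                "DomainName": "api.example.com",
                "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "https-only"},
            },
            {
                "Id": "bucket",
                "DomainName": "assets.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
        ],
    },
    "DefaultCacheBehavior": {"TargetOriginId": "bucket", "ViewerProtocolPolicy": "allow-all"},
}


if __name__ == "__main__":
    # To audit a live distribution, replace SAMPLE_CONFIG with
    # json.load(open("dist.json"))["DistributionConfig"] from the CLI output.
    for origin_id, issue in audit_origins(SAMPLE_CONFIG):
        print(json.dumps({"origin": origin_id, "issue": issue}))
```

Run against the sample it reports the website-endpoint origin and the bucket origin (because viewers are allowed to use HTTP), and nothing for the https-only API origin. Switching `ViewerProtocolPolicy` to `redirect-to-https` clears the bucket finding; the website-endpoint finding can only be cleared by pointing the origin at the bucket itself, as the last comment suggests.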