Configure S3 + Cloudflare + SSL
Darshan Patil on March 31, 2022
Fronting your S3 buckets with Cloudlflare is a great way to reduce your AWS bandwidth bills. 


Cloudflare only allows you to configure SSL globally for a domain. S3 does not support custom certificates, so we need to rely on the default S3 SSL certificate and cannot achieve Full (strict) mode.
Full mode is the best we can achieve. 
What you will achieve
Full mode means browsers connect to Cloudflare over HTTPS and Cloudflare connects to your web-servers over HTTPS. The connection between Cloudflare and your servers can use any certificate.
Flexible mode is where client browsers connect to Cloudflare over HTTPS and Cloudflare in turn connects to your web-servers over HTTP. 
Wryttr is built on Rails and we use Fargate behind an ALB. Full mode was the least intrusive option for us.


1. Create a bucket that matches your fully qualified domain name

If you want your resources accessible at, create a bucket named

2. Disable static web hosting for your S3 bucket

3. Add a CNAME entry in Cloudlflare:

Name: cdn Target:
Note: Replace us-east-1 with your region.

Join the conversation

Darshan Patil

Darshan Patil


Principal Engineer @ Amazon Ads | Ex Bloomberg. Opinions are my own and not the views of my employer

Stay up to date

Get notified when I publish something new, and unsubscribe at any time.