Configure the Viewer Protocol Policy for your CloudFront cache to redirect HTTP requests to HTTPS requests or to require that viewers use only the HTTPS protocol to access your objects in the CloudFront cache. You should also configure one or more cache behaviors in the same distribution to allow both HTTP and HTTPS, so you can require HTTPS for some objects but not for others.
In order to use HTTPS, a SSLTLS certificate must be attached.
This depends on your data classification policy and needs to be configured according to your encryption policy.
Using the Amazon unified command line interface: