aws · tiwari91 · Mar 14, 2026
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
@@ -390,6 +390,20 @@ export class Distribution extends Resource implements IDistribution {
       }
     }
 
+    if (props.minimumProtocolVersion && !props.certificate) {
+      Annotations.of(this).addWarningV2(
+        '@aws-cdk/aws-cloudfront:minimumProtocolVersionWithoutCertificate',
+        'Setting \'minimumProtocolVersion\' without a \'certificate\' has no effect. The distribution will use the CloudFront default certificate with a fixed security policy.',
+      );
+    }
+
+    if (props.sslSupportMethod && !props.certificate) {
+      Annotations.of(this).addWarningV2(
+        '@aws-cdk/aws-cloudfront:sslSupportMethodWithoutCertificate',
+        'Setting \'sslSupportMethod\' without a \'certificate\' has no effect. The distribution will use the CloudFront default certificate.',
+      );
+    }
+
     this.httpVersion = props.httpVersion ?? HttpVersion.HTTP2;
     this.validateGrpc(props.defaultBehavior);
 

diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
@@ -534,6 +534,37 @@ describe('certificates', () => {
       },
     });
   });
+
+  test('warns when minimumProtocolVersion is set without a certificate', () => {
+    new Distribution(stack, 'Dist', {
+      defaultBehavior: { origin: defaultOrigin() },
+      minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2016,
+    });
+
+    Annotations.fromStack(stack).hasWarning('/Stack/Dist', Match.stringLikeRegexp('.*minimumProtocolVersion.*without.*certificate.*'));
+  });
+
+  test('warns when sslSupportMethod is set without a certificate', () => {
+    new Distribution(stack, 'Dist', {
+      defaultBehavior: { origin: defaultOrigin() },
+      sslSupportMethod: SSLMethod.SNI,
+    });
+
+    Annotations.fromStack(stack).hasWarning('/Stack/Dist', Match.stringLikeRegexp('.*sslSupportMethod.*without.*certificate.*'));
+  });
+
+  test('does not warn about minimumProtocolVersion when certificate is provided', () => {
+    const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+
+    new Distribution(stack, 'Dist', {
+      defaultBehavior: { origin: defaultOrigin() },
+      domainNames: ['example.com'],
+      minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2016,
+      certificate,
+    });
+
+    Annotations.fromStack(stack).hasNoWarning('/Stack/Dist', Match.stringLikeRegexp('.*minimumProtocolVersion.*'));
+  });
 });
 
 describe('custom error responses', () => {