diff --git a/keyserver/src/session/cookies.js b/keyserver/src/session/cookies.js
--- a/keyserver/src/session/cookies.js
+++ b/keyserver/src/session/cookies.js
@@ -336,7 +336,7 @@
   let ipAddress;
   if (proxy === 'none') {
     ipAddress = req.socket.remoteAddress;
-  } else if (proxy === 'apache') {
+  } else if (proxy === 'apache' || proxy === 'aws') {
     ipAddress = req.get('X-Forwarded-For');
   }
   invariant(ipAddress, 'could not determine requesting IP address');
diff --git a/keyserver/src/utils/security-utils.js b/keyserver/src/utils/security-utils.js
--- a/keyserver/src/utils/security-utils.js
+++ b/keyserver/src/utils/security-utils.js
@@ -6,12 +6,14 @@
 
 function assertSecureRequest(req: $Request) {
   const { https, proxy } = getAppURLFactsFromRequestURL(req.originalUrl);
+
   if (!https) {
     return;
   }
   if (
     (proxy === 'none' && req.protocol !== 'https') ||
-    (proxy === 'apache' && req.get('X-Forwarded-SSL') !== 'on')
+    (proxy === 'apache' && req.get('X-Forwarded-SSL') !== 'on') ||
+    (proxy === 'aws' && req.get('X-Forwarded-Proto') !== 'https')
   ) {
     throw new Error('insecure request');
   }
diff --git a/keyserver/src/utils/urls.js b/keyserver/src/utils/urls.js
--- a/keyserver/src/utils/urls.js
+++ b/keyserver/src/utils/urls.js
@@ -10,9 +10,9 @@
   +basePath: string,
   +https: boolean,
   +baseRoutePath: string,
-  +proxy?: 'apache' | 'none', // defaults to apache
+  +proxy?: 'apache' | 'none' | 'aws', // defaults to apache
 };
-const validProxies = new Set(['apache', 'none']);
+const validProxies = new Set(['apache', 'none', 'aws']);
 const sitesObj = Object.freeze({
   a: 'landing',
   b: 'webapp',
diff --git a/services/terraform/self-host/keyserver_primary.tf b/services/terraform/self-host/keyserver_primary.tf
--- a/services/terraform/self-host/keyserver_primary.tf
+++ b/services/terraform/self-host/keyserver_primary.tf
@@ -89,8 +89,8 @@
             "baseDomain" : "https://${var.domain_name}",
             "basePath" : "/",
             "baseRoutePath" : "/",
-            "https" : false,
-            "proxy" : "none"
+            "https" : true,
+            "proxy" : "aws"
           })
         },
         {
diff --git a/services/terraform/self-host/keyserver_secondary.tf b/services/terraform/self-host/keyserver_secondary.tf
--- a/services/terraform/self-host/keyserver_secondary.tf
+++ b/services/terraform/self-host/keyserver_secondary.tf
@@ -79,8 +79,8 @@
             "baseDomain" : "https://${var.domain_name}",
             "basePath" : "/",
             "baseRoutePath" : "/",
-            "https" : false,
-            "proxy" : "none"
+            "https" : true,
+            "proxy" : "aws"
           })
         },
         {