Anyone know how to add HTTPS to the Fargate Prisma...
# orm-help
m
Anyone know how to add HTTPS to the Fargate Prisma Server from the tutorial (https://www.prisma.io/tutorials/deploy-prisma-to-aws-fargate-ct14)?
j
did you get this working?
If I remember correctly this was roughly the process...

First you need an SSL certificate for your Prisma server public loadbalancer listener (the URL where you access the playground). The difficulty I experienced was that AWS wouldn't issue an SSL cert directly for the public loadbalancer listener URL. To get around this, you need to 1) create a separate custom domain name (with your DNS hosting provider, e.g. Route 53); 2) point this custom name to your public loadbalancer listener URL; 3) go to the Certificate Manager and create an SSL cert for the custom domain name; finally 4) in the cloudformation template, you need to associate the cert with the listener. This sounds like a lot, but each step is fairly straightforward, especially if you have any experience with DNS.

More detail:

1. Create a custom domain name, like: prisma.api.my-domain.com.
2. In your domain hosting provider, point this new domain to your prisma server public loadbalancer listener URL by creating an A record alias for your domain name with the value of your listener URL. For me this is configured in Route 53, so the process/requirements may be different for your hosting provider. In Route 53 the alias option is a radio button in the A record configuration settings when you’re creating the new record. Interestingly Route 53 automatically added a prefix "dualstack" to the (listener) URL when I pasted in the value of the new A record alias. This was unexpected (although it works) - so don't be surprised if this happens. Triple check everything here.
3. In the Certificate Manager, create an SSL certificate for the custom domain you just created in 1 above following the instructions they provide. This must be done in the same region (e.g., us-east-1) as your prisma server. To expedite the process, choose DNS validation as the validation method. This requires adding an additional DNS validation C record per the validation instructions they provide. Not a huge deal if you’ve successfully added the A record. Once you add the DNS validation record to your host and complete the certificate request process in the Certificate Manager, the certificate should be issued in my experience within a few minutes.

Once you have a domain name pointing to the listener and a valid cert in the Certificate Manager, then you just need to associate the cert with your public loadbalancer listener in the Prisma Fargate cloudformation template by making a few edits.

AFTER the following in the template (“mysql” may be something else in your template if you're using a different db):

```yaml
  DbConnector:
    Type: String
    Default: mysql
```

add this (substituting the full ARN of the certificate you created):

```yaml
  Certificate:
    Type: String
    # Update with the certificate ARN from Certificate Manager, which must exist in the same region.
    Default: "arn:aws:acm:us-east-1:YOUR-AWS-ACCOUNT-NUMBER:certificate/CERTIFICATE-NUMBER"
```

This part of the template should now look something like:

```yaml
  DbConnector:
    Type: String
    Default: mysql
  Certificate:
    Type: String
    # Update with the certificate ARN from Certificate Manager, which must exist in the same region.
    Default: "arn:aws:acm:us-east-1:YOUR-AWS-ACCOUNT-NUMBER:certificate/CERTIFICATE-NUMBER"
```

Next, edit the PublicLoadBalancerListener section as follows (note the new “Certificates” array and new values for the Port and Protocol - everything else is the same):

```yaml
  PublicLoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    DependsOn:
      - PublicLoadBalancer
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref 'PrismaTargetGroup'
          Type: 'forward'
      LoadBalancerArn: !Ref 'PublicLoadBalancer'
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref Certificate
```

Now you should be able to update your Prisma server stack with the modified cf template and hopefully have a working HTTPS endpoint with a custom domain.