diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
index d35ffdce..ba5a44a2 100644
--- a/terraform/aws/main.tf
+++ b/terraform/aws/main.tf
@@ -121,12 +121,20 @@ resource "aws_elb" "web" {
 ]
 listener {
- instance_port = 80
+ instance_port = var.faucet_port
 instance_protocol = "http"
- lb_port = 80
+ lb_port = var.faucet_port
 lb_protocol = "http"
 }
+ listener {
+ instance_port = var.faucet_port
+ instance_protocol = "http"
+ lb_port = var.faucet_https_port
+ lb_protocol = "https"
+ ssl_certificate_id = aws_acm_certificate_validation.faucet.certificate_arn
+ }
+
 listener {
 instance_port = var.insight_port
 instance_protocol = "http"
@@ -156,6 +164,33 @@ resource "aws_elb" "web" {
 }
 }
+resource "aws_acm_certificate" "faucet" {
+ domain_name = "faucet.${var.public_network_name}.${var.main_domain}"
+ validation_method = "DNS"
+}
+
+resource "aws_route53_record" "faucet_validation" {
+ for_each = {
+ for dvo in aws_acm_certificate.faucet.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ zone_id = data.aws_route53_zone.main_domain[0].zone_id
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+}
+
+resource "aws_acm_certificate_validation" "faucet" {
+ certificate_arn = aws_acm_certificate.faucet.arn
+ validation_record_fqdns = [for record in aws_route53_record.faucet_validation : record.fqdn]
+}
+
 resource "aws_route53_record" "faucet" {
 zone_id = data.aws_route53_zone.main_domain[count.index].zone_id
 name = "faucet.${var.public_network_name}.${var.main_domain}"
diff --git a/terraform/aws/security_groups.tf b/terraform/aws/security_groups.tf
index 403ec652..e2188b7c 100644
--- a/terraform/aws/security_groups.tf
+++ b/terraform/aws/security_groups.tf
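Review bot: The new HTTPS listener on `lb_port = var.faucet_https_port` pins no TLS negotiation policy, so this classic ELB will run whatever predefined security policy AWS applies by default rather than one the repository controls; pin it with an `aws_lb_ssl_negotiation_policy` resource tied to `aws_elb.web` and this `lb_port`, and add a comment on the listener naming the policy in use. TLS terminates at the ELB and the instance side stays `instance_protocol = "http"`, which is acceptable inside the VPC but deserves a one-line comment so nobody assumes end-to-end encryption. The plain-HTTP listener on `var.faucet_port` is kept next to the HTTPS one (its matching world-open ingress rule is in the security_groups.tf hunk), so the faucet remains reachable over cleartext unless the instance itself redirects; either document that or drop the listener. The `aws_elb` "web" block starts and ends outside this hunk.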
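Review bot: `aws_acm_certificate.faucet` has no `lifecycle { create_before_destroy = true }`, so any future change that forces replacement (for example a different `domain_name`) will try to delete a certificate still attached to the ELB listener and fail mid-apply; add `lifecycle { create_before_destroy = true }` to the resource. The validation record indexes `data.aws_route53_zone.main_domain[0]` while the existing `aws_route53_record.faucet` below uses `count.index` on the same data source, which suggests the zone lookup is conditional; if its count can be 0 in some workspace, these three unconditional resources will fail at plan time and should carry the same guard (the data source's `count` expression is outside this hunk). `allow_overwrite = true` is the usual choice for ACM validation records but silently replaces any existing record of that name, so a short comment, `# overwrite is intended: ACM re-issues the same validation CNAME`, would make the intent explicit.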
@@ -343,12 +343,24 @@ resource "aws_security_group" "elb" {
 name = "${terraform.workspace}-elb"
 vpc_id = aws_vpc.default.id
- # HTTP access from anywhere
+ # Faucet
 ingress {
- from_port = 80
- to_port = 80
+ from_port = var.faucet_port
+ to_port = var.faucet_port
+ protocol = "tcp"
+ description = "Faucet"
+
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ }
+
+ # Faucet HTTPS
+ ingress {
+ from_port = var.faucet_https_port
+ to_port = var.faucet_https_port
 protocol = "tcp"
- description = "HTTP"
+ description = "Faucet HTTPS"
 cidr_blocks = [
 "0.0.0.0/0",
@@ -367,7 +379,7 @@ resource "aws_security_group" "elb" {
 ]
 }
- # Insight Explorer
+ # Insight Explorer HTTPS
 ingress {
 from_port = var.insight_https_port
 to_port = var.insight_https_port
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index 9d5671f5..8c00f2ea 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -16,6 +16,16 @@ variable "dashd_zmq_port" {
 default = 29998
 }
+variable "faucet_port" {
+ description = "Faucet port"
+ default = 80
+}
+
+variable "faucet_https_port" {
+ description = "Faucet HTTPS port"
+ default = 443
+}
+
 variable "insight_port" {
 description = "Insight port"
 default = 3001
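Review bot: `faucet_port` and `faucet_https_port` declare no `type`, so a string such as `"80"` from a tfvars file is accepted and only coerced or rejected where the listener and ingress blocks consume it; add `type = number` to both, which is what the defaults 80 and 443 imply. A `validation` block would catch out-of-range values at plan time, e.g. `condition = var.faucet_port > 0 && var.faucet_port < 65536` with an error_message naming the variable. The descriptions could also state that these are the ELB-facing ports and that the HTTPS listener forwards to `faucet_port` on the instance, since that is how the main.tf hunk wires them.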