We are running a static website in S3 using CloudFront for distribution. CloudFront has an SSL Certificate assigned, so we are receiving HTTPS traffic and redirecting HTTP to HTTPS.
What I'm trying to determine is that does mean that TLS is enforced from CloudFront to the S3 Static Site?
If so, I am looking for a reference stating that - we need to have end to end encryption applied for compliance and I need to be able to verify/prove that this is in place.
Thanks !!!
does mean that TLS is enforced from CloudFront to the S3 Static Site?
No its not. Static S3 websites are HTTP only. Docs explain that:
If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration.
we need to have end to end encryption applied for compliance
For end-to-end ssl you have to setup setup origin access identity (OAI) for your CF. This means that the bucket can't be in website mode. Instead, it has to be configured for OAI access as explained in the docs. To enforce HTTPS between CF and S3 you must ensure that your "Viewer Protocol Policy to Redirect HTTP to HTTPS or HTTPS Only".
Related
I did a search in the aws docs and couldn't find anything that could help me to setup a cloudfront distribution for a non aws origin server to secure my domain with https. I'm using route 53 to manage my dns for the domain, I'd like to setup https for the domain but it is not hosted with aws. How can I use aws to create a secure domain with https?
Update: I've created the cloudfront distribution and set the alternative cnames to the domain (example.com and www.example.com). In Route 53 I updated the A record for the domain - example.com - to be an alias and pointed it to the cloudfront distribution, but when I try to access the site I get page not working error. The domain does now have he secure padlock, but I can't access the site. Here is the error that I get when I access the site:
The simplest way is to use a CloudFront distribution in front of your non AWS endpoint. This endpoint would be configured as a custom origin endpoint.
You would need to generate or upload a certificate to ACM to attach to the resource. This must be done before you can use the distribution on your own domain, if you don't have it when you create the distribution you will need to edit it later.
The AWS documentation includes documentation for Creating a Distribution. If you follow this and reference your endpoint as the custom origin you will be able to create the host.
You will need to ensure you configure the Origins Origin Protocol Policy option to be HTTP Only if your host does not have a HTTPS certificate.
Be aware that as the CloudFront distribution communicates with your endpoint over the internet, any traffic between CloudFront and your endpoint will still not be encrypted.
The following services are activated:
a S3 bucket in ap-east-1 where my static web pages are saved,
a domain name registered on Route 53,
a SSL certificate requested via Certification Manager at us-east-1,
a CloudFront distribution for enabling HTTPS access to my web pages.
It is stated in this page that a single SSL certificate should suffice if CloudFront is used.
When I navigate to my URL https://www.example.com in Chrome, the following error is returned.
How to make my pages globally accessible via HTTPS?
Update
It seems that the behavior of S3 buckets in ap-east-1 is different from the buckets located in other regions as stated in my follow up question.
It is saying that the URL provided for S3 included the wrong (or no) region.
You should use the format:
bucket-name.s3.region.amazonaws.com
You are probably missing the region.
See: Using Amazon S3 Origins, MediaPackage Channels, and Custom Origins for Web Distributions - Amazon CloudFront
I've got a static S3 website. When I log in, I can see that the endpoint is http://www.example.com.s3-website.eu-west-2.amazonaws.com, but I've seen answers claiming that the site should be accessible via HTTPS at https://www.example.com.s3-website.eu-west-2.amazonaws.com. This doesn't work though.
Did AWS used to support HTTPS for static sites and have now stopped it, or do I need to enable it somehow?
The website hosting section on S3 now has this note at the bottom of the page:
The Amazon S3 website endpoints do not support HTTPS. For information about using HTTPS with an Amazon S3 bucket, see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket? and Requiring HTTPS for Communication Between CloudFront and Your Amazon S3 Origin.
Seems the only option now is to use CloudFront. Quite disappointing when you just want a quick and dirty HTTPS website and would happily use https://examplebucket.s3-website-us-west-2.amazonaws.com/ as the URL, which would work fine with a wildcard SSL certificate.
So the answer is no, it's not possible to use HTTPS for S3 static websites directly like I'm trying to do. From the docs:
Note the following about using HTTPS when the origin is an Amazon S3
bucket:
* If your Amazon S3 bucket is configured as a website endpoint, you can't
configure CloudFront to use HTTPS to communicate with your
origin because Amazon S3 doesn't support HTTPS connections in that
configuration.
You cannot use periods in the bucket name. If you do use periods, Amazon's wildcard certificate won't work.
Quoting the BucketRestrictions documentation:
When you use virtual hosted–style buckets with Secure Sockets Layer (SSL), the SSL wildcard certificate only matches buckets that don't contain periods. To work around this, use HTTP or write your own certificate verification logic. We recommend that you do not use periods (".") in bucket names when using virtual hosted–style buckets.
I try access to Amazon AWS S3 with https.
This link with http works: http://sc-st01.s3-website-eu-west-1.amazonaws.com/
But this not: https://sc-st01.s3-website-eu-west-1.amazonaws.com/
Is there any setting to enable it?
I use CNAME also but i think the problem is in access to https.
Thank you for any advice.
UPDATE: This refers to using S3 to host static web content.
If you are using your S3 bucket to host static web content, then HTTPS isn't supported. To quote the AWS doc, it says under the Test your website section:
Note
HTTPS access to the website is not supported.
Not very helpful. If you are interested in learning how S3 virtual hosting works, you can read more about it here.
To serve your static web content over HTTPS, you will need to set up an AWS CloudFront distribution, which is quite straight forward via the AWS Management Console. The only configurations that will require special attentions are:
Origin Domain Name: This should refer to the URI of your S3 bucket. In your case, it will be sc-st01.s3-website-eu-west-1.amazonaws.com
Viewer Protocol Policy: Default to HTTP and HTTPS Only
Alternate Domain Names (CNAMEs): CNAME you set up in your DNS.
SSL Certificate: Either Default CloudFront Certificate or Custom SSL Certificate if you have one. Note that setting up custom SSL certificate is more involved as it needs to be uploaded to the IAM.
Default Root Object: The default file you want to serve when your user visits your static web site.
Once you're done with setting up the configurations, it will usually take 5 to 10 minutes for the new distribution to be fully configured and set up. Refer the Status field on the CloudFront management dashboard for progress. When ready, you will see the new Domain Name of your distribution. You should be able to access the static web content in your S3 bucket (assuming that the permissions of the content is granted to Everyone) by navigating to the http: or https:// URL of your distribution Domain Name.
I will also recommend checking out the CloudFront pricing to ensure if you are aware of what is free, and what isn't.
I'm about to launch a static website using S3/Cloudfront. I don't need HTTPS for the site, but the current iteration of the website is served over HTTPS and has hundreds of links and indexed URLs that are HTTPS.
I've been searching for hours and can't find a way to redirect our HTTPS URLs to HTTP when only using S3/Cloudfront. Currently the HTTPS URL will refuse the connection instead of redirecting to the HTTP version of the page.
With no Apache it seems it is not possible to do this. Any hints?
Static website hosting on S3 does not support HTTPS unless you use the full domain path, i.e. example.com.s3-website-us-east-1.amazonaws.com. Since you want to keep your URL, you'll have to use a CloudFront distribution to handle SSL.
Upload your SSL certificate to CloudFront:
aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file --path /cloudfront/path/ [1]
Create a cloudfront distribution and configure as so:
Origin Domain Name: your s3 bucket's public static website hosting endpoint (not the endpoint that CloudFront autocompletes)
Alternate Domain Names (CNAMEs): desired location for your website, e.g. example.com or www.example.com
SSL Certificate: Select the SSL certificate you uploaded in step 1.
Custom SSL Client Support: Unless you need compatibility for really old clients, select "Only Clients that support Server Name Indication" and save $600.
If you are redirecting https to s3 redirect, the origin domain should not be the autocomplete bucket, but the static redirect endpoint s3 gives you
Save your distribution. It should show Status "In Progress". It generally takes ~15 minutes before a distribution is "Deployed"; don't move on to step 4 until your distribution is "Deployed".
Verify the distribution works: navigate to the CloudFront distribution via the domain name in the list, e.g. "https//d111111abcdef8.cloudfront.net/". You should see your website.
Change your DNS records to point to the CloudFront distribution instead of the S3 bucket.
[1] if you have trouble adding your certificate to CloudFront check out this article for further information: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-and-https-procedure