Adding SSL certificates to Amazon AWS - S3 and AppSync

I am using Amazon AWS as a back-end for my application development. I am mainly using the following 2 AWS resources:
S3 bucket storage
AppSync (With DynamoDB as Data Source)
I want to use or 'apply' SSL certificates for security on the above 2 resources. I know I can create a certificate from AWS Certificate Manager.
The problem is the documentation mentions that certificates can only be applied to the below 6 resources:
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
Load Balancer
CloudFront
Elastic Beanstalk
API Gateway
Cloud Formation
Nitro Enclaves
I have already mentioned that I am using S3 and AppSync. These 2 resources are not in the above list. How do I apply certificates on these 2 resources, S3 and AppSync?
Do I need to do some kind of workaround?

You can create an AppSync API with the GraphQL endpoint (something like: https://abc.appsync.us-east-1.amazonaws.com/graphql) and set that API endpoint as the origin in a CloudFront distribution.
Please check this blog from AWS, which explains it better for AWS AppSync:
https://aws.amazon.com/blogs/mobile/use-a-custom-domain-with-aws-appsync-amazon-cloudfront-and-amazon-route-53/
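The pattern the answer describes, written out as a CloudFormation template; this is an added example, not code from the answer or the linked AWS post. The AppSync hostname, the custom domain, the certificate ARN and the hosted zone are placeholders supplied as parameters, and the certificate is assumed to already exist in ACM.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example: CloudFront distribution with an ACM certificate in front of an AppSync API
Parameters:
  AppSyncDomain:
    Type: String
    Default: abc.appsync.us-east-1.amazonaws.com   # placeholder, use your API's hostname
  CustomDomain:
    Type: String
    Default: api.example.com                       # placeholder
  CertificateArn:
    Type: String   # ACM certificate for CustomDomain; CloudFront requires it to live in us-east-1
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id

Resources:
  ApiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [!Ref CustomDomain]
        Origins:
          - Id: appsync
            DomainName: !Ref AppSyncDomain
            CustomOriginConfig:
              OriginProtocolPolicy: https-only      # CloudFront -> AppSync is TLS only
              OriginSSLProtocols: [TLSv1.2]
        DefaultCacheBehavior:
          TargetOriginId: appsync
          ViewerProtocolPolicy: redirect-to-https   # plain HTTP from clients is bounced to HTTPS
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]   # GraphQL uses POST
          CachedMethods: [GET, HEAD, OPTIONS]
          # AWS managed policies: CachingDisabled, and AllViewerExceptHostHeader so the
          # Authorization / x-api-key headers reach AppSync but the viewer's Host header does not
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021     # rejects TLS 1.0/1.1 clients
  ApiDnsRecord:   # api.example.com -> the distribution
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref CustomDomain
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # the fixed hosted zone id of all CloudFront distributions
```

Clients then talk TLS to CloudFront on the custom domain, and CloudFront talks TLS to the AppSync endpoint, so the plain AppSync URL never needs to appear in the app.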

Related

Calling an AWS lambda from a Static WebSite hosted in an S3 bucket

Currently I have a website that calls a lambda to perform CRUD operations. In AWS the website is hosted in an S3 bucket and the lambda in an EC2 instance. The website locally would refer to something like localhost:8080/parcelUpdate. How would this type of communication occur with an AWS VPC?
An AWS Lambda Function is not hosted on EC2†
You can put a Lambda Function behind an Application Load Balancer or API Gateway, and call it from there
https://docs.aws.amazon.com/lambda/latest/dg/services-alb.html
† Actually, it is deep down, but not YOUR EC2. It's hosted on AWS's own serverless framework in an AWS-managed VPC. It does technically run on an EC2 instance, but that's not something you need to manage

How to add a proxy to S3 so I can consume a service hosted in an EC2 instance?

I am new to AWS. I have hosted all the UI in an S3 bucket and used CloudFront too. Now I have hosted all the REST APIs in an EC2 instance.
angular UI -> s3 bucket (example.com)
backend SpringBoot restApi -> EC2 instance (api.example.com)
But can someone tell me how to consume the API calls hosted in EC2 (api.example.com) from the S3 (example.com) bucket / CloudFront?
I have hosted the Spring Boot REST API in an EC2 instance (api.example.com:8080).
The S3 bucket says method not allowed for the (GET, POST, PUT, DELETE) methods.
For the above reason I hard-coded api.example.com in the code, so all my requests will redirect to api.example.com -> here the issue is that the browser will not allow cross-origin requests.
Now I want to know how to make it work.
You need to enable CORS (Cross-Origin Resource Sharing) on your S3 bucket.
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.
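An S3 CORS configuration of the kind the answer refers to, as an added CloudFormation example (not code from the answer or from AWS), with an over-permissive rule shown commented out next to the restricted one. The origin https://example.com is a placeholder taken from the question.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example: S3 bucket whose CORS rules admit only the site's own origin
Parameters:
  SiteOrigin:
    Type: String
    Default: https://example.com   # placeholder: the origin the browser loads the UI from

Resources:
  UiBucket:
    Type: AWS::S3::Bucket
    Properties:
      CorsConfiguration:
        CorsRules:
          # Weak rule, shown for contrast: any page on the web may read or write objects
          # cross-origin (limited only by the bucket policy / IAM), and browsers cache that
          # permission for a day.
          # - AllowedOrigins: ["*"]
          #   AllowedMethods: [GET, PUT, POST, DELETE]
          #   AllowedHeaders: ["*"]
          #   MaxAge: 86400
          #
          # Restricted rule: one explicit origin and only the verbs the UI actually needs.
          - Id: ui-read-only
            AllowedOrigins: [!Ref SiteOrigin]
            AllowedMethods: [GET, HEAD]
            AllowedHeaders: [Authorization, Content-Type]
            ExposedHeaders: [ETag]
            MaxAge: 3600

Outputs:
  BucketName:
    Value: !Ref UiBucket
```

The browser evaluates CORS headers from whichever host answers the request, so a server the UI calls on another hostname needs an equivalent allow-list of its own.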

How to retrieve a cert from ACM in .ebextensions file for single instance beanstalk app?

Is there a way to retrieve a certificate from Amazon Certificate Manager in the .ebextensions file for a single beanstalk instance without a load balancer?
The documentation only shows a way to retrieve a certificate from an S3 Bucket. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html
I'm considering rebuilding my app environment with an 'application' load balancer for this cert manager convenience even though I don't need it for this lightly used internal app. We don't have an S3 Bucket set up and I think the cost of that would be almost the same as a load balancer.
Unfortunately, there is no way to export the ACM private key for use outside of the service.
Please see How do I retrieve the private key for a certificate generated on AWS Certificate Manager? and https://serverfault.com/questions/822035/download-ssl-certificate-from-aws-certificate-manager
Like #Rodrigo said, it's not possible to use the ACM cert on a single-instance setup.
You can use the ACM certificate only with certain AWS services. As of today, here is the list of services that support ACM certs.
• Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
• Amazon CloudFront – Refer to the CloudFront documentation
• Amazon API Gateway – Refer to the API Gateway documentation
• AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
Reference:
With which AWS services can I use ACM certificates?

Do you think we would need a CDN in front of an api gateway?

We are using AWS and using the Kong API gateway hosted in AWS.
Do you think we would need a CDN in front this API gateway?
We don't need much caching, as well as we can attach the WAF in AWS to the alb.
Yes, this is a common pattern for API Protection in AWS.
Here is a good article by AWS on setting up CloudFront and WAF with AWS API Gateway, though the same principles apply to any API gateway:
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/

How to get SSL certificate

I have purchased a domain from godaddy provider and I launched an application with AWS route 53 service.
My questions:
Where to get an SSL certificate? GoDaddy or AWS
How to setup SSL certificate?
Please tell me
This depends upon your use case, or where you are running your application: ECS, EC2, or some static website over S3?
If you are using a load balancer on top of your application, then the certificate from AWS is best. You don't need to worry about renewal etc. or any other configuration; just create the load balancer with AWS Certificate Manager.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html
CloudFront:
Here is the link on how you can configure it with CloudFront.
If you want to configure it directly on your EC2 instance, then it's not possible.
Although you install your website on an Amazon EC2 instance, you cannot directly deploy an ACM Certificate on that instance (source: AWS Doc)
Here is the list of services on which you can use an AWS certificate.
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway
AWS CloudFormation
Services Integrated with AWS Certificate Manager
You mention that you launched the application with Route 53, so I want to clear one thing up:
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service.
So Route 53 is DNS and it can be configured with
Amazon Route 53 effectively connects user requests to infrastructure running in AWS – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of AWS.
Amazon Route 53
We are using an AWS certificate and we feel good with AWS services, far better than any other service provider in our case.
Let me know if you need further details.
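The load-balancer option from the answer, as an added CloudFormation example (not the answer's own code): ACM issues a DNS-validated certificate for the Route 53 name and an application load balancer terminates TLS with it, redirecting port 80 to 443. The domain name, hosted zone, load balancer and target group are placeholders/assumed to exist already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example: ACM-issued certificate terminated on an application load balancer
Parameters:
  DomainName:
    Type: String
    Default: www.example.com                # placeholder: the name served through Route 53
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id      # the zone Route 53 hosts for the GoDaddy-bought domain
  LoadBalancerArn:
    Type: String                            # an existing application load balancer (assumed)
  TargetGroupArn:
    Type: String                            # target group holding the EC2/ECS targets (assumed)
Resources:
  # ACM issues and renews the certificate; the validation CNAME is written into the zone
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
  # TLS terminates here; the private key never leaves ACM, which is why the instance cannot use it
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2+ only
      Certificates:
        - CertificateArn: !Ref SiteCertificate
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
  # Port 80 exists only to send clients to HTTPS
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
```

Renewal is handled by ACM as long as the validation CNAME stays in the hosted zone, which is the "no renewal worries" the answer refers to.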