Can someone explain why, when Amazon S3 uses a wildcard SSL certificate, you can not access the static website through https?
For accessing static website over https you would need to user cloudfront on top of your bucket.
for installing a SSL certificate you would need a server, well S3 is just for storage, you cannot install SSL certificate over S3.
https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/
Related
I have a static website on AWS S3 and it requests various APIs of a backend server which has a self signed certificate. The static website is HTTPS enabled with AWS certificate and running using cloudfront.
I want to enable this connection of real SSL certificate with my self signed certificate backend.
So is it possible to store this self signed certificate as a trusted certificate for S3 static website server?
There is no trusted certificate store in an S3 bucket. S3 just stores your website files, it doesn't run the actual website code. When a person visits your website, their web browser downloads the files from S3/CloudFront, and then executes your website inside the local web browser.
You would have to add your self-signed certificate to the trusted store of each visitor's computer. Unless you only have a few users, and you have administrator access to their laptops, the better solution is to use a real SSL certificate on your server.
We are running a static website in S3 using CloudFront for distribution. CloudFront has an SSL Certificate assigned, so we are receiving HTTPS traffic and redirecting HTTP to HTTPS.
What I'm trying to determine is that does mean that TLS is enforced from CloudFront to the S3 Static Site?
If so, I am looking for a reference stating that - we need to have end to end encryption applied for compliance and I need to be able to verify/prove that this is in place.
Thanks !!!
does mean that TLS is enforced from CloudFront to the S3 Static Site?
No its not. Static S3 websites are HTTP only. Docs explain that:
If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration.
we need to have end to end encryption applied for compliance
For end-to-end ssl you have to setup setup origin access identity (OAI) for your CF. This means that the bucket can't be in website mode. Instead, it has to be configured for OAI access as explained in the docs. To enforce HTTPS between CF and S3 you must ensure that your "Viewer Protocol Policy to Redirect HTTP to HTTPS or HTTPS Only".
I am currently experiencing an issue with AWS S3 Buckets. I've successfully managed to set the roles and permission for specific objects and make some of them downloadable for everyone via a specific link.
https://<sub-domain>.s3.eu-central-1.amazonaws.com/path/path/a87cd6a9-a2d9-4231-beb3-6b1e76d90490/8e958264-4baf-4fbe-918b-c30d9d450671.jpg
This link is a download link for an image and when I click it the browser recommends me to "Stay Safe" and the connection to this Server is not privat / secure.
Any ideas how I can verify the SSL Certificate?
You can't use https for downloading objects from S3. Its only available through http, thus there are no certificates to validate. For ssl you need to use CloudFront with S3:
How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?
Setup AWS S3 static website hosting using SSL (ACM)
Documentation
Offers only HTTP, how to make it to work on HTTPS? Is it possible?
I configured and it is working fine for HTTP, but for HTTPS I'm getting
This site can’t be reached
Even though I created certificates to my domain in AWS Certificate Manager.
CloudFront can be used to serve HTTPS request for static website hosted on S3.
Here is some AWS documentation https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-requests-s3/
Also, i found this blog very explanatory - https://medium.com/#sbuckpesch/setup-aws-s3-static-website-hosting-using-ssl-acm-34d41d32e394
Hope this helps.
To configure HTTPS for Static website hosted using S3 as Web site feature, you have to configure AWS CloudFront to serve the website from the CDN locations and ACM can be configured on CloudFront distribution.
Create the Route 53 record set pointing to CloudFront Distribution Endpoint
This way you can server the S3 website on HTTPS and also it will reduce latency as well to your end users request.
Hope this helps
I've got a static S3 website. When I log in, I can see that the endpoint is http://www.example.com.s3-website.eu-west-2.amazonaws.com, but I've seen answers claiming that the site should be accessible via HTTPS at https://www.example.com.s3-website.eu-west-2.amazonaws.com. This doesn't work though.
Did AWS used to support HTTPS for static sites and have now stopped it, or do I need to enable it somehow?
The website hosting section on S3 now has this note at the bottom of the page:
The Amazon S3 website endpoints do not support HTTPS. For information about using HTTPS with an Amazon S3 bucket, see How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket? and Requiring HTTPS for Communication Between CloudFront and Your Amazon S3 Origin.
Seems the only option now is to use CloudFront. Quite disappointing when you just want a quick and dirty HTTPS website and would happily use https://examplebucket.s3-website-us-west-2.amazonaws.com/ as the URL, which would work fine with a wildcard SSL certificate.
So the answer is no, it's not possible to use HTTPS for S3 static websites directly like I'm trying to do. From the docs:
Note the following about using HTTPS when the origin is an Amazon S3
bucket:
* If your Amazon S3 bucket is configured as a website endpoint, you can't
configure CloudFront to use HTTPS to communicate with your
origin because Amazon S3 doesn't support HTTPS connections in that
configuration.
You cannot use periods in the bucket name. If you do use periods, Amazon's wildcard certificate won't work.
Quoting the BucketRestrictions documentation:
When you use virtual hosted–style buckets with Secure Sockets Layer (SSL), the SSL wildcard certificate only matches buckets that don't contain periods. To work around this, use HTTP or write your own certificate verification logic. We recommend that you do not use periods (".") in bucket names when using virtual hosted–style buckets.