Restrict access to AWS Cloudfront hosted content - amazon-web-services

A "rival" application has admitted that they are scraping all of my static content (images/audio files) that is hosted on AWS CloudFront.
Is it possible to put a block on the content being accessed unless it is requested from my web domain?
For example - https://d2z2xv99psdbxu.cloudfront.net/audio/SF697497-01-01-01.mp3 can only be played if it is played from xyz.com.
I had thought about only allowing access from my server IP, but I am also using Cloudflare CDN. Is there a workaround?

AWS CloudFront supports custom ACLs (Access Control Lists) via AWS WAF.
You should be able to limit requests to your own domain in the ACL.
Here are a couple of similar scenarios:
https://aws.amazon.com/blogs/security/how-to-prevent-hotlinking-by-using-aws-waf-amazon-cloudfront-and-referer-checking/
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-cloudfront-distribution.html
Hope it helps!
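The answer's approach, Referer checking in a WAF web ACL in front of the distribution, as an added example that is not part of the original answer or the linked AWS post. The rule dict follows the AWS WAFv2 API shape (a ByteMatchStatement on the Referer header with a LOWERCASE transformation), and `evaluate_request` applies the same matching semantics locally to constructed requests so the allow/block decision can be checked offline. The allowed prefixes stand in for the asker's "xyz.com" and are assumptions.

```python
"""Referer-based hotlink protection for a CloudFront distribution.

Added example, not from the original answer: the rule dict follows the AWS
WAFv2 API shape and `evaluate_request` mirrors its matching semantics locally.
"""
from typing import Dict, List

# Sites allowed to embed the content; assumed values standing in for "xyz.com".
# Trailing slash included so "https://xyz.com.evil.example/" does not match.
ALLOWED_REFERER_PREFIXES = ["https://xyz.com/", "https://www.xyz.com/"]


def _referer_match(prefix: str) -> Dict:
    """One WAFv2 statement: Referer header, lowercased, starts with `prefix`."""
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "referer"}},
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": prefix.lower().encode(),
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        }
    }


def build_web_acl(prefixes: List[str]) -> Dict:
    """Web ACL (Scope=CLOUDFRONT): allow requests whose Referer starts with an
    allowed prefix, block everything else, including requests with no Referer.
    WAFv2 requires at least two sub-statements in an OrStatement, so a single
    prefix is used directly."""
    statements = [_referer_match(p) for p in prefixes]
    statement = statements[0] if len(statements) == 1 else {"OrStatement": {"Statements": statements}}
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": "hotlink-protection",
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Block": {}},
        "Rules": [
            {
                "Name": "allow-own-site-referer",
                "Priority": 0,
                "Action": {"Allow": {}},
                "Statement": statement,
                "VisibilityConfig": {**visibility, "MetricName": "allowOwnSiteReferer"},
            }
        ],
        "VisibilityConfig": {**visibility, "MetricName": "hotlinkProtection"},
    }


def _statement_matches(stmt: Dict, headers: Dict[str, str]) -> bool:
    """Local evaluator for the subset of WAFv2 statements built above."""
    if "OrStatement" in stmt:
        return any(_statement_matches(s, headers) for s in stmt["OrStatement"]["Statements"])
    bm = stmt["ByteMatchStatement"]
    value = headers.get(bm["FieldToMatch"]["SingleHeader"]["Name"].lower())
    if value is None:
        return False  # a missing header never matches a ByteMatchStatement
    for transform in bm["TextTransformations"]:
        if transform["Type"] == "LOWERCASE":
            value = value.lower()
    return value.startswith(bm["SearchString"].decode())


def evaluate_request(web_acl: Dict, headers: Dict[str, str]) -> str:
    """Return 'ALLOW' or 'BLOCK': the first matching rule (by Priority) wins,
    otherwise the web ACL's DefaultAction applies."""
    normalized = {k.lower(): v for k, v in headers.items()}
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _statement_matches(rule["Statement"], normalized):
            return next(iter(rule["Action"])).upper()
    return next(iter(web_acl["DefaultAction"])).upper()


WEB_ACL = build_web_acl(ALLOWED_REFERER_PREFIXES)

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "own site, https": {"Referer": "https://xyz.com/player?track=1"},
    "own site, odd casing": {"REFERER": "HTTPS://WWW.XYZ.COM/album"},
    "rival site": {"Referer": "https://rival.example/scraper"},
    "no referer (curl, or strict Referrer-Policy)": {},
}


def decisions() -> Dict[str, str]:
    """Verdict for each sample request."""
    return {name: evaluate_request(WEB_ACL, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:5} {name}")
```

The "no referer" case shows the trade-off: the rule blocks anyone who opens the MP3 URL directly or browses with a strict Referrer-Policy, while a scraper that sets its own Referer header passes. Referer checking is therefore a deterrent against casual hotlinking rather than access control; where the content must actually be protected, CloudFront signed URLs or signed cookies tie access to a key the scraper does not hold.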

Related

Is it possible to add a website's IP to an API's IP whitelist?

I have an AWS API that I created which is accessible through a URL. I wanted to make this API accessible only to my front end, which is hosted on a static S3 bucket. Is there any way I could add the front end's IP (the S3 bucket's IP) to the API IP whitelist?
So far I have tried using the "Access-Control-Allow-Origin" CORS policy and set it to my website's URL, but this didn't seem to work and I was still able to call the API with Postman.
S3 buckets don't have static IP addresses. Besides, the S3 bucket doesn't make the requests to your API. S3 just serves files up to your users' web browsers. Those web browsers render the web page and run the JavaScript code in those files. The JavaScript code making API requests to your API is running in each of your users' web browsers. The IP address that the API request is coming from is the IP of each user's laptop or desktop PC.
So no, your idea of whitelisting the S3 bucket's IP address will not work.

Google Domains to AWS Route53 HTTPS

I have a domain hosted through Google. I'm using Google Workspace for a lot of my day-to-day operations (e.g. Drive, Gmail, etc.). I'm using AWS as my infrastructure and business logic for my application. I'm having trouble making my site support TLS. If you visit it now, you get this on Chrome and I can't seem to make HTTPS requests work.
I have my domain pointing to AWS via a custom name server.
My Route 53 has the NS type records listed under the hosted zone.
I've tried to request a certificate from AWS to make it work.
My problem is I don't know how to tell Google about it. How do you let Google know about the certificate so I can make my site HTTPS?
I believe approaching Google is not going to solve your issue, as in the above case Google is only responsible for hosting your domain. So the DNS setup is only responsible for routing requests to your site, not for making your site more secure.
I also found that you are exposing your site as http rather than https, and that's why your site is unsecured.
Is your site running on a web server, or is it hosted on S3 as a static website?
Note: you can't enable HTTPS on an S3 static website.
The workaround to the above problem is below:
Route 53 has an A record pointing to an ALB (configured with ACM) distributing traffic to EC2 instances running your web application.
If anyone is still looking: I wanted to keep it cheap with a simple S3 static website. If you want to maintain the S3 part, make a CloudFront distribution (if you haven't already).
Inside CloudFront, under the main settings, use a certificate you made from Certificate Manager.
Then head over to Route 53 (even if the domain is hosted via Google) and route the "A" name record to the CloudFront distribution. NOTE: make sure the "Alternate Domain" name is filled in or else it won't see it.
Let it update for about a minute or two and it will show https.

HTTP redirects in the AWS world, anything better than S3+CloudFront?

I'm moving my domain names from Cloudflare's DNS to AWS Route 53, and in some cases I'm using Cloudflare's redirects for projects that are dead so that their domains go to a page in another domain, so https://projectx.com goes to https://example.com/projectx-is-no-more.
I want to replicate this in AWS and what I found so far is this:
Set up an S3 bucket with the redirect to the desired URL, https://example.com/projectx-is-no-more
Set up CloudFront for the domain, projectx.com
Generate the TLS cert for projectx.com and add it to CloudFront so it can serve both https and http.
Set up Route53 to resolve the domain name to CloudFront.
I set it up, it's working, I'm even using CDK so I'm not doing it manually. But I'm wondering if there's a way of setting up these redirects that requires less moving pieces. It sounds like such a redirect would be a common enough problem that maybe Route53 or CloudFront would have a shortcut. Are there any?
Update: using only S3 doesn't work because S3 cannot serve https://projectx.com. S3 has no method by which it can respond to HTTPS request for arbitrary domains, there's no way of adding a TLS certificate (and keys) for another domain.
I checked for information and see only three possible solutions:
1. Set up CloudFront + S3 *
2. Set up Application Load Balancer
3. Set up API Gateway + Lambda (a mock integration may be used instead of Lambda, which should reduce the service cost)
4. Use GitHub Pages with a custom domain
* S3 supports only HTTP traffic, so we need to add CloudFront for HTTPS:
Amazon S3 does not support HTTPS access to the website. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.
In my opinion the 2nd way is super easy to set up, but running an ALB 24/7 is a little bit expensive. On the other hand, Lambda and API Gateway pricing depends on the request count. CloudFront seems to be cheaper than ALB too.
So the better solution depends on how many requests you have.
The 4th solution depends on the GitHub platform (wider than an AWS-only scope), but it is absolutely free and supports custom domains and Let's Encrypt certificates out of the box.
You just need to create a repository with a static index.html file that will do the redirects.
You can do it without including CloudFront.
What you need to do is create an S3 bucket named projectx.com. In Properties, go to Static website hosting. Enable static website hosting and choose Redirect as the hosting type (add the redirection URL).
You will still need to set up Route 53, but you will now add an alias to this projectx.com bucket instead of going to CloudFront.
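The S3-only redirect described in this answer, as an added example that is neither the answerer's nor AWS's code. The two WebsiteConfiguration dicts use the real S3 website-hosting keys (RedirectAllRequestsTo, RoutingRules), and `resolve_redirect` applies the documented redirect semantics locally so the resulting Location header can be checked before deploying. The host names are the question's placeholders. Per the question's update, an S3 website endpoint answers only over HTTP, so https://projectx.com still needs CloudFront in front of this bucket; the redirect target itself can be https.

```python
"""Model of S3 static-website redirect configuration (added example).

RedirectAllRequestsTo only carries HostName and Protocol, so it preserves
the requested key; to send every request to one fixed landing page a
RoutingRule with ReplaceKeyWith is needed. `resolve_redirect` reproduces
the documented behaviour locally; it is not the S3 service code.
"""
from typing import Dict, Optional, Tuple

# "Redirect requests for an object": whole site moves, paths preserved.
REDIRECT_ALL = {"RedirectAllRequestsTo": {"HostName": "example.com", "Protocol": "https"}}

# Routing rule with no Condition, which applies to every request (the asker's
# case: any URL on projectx.com lands on one page). HttpRedirectCode is a string
# in the S3 API; 301 is also the default.
ROUTING_RULES = {
    "IndexDocument": {"Suffix": "index.html"},
    "RoutingRules": [
        {
            "Redirect": {
                "HostName": "example.com",
                "Protocol": "https",
                "ReplaceKeyWith": "projectx-is-no-more",
                "HttpRedirectCode": "301",
            }
        }
    ],
}

# Prefix-scoped rule: only /docs/* moves, and keeps the rest of the key.
PREFIX_RULES = {
    "IndexDocument": {"Suffix": "index.html"},
    "RoutingRules": [
        {
            "Condition": {"KeyPrefixEquals": "docs/"},
            "Redirect": {"HostName": "example.com", "Protocol": "https",
                         "ReplaceKeyPrefixWith": "documents/"},
        }
    ],
}


def resolve_redirect(website_config: Dict, request_host: str, request_path: str,
                     request_scheme: str = "http") -> Optional[Tuple[int, str]]:
    """Return (status, Location) for a redirected request, or None when the
    request would be served from the bucket. Assumption: routing rules are
    matched against the raw request key and the first match wins."""
    key = request_path.lstrip("/")
    redirect_all = website_config.get("RedirectAllRequestsTo")
    if redirect_all:
        proto = redirect_all.get("Protocol", request_scheme)
        return 301, f"{proto}://{redirect_all['HostName']}/{key}"
    for rule in website_config.get("RoutingRules", []):
        cond = rule.get("Condition", {})
        if "HttpErrorCodeReturnedEquals" in cond:
            continue  # depends on the bucket's own response; not modelled here
        prefix = cond.get("KeyPrefixEquals")
        if prefix is not None and not key.startswith(prefix):
            continue
        redirect = rule["Redirect"]
        if "ReplaceKeyWith" in redirect:
            new_key = redirect["ReplaceKeyWith"]
        elif "ReplaceKeyPrefixWith" in redirect and prefix is not None:
            new_key = redirect["ReplaceKeyPrefixWith"] + key[len(prefix):]
        else:
            new_key = key
        proto = redirect.get("Protocol", request_scheme)
        host = redirect.get("HostName", request_host)
        return int(redirect.get("HttpRedirectCode", "301")), f"{proto}://{host}/{new_key}"
    return None


if __name__ == "__main__":
    for label, cfg in [("redirect-all", REDIRECT_ALL), ("routing-rule", ROUTING_RULES)]:
        print(label, resolve_redirect(cfg, "projectx.com", "/docs/intro.html"))
```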

https on S3 WITHOUT cloudfront possible?

We currently want to start hosting all our assets through AWS S3, and we also want to serve everything over HTTPS. I understand I can use the Amazon Certificate Manager (ACM) with CloudFront to serve assets over HTTPS. The problem is that we are in the medical industry and we are legally prohibited from hosting anything outside the EU. With S3 I can choose a location (Frankfurt for us), but with CloudFront I just get this option:
So I thought that I could maybe use Let's Encrypt to generate my own certs. But I think I then still need to use ACM, which only works with CloudFront, which means I still can't use it.
Does anybody know if I can somehow set up S3 with HTTPS but without CloudFront?
Unfortunately you can't use an SSL certificate with your custom domain with S3. You can use the S3 domain with the Amazon SSL certificate like: https://my-example-bucket.s3-website-us-east-1.amazonaws.com.
If you want to use a custom domain with SSL, and you can't use CloudFront, then you will need to look into placing some other proxy in front of S3 like your own Nginx server or something.
In AWS API Gateway, you can create a proxy resource /{proxy+} that maps to the s3-website endpoint.
Be sure to map not to s3 alone, but to s3-website, so you get PATH/TO/DIR/index.html returned for PATH/TO/DIR, and possibly other things working as desired.
API Gateway is served over HTTPS, optionally under your own domain.
This is not a very good option though, because you have to manually add all allowed HTTP return codes, and there's a limit of 10 MB payload in a request, as this service is aimed at REST APIs.
Below is a useful resource schedule. Both S3 and CloudFront are available in the EU. You can certainly present S3 via CloudFront.
I understand the requirements to host within a territorial boundary. The requirements for that you will achieve with S3 in the EU region. CloudFront is not a hosting service; it is a CDN (Content Delivery Network) using high-performance leased lines and manageable endpoint caching. The issue you are looking at is the price options, not the hosting location. If you want to serve content in the EU you would want 'Price Class 100' or 'Price Class All'.
When using CloudFront you can control both which IP ranges can access your material and the encryption of both front-end and back-end traffic. Check out some of the design patterns.
There are some excellent white papers and design patterns for setting up secure CloudFront. I think you will find that you can do what you want and stay well within the legal requirements.
http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
https://aws.amazon.com/compliance/eu-data-protection/
Also check out the AWS docs 'using-https-cloudfront-to-s3-origin' & 'custom-ssl-domains'.
P.S. Ensure that you set the bucket permissions to only be available via the CloudFront channel.
RL
CloudFront has a feature for whitelisting/blacklisting countries. I would try using any of the 3 CDN options you listed along with a whitelist of EU countries. I'm not sure what the easiest way to verify that other countries (e.g. US) are denied is, though.

Access to https on Amazon AWS S3 (5GB free) - Virtual Hosting

I am trying to access Amazon AWS S3 with HTTPS.
This link with http works: http://sc-st01.s3-website-eu-west-1.amazonaws.com/
But this one does not: https://sc-st01.s3-website-eu-west-1.amazonaws.com/
Is there any setting to enable it?
I use a CNAME also, but I think the problem is in access to HTTPS.
Thank you for any advice.
UPDATE: This refers to using S3 to host static web content.
If you are using your S3 bucket to host static web content, then HTTPS isn't supported. To quote the AWS doc, under the Test your website section it says:
Note
HTTPS access to the website is not supported.
Not very helpful. If you are interested in learning how S3 virtual hosting works, you can read more about it here.
To serve your static web content over HTTPS, you will need to set up an AWS CloudFront distribution, which is quite straightforward via the AWS Management Console. The only configurations that will require special attention are:
Origin Domain Name: This should refer to the URI of your S3 bucket. In your case, it will be sc-st01.s3-website-eu-west-1.amazonaws.com
Viewer Protocol Policy: Defaults to HTTP and HTTPS Only
Alternate Domain Names (CNAMEs): The CNAME you set up in your DNS.
SSL Certificate: Either Default CloudFront Certificate or Custom SSL Certificate if you have one. Note that setting up a custom SSL certificate is more involved, as it needs to be uploaded to IAM.
Default Root Object: The default file you want to serve when your user visits your static website.
Once you're done setting up the configuration, it will usually take 5 to 10 minutes for the new distribution to be fully configured and set up. Refer to the Status field on the CloudFront management dashboard for progress. When ready, you will see the new Domain Name of your distribution. You should be able to access the static web content in your S3 bucket (assuming that the permissions on the content are granted to Everyone) by navigating to the http:// or https:// URL of your distribution Domain Name.
I would also recommend checking out the CloudFront pricing to ensure you are aware of what is free and what isn't.
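A pre-flight check for the CloudFront settings this answer lists (origin domain, viewer protocol policy, alternate domain names, certificate, default root object), which also covers the "make sure the Alternate Domain name is filled in" pitfall from the Google Domains answer earlier on this page. This is an added example, not code from either answerer or from AWS: the config dicts follow the CloudFront DistributionConfig shape used by the API and boto3, and the checks are ours. The ACM ARN and account ID are placeholders; the S3 website endpoint is the one from the question.

```python
"""Validate a CloudFront DistributionConfig that fronts an S3 static website.

Added example: encodes the settings the answers single out as pitfalls, plus
two facts about the platform: S3 website endpoints speak only HTTP (so the
origin must be a custom origin with OriginProtocolPolicy 'http-only'), and
ACM certificates used by CloudFront must be issued in us-east-1.
"""
import re
from typing import Dict, List

# Both endpoint styles exist: bucket.s3-website-<region>... and bucket.s3-website.<region>...
S3_WEBSITE_ENDPOINT = re.compile(r"^[a-z0-9.-]+\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
VALID_VIEWER_POLICIES = {"allow-all", "redirect-to-https", "https-only"}


def validate_distribution(config: Dict) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []

    origins = config.get("Origins", {}).get("Items", [])
    if not origins:
        findings.append("Origins: no origin configured")
    for origin in origins:
        oid, domain = origin.get("Id", "?"), origin.get("DomainName", "")
        if not S3_WEBSITE_ENDPOINT.match(domain):
            findings.append(f"Origin {oid}: '{domain}' is not an S3 website endpoint "
                            "(expected <bucket>.s3-website-<region>.amazonaws.com)")
            continue
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            findings.append(f"Origin {oid}: a website endpoint must be a custom origin "
                            "(CustomOriginConfig), not S3OriginConfig")
        elif custom.get("OriginProtocolPolicy") != "http-only":
            findings.append(f"Origin {oid}: S3 website endpoints do not serve HTTPS; "
                            "set OriginProtocolPolicy to 'http-only'")

    policy = config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if policy not in VALID_VIEWER_POLICIES:
        findings.append(f"DefaultCacheBehavior: unknown ViewerProtocolPolicy {policy!r}")
    elif policy == "allow-all":
        findings.append("DefaultCacheBehavior: 'allow-all' still serves plaintext HTTP; "
                        "prefer 'redirect-to-https'")

    aliases = config.get("Aliases", {}).get("Items", [])
    cert = config.get("ViewerCertificate", {})
    acm_arn = cert.get("ACMCertificateArn")
    custom_cert = bool(acm_arn or cert.get("IAMCertificateId"))
    if custom_cert and not aliases:
        findings.append("Aliases: custom certificate set but no Alternate Domain Names; "
                        "CloudFront will not answer for the custom hostname")
    if aliases and not custom_cert:
        findings.append("ViewerCertificate: Alternate Domain Names set but only the default "
                        "*.cloudfront.net certificate; HTTPS on the custom domain will fail")
    if acm_arn and not acm_arn.startswith("arn:aws:acm:us-east-1:"):
        findings.append("ViewerCertificate: ACM certificates for CloudFront must be in us-east-1")
    if custom_cert and cert.get("SSLSupportMethod") != "sni-only":
        findings.append("ViewerCertificate: set SSLSupportMethod to 'sni-only'")

    if not config.get("DefaultRootObject"):
        findings.append("DefaultRootObject: not set (e.g. 'index.html')")
    return findings


# Constructed configs. Account ID and certificate ID are placeholders.
GOOD_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "s3-website",
        "DomainName": "sc-st01.s3-website-eu-west-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-website", "ViewerProtocolPolicy": "redirect-to-https"},
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
    "DefaultRootObject": "index.html",
}

BAD_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "s3-rest",
        "DomainName": "sc-st01.s3.amazonaws.com",  # REST endpoint, not the website endpoint
        "S3OriginConfig": {"OriginAccessIdentity": ""},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-rest", "ViewerProtocolPolicy": "allow-all"},
    "Aliases": {"Quantity": 0, "Items": []},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/PLACEHOLDER-CERT-ID",
    },
}

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("bad", BAD_CONFIG)]:
        print(name, validate_distribution(cfg) or "OK")
```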