Access to https on Amazon AWS S3 (5GB free) - Virtual Hosting - amazon-web-services

I am trying to access Amazon AWS S3 over HTTPS.
This link with HTTP works: http://sc-st01.s3-website-eu-west-1.amazonaws.com/
But this one does not: https://sc-st01.s3-website-eu-west-1.amazonaws.com/
Is there any setting to enable it?
I also use a CNAME, but I think the problem is with HTTPS access.
Thank you for any advice.
UPDATE: This refers to using S3 to host static web content.

If you are using your S3 bucket to host static web content, then HTTPS isn't supported. To quote the AWS doc, it says under the Test your website section:
Note
HTTPS access to the website is not supported.
Not very helpful. If you are interested in learning how S3 virtual hosting works, you can read more about it here.
To serve your static web content over HTTPS, you will need to set up an AWS CloudFront distribution, which is quite straightforward via the AWS Management Console. The only configurations that will require special attention are:
Origin Domain Name: This should refer to the URI of your S3 bucket. In your case, it will be sc-st01.s3-website-eu-west-1.amazonaws.com
Viewer Protocol Policy: Default to HTTP and HTTPS Only
Alternate Domain Names (CNAMEs): CNAME you set up in your DNS.
SSL Certificate: Either Default CloudFront Certificate or Custom SSL Certificate if you have one. Note that setting up a custom SSL certificate is more involved as it needs to be uploaded to IAM.
Default Root Object: The default file you want to serve when your user visits your static web site.
Once you're done setting up the configuration, it will usually take 5 to 10 minutes for the new distribution to be fully configured and set up. Refer to the Status field on the CloudFront management dashboard for progress. When ready, you will see the new Domain Name of your distribution. You should be able to access the static web content in your S3 bucket (assuming that permissions on the content are granted to Everyone) by navigating to the http:// or https:// URL of your distribution Domain Name.
I also recommend checking out the CloudFront pricing to ensure you are aware of what is free and what isn't.

Related

HTTP redirects in the AWS world, anything better than S3+CloudFront?

I'm moving my domain names from CloudFlare's DNS to AWS Route53, and in some cases I'm using CloudFlare's redirects for projects that are dead so that their domains go to a page in another domain, so https://projectx.com goes to https://example.com/projectx-is-no-more.
I want to replicate this in AWS and what I found so far is this:
Set up an S3 bucket with the redirect to the desired URL, https://example.com/projectx-is-no-more
Set up CloudFront for the domain, projectx.com
Generate the TLS cert for projectx.com and add it to CloudFront so it can serve both https and http.
Set up Route53 to resolve the domain name to CloudFront.
I set it up, it's working, and I'm even using CDK so I'm not doing it manually. But I'm wondering if there's a way of setting up these redirects that requires fewer moving pieces. It sounds like such a redirect would be a common enough problem that maybe Route53 or CloudFront would have a shortcut. Are there any?
Update: using only S3 doesn't work because S3 cannot serve https://projectx.com. S3 has no method by which it can respond to HTTPS requests for arbitrary domains; there's no way of adding a TLS certificate (and keys) for another domain.
I checked for information and see only three possible solutions:
Set up CloudFront + S3 *
Set up Application Load Balancer
Set up API Gateway + Lambda (mock integration may be used instead of Lambda, that should reduce service cost)
Use GitHub pages with custom domain
※ S3 supports only HTTP traffic, so we need to add CloudFront for HTTPS:
Amazon S3 does not support HTTPS access to the website. If you want to use HTTPS, you can use Amazon CloudFront to serve a static website hosted on Amazon S3.
In my opinion the 2nd way is super easy to set up, but running an ALB 24/7 is a little bit expensive. On the other hand, Lambda and API Gateway pricing depends on the request count. CloudFront seems to be cheaper than ALB too.
So the better solution depends on how many requests you have.
The 4th solution depends on the GitHub platform (a wider scope than AWS only), but it is absolutely free and supports custom domains and Let's Encrypt certificates out of the box.
You just need to create a repository with a static index.html file that will do the redirects.
You can do it without including CloudFront.
What you need to do is create S3 bucket projectx.com. In Properties go to Static website hosting. Enable static website hosting and choose Redirect as a hosting type (add the redirection URL).
You will still need to set up Route53, but you will now add alias to this projectx.com bucket, instead of going to CloudFront

Encryption between S3 Static Web Site and CloudFront

We are running a static website in S3 using CloudFront for distribution. CloudFront has an SSL Certificate assigned, so we are receiving HTTPS traffic and redirecting HTTP to HTTPS.
What I'm trying to determine is: does that mean that TLS is enforced from CloudFront to the S3 Static Site?
If so, I am looking for a reference stating that - we need to have end to end encryption applied for compliance and I need to be able to verify/prove that this is in place.
Thanks !!!
does mean that TLS is enforced from CloudFront to the S3 Static Site?
No, it's not. Static S3 websites are HTTP only. The docs explain that:
If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration.
we need to have end to end encryption applied for compliance
For end-to-end SSL you have to set up an origin access identity (OAI) for your CF. This means that the bucket can't be in website mode. Instead, it has to be configured for OAI access as explained in the docs. To enforce HTTPS between CF and S3 you must ensure that your "Viewer Protocol Policy" is set to "Redirect HTTP to HTTPS" or "HTTPS Only".
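For the "verify/prove" part of the question, one way to check a distribution against the answer above is to audit its configuration. This is an added example, not code from the original posts: it assumes the config has the shape returned by the CloudFront GetDistributionConfig API, and the two sample configs, bucket names and OAI id are constructed placeholders.

```python
import re

# S3 website endpoints (bucket.s3-website-REGION... or bucket.s3-website.REGION...)
# accept HTTP only, so CloudFront cannot use TLS towards them.
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
SECURE_VIEWER = {"redirect-to-https", "https-only"}

def audit_distribution(config):
    """Return findings for hops that can carry HTTP or origins left open."""
    findings = []
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        # For S3 REST origins CloudFront reuses the viewer's protocol, so this
        # policy also decides whether the CloudFront-to-S3 hop is encrypted.
        if b["ViewerProtocolPolicy"] not in SECURE_VIEWER:
            findings.append(f"viewer: {b.get('PathPattern', 'default')} allows HTTP")
    for origin in config["Origins"]["Items"]:
        name = origin["DomainName"]
        custom = origin.get("CustomOriginConfig")
        if WEBSITE_ENDPOINT.search(name):
            findings.append(f"origin: {name} is an S3 website endpoint (HTTP only)")
        elif custom and custom["OriginProtocolPolicy"] != "https-only":
            findings.append(f"origin: {name} uses {custom['OriginProtocolPolicy']}")
        elif not custom and not (
            origin.get("S3OriginConfig", {}).get("OriginAccessIdentity")
            or origin.get("OriginAccessControlId")
        ):
            findings.append(f"origin: {name} has no origin access identity/control")
    return findings

# Constructed sample configs (bucket names and the OAI id are placeholders).
WEBSITE_MODE = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "Origins": {"Items": [{
        "DomainName": "example-bucket.s3-website-eu-west-1.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"},
    }]},
}
REST_WITH_OAI = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "Origins": {"Items": [{
        "DomainName": "example-bucket.s3.eu-west-1.amazonaws.com",
        "S3OriginConfig": {
            "OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEID"},
    }]},
}

if __name__ == "__main__":
    for label, cfg in (("website", WEBSITE_MODE), ("rest+oai", REST_WITH_OAI)):
        print(label, audit_distribution(cfg) or "no findings")
```

An empty result for every distribution, kept alongside the exported configuration, is the kind of evidence an auditor can re-run.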

AWS - cannot access S3 bucket via HTTPS endpoint due to location constraint

The following services are activated:
a S3 bucket in ap-east-1 where my static web pages are saved,
a domain name registered on Route 53,
an SSL certificate requested via Certificate Manager at us-east-1,
a CloudFront distribution for enabling HTTPS access to my web pages.
It is stated in this page that a single SSL certificate should suffice if CloudFront is used.
When I navigate to my URL https://www.example.com in Chrome, the following error is returned.
How to make my pages globally accessible via HTTPS?
Update
It seems that the behavior of S3 buckets in ap-east-1 is different from the buckets located in other regions as stated in my follow up question.
It is saying that the URL provided for S3 included the wrong (or no) region.
You should use the format:
bucket-name.s3.region.amazonaws.com
You are probably missing the region.
See: Using Amazon S3 Origins, MediaPackage Channels, and Custom Origins for Web Distributions - Amazon CloudFront

Enabling SSL on a subdomain with AWS S3 and ACM

I have a site example.com that lives on S3. I have set up HTTP -> HTTPS forwarding successfully for this site.
I also have a subdomain, blog.example.me that also lives on S3, which I want to enable SSL with. Right now, it only supports HTTP. I am using Route 53 for routing and Cloudfront as a CDN.
I have looked for documentation on this issue, but have yet to find something that works. Do I have to create a new certificate, or can I use the same cert that example.com uses? If I can use the same certificate, which piece of AWS should I start with?
For the certificate, it depends on whether it's a wildcard certificate that covers the whole domain. An example of a wildcard certificate would be *.example.com; then you can use the same certificate for your subdomain(s).
A typical hosted secured site with S3 and CloudFront would follow these steps:
Create an S3 Bucket
Bucket name - your domain name
Select your bucket, go to Properties -> Static Website Hosting, then Enable Website Hosting
Grant public read access to allow CloudFront to read from your bucket.
Get an SSL certificate / use an existing one if it applies
AWS provides free SSL certificates, which work with browsers that support SNI. You can import your own SSL certificate.
CloudFront configuration
Create a new Web distribution. Under Origin Settings, use the Endpoint you copied from your S3 bucket’s static hosting setup. Many other guides instruct this without explaining why — this is because if you have redirect rules configured with your S3 bucket and you specify the internal AWS S3 resource, the redirects will no longer work. Therefore, you must specify the website endpoint domain to ensure redirection functionality works.
Under Default Cache Behavior Settings, it’s worth selecting Redirect HTTP to HTTPS and narrowing down the Allowed HTTP Methods — for a static website, GET and HEAD will do.
Under CloudFront distribution settings configure:
Set your domain names under Alternate Domain Names (yourdomain.com, and optionally, www.yourdomain.com)
Configure SSL by selecting Custom SSL Certificate, then choosing the certificate generated or imported into Certificate Manager.
Finally, specify the Default Root Object. This should match your S3 bucket’s Index Document, usually index.html. This is simply where all requests are redirected to when a client requests your website URL without a path.
Route 53 configuration:
Head over to hosted zones
Select the hosted zone for the domain or subdomain you wish to use
Create a record for your site: select Alias and in the dropdown you should see your cloudfront distribution, select it as your alias target and save it.
For more detailed info check: https://medium.com/#willmorgan/moving-a-static-website-to-aws-s3-cloudfront-with-https-1fdd95563106

Routing example.at to S3 bucket and *.example.at to load balancer with HTTPS

I have set up a multi tenant application which should be available to clients via a subdomain (e.g. https://client1.example.at). Requests to *.example.at are routed to a load balancer via Route 53. The load balancer has an AWS signed wildcard certificate (e.g. supporting example.at and *.example.at). From this side, everything is working as expected and I can access https://client1.example.at, https://client2.example.at, etc.
Based on this setup, I wanted to route specific requests without a subdomain (except www) such as https://www.example.at or https://example.at to a bucket (which is also named www.example.com) and not to the load balancer (I just want to serve a static site for requests to the "main domain"). It works, but I can only access www.example.at and example.at without using HTTPS. My setup can be seen below:
I then found out that I have to use Cloudfront in order to use HTTPS for a custom domain with S3 buckets (if that is correct?). Now I have a few questions:
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
Generally speaking, is my Route 53 setup valid at all?
I wanted to route specific request without subdomain (except www) such as https://www.example.com or https://example.com to a bucket (which is also named www.example.com)
Each of those "domains" must route to a different bucket unless you are using a proxy (which reroutes the hostname passed from the browser) in front of S3; the domain name must match the bucket name. If they don't, then your requests are going to a bucket matching the DNS name you routed from; the routing has nothing to do with the hostname of the S3 bucket endpoint.
In other words, let's say your hostname was www.example.com, and you set the CNAME to example.com.s3.amazonaws.com (or you could use the website endpoint, it doesn't matter for this example).
When a request hits the DNS name www.example.com, it is then sent to the S3 server which is behind the S3 hostname. That request from the browser is for hostname "www.example.com"; the actual CNAME referenced which pointed to the S3 endpoint is irrelevant because S3 never knows what actual CNAME was used by your browser to connect to S3. So S3 will attempt to pull the requested object from the www.example.com bucket.
URL -> S3 Bucket
https://www.example.com -> s3://www.example.com
https://example.com -> s3://example.com
It works but I can only access www.example.at and example.at without using HTTPS.
CNAME DNS routing like this when using SSL to an S3 bucket does not work. The reason for this is that the S3 wild card certificates are 1 level deep (*.s3.amazonaws.com) so your bucket www.example.com.s3.amazonaws.com will fail to match it because it has 2 extra levels above the wild card. So your browser rejects the certificate as invalid for the hostname.
To accomplish this you must use a proxy of some sort in front of S3 with your own certificates for the domain in question.
Is it necessary to use Cloudfront to serve content from my S3 bucket for www.example.at and example.at via HTTPS?
CloudFront is an excellent option for addressing the HTTPS with CNAME routed DNS to an S3 bucket issue we just mentioned.
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
I can't answer that one, I can only suggest you try and find out what happens. If it doesn't work then it's not an option. It shouldn't take much time to figure this one out.
Is it ok to use *.example.at as A type record with alias to the load balancer at all?
To clarify, an A Record can only ever be an IP address, an A Alias is similar to a CNAME (but is Route53 specific).
I highly recommend CNAMEs (or ALIASes, they are similar). Pointing directly at one of S3's A records is a bad idea because you don't know if or when that IP will be removed from service. By referencing the hostname with a CNAME/ALIAS you don't have to worry about that. Unless you can be 100% sure that the IP will remain available, you shouldn't reference it.
Generally speaking, is my Route 53 setup valid at all?
I don't see any issues with it; based on what you described, it sounds like things are working as expected.
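The wildcard-depth point in the answer above can be reproduced with the matching rule browsers apply to certificate names. This is an added example, not part of the original answer: the certificate name list is taken from the answer's description, and the bucket names are constructed.

```python
def wildcard_matches(pattern, hostname):
    """Certificate name match: '*' may only be the whole left-most label and
    stands for exactly one DNS label, so it never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_covers(names, hostname):
    """True if any name on the certificate matches the requested hostname."""
    return any(wildcard_matches(n, hostname) for n in names)

def virtual_hosted_name(bucket):
    """Hostname used when a bucket is addressed as a subdomain of S3."""
    return f"{bucket}.s3.amazonaws.com"

# Assumption: the certificate name as described in the answer above.
S3_CERT_NAMES = ["*.s3.amazonaws.com"]

def check(bucket, requested_host=None):
    """Validate against the name the browser asked for; a CNAME target is
    never consulted during certificate verification."""
    host = requested_host or virtual_hosted_name(bucket)
    return cert_covers(S3_CERT_NAMES, host)

if __name__ == "__main__":
    print(check("assets"))                               # single-label bucket
    print(check("www.example.com"))                      # dotted bucket name
    print(check("www.example.com", "www.example.com"))   # via the CNAME
```

Both failing cases are why a proxy such as CloudFront, holding a certificate for the custom domain, has to terminate TLS in front of the bucket.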
If Cloudfront is necessary then I have to request a new certificate for www.example.at and example.at in region US EAST according to the official AWS docs. Is it possible to create two certificates for the same domain with AWS certificate manager or can I get some conflicts with this setup?
As suggested by #JoshuaBriefman I simply tried to create another certificate for the same domain in another region now and it worked. I could also use the certificate for the CloudFront distribution (additional certificate was created in US EAST) and all works now without any problems so far.