154

I am using an Amazon S3 bucket for uploading and downloading of data using my .NET application. Now my question is: I want to access my S3 bucket using SSL. Is it possible to implement SSL for an Amazon S3 bucket?

Syam kumar
  • 1
    Might help: [Implementing SSL on Amazon S3 Static Websites](https://knightlab.northwestern.edu/2015/05/21/implementing-ssl-on-amazon-s3-static-websites) – vsync Jun 11 '17 at 20:42

6 Answers

154

You can access your files via SSL like this:

https://s3.amazonaws.com/bucket_name/images/logo.gif

If you use a custom domain for your bucket, you can use S3 and CloudFront together with your own SSL certificate (or generate a free one via Amazon Certificate Manager): http://aws.amazon.com/cloudfront/custom-ssl-domains/

Matt Beckman
reach4thelasers
  • 45
    That's not entirely true. You can use bucket names without dots: https://this-is-my-awesome-bucket.s3.amazonaws.com Amazon has a wildcard certificate. Since you can't use dots, you can't have a CNAME domain pointing to your bucket. – Docunext Apr 20 '13 at 19:18
  • 4
    Watch out for bucket names containing periods! The SSL won't work on iOS devices but will work just fine in Chrome. See http://stackoverflow.com/questions/3048236/amazon-s3-https-ssl-is-it-possible – Simon_Weaver May 14 '14 at 20:47
  • 1
    Amazon CloudFront will do this for you. – Greg May 29 '15 at 10:36
  • 1
    @Docunext the problem is that a bucket name without dot makes it hard to use a custom DNS domain. See http://stackoverflow.com/questions/32714351/amazon-s3-using-dns-alias-to-bucket-https-at-the-same-time – Sebastien Lorber Sep 22 '15 at 10:23
  • 4
    To have dot notation bucket names (so you can use Route 53 alias) and you want to PUT objects in via REST, ensure the hostname matches the region. For example, my bucket is in `us-west-2` so the hostname is actually `s3-us-west-2.amazonaws.com`, otherwise you get an error. – noetix Jun 09 '16 at 06:00
  • 1
    Without CloudFront can we achieve this? – Arun Kumar Mar 09 '18 at 12:46
27

Custom domain SSL certs were just added today for $600/cert/month. Sign up for your invite below: http://aws.amazon.com/cloudfront/custom-ssl-domains/

Update: SNI customer provided certs are now available for no additional charge. Much cheaper than $600/mo, and with XP nearly killed off, it should work well for most use cases.

@skalee AWS has a mechanism for achieving what the poster asks for, "implement SSL for an Amazon s3 bucket"; it's called CloudFront. I'm reading "implement" as "use my SSL certs," not "just put an S on the HTTP URL", which I'm sure the OP could have surmised.

Since CloudFront costs exactly the same as S3 ($0.12/GB), but has a ton of additional features around SSL AND allows you to add your own SNI cert at no additional cost, it's the obvious fix for "implementing SSL" on your domain.

Joseph Lust
  • 68
    CloudFront is not S3. – skalee Jul 18 '13 at 11:15
  • 6
    @skalee Correct, but if you want to access it via a domain with custom SSL certs, as the OP requests, you can set up custom CNAME SSL certs this way and access it through CF. – Joseph Lust Jul 18 '13 at 16:30
  • 2
    For the time being, I've set up two CNAMEs: static-s3 and static-cf, the first one pointing straight to my S3, the second to CF. First can not support SSL, second can, but it's CF and not S3 as skalee points out. That's the best I think we can do as of now. – Danger Nov 12 '13 at 16:52
  • 2
    WOW I guess they have to make up for increasingly cheaper storage costs somehow. At least it's prorated though. If you only use your SSL certificate for 1 hour in a month it's only $20 ;-) – Simon_Weaver May 14 '14 at 19:26
  • I meant to say one day – Simon_Weaver May 15 '14 at 00:44
  • @Simon_Weaver One day of continuous use, or one day of users requesting/connecting? I'm confused as to why it's so much money. – Elegant.Scripting May 16 '16 at 21:13
  • 2
    @Elegant.Scripting If you have a dedicated SSL certificate (not an SNI certificate) then that machine needs a dedicated IP, which incurs costs. Presumably a dedicated IP is needed for you for every location around the world where S3 is hosting your data. So that adds up. But I think it is mainly just that most people don't need it and they can jack the price up for those who do. If you don't need to support IE6 then you should be OK with an SNI certificate under CloudFront. – Simon_Weaver May 16 '16 at 22:27
13

I found you can do this easily via the Cloudflare service.

Set up a bucket, enable webhosting on the bucket and point the desired CNAME to that endpoint via Cloudflare... and pay for the service of course... but $5-$20 VS $600 is much easier to stomach.

Full detail here: https://www.engaging.io/easy-way-to-configure-ssl-for-amazon-s3-bucket-via-cloudflare/

Ralph Vugts
4

It is not possible directly with S3, but you can create a CloudFront distribution from your bucket. Then go to Certificate Manager and request a certificate. Amazon gives them for free. Once you have successfully confirmed the certification, assign it to your CloudFront distribution. Also remember to set the rule to redirect HTTP to HTTPS.

I'm hosting a couple of static websites on Amazon S3, like my personal website, to which I have assigned the SSL certificate as they have the CloudFront distribution.

Gordon Leigh
  • and how did you assign the domain name? – netshark1000 Nov 15 '17 at 18:05
  • First go to the certificate manager and request a new certificate. Add your domain there and also include subdomains there, if necessary. Doesn't really hurt anything to put subdomains there, so might as well just put example.com and *.example.com there. – Mika Kujapelto Dec 04 '17 at 22:34
3

If you really need it, consider redirections.

For example, on a request to assets.my-domain.example.com/path/to/file you could perform a 301 or 302 redirection to my-bucket-name.s3.amazonaws.com/path/to/file or s3.amazonaws.com/my-bucket-name/path/to/file (please remember that in the first case my-bucket-name cannot contain any dots, otherwise it won't match *.s3.amazonaws.com, s3.amazonaws.com stated in the S3 certificate).

Not tested, but I believe it would work. I see a few gotchas, however.

The first one is pretty obvious: an additional request to get this redirection. And I doubt you could use a redirection server provided by your domain name registrar (you'd have to upload a proper certificate there somehow), so you have to use your own server for this.

The second one is that you can have URLs with your domain name in the page source code, but when, for example, a user opens the pic in a separate tab, the address bar will display the target URL.

skalee
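The certificate-name point made in this answer and in the comments on the first answer, as an added example (not code from any of the posters): a TLS wildcard covers exactly one DNS label, so a dotted bucket name fails hostname verification in virtual-hosted style. The certificate names are the two quoted in the answer; the function names and sample bucket names are assumptions, and partial wildcards such as `f*.example.com` are not handled.

```python
from urllib.parse import quote

# Names the answer above says are stated in the S3 certificate.
S3_CERT_NAMES = ("*.s3.amazonaws.com", "s3.amazonaws.com")


def cert_name_matches(pattern, host):
    """Hostname matching as TLS clients apply it (RFC 6125 style):
    a leading '*' stands for exactly one label and never spans a dot."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # this is where a dotted bucket name falls out
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_is_covered(host, cert_names=S3_CERT_NAMES):
    """True if any certificate name covers the host."""
    return any(cert_name_matches(name, host) for name in cert_names)


def https_url(bucket, key):
    """Build an HTTPS URL whose hostname the S3 certificate covers."""
    virtual_host = f"{bucket}.s3.amazonaws.com"
    if host_is_covered(virtual_host):
        return f"https://{virtual_host}/{quote(key)}"
    # Dotted bucket name: use the path-style form shown in the first answer.
    return f"https://s3.amazonaws.com/{bucket}/{quote(key)}"


if __name__ == "__main__":
    # Constructed bucket names for illustration.
    for bucket in ("my-bucket-name", "assets.my-domain.example.com"):
        print(bucket, "->", https_url(bucket, "path/to/file"))
```
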
1

As mentioned before, you cannot create free certificates for S3 buckets. However, you can create a CloudFront distribution and then assign the certificate to CloudFront instead. You request the certificate for your domain and then just assign it to the CloudFront distribution in the CloudFront settings. I've used this method to serve static websites via SSL as well as to serve static files.

For static website creation, Amazon is the go-to place. It is really affordable to get a static website with SSL.

Gordon Leigh
  • 4
    For everybody who gets here using Google: Remember to create your AWS certificate (also) in the N. Virginia region. Otherwise you won't be able to select it in your CF distribution. – KLoozen Mar 21 '18 at 11:42
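The CloudFront setup described in the answers above (certificate from Certificate Manager in N. Virginia, SNI instead of a dedicated IP, HTTP redirected to HTTPS) can be checked before or after deployment. This is an added example, not code from any of the posters: it audits a dict shaped like the `DistributionConfig` that boto3's `get_distribution_config` returns, and the sample configurations, domain and ARNs are constructed.

```python
SECURE_POLICIES = ("redirect-to-https", "https-only")


def audit_distribution(config):
    """Return a list of findings for one CloudFront DistributionConfig dict."""
    findings = []
    behaviors = [("default", config.get("DefaultCacheBehavior", {}))]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b.get("PathPattern", "?"), b))
    for name, b in behaviors:
        policy = b.get("ViewerProtocolPolicy")
        if policy not in SECURE_POLICIES:
            findings.append(f"behavior {name}: plain HTTP allowed ({policy})")

    cert = config.get("ViewerCertificate", {})
    aliases = config.get("Aliases", {}).get("Items", [])
    arn = cert.get("ACMCertificateArn")
    if aliases and not arn and cert.get("CloudFrontDefaultCertificate"):
        findings.append("custom alias served with the default certificate")
    if arn:
        parts = arn.split(":")  # arn:aws:acm:<region>:<account>:certificate/<id>
        region = parts[3] if len(parts) > 3 else ""
        if region != "us-east-1":
            findings.append(f"certificate is in {region or 'unknown region'}, not us-east-1")
        if cert.get("SSLSupportMethod") != "sni-only":
            findings.append("certificate is not SNI-only (dedicated-IP pricing applies)")
    return findings


# Constructed samples; the account id and certificate ids are placeholders.
SAMPLE_BAD = {
    "Aliases": {"Quantity": 1, "Items": ["assets.example.com"]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/img/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE",
        "SSLSupportMethod": "vip"},
}
SAMPLE_GOOD = {
    "Aliases": {"Quantity": 1, "Items": ["assets.example.com"]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "SSLSupportMethod": "sni-only"},
}

if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE_BAD):
        print(finding)
```
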