93

I want to host an HTTPS-only static website using Amazon S3 and CloudFront. Here's what I've done so far:

  1. Set up an S3 bucket for static website hosting and put my website files in it
  2. Created a CloudFront distribution and pointed it to the S3 bucket
  3. Added a CNAME record in my domain's nameservers for the www subdomain pointing to the CloudFront bucket.

So far, so good - I can access my website using the www.example.com address. However, I want the site to be available via HTTPS only, for which I bought an SSL certificate from GoDaddy.

Now, the question is:

  1. Is there a way to install this third-party SSL certificate on my S3-hosted website?
  2. Is there a way to have an automatic http to https redirect with this setup?
jamix

5 Answers

63

Yes, as of today you can do it at no charge.

You can now use HTTPS with CNAMEs on CloudFront as it now supports custom SSL certificates using Server Name Indication (SNI): http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html

I managed to set up a free Class 1 StartSSL cert for my CloudFront distributed static site on S3 without too much trouble (see: CloudFront error when serving over HTTPS using SNI).

Community
wikichen
  • The caveat here is it doesn't work for some types of older browsers... but that's an awesome alternative to paying $600/month! – bchurchill Apr 10 '14 at 22:23
  • 7
    Detailed guide: https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/ – elado Oct 25 '14 at 06:19
  • 3
    Feedback: bryce fisher's guide was very good. – tresf May 30 '15 at 02:23
  • 6
    There's a subtlety here. You can have HTTPS for an S3 bucket [**if it is not configured for website hosting**](http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteEndpoints.html). See the Note that says "The website endpoints do not support https." – skeller88 Jul 31 '15 at 16:28
  • 6
    OK, to get past "subtlety" and describe in plain English, here's my shot at it. An S3 bucket with static web page content (html) can be turned into a web site with a few clicks. This web site can only use http. If you want https, you have to use AWS's Cloudfront service and configure it for SNI to get https for free. (A few very old or odd browsers do not support SNI.) The html and other resources can be stored on S3 at a low cost. Additionally, if you get the domain name from AWS, you must use their Elastic Load Balance service. Fees are a few cents per gig. – Mike_Laird Aug 04 '16 at 20:31
  • Doesn't CloudFront add costs even though custom ssl for SNI is free? They charge $0.01 per https request? – natronite Aug 09 '16 at 13:30
  • 5
    I find it amazing that this answer got awarded the right answer, when it simply doesn't address the question: as stated by @skeller88, s3 https doesn't work for website hosting. – abbood Mar 10 '17 at 20:03
  • StartSSL is dead, distrusted by Chrome, FF, Apple; and they do not issue certificates anymore. Consider LetsEncrypt if you want free certificates. – avs099 Jan 22 '18 at 09:28
  • @skeller88 - so, communication between CloudFront and S3 is not encrypted and can be attacked by the MITM, right? Isn't it a serious security issue for my website (even if it uses HTTPS with CloudFront)? – yerzhan7 Oct 18 '18 at 21:14
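
The settings this answer and its comments turn on (an SNI certificate, HTTP-to-HTTPS redirection, and S3 website endpoints being HTTP-only) are all fields of a CloudFront distribution config. The check below is an added example, not part of any post: it reads a dict shaped like the CloudFront API's `DistributionConfig`; `audit_distribution`, the sample bucket, domain and certificate ARN are constructed for illustration.

```python
import re

# S3 website endpoints look like bucket.s3-website-<region>.amazonaws.com or
# bucket.s3-website.<region>.amazonaws.com and serve plain HTTP only.
S3_WEBSITE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

def audit_distribution(cfg):
    """Return a list of findings for a CloudFront DistributionConfig dict."""
    findings = []
    behaviors = [("default", cfg["DefaultCacheBehavior"])]
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    for name, b in behaviors:
        # allow-all serves the site over plain HTTP as well as HTTPS
        if b["ViewerProtocolPolicy"] not in ("redirect-to-https", "https-only"):
            findings.append(f"behavior {name}: viewers can stay on HTTP")
    cert = cfg.get("ViewerCertificate", {})
    if cfg.get("Aliases", {}).get("Items") and cert.get("CloudFrontDefaultCertificate"):
        findings.append("custom domain set but no custom certificate attached")
    if cert.get("SSLSupportMethod") == "vip":
        findings.append("dedicated-IP SSL in use (the paid option); sni-only avoids it")
    for o in cfg["Origins"]["Items"]:
        policy = o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if S3_WEBSITE.search(o["DomainName"]):
            findings.append(f"origin {o['Id']}: S3 website endpoint, origin leg is HTTP")
        elif policy == "http-only":
            findings.append(f"origin {o['Id']}: origin leg uses HTTP")
    return findings

# Constructed sample: bucket, domain and ARN are placeholders.
SAMPLE = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "site",
        "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "site",
                             "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 0},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "SSLSupportMethod": "sni-only",
    },
}

if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE):
        print(finding)
```

With boto3, the same dict is what `get_distribution_config` returns under the `DistributionConfig` key.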
36

On 2016-01-21 AWS launched AWS Certificate Manager, which is a free service that allows you to issue an SSL certificate to be used with Elastic Load Balancer and CloudFront (along with S3 too).

You can learn more at: https://aws.amazon.com/certificate-manager/

And you can check how to deploy your S3 + Cloudfront website with free SSL from AWS at: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

barbolo
  • 1
    I just set this up for my site this morning. It's a static site hosted in s3. It was _super_ easy. I simply went to the acm manager, requested a cert, putzed around with my email settings for a few hours (ended up making my WHOIS info public while I waited for the confirmation email), and then set up route53 to point at the cloudfront endpoint. Very happy I found this comment. – paranoid Aug 29 '16 at 19:04
  • 1
    @paranoid With this can I host my s3 website as https-only? – Piyush S. Wanare Nov 05 '16 at 07:45
  • 1
    @PiyushS.Wanare yes, you can! – barbolo Nov 11 '16 at 13:52
  • Put the HTTPS link in the CNAME record in Route53. – Costa Michailidis Nov 18 '16 at 18:02
  • @paranoid not sure what you mean by "cloudfront endpoint".. where do I get that information from? – abbood Mar 11 '17 at 08:16
  • @abbood If you go to your cloudfront distributions, select the distribution you want to use and click "distribution settings" (or just click the ID) and in the general tab you'll see "Domain Name". I used that in my route53 record - it's an A record with the alias target of the cloudfront domain name. More can be found here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-alias.html#rrsets-values-alias-alias-target – paranoid Mar 20 '17 at 02:58
17

As of today, Cloudfront offers custom SSL: http://aws.amazon.com/cloudfront/pricing/

Keep in mind, they are charging $600 / month. More details on the link above.

Christian Fazzini
  • 7
    600 / month...... – Pacerier Aug 13 '13 at 16:44
  • 11
    You only pay $600 if you want a dedicated IP address. If you are happy to use SNI (which is not supported by older browsers), no extra charges apply – Martin OConnor Mar 29 '14 at 13:38
  • 2
    If you're willing to support modern browsers only (through SNI), this is now much cheaper: http://aws.amazon.com/about-aws/whats-new/2014/03/05/amazon-cloudront-announces-sni-custom-ssl/ – Andrew Newdigate Jul 03 '14 at 09:48
  • This is FREE now! https://aws.amazon.com/certificate-manager/ Scroll down to the dollar sign icon. Plus I think they renew automatically. And setup is as easy as entering the domains you want on the cert and clicking the validation link in the email that follows. – Costa Michailidis Nov 18 '16 at 18:01
3

For me I had to upload a simple React website to S3. As barbolo describes, you need a certificate to access the site through SSL. If the static site that you want to deploy is simple enough you can:

  1. Upload to S3.
  2. Do not select "Static Website Hosting".
  3. Convert all relative links (to css, js, etc) to absolute links, e.g. from /css/media.css you should convert it to https://s3-region-amazonaws.com/bucket-name/css/media.css (for me I had to change only links in index.html).
  4. Make only the contents of bucket public.

That's it. You can access the index file through https.

A simple site is a site with a main index.html file that points to some css and js pages.

alexopoulos7
0

In addition to @wikichen's answer.

From: https://aws.amazon.com/cloudfront/custom-ssl-domains/

By default, you can deliver your content to viewers over HTTPS by using your CloudFront distribution domain name in your URLs, for example, https://dxxxxx.cloudfront.net/image.jpg.

If you want to deliver your content over HTTPS using your own domain name and your own SSL certificate, you can use one of our Custom SSL certificate support features.

Community
Jason