Saturday 4 May 2019

AWS - S3 + CloudFront + AWS Certificate Manager = http + https site (or redirect)

To host a static site from an S3 bucket over https you need to request the certificate in 'Certificate Manager' with the console switched to the N. Virginia (us-east-1) region. CloudFront only lists ACM certificates issued in that region, so a cert requested anywhere else will not be detected or usable when you set up the distribution.

While the cert is being issued/validated, pop over to the 'S3 Management Console' and make a bucket with the same name as the domain you want to host the site/redirect on (e.g. example.com). Once the bucket is created go to its properties tab, click the tile labelled 'Static website hosting' and enable it by filling in the requested info (index document and error document, or the target for a redirect) and clicking save. Leave the bucket private: CloudFront will be given its own access below rather than the bucket being opened to the public.

Once you have the bucket ready and the cert has been issued, go to the 'CloudFront Management' page. From there click 'Create Distribution' and then the 'Get Started' button in the 'Web' section.
Select your S3 bucket in the 'Origin Domain Name' box. Picking it from the list gives CloudFront the bucket's REST endpoint (bucket.s3.amazonaws.com), which is what the next step needs; the s3-website endpoint cannot be put behind an Origin Access Identity. (If the bucket is a redirect rather than a site, note that S3 only applies that redirect on the website endpoint, so for a redirect bucket use the website endpoint as a custom origin instead.) Then choose 'Restrict Bucket Access: Yes', 'Create a New Identity', and name the identity as you see fit.
Select 'Yes, Update Bucket Policy' so the wizard writes the bucket policy that grants that identity, and only that identity, s3:GetObject on the bucket.
Set 'Viewer Protocol Policy' to 'Redirect HTTP to HTTPS'.
Set 'Alternate Domain Names (CNAMEs)' to match your domain.
Set 'SSL Certificate' to 'Custom SSL Certificate' and pick the cert issued by Certificate Manager.
Set 'Default Root Object' to index.html; with the REST endpoint as origin the index document configured under static website hosting is not applied, so without this a request for / will fail.

Ensure 'Custom SSL Client Support' is not set to 'Legacy Clients Support' ..... unless you want a $600/month extra charge on your bill for a dedicated IP. 'Only Clients that Support Server Name Indication (SNI)' costs nothing extra and works with any modern browser.

Set 'Security Policy' to TLSv1.2_2018, which refuses TLS 1.0 and 1.1 clients.
Click 'Create Distribution' and wait for the distribution's status to read 'Deployed' before pointing DNS at it.


Note: if your pages are not loading or you get an error along the lines of
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>689B26545A8F9DC0</RequestId>
<HostId>
bv5SHfYTOu6wjgFGJHa0qhNAUDVSrcMth1ZJ1l/TFVuiSd2dRBNlsGBIxcw8P6/6
</HostId>
</Error>
it is most likely that CloudFront and the S3 bucket are not correctly linked up. Check that the origin 'Domain Name' in the distribution's Origins tab is your bucket (compare the bucket name against the URL shown in the 'Static website hosting' section of the bucket's properties page), that the bucket policy actually contains the Origin Access Identity grant (if 'Yes, Update Bucket Policy' was missed, add it by hand), and that a Default Root Object is set. Because the identity only has s3:GetObject and not s3:ListBucket, S3 answers a request for an object that does not exist, including / when no root object is configured, with AccessDenied rather than 404, so this error does not by itself mean the policy is wrong.
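As an added example that is not part of the original post, the Python below captures the CloudFront settings from the steps above and the AccessDenied diagnosis in the note: it writes the bucket policy the 'Yes, Update Bucket Policy' step produces, builds the relevant DistributionConfig fields, and audits a config for each weak setting the post warns about (HTTP allowed, cert outside us-east-1, Legacy Clients Support, an old security policy, no Origin Access Identity, website endpoint as origin, no Default Root Object). The domain, bucket, identity id, account id and certificate ARN are constructed placeholders. The dicts are in the shape boto3's s3.put_bucket_policy and cloudfront.create_distribution accept, but the script makes no AWS calls, so it runs offline.

```python
"""Audit a CloudFront distribution config against the settings this post walks through."""
import json
import re

# Constructed placeholders for the worked example; substitute your own values.
DOMAIN = "example.com"
BUCKET = DOMAIN              # bucket named after the domain, as the post does
OAI_ID = "E1EXAMPLEOAI1"     # placeholder Origin Access Identity id
CERT_ARN = ("arn:aws:acm:us-east-1:123456789012:certificate/"
            "11111111-2222-3333-4444-555555555555")

# Security policies that still admit TLS 1.0 or 1.1 (or worse).
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def oai_bucket_policy(bucket, oai_id):
    """Bucket policy equivalent to the wizard's 'Yes, Update Bucket Policy':
    only the CloudFront OAI may read objects; nothing is granted to the public."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                                 f"CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def distribution_config(domain, bucket, oai_id, cert_arn):
    """The DistributionConfig fields that carry the post's choices (other
    mandatory fields such as CallerReference are omitted for brevity)."""
    oai = f"origin-access-identity/cloudfront/{oai_id}" if oai_id else ""
    return {
        "Aliases": {"Quantity": 1, "Items": [domain]},
        "DefaultRootObject": "index.html",  # REST origin: bucket's index document setting is not applied
        "Origins": {"Quantity": 1, "Items": [{
            "Id": f"S3-{bucket}",
            "DomainName": f"{bucket}.s3.amazonaws.com",  # REST endpoint, not the s3-website endpoint
            "S3OriginConfig": {"OriginAccessIdentity": oai},
        }]},
        "DefaultCacheBehavior": {"TargetOriginId": f"S3-{bucket}",
                                 "ViewerProtocolPolicy": "redirect-to-https"},
        "ViewerCertificate": {"ACMCertificateArn": cert_arn,
                              "SSLSupportMethod": "sni-only",  # not 'vip' (Legacy Clients Support)
                              "MinimumProtocolVersion": "TLSv1.2_2018"},
        "Enabled": True,
    }


def audit(cfg):
    """Return (code, message) findings for every setting that departs from the post.
    Works on the DistributionConfig member of `aws cloudfront get-distribution-config`
    output as well as on the dicts built above."""
    findings = []
    vpp = cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
    if vpp not in ("redirect-to-https", "https-only"):
        findings.append(("HTTP_ALLOWED", f"ViewerProtocolPolicy is {vpp!r}; use redirect-to-https"))

    vc = cfg.get("ViewerCertificate", {})
    arn = vc.get("ACMCertificateArn")
    if not arn:
        findings.append(("NO_CUSTOM_CERT", "no ACM certificate attached; the CNAME will not serve HTTPS"))
    else:
        m = re.match(r"arn:aws:acm:([a-z0-9-]+):", arn)
        if not m or m.group(1) != "us-east-1":
            findings.append(("CERT_WRONG_REGION", "ACM certificate is not in us-east-1; CloudFront cannot use it"))
    if vc.get("SSLSupportMethod") == "vip":
        findings.append(("DEDICATED_IP", "SSLSupportMethod 'vip' is Legacy Clients Support: dedicated IP, billed monthly"))
    if vc.get("MinimumProtocolVersion") in WEAK_TLS:
        findings.append(("WEAK_TLS", f"{vc['MinimumProtocolVersion']} admits TLS 1.0/1.1; use TLSv1.2_2018 or newer"))

    rest_origin = False
    for o in cfg.get("Origins", {}).get("Items", []):
        name = o.get("DomainName", "")
        if ".s3-website" in name:
            findings.append(("WEBSITE_ENDPOINT", f"{name} is the website endpoint: an OAI cannot protect it, so the bucket must be public"))
        elif "S3OriginConfig" in o:
            rest_origin = True
            if not o["S3OriginConfig"].get("OriginAccessIdentity"):
                findings.append(("NO_OAI", f"{name} has no Origin Access Identity; the bucket would have to be public"))
    if rest_origin and not cfg.get("DefaultRootObject"):
        findings.append(("NO_ROOT_OBJECT", "no Default Root Object: GET / returns AccessDenied, not index.html"))
    return findings


def weak_config():
    """Constructed counter-example: the same site with every setting the post warns about."""
    cfg = distribution_config(DOMAIN, BUCKET, "", CERT_ARN.replace("us-east-1", "eu-west-1"))
    cfg.pop("DefaultRootObject")
    cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "allow-all"
    cfg["ViewerCertificate"].update({"SSLSupportMethod": "vip", "MinimumProtocolVersion": "TLSv1"})
    cfg["Origins"]["Items"].append({"Id": f"S3-Website-{BUCKET}",
                                    "DomainName": f"{BUCKET}.s3-website-eu-west-1.amazonaws.com",
                                    "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}})
    cfg["Origins"]["Quantity"] = 2
    return cfg


if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_ID), indent=2))
    for code, msg in audit(weak_config()):
        print(f"{code}: {msg}")
```

To audit a live distribution, feed `audit()` the DistributionConfig object from `aws cloudfront get-distribution-config --id <id>`; the good config built by `distribution_config()` produces no findings, while `weak_config()` trips every check.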