The goal was to change the “Not secure” banner to the little lock (aka enable https) for timtiemens.com.
Previously, that site was hosted using only AWS S3 – which does not support “https”.
This is the documentation for the final configurations for AWS S3, AWS CloudFront, AWS Certificate Manager, and AWS Route 53.
The basic idea is to put a CloudFront distribution in front of your AWS S3 website, create a certificate, and then make sure all of the configuration settings between S3/CloudFront/Route53 agree and work with each other.
AWS S3
| Bucket Name | Public | Static website | Notes |
|---|---|---|---|
| www.timtiemens.com | Yes | Disabled | No longer used |
| cftimtiemensdotcom | Yes | Enabled/Bucket hosting | Bucket policy set to allow s3:GetObject access from CloudFront |
Since all of the files in AWS S3 are auto-deployed from a GitHub repository using “aws s3 sync”, it was simple for me to change the target bucket from “s3://www.timtiemens.com” to “s3://cftimtiemensdotcom”. Note that for AWS S3 static websites, the bucket name has to match the hostname (www.timtiemens.com), but for CloudFront the bucket name can be anything (cftimtiemensdotcom).
AWS CloudFront
| Configuration Item | Value | Notes |
|---|---|---|
| General | | |
| Price Class | Use all edge locations | If there is ever a bill for this, switch to “Use only North America and Europe” |
| Custom SSL Certificate | ARN of certificate | Selected from dropdown list |
| Alternate domain names | 2 | |
| timtiemens.com | | |
| www.timtiemens.com | | |
| Origins | | |
| Origin Domain | cftimtiemensdotcom | From dropdown choices |
| Protocol | HTTP only, port 80 | |
| “Name” | greyed-out, not editable | |
| Behavior | | |
| Path pattern | * | |
| Origin and origin groups | cftimtiemensdotcom.s3.us-east-1.amazonaws.com | |
| Viewer protocol policy | Redirect HTTP to HTTPS | |
| Allowed HTTP methods | GET, HEAD | |
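The CloudFront settings above are the ones that have to agree with each other for the lock to appear. The following Python script is an added example, not part of the original post: it audits a distribution config in the shape that `aws cloudfront get-distribution-config` returns against those documented values. The sample config, origin ID and certificate ARN are constructed placeholders.

```python
# Expected values taken from the CloudFront table above (origin as shown
# under "Origin and origin groups").
EXPECTED_ALIASES = {"timtiemens.com", "www.timtiemens.com"}
EXPECTED_ORIGIN = "cftimtiemensdotcom.s3.us-east-1.amazonaws.com"
ALLOWED_METHODS = {"GET", "HEAD"}

# Constructed sample in the shape of the DistributionConfig object that
# `aws cloudfront get-distribution-config` returns; IDs and ARN are placeholders.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 2, "Items": ["timtiemens.com", "www.timtiemens.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "S3-cftimtiemensdotcom",
        "DomainName": "cftimtiemensdotcom.s3.us-east-1.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "S3-cftimtiemensdotcom",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]}},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-ID",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021"},
    "PriceClass": "PriceClass_All",
}


def audit(config):
    """Return a list of findings; an empty list means the config matches the documented intent."""
    findings = []
    aliases = set(config["Aliases"].get("Items", []))
    if aliases != EXPECTED_ALIASES:
        findings.append(f"aliases {sorted(aliases)} != {sorted(EXPECTED_ALIASES)}")
    behavior = config["DefaultCacheBehavior"]
    if behavior["ViewerProtocolPolicy"] != "redirect-to-https":
        findings.append("viewer protocol policy is not redirect-to-https")
    if set(behavior["AllowedMethods"]["Items"]) - ALLOWED_METHODS:
        findings.append("allowed methods go beyond GET/HEAD for a static site")
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    target = origins.get(behavior["TargetOriginId"])
    if target is None or target["DomainName"] != EXPECTED_ORIGIN:
        findings.append("default behavior does not target the documented S3 origin")
    cert = config.get("ViewerCertificate", {})
    if not cert.get("ACMCertificateArn"):
        findings.append("no ACM certificate attached, so the custom domains are not covered")
    # Not in the table above, but worth checking: CloudFront's security policy floor.
    if not cert.get("MinimumProtocolVersion", "").startswith("TLSv1.2"):
        findings.append("minimum protocol version is below TLSv1.2")
    return findings
```

Feed it the real config with `aws cloudfront get-distribution-config --id <ID> --query DistributionConfig` to re-check the distribution after any console change.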
AWS Certificate Manager
| Configuration Item | Value | Notes |
|---|---|---|
| Domains | 2 | |
| timtiemens.com | Requires DNS CNAME confirmation | |
| *.timtiemens.com | Requires same DNS CNAME confirmation | |
| Status | Issued | |
| In Use | Yes | |
After the certificate was created, I pushed the “Create records in Route 53” button. This creates the required CNAME validation records in the hosted zone.
AWS Route 53
| Record | Type | Value |
|---|---|---|
| timtiemens.com | A | Alias, to abcdefghijk.cloudfront.net |
| www.timtiemens.com | A | Alias, to abcdefghijk.cloudfront.net |
| various “_xxyyzz” | CNAME | As set by AWS Certificate Manager, for the certificates to be validated by DNS |
| blog.timtiemens.com | A | 34.236.123.127 (separate webserver, not under this CloudFront distribution) |