{"id":1411,"date":"2023-06-27T01:08:39","date_gmt":"2023-06-27T01:08:39","guid":{"rendered":"http:\/\/tiemensfamily.com\/timoncs\/?p=1411"},"modified":"2023-06-27T04:09:44","modified_gmt":"2023-06-27T04:09:44","slug":"add-https-lock-to-aws-s3","status":"publish","type":"post","link":"https:\/\/tiemensfamily.com\/timoncs\/2023\/06\/27\/add-https-lock-to-aws-s3\/","title":{"rendered":"Add HTTPS lock to AWS S3"},"content":{"rendered":"\n

The goal was to change the “Not secure” banner to the little lock (aka enable https) for timtiemens.com<\/a>. <\/p>\n\n\n\n

Previously, that site was hosted using only AWS S3 – which does not support “https”.<\/p>\n\n\n\n

This is the documentation for the final configurations for AWS S3<\/a>, AWS CloudFront<\/a>. AWS Certificate Manager<\/a>, and AWS Route 53<\/a>.<\/p>\n\n\n\n

The basic idea is to put a CloudFront distribution in front of your AWS S3 website, create a certificate, and then make sure all of the configuration settings between S3\/CloudFront\/Route53 agree and work with each other.<\/p>\n\n\n\n

AWS S3<\/h2>\n\n\n\n
Bucket Name<\/strong><\/td>Public<\/strong><\/td>Static website<\/strong><\/td>Notes<\/strong><\/td><\/tr>
www.timtiemens.com<\/td>Yes<\/td>Disabled<\/td>No longer used<\/td><\/tr>
cftimtiemensdotcom<\/td>Yes<\/td>Enabled\/Bucket hosting<\/td>Bucket policy set to allow access to S3GetObject from Cloudfront<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Since all of the files in AWS S3 are auto-deployed from a github <\/a>repository using “aws s3 sync”, it was simple for me to change the target bucket from “s3:\/\/www.timtiemens.com” to “s3:\/\/cftimtiemensdotcom”. Note that for AWS S3 static websites, the bucket name has to match (www.timtiemens.com) but for CloudFront, the bucket name can be anything (cftimtiemensdotcom).<\/p>\n\n\n\n

AWS CloudFront<\/h2>\n\n\n\n

<\/p>\n\n\n\n

Configuration Item<\/strong><\/td>Value<\/strong><\/td>Notes<\/strong><\/td><\/tr>
General<\/strong><\/td><\/td><\/td><\/tr>
Price Class<\/td>Use all edge locations<\/td>If there is ever a bill for this, switch to “Use only North America and Europ”<\/td><\/tr>
Custom SSL Certificate<\/td>ARN of certificate<\/td>Selected from dropdown list<\/td><\/tr>
Alternate domain names<\/td>2<\/td><\/td><\/tr>
<\/td>timtiemens.com<\/td><\/td><\/tr>
<\/td>www.timtiemens.com<\/td><\/td><\/tr>
Origins<\/strong><\/td><\/td><\/td><\/tr>
Origin Domain<\/td>cftimtiemens.com<\/td>From dropdown choices<\/td><\/tr>
<\/td>HTTP only, port 80<\/td><\/td><\/tr>
“Name” <\/td>is greyed-out, no edit<\/td><\/td><\/tr>
Behavior<\/strong><\/td><\/td><\/td><\/tr>
Path pattern<\/td>*<\/td><\/td><\/tr>
Origin and origin groups<\/td>cftimtiemensdotcom.s3.us-east-1.amazonaws.com<\/td><\/td><\/tr>
View<\/td>Redirect HTTP to HTTPS<\/td><\/td><\/tr>
Allowed HTTP methods<\/td>GET, HEAD<\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

AWS Certificate Manager<\/h2>\n\n\n\n
Configuration Item<\/strong><\/td>Value<\/strong><\/td>Notes<\/strong><\/td><\/tr>
Domains<\/strong><\/td>2<\/td><\/td><\/tr>
timtiemens.com<\/td><\/td>Requires DNS CNAME confirmation<\/td><\/tr>
*.timtiemens.com<\/td><\/td>Requires same DNS CNAME confirmation<\/td><\/tr>
Status<\/strong><\/td>Issued<\/td><\/td><\/tr>
In Use<\/strong><\/td>Yes<\/td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

After created, pushed the “Create records in Route 53” button. This creates the required CNAME records in the hosted zone.<\/p>\n\n\n\n

AWS Route 53<\/h2>\n\n\n\n
Record<\/strong><\/td>Type<\/strong><\/td>Value<\/strong><\/td><\/tr>
timtiemens.com<\/td>A<\/td>Alias, to abcdefghijk.cloudfront.net<\/td><\/tr>
www.timtiemens.com<\/td>A<\/td>Alias, to abcdefghijk.cloudfront.net<\/td><\/tr>
various “_xxyyzz”<\/td>CNAME<\/td>as set by AWS Certificate Manager, for various certificates to be validated by DNS<\/td><\/tr>
blog.timtiemens.com<\/td>A<\/td>34.236.123.127 (separate webserver, not under this CloudFront distribution)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

The goal was to change the “Not secure” banner to the little lock (aka enable https) for timtiemens.com. Previously, that site was hosted using only AWS S3 – which does not support “https”. This is the documentation for the final … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/posts\/1411"}],"collection":[{"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/comments?post=1411"}],"version-history":[{"count":4,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/posts\/1411\/revisions"}],"predecessor-version":[{"id":1415,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/posts\/1411\/revisions\/1415"}],"wp:attachment":[{"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/media?parent=1411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/categories?post=1411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tiemensfamily.com\/timoncs\/wp-json\/wp\/v2\/tags?post=1411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}