HTTPS for Amazon S3 static website
Solution 1
Yes, as of today you can do it at no charge.
You can now use HTTPS with CNAMEs on CloudFront as it now supports custom SSL certificates using Server Name Indication (SNI): http://aws.typepad.com/aws/2014/03/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront.html
I managed to set up a free Class 1 StartSSL cert for my CloudFront distributed static site on S3 without too much trouble (see: CloudFront error when serving over HTTPS using SNI).
Solution 2
On 2016-01-21 AWS launched AWS Certificate Manager, which is a free service that allows you to issue an SSL certificate to be used with Elastic Load Balancer and CloudFront (along with S3 too).
You can learn more at: https://aws.amazon.com/certificate-manager/
And you can check how to deploy your S3 + CloudFront website with free SSL from AWS at: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
Solution 3
As of today, CloudFront offers custom SSL: http://aws.amazon.com/cloudfront/pricing/
Keep in mind, they are charging $600 / month. More details on the link above.
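An added example (not from any of the answers): a small Python audit of a CloudFront distribution config for the HTTPS-only setup that Solutions 1 to 3 describe, covering the HTTP-to-HTTPS redirect, SNI versus dedicated-IP SSL, the ACM certificate and the CloudFront-to-origin hop. The `SAMPLE` dictionary is constructed; its field names follow the `DistributionConfig` structure of the CloudFront API, and the finding codes are made up for this example.

```python
# Added example: audit a CloudFront DistributionConfig for HTTPS-only serving.
# SAMPLE is constructed (placeholder bucket, account id and certificate id).
SAMPLE = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "s3-website",
        "DomainName": "example-bucket.s3-website-us-east-1.amazonaws.com",
        "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"},
    }]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/assets/*", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE",
        "SSLSupportMethod": "vip"},
}

HTTPS_POLICIES = {"redirect-to-https", "https-only"}

def audit(cfg):
    """Return a list of (code, detail) findings; an empty list means clean."""
    findings = []
    behaviors = [("default", cfg["DefaultCacheBehavior"])]
    for b in cfg.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((b["PathPattern"], b))
    for name, b in behaviors:
        # allow-all serves the site over plain HTTP as well as HTTPS
        if b.get("ViewerProtocolPolicy") not in HTTPS_POLICIES:
            findings.append(("viewer-http", name))
    cert = cfg.get("ViewerCertificate", {})
    aliases = cfg.get("Aliases", {}).get("Items") or []
    if aliases and cert.get("CloudFrontDefaultCertificate"):
        # the default certificate only covers *.cloudfront.net names
        findings.append(("no-custom-cert", ",".join(aliases)))
    if cert.get("SSLSupportMethod") == "vip":
        # dedicated-IP SSL is the paid option; sni-only is the free one
        findings.append(("dedicated-ip", "use sni-only unless old clients matter"))
    arn = cert.get("ACMCertificateArn", "")
    if arn and arn.split(":")[3] != "us-east-1":
        # CloudFront only accepts ACM certificates issued in us-east-1
        findings.append(("acm-region", arn.split(":")[3]))
    for origin in cfg["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom and custom.get("OriginProtocolPolicy") != "https-only":
            # an S3 website endpoint is a custom origin reachable over HTTP only
            findings.append(("origin-http", origin["Id"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Against a live distribution, the same dictionary is the `DistributionConfig` key of the response from boto3's `get_distribution_config(Id=...)` on a CloudFront client.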
Solution 4
For me I had to upload a simple React website to S3. As barbolo describes, you need a certificate to access the site through SSL. If the static site that you want to deploy is simple enough you can:
- Upload to S3.
- Do not select "Static Website Hosting"
- Convert all relative links (to css, js, etc) to absolute links,
  e.g. from /css/media.css you should convert it to https://s3-region-amazonaws.com/bucket-name/css/media.css (for me I had to change only links in index.html)
- Make only the contents of bucket public.
That's it. You can access the index file through https.
A simple site is a site with a main index.html file that points to some css and js pages.
jamix
Updated on May 04, 2020
Comments
-
jamix almost 4 years
I want to host a HTTPS-only static website using Amazon S3 and CloudFront. Here's what I've done so far:
- Set up an S3 bucket for static website hosting and put my website files in it
- Created a CloudFront distribution and pointed it to the S3 bucket
- Added a CNAME record in my domain's nameservers for the www subdomain pointing to the CloudFront bucket.
So far, so good - I can access my website using the www.example.com address. However, I want the site to be available via HTTPS only, for which I bought an SSL certificate from GoDaddy. Now, the question is:
- Is there a way to install this third-party SSL certificate on my S3-hosted website?
- Is there a way to have an automatic http to https redirect with this setup?
-
Pacerier over 10 years
600 / month......
-
Martin OConnor about 10 years
You only pay $600 if you want a dedicated IP address. If you are happy to use SNI (which is not supported by older browsers), no extra charges apply
-
bchurchill about 10 years
The caveat here is it doesn't work for some types of older browsers... but that's an awesome alternative to paying $600/month!
-
tiberghien Jeffrey almost 10 years
If you're willing to support modern browsers only (through SNI), this is now much cheaper: aws.amazon.com/about-aws/whats-new/2014/03/05/…
-
elado over 9 years
Detailed guide: bryce.fisher-fleig.org/blog/…
-
tresf almost 9 years
Feedback: bryce fisher's guide was very good.
-
skeller88 over 8 years
There's a subtlety here. You can have HTTPS for an S3 bucket if it is not configured for website hosting. See the Note that says "The website endpoints do not support https."
-
Mike_Laird over 7 years
OK, to get past "subtlety" and describe in plain English, here's my shot at it. An S3 bucket with static web page content (html) can be turned into a web site with a few clicks. This web site can only use http. If you want https, you have to use AWS's Cloudfront service and configure it for SNI to get https for free. (A few very old or odd browsers do not support SNI.) The html and other resources can be stored on S3 at a low cost. Additionally, if you get the domain name from AWS, you must use their Elastic Load Balance service. Fees are a few cents per gig.
-
natronite over 7 years
Doesn't CloudFront add costs even though custom ssl for SNI is free? They charge $0.01 per https request?
-
paranoid over 7 years
I just set this up for my site this morning. It's a static site hosted in s3. It was super easy. I simply went to the acm manager, requested a cert, putzed around with my email settings for a few hours (ended up making my WHOIS info public while I waited for the confirmation email), and then set up route53 to point at the cloudfront endpoint. Very happy I found this comment.
-
Piyush S. Wanare over 7 years
@paranoid With this can I host my s3 website as https-only?
-
barbolo over 7 years
@PiyushS.Wanare yes, you can!
-
Costa Michailidis over 7 years
This is FREE now! aws.amazon.com/certificate-manager Scroll down to the dollar sign icon. Plus I think they renew automatically. And setup is as easy as entering the domains you want on the cert and clicking the validation link in the email that follows.
-
Costa Michailidis over 7 years
Put the HTTPS link in the CNAME record in Route53.
-
abbood about 7 years
I find it amazing that this answer got awarded the right answer, when it simply doesn't address the question: as stated by @skeller88, s3 https doesn't work for website hosting.
-
abbood about 7 years
@paranoid not sure what you mean by "cloudfront endpoint".. where do I get that information from?
-
paranoid about 7 years
@abbood If you go to your cloudfront distributions, select the distribution you want to use and click "distribution settings" (or just click the ID) and in the general tab you'll see "Domain Name". I used that in my route53 record - it's an A record with the alias target of the cloudfront domain name. More can be found here: docs.aws.amazon.com/Route53/latest/DeveloperGuide/…
-
avs099 over 6 years
StartSSL is dead, distrusted by Chrome, FF, Apple; and they do not issue certificates anymore. Consider LetsEncrypt if you want free certificates.
-
user1874634 over 5 years
Awesome. Thanks
-
yerzhan7 over 5 years
@skeller88 - so, communication between CloudFront and S3 is not encrypted and can be attacked by the MITM, right? Isn't it a serious security issue for my website (even if it uses HTTPS with CloudFront)?
-
Sébastien about 5 years
If your app targets production this is a bad idea.
-
alexopoulos7 about 5 years
Sébastien, please share with us more details on why this is a bad idea. We give public read access to objects, not to the bucket.
-
Nitesh B. almost 5 years
It's a good and the simplest way, but remember: for every single file in your application the request will travel over the internet, which will reduce the performance of your application. Using CloudFront is the best idea in these scenarios.
-
Dustin Sun almost 5 years
@NiteshB. CloudFront is ass-pain when you need to update your S3 objects often