https on S3 WITHOUT cloudfront possible?

https amazon-web-services amazon-s3 ssl-certificate lets-encrypt

We currently want to start hosting all our assets through AWS S3 and we also want to server everything over https. I understand I can use the Amazon Certificate Manager (ACM) with Cloudfront to server assets over https. The problem is that we are in the medical industry and we are legally prohibited to host anything outside the EU. With S3 I can choose a location (Frankfurt for us), but with Cloudfront I just get this option:

enter image description here

So I thought that I could maybe use Letsencrypt to generate my own certs. But I think I then still need to use ACM which only works with Cloudfront, which means I still can't use it.

Does anybody know if I can somehow setup S3 with https but without cloudfront?


Solution 1:

Unfortunately you can't use an SSL certificate with your custom domain with S3. You can use the S3 domain with the Amazon SSL certificate like: https://my-example-bucket.s3-website-us-east-1.amazonaws.com.

If you want to use a custom domain with SSL, and you can't use CloudFront, then you will need to look into placing some other proxy in front of S3 like your own Nginx server or something.

Solution 2:

In AWS API Gateway, you can create a proxy resource /{proxy+} that maps to s3-website.

Be sure to map not to s3 alone, but s3-website, so you get PATH/TO/DIR/index.html returned for PATH/TO/DIR, and possibly other things working as desired.

API Gateway is served over HTTPS, optionally under your own domain.

This is not very good option though, because you have to manually add all allowed HTTP return codes, and there's a limit of 10MB payload in a request, as this service is aimed at REST APIs.

Solution 3:

Below is a useful resource schedule. Both S3 and CloudFront are available in the EU. You can certainly present S3 via CloudFront.

I understand the requirements to host within a territorial boundary. The req'ts for that you will achieve with S3 in the EU region. CloudFront is not a hosting service it is a CDN (Content Delivery network) using high performance leased lines and manageable endpoint caching. The issue you are looking at is the price options, not the hosting location. If you want to serve content in the EU you would want 'Price Class 100' or 'Price Class All'.

When using CloudFront you can control both which IP ranges that can access your material, and the encryption of both front-end and back-end traffic. Check out some of the design patterns

There are some excellent white papers and design patterns for setting up secure CloudFront. I think you will find that you can do what you want and stay well within the legal requirements.

http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region https://aws.amazon.com/compliance/eu-data-protection/

Also check out AWS doco 'using-https-cloudfront-to-s3-origin' & 'custom-ssl-domains'

P.S. Ensure that you set the bucket permissions to only be available via the CloudFront channel.

RL

Related

Good Silverlight-MVVM Practice Example
How to send a pdf file directly to the printer using JavaScript?
Python socket.error: [Errno 111] Connection refused
Testing Storm Bolts and Spouts
ReactJS - Call One Component Method From Another Component
Why can't I use a try block around my super() call?
What is the current state of Unit testing support in the R language
Coroutines in C#
How to describe JSON data in a spec?
Does the "Set next statement" feature exist in Chrome's Dev Tools or in Firebug?
What is a good, unlimited alternative to Google Places API? [closed]
ASP.NET Web API social authentication for Web and Mobile