https on S3 WITHOUT cloudfront possible?
We currently want to start hosting all our assets through AWS S3 and we also want to server everything over https. I understand I can use the Amazon Certificate Manager (ACM) with Cloudfront to server assets over https. The problem is that we are in the medical industry and we are legally prohibited to host anything outside the EU. With S3 I can choose a location (Frankfurt for us), but with Cloudfront I just get this option:
So I thought that I could maybe use Letsencrypt to generate my own certs. But I think I then still need to use ACM which only works with Cloudfront, which means I still can't use it.
Does anybody know if I can somehow setup S3 with https but without cloudfront?
Solution 1:
Unfortunately you can't use an SSL certificate with your custom domain with S3. You can use the S3 domain with the Amazon SSL certificate like: https://my-example-bucket.s3-website-us-east-1.amazonaws.com
.
If you want to use a custom domain with SSL, and you can't use CloudFront, then you will need to look into placing some other proxy in front of S3 like your own Nginx server or something.
Solution 2:
In AWS API Gateway, you can create a proxy resource /{proxy+}
that maps to s3-website
.
Be sure to map not to s3
alone, but s3-website
, so you get PATH/TO/DIR/index.html
returned for PATH/TO/DIR
, and possibly other things working as desired.
API Gateway is served over HTTPS, optionally under your own domain.
This is not very good option though, because you have to manually add all allowed HTTP return codes, and there's a limit of 10MB payload in a request, as this service is aimed at REST APIs.
Solution 3:
Below is a useful resource schedule. Both S3 and CloudFront are available in the EU. You can certainly present S3 via CloudFront.
I understand the requirements to host within a territorial boundary. The req'ts for that you will achieve with S3 in the EU region. CloudFront is not a hosting service it is a CDN (Content Delivery network) using high performance leased lines and manageable endpoint caching. The issue you are looking at is the price options, not the hosting location. If you want to serve content in the EU you would want 'Price Class 100' or 'Price Class All'.
When using CloudFront you can control both which IP ranges that can access your material, and the encryption of both front-end and back-end traffic. Check out some of the design patterns
There are some excellent white papers and design patterns for setting up secure CloudFront. I think you will find that you can do what you want and stay well within the legal requirements.
http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region https://aws.amazon.com/compliance/eu-data-protection/
Also check out AWS doco 'using-https-cloudfront-to-s3-origin' & 'custom-ssl-domains'
P.S. Ensure that you set the bucket permissions to only be available via the CloudFront channel.
RL