Setup AWS S3 static website hosting using SSL (ACM)

Submitted by BİGSTAR-TR, Thread ID: 46581

11-09-2017, 01:15 AM
I registered a new domain (ssml.io) and I want to use it to host a static website using S3 and Cloudfront. For this website I want an SSL connection using an AWS ACM certificate.

To finish this setup you have to go through these steps:
  1. Create an S3 bucket and upload your index.html file
  2. Create a Cloudfront distribution pointing to this S3 bucket
  3. Set up domain MX records using SES to receive the SSL certificate domain validation email
  4. Request a new SSL certificate in region us-east-1 (!)
  5. Assign the certificate to your Cloudfront distribution

I assume that you already have a (new) domain registered in Route 53 with no A or MX records set up.

1) Create a new S3 bucket for your static files

Create a new S3 bucket using the default settings

Open the bucket's properties and activate "Static website hosting". Make note of the Endpoint URI.

To save emails on your bucket from SES later, you need to grant permissions to SES to write to your bucket. Add the following bucket policy and replace YOUR_BUCKET_NAME and YOUR_ACCOUNT_ID with your corresponding values.

{
  "Version": "2008-10-17",
  "Id": "GiveSESPermissionToWriteEmail",
  "Statement": [
    {
      "Sid": "GiveSESPermissionToWriteEmail",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::ssml.io/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "123456789012"
        }
      }
    }
  ]
}

Save the policy, upload your index.html file and you are done.

2) Create a Cloudfront distribution using a custom CNAME
SSL certificates can only be assigned to Cloudfront distributions, so we need to create one to enable SSL for our static website.
Create a new Web distribution and select your S3 bucket as Origin Domain Name. Select HTTPS Only for Viewer Protocol Policy.

Select the S3 bucket as origin and set the viewer protocol to HTTPS only

In the Distribution Settings section enter the domain name you want to host your static files on (my site is https://ssml.io). Do not change the SSL Certificate settings for now, as we did not set up our email address to receive the domain validation email for our certificate request.

Beside that, keep all the default settings and click "Create distribution". Grab a cup of coffee or two and wait until the distribution is created.

3) Set up Route53 MX records using SES to forward emails to S3
Go to AWS SES and verify a new domain. Generate DKIM Settings as well.

Generate DKIM Settings for your domain to verify your email domain

Click "Use Route53" to set up all necessary Domain Records in Route53. Amazon is handling everything for you :-)

AWS helps you to set up all your domain records to verify an email sending and receiving domain

In the left navigation head to "Rule sets", create a new one and a new "Rule". Enter [email protected] to the recipients as this email address is used by default to receive SSL certificate domain verification emails.

In the bottom part of the rule settings define an S3 Rule to save incoming email to a folder in your bucket.

Save incoming email to an S3 bucket

4) Request a free SSL certificate using AWS ACM
Quote: Cloudfront only accepts certificates hosted in region us-east-1. Switch to that region NOW.
Enter one or more domain names you want to create an SSL certificate for. You can even use a wildcard.

Now you should have a new email on your S3 bucket containing the verification link. Download the email file, open it in your favorite text editor and copy the verification link to your browser.

5) Assign the SSL certificate to your Cloudfront distribution
You're almost done. Go back to Cloudfront and edit your distribution. Now you should be able to select your brand new SSL certificate.

Select an SSL certificate from AWS Certificate Manager

Congratulations. You're done :-) Check it out: https://ssml.io
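
Added example, not part of the original post: a small Python check for the step 1 bucket policy that builds it from the bucket name and account ID and flags a copy that has lost the aws:Referer condition or has a malformed Version or Action. The function names and the "mail/" prefix are assumptions made for this example; ssml.io and 123456789012 are the values shown in the post.

```python
import copy

VALID_VERSIONS = {"2008-10-17", "2012-10-17"}  # the only policy language versions

def build_ses_write_policy(bucket, account_id, prefix=""):
    """Policy from step 1: SES may write objects, only for mail of account_id."""
    return {
        "Version": "2008-10-17",
        "Id": "GiveSESPermissionToWriteEmail",
        "Statement": [{
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {"Service": "ses.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            "Condition": {"StringEquals": {"aws:Referer": account_id}},
        }],
    }

def audit_policy(policy, bucket, account_id):
    """Return findings; an empty list means the policy matches step 1."""
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append("bad Version")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != {"Service": "ses.amazonaws.com"}:
            findings.append("principal is not limited to SES")
        if stmt.get("Action") != "s3:PutObject":
            findings.append("action is not exactly s3:PutObject")
        if not str(stmt.get("Resource", "")).startswith(f"arn:aws:s3:::{bucket}/"):
            findings.append("resource is outside the bucket")
        referer = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:Referer")
        if referer != account_id:
            findings.append("aws:Referer does not pin the account")
    return findings

# Constructed sample values; "mail/" is an assumed folder name for the SES rule.
GOOD = build_ses_write_policy("ssml.io", "123456789012", prefix="mail/")
NO_CONDITION = copy.deepcopy(GOOD)
del NO_CONDITION["Statement"][0]["Condition"]  # SES no longer tied to this account

if __name__ == "__main__":
    print(audit_policy(GOOD, "ssml.io", "123456789012"))
    print(audit_policy(NO_CONDITION, "ssml.io", "123456789012"))
```

Limiting the Resource to the folder the SES rule writes to keeps SES from being able to overwrite the website files in the same bucket.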