How to Set Up Your S3 Bucket with HTTPS in an Hour
Amazon Web Services (AWS) has great resources for issuing and using SSL certificates, but the process of migrating existing resources to HTTPS can be complex — and it can also require many intermediate steps.
But as this tutorial shows, you can get your S3 bucket set up in just an hour or two.
Why is this necessary, anyway?
Reason 1: Google is Forcing the Issue
The big driver for this need is Google, which is phasing support for HTTP connections out of Google Chrome.
Currently, Chrome warns users when they’re accessing a site HTTP, but doesn’t prevent it altogether.
The recently rollout out labeling.
It won’t be long before accessing almost any site via HTTP will prompt a full-screen warning.
This is a site with bad HTTPS, but it gives you a notion of how HTTP might look in the near future.
Reason 2: It’s the Right Thing to Do
HTTP connections reveal, at a minimum, full information about the routing and content of requests to everyone else on the local network. If your users are accessing your site in a coffee shop, no amount of server-side security will prevent you from leaking information in the stage between the user (and their router) and your site.
Step 1: Get a Certificate
To get started, you’ll need an SSL certificate. On anything but AWS, the best option is Let’s Encrypt SSL certificates, which issues free certificates to all.
A great free service, but a confusing name
On AWS, there’s a cert manager included that will issue certificates for AWS services.
When you add a domain to a certificate, you’ll be required to verify ownership by one of two methods:
- DNS
DNS verification has a number of advantages over email verification. Most notably, you only need to verify once for multiple subdomains, and you won’t have to check your email to renew the certificate. Verification via DNS requires you to add a CNAME record with the registrar for some long random domains (e.g., _3639ac514e785e898d2646601fa951d5.example.com). AWS checks at that location, gets redirected back to its own server and knows everything is hooked up.
This can take up to an hour for the CNAME record to populate and AWS to validate, but it’s more durable than email validation and worth the effort.
Link with CloudFront
You’ll want to use your new SSL certificate with your S3 bucket by linking them with CloudFront, a content delivery network (CDN) service that can also add HTTPS to your S3 resources.To activate CloudFront,go to the CloudFront Dashboard and click “Create Distribution,” — you’ll then be taken to a few pages of settings. Most of these can be left at default, except:
- Origin Settings — select your S3 bucket
- SSL certificate — select “Custom SSL” and then the one you created above
Pointing Your URL to CloudFront
From the Route 53 dashboard, you can create an alias that points from your domain to the CloudFront Distribution you just created.
Clicking into “Alias Target” loads a drop-down where you can select your CloudFront distribution and create your recordset.
These settings will take 45 minutes or so to promulgate, but after that you should be able to enter the URL of any S3 object and see it loading via HTTPS.
As mentioned above, Google has some very good reasons for asserting its influence to make the shift to HTTPs. The steps above, we hope, will help to make the process as short and painless as possible.
