Cloud Confusing

Explaining hosting, AWS, project management, and all manner of cloud solutions.

So you setup build a static website hosted on Amazon S3 and you gave it a custom domain name. What’s next? HTTPS of course! Here’s a guide on how to do it in about 5 minutes. AWS makes SSL both free and easy, but it can be a little confusing the first time around.

The prerequisites for this process are: an S3 hosted site and working Route 53 DNS. With those things in place you should be all set. Having an Amazon Route 53 domain will help as well, and since we’re using end-t0-end AWS, we’ll assume that as well.

First, it’s worth know that AWS handles SSL through the Certificate Manager. Under some circumstances, including those for an S3-hosted static site, SSL is free, so no need or Let’s Encrypt or any of the other free SSL offerings.

In the Amazon Certificate Manager (ACM) click “Request a Certificate” and then type in the name of the site the required it, say, “”. Don’t include the subdomain.

create ssl

Next we have to determine sub-domain handling. Amazon was nice enough to included wildcard handling, which means instead of specifically concerning ourselves with and (etc.) you can just put in “*” and you are all set. Hit “Next” and then choose your validation type. The easiest way to go at this point is email validation. You could use DNS to validate your SSL,but frankly it’s a more complex process and I haven’t yet had to resort to that. With email, Amazon will set you a validation email, you hit “Approve” and then you can move on to the next step.

And, yes, there is a next step. Simply creating the certificate is not enough!

Setting Up SSL in CloudFront

A lot of the heavy lifting of AWS S3 hosting strategies is done in CloudFront. As a CDN it becomes a handy manipulation layer manipulating how people get to the underlying content. This is no different with Akamai. CloudFlare, and others… but no one let’s me change the settings on those!

With your SSL certificate validated, move over to CloudFront. Here, you can find your site’s distribution (it definitely has one) and click into it. Go to the General tab and click Edit. Under your “Alternate Domain Names (CNAMEs)” you are going to want it to list all the variations on your domain you want to run, each on their own line. Typically that will look something like:

Next, under “SSL Certificate” make sure you have “Custom SSL Certificate (” selected and then go to the dropdown and choose your domain. In the dropdown you’ll see a list of all the certificate’s you’ve created in the Certificate Manager.

After that you are actually all set! You should make sure that all the proper configuration options are chosen for your needs, but if you haven’t made any changes, you should be all good. The most important ones to confirm are that you’ve selected “Only Clients that Support Server Name Indication (SNI)” so you dodge a potentially painful $600 a month charge, and that you have Distribution State set to “Enabled”. As for the rest — HTTP1.0 or HTTP2.0, etc. — pick the option that best suits your need. Or, as with anything else in AWS, if you don’t know what it does, you should probably leave it alone!

Now you should have a with working SSL on both the raw domain and www.

Don’t forget: Google Search Console (the tool formerly known as Webmaster Tools) sees HTTP and HTTPS as two different properties, so you’ll want to hop on over there and create the HTTPS version of your property. You don’t need to go this for Google Analytics, it doesn’t care so much about the protocol.

December 7th, 2017

Posted In: AWS

Tags: , , , , , ,