https on S3 WITHOUT cloudfront possible?

Question

We currently want to start hosting all our assets through AWS S3 and we also want to server everything over https. I understand I can use the Amazon Certificate Manager (ACM

Answer 1

Below is a useful resource schedule. Both S3 and CloudFront are available in the EU. You can certainly present S3 via CloudFront.

I understand the requirements to host within a territorial boundary. The req'ts for that you will achieve with S3 in the EU region. CloudFront is not a hosting service it is a CDN (Content Delivery network) using high performance leased lines and manageable endpoint caching. The issue you are looking at is the price options, not the hosting location. If you want to serve content in the EU you would want 'Price Class 100' or 'Price Class All'.

When using CloudFront you can control both which IP ranges that can access your material, and the encryption of both front-end and back-end traffic. Check out some of the design patterns

There are some excellent white papers and design patterns for setting up secure CloudFront. I think you will find that you can do what you want and stay well within the legal requirements.

http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region https://aws.amazon.com/compliance/eu-data-protection/

Also check out AWS doco 'using-https-cloudfront-to-s3-origin' & 'custom-ssl-domains'

P.S. Ensure that you set the bucket permissions to only be available via the CloudFront channel.

RL

Answer 2

CloudFront has a feature for white/blacklisting countries. I would try using any of the 3 CDN options you listed along with a whitelist of EU countries. I'm not sure what the easiest way to verify that other countries (e.g. US) are denied though.

Answer 3

In AWS API Gateway, you can create a proxy resource /{proxy+} that maps to s3-website.

Be sure to map not to s3 alone, but s3-website, so you get PATH/TO/DIR/index.html returned for PATH/TO/DIR, and possibly other things working as desired.

API Gateway is served over HTTPS, optionally under your own domain.

This is not very good option though, because you have to manually add all allowed HTTP return codes, and there's a limit of 10MB payload in a request, as this service is aimed at REST APIs.

Answer 4

Unfortunately you can't use an SSL certificate with your custom domain with S3. You can use the S3 domain with the Amazon SSL certificate like: https://my-example-bucket.s3-website-us-east-1.amazonaws.com.

If you want to use a custom domain with SSL, and you can't use CloudFront, then you will need to look into placing some other proxy in front of S3 like your own Nginx server or something.