
Hosting on AWS with (Free) SSL

A site can easily be hosted on AWS with a free SSL certificate from AWS ACM (Amazon Certificate Manager). This holds true regardless of who the domain registrar is.

  • AWS S3 stores the index.html and other static files.
  • AWS CloudFront is the CDN that serves the site.
  • AWS CloudFront helps redirect HTTP to HTTPS (for www subdomain).
  • AWS S3 helps redirect naked domain to www subdomain, always to HTTPS.
  • AWS Route 53 Hosted Zone provides DNS.
  • AWS ACM provides SSL.

This guide shows how to achieve the following setup for a given domain.

Steps to Set Up

Once everything is set up, 2 CloudFront distributions and 2 S3 buckets will exist.

Create AWS Route 53 Hosted Zone

The domain must have an AWS Route 53 Hosted Zone in order to serve DNS records.

  1. Create the AWS Route 53 Hosted Zone.
  2. If the domain is not registered with AWS as the domain registrar, update the domain registrar to use the Hosted Zone nameserver records as the nameservers.

Create AWS ACM SSL Certificate

To support SSL for HTTPS, an AWS ACM Certificate must exist.

  1. Start requesting/creating a new ACM certificate.
  2. Set all necessary names, eg:
  3. Leave default option of DNS validation selected.
  4. Click 'Request' to start the process of acquiring the certificate.
  5. Open the certificate back up for editing.
  6. Click Create records in Route 53.
  7. The certificate is ready only once ACM shows the status for each domain switching from 'Pending validation' to ''. If the nameservers were recently switched for this domain, it may take some time.

Create S3 "Content Bucket"

To store the index.html and other static content/files that comprise the site, an S3 bucket is used.

  1. Create an S3 bucket, with any desired name, eg: example.com-content.
  2. Make publicly accessible with website hosting enabled.
  3. Create Bucket Policy:
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Principal": "*",
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example.com-content/*"
           }
         ]
       }
  4. Leave other options as defaults. Create the bucket.
  5. Upload static files to the bucket.

Note that this bucket stores files but does not allow them to be accessed publicly directly.

Create CloudFront "Content Distribution"

To actually serve the static files stored in the content bucket (created previously), AWS CloudFront will provide the CDN that does so.

  1. Create a new CloudFront distribution.
  2. For Origin domain, use the previously created S3 bucket's website address, eg: example.com-content.s3-website-us-east-1.amazonaws.com
  3. Under Viewer protocol policy select Redirect HTTP to HTTPS.
  4. Under Alternate domain name (CNAME) - optional click Add item and specify the desired domain name on which the site will be hosted. Eg: www.example.com
  5. Under Custom SSL certificate - optional choose the certificate that was previously created for this domain.
  6. Under Default root object - optional enter index.html.
  7. Leave all other options as defaults.
  8. Click Create distribution.

Create Route 53 Records for WWW Subdomain DNS

Create the DNS records to map www subdomain to CloudFront distribution.

  1. Edit the Route 53 Hosted Zone for the domain.
  2. Click Create record.
  3. Enter www for Record name.
  4. Leave default Record type of A record.
  5. Under Value set Alias to true.
    1. Under Choose endpoint select Alias to CloudFront distribution.
    2. In Choose distribution field select the content distribution.
  6. Leave other defaults.
  7. Click Create records.
  8. Click Create record to create a 2nd record for IPv6.
  9. Enter www for Record name.
  10. Choose Record type of AAAA record.
  11. Under Value set Alias to true.
    1. Under Choose endpoint select Alias to CloudFront distribution.
    2. In Choose distribution field select the content distribution.
  12. Leave other defaults.
  13. Click Create records.

At this point the following observations should hold true:

Create S3 "Redirect Bucket"

An S3 Bucket is capable of redirecting requests (as opposed to providing files). This redirect behavior is used to redirect from the naked domain to the www subdomain.

  1. Create an S3 bucket, with any desired name, eg: example.com-redirect.
  2. Deselect Block all public access.
  3. Leave other options as defaults. Create the bucket.
  4. Open the bucket back up for editing.
  5. Go to the Properties tab.
  6. Under Static website hosting click edit.
  7. Under Static website hosting click Enable.
  8. Under Hosting type select Redirect requests for an object.
  9. In Hostname specify the www subdomain address. Eg: www.example.com
  10. For Protocol - Optional select https. This will prevent an unnecessary extra intermediate redirect across the http-based address.

Create CloudFront "Redirect Distribution"

To actually serve the redirect on HTTPS, the S3 redirect bucket must be served by a CloudFront distribution.

  1. Create a new CloudFront distribution.
  2. For Origin domain, specify the website endpoint, eg: http://example.com-redirect.s3-website-us-east-1.amazonaws.com.
    • This website endpoint can be found under the bucket's properties, after enabling Static website hosting.
  3. Under Viewer protocol policy leave the default HTTP and HTTPS. This is so that the S3 bucket can directly redirect http://example.com to https://www.example.com.
  4. Under Alternate domain name (CNAME) - optional click Add item and specify the naked domain. Eg: example.com
  5. Under Custom SSL certificate - optional choose the certificate that was previously created for this domain.
  6. Under Default root object - optional leave it empty.
  7. Leave all other options as defaults.
  8. Click Create distribution.

Create Route 53 Records for Naked Domain DNS

Create the DNS records to map the naked domain to the redirect CloudFront distribution.

  1. Edit the Route 53 Hosted Zone for the domain.
  2. Click Create record.
  3. Leave Record name empty.
  4. Leave default Record type of A record.
  5. Under Value set Alias to true.
    1. Under Choose endpoint select Alias to CloudFront distribution.
    2. In Choose distribution field select the redirect distribution.
  6. Leave other defaults.
  7. Click Create records.
  8. Click Create record to create a 2nd record for IPv6.
  9. Leave Record name empty.
  10. Choose Record type of AAAA record.
  11. Under Value set Alias to true.
    1. Under Choose endpoint select Alias to CloudFront distribution.
    2. In Choose distribution field select the redirect distribution.
  12. Leave other defaults.
  13. Click Create records.

At this point all desired hosting and redirect behavior should be functioning.
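
One way to verify the finished setup, as an added example that is not part of the original guide: the Python script below follows each of the four entry points by hand and reports any that do not reach https://www.example.com/ in at most one redirect. The function names and the UNSET_PROTOCOL table are assumptions made for illustration; the table is constructed sample data.

```python
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

DOMAIN = "example.com"                # placeholder domain used in this guide
CANONICAL = f"https://www.{DOMAIN}/"  # every entry point should end here


def fetch(url):
    """One live GET, redirects not followed; returns (status, Location)."""
    parts = urlsplit(url)
    cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    conn.close()  # status line and headers are already parsed
    return resp.status, resp.getheader("Location")


def trace(url, fetcher, max_hops=5):
    """Follow redirects by hand; return (URLs visited, final status)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetcher(chain[-1])
        if status not in (301, 302, 307, 308) or not location:
            return chain, status
        chain.append(urljoin(chain[-1], location))
    return chain, None  # loop, or more than max_hops redirects


def audit(fetcher=fetch):
    """Check the four entry points against the behaviour the guide sets up."""
    problems = []
    for start in (f"http://{DOMAIN}/", f"https://{DOMAIN}/",
                  f"http://www.{DOMAIN}/", CANONICAL):
        chain, status = trace(start, fetcher)
        if chain[-1] != CANONICAL or status != 200:
            problems.append(f"{start} ended at {chain[-1]} ({status})")
        elif len(chain) > 2:  # more than the single expected redirect
            problems.append(f"{start} took extra hops via {chain[1:-1]}")
    return problems


# Constructed responses (not captured traffic) with an extra plain-HTTP hop.
UNSET_PROTOCOL = {
    "http://example.com/": (301, "http://www.example.com/"),
    "https://example.com/": (301, CANONICAL),
    "http://www.example.com/": (301, CANONICAL),
    CANONICAL: (200, None),
}
print(audit(UNSET_PROTOCOL.get))
```

Calling audit() with no argument runs the same checks against the live site after DOMAIN is changed to the real domain. Python verifies the certificate and hostname by default, so a certificate that does not cover the requested name makes the HTTPS request raise an SSL error rather than return a status.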