It has never been easier than it is today to configure HTTPS access for our websites. What once use to be a painful task is now done in a few clicks of a button and often free.
In this article I will explain how we can configure static websites living in AWS to leverage 100% free SSL.
- Your static website must be hosted out of an S3 bucket. You can learn how to do so here.
- To leverage AWS Certificate Manager (ACM) you must be serving your static website via CloudFront. This is easy to get setup via my guide here.
AWS Certificate Manager (ACM)
When it comes to Amazon Web Services, ACM is one of those services that few people know they can leverage. It isn't a hot service like Lambda, S3, or Rekognition. But, it is powerful and very easy to get started with. It integrates with other services like Elastic Load Balancing, API Gateway, and CloudFront.
With ACM you can request, renew, and deploy SSL/TLS certificates. These certificates are then used with ELB, API Gateway, or CloudFront. They are easy to get, 100% free, and managed by AWS. Meaning you never have to worry about a certificate expiring when using ACM.
In this post we are going to leverage ACM to get a SSL certificate for our static website domain. We will then be able to attach this certificate to our CloudFront distribution. By doing so users will be able to access our site over HTTPS.
Requesting and Approving A New SSL Certificate
Before we can begin we need to request and approve a new SSL certificate. This certificate is for the domain of our static website. To request a certificate via the AWS Console follow these steps.
- Switch into the N.Virginia region in the AWS Console.
- Navigate to Certificate Manager in the AWS Console.
- Click Request a Certificate.
- In the Domain name input enter www.your-site.com
- Click Add another name to this certificate.
- In the second Domain name input enter your-site.com
- Click Next.
- Select Email validation.
- Click Review.
- Click Confirm and request.
We can do all 10 of these steps with one AWS CLI call as well.
$ aws acm request-certificate --domain-name www.my-awesome-site.com --validation-method EMAIL --subject-alternative-names my-awesome-site.com --region us-east-1
ACM then sends the domain owner, which should be you in this case, an email to approve the new certificate. This email typically has a subject line like "Certificate approval for ...". Click the approval link in the email.
Important Note To leverage our new certificate in CloudFront it must be created and approved in the us-east-1 region (N. Virginia).
Attaching A SSL Certificate To A CloudFront Distribution
With our new certificate approved and issued we can now hook it up to our static website distribution.
- Navigate to CloudFront in the AWS Console.
- Click the ID of our static website Distribution.
- Click Edit.
- Select Custom SSL Certificate.
- From the dropdown select the new certificate we created.
- Click Yes, Edit.
If you do not see the certificate on step five, then the certificate was likely not created in us-east-1.
Most changes made to CloudFront distribution can take a minute or two to propagate. Once the change is complete we can then access our static website via HTTPS: https://www.your-site.com.
Because our static website lives in a S3 bucket we can leverage other AWS services to enhance it. CloudFront provides us with a great extension point. Using it we can provide low latency delivery of resources to our end users. We can also add ACM certificates to our distribution to get free SSL connections.
This is the power AWS provides. Individual services are often great and worth learning. But the power is the ability to produce better solutions via easy integrations.
It is worth noting that AWS Certificate Manager allows you to bring in your own SSL certificates. So if you already own a certificate that you paid for, you can import it into ACM. Keep in mind that imported certificates are not managed by ACM, so they will not auto-renew.