Hosting a secure AWS CloudFront Distribution via AWS Route 53

[A step by step guide to secure your CloudFront endpoints using AWS Certification Manager]

In part 01 and part 02 of AWS Route53 blog series, we discussed all possible routing policies with AWS Route 53. This blog will take this discussion further by integrating a secure CloudFront endpoint to a Route 53 registered domain.

The discussion will be explained using five (05) main tasks.

Task 1: Host a dummy web site in S3

Task 2: Create a CloudFront distribution and route to the web site hosted in S3

Task 3: Generate a public certificate using AWS Certification Manager (ACM)

Task 4: Route the CloudFront Distribution via AWS Route 53

Task 5: Connect Route 53 to CloudFront

So lets, get our hands dirty by implementing each task now.

Task 1 : Host a dummy web site in S3

• Create a S3 bucket similar to the name of the registered domain (e.g. create a S3 bucket called mydomain.com if your registered domain is mydomain.com) and host a dummy web site in it. (Hint: Use the “properties” tab within the S3 bucket to enable web site hosting)

Figure 01 — Enabling a web site hosting within the S3 bucket

• Create another S3 bucket for the “www” sub domain (e.g. create a S3 bucket called www.mydomain.com if the registered domain is mydomain.com) and route all requests to the mydomain.com S3 bucket.

Figure 02 — Routing the “www” traffic to the main domain (mydomain.com)

Task 2: Create a CloudFront distribution and route to the web site hosted in S3

1. Go to CloudFront
2. Select Create Distribution
3. Select Web as the delivery method
4. Select the Original Domain Name as the Web hosting URL of the S3 bucket-name
5. Key in index.html as the Default root object (optional)
6. Set all the other values to their default values and click Create Distribution button
7. The above will create a CloudFront distribution.
8. Now, select the CloudFront Distribution that you have created and get the Domain Name (See Figure 03) from the panel and paste it on a web browser and see whether it shows the S3 hosted web site. If all fine you may see the hosted web site with the CloudFront DNS.

Figure 03 — Extracting the CloudFront Domain Name

Task 3 : Generate a public certificate using AWS Certification Manager (ACM)

1. Go to AWS Certificate Manager (AWS ACM). Make sure to create the certificate in the us-east-1 (N. Virginia) region due to the fact that it is the most stable region for this to work for the moment.
2. Select Request a Public Certificate
3. Add Domain Names (P.Note: You may add your domain (mydomain.com) and your sub domains (www.mydomain.com) to this. Use add another name to this certificate button to add more sub domains)
4. Select Validation Method. You may use DNS validation / Email Validation here. The DNS Validation is pretty straight forward.
5. Review and Confirm the Certificate Request.
6. Once confirmed, the Certificate Request will be on the pending validation state, which needs to be confirmed by us in order to proceed. You may click the side arrow (2nd column) to see the validation requests. If you have requested the certificate for domains such as mydomain.com and www.mydomain.com, you will have to confirm two validation requests under this.
7. In this process, two CNAME entries will be added to Route 53 hosted zone (if you have already setup a domian under a hosted zone in Route 53)
8. Finally a public certificate (Amazon) will be generated for you for the requested domain(s).

Task 4: Route the CloudFront Distribution via AWS Route 53

1. Move back to CloudFront
2. Select the CloudFront Distribution
3. Add Alternate Domain Name(s) — You may define both the domain and your sub domains here. (mydomain.com and www.mydomain.com)
4. Adding an Alternate Domain will require you to add a Certificate. You may use the certificate that you have created under Task 3 as a custom SSL certificate.
5. Click Yes to save the changes.
6. Then Select Behaviors tab and select the available behavior.
7. Change the Viewer Protocol Policy to Redirect HTTP to HTTPS and then save the changes

P.Note: As a result of adding a certificate to this process, you may change the www.mydomian.com S3 bucket redirect setting to have HTTPS protocol. This is required for the above Viewer Protocol Policy Change which we did in this step (See Figure 04).

Figure 04

Task 5: Connect Route 53 to CloudFront

Create two “A” records with Alias for both domain (mydomain.com) and the sub domain (www.mydomain.com).

1. Create “A” record for the domain (mydomain.com)

Name: mydomain.com

Type: “A” Record

Alias: “Yes”

Alias Target: <Select the CloudFront Alias Target from the drop down>

Routing Policy: Simple

2. Create “A” record for the sub domain (www.mydomain.com)

Name: www.mydomain.com

Type: “A” Record

Alias: “Yes”

Alias Target: <Select the CloudFront Alias Target from the drop down>

Routing Policy: Simple

After completing all above tasks, now it is the time to test the domain and sub domain URL on a web browser to see whether the S3 web hosted content is visible in a secure manner (via HTTPS).

Congratulations! Now you have developed a web site in S3 (which cached its content using AWS CloudFront) and routed them via a HTTPS endpoint using a public certificate created using AWS Certificate Manager (ACM).

References

1. https://crishantha.medium.com/aws-route-53-and-routing-scenarios-671d12991260
2. https://crishantha.medium.com/aws-route-53-and-routing-policies-b7dc67e74516