Securing AWS CloudFront: Enabling HTTPS and Restricting Access

Welcome back to another chapter of our AWS journey! In this installment, we’ll dive deep into securing your resources with AWS CloudFront. Security is paramount when it comes to serving your content and ensuring that your users have a safe and seamless experience. In this article, we will explore how to enable HTTPS with CloudFront and how to restrict access to files in Amazon S3 buckets.

Enabling HTTPS with CloudFront

HTTPS, or HyperText Transfer Protocol Secure, is a critical protocol for ensuring the secure transmission of data between your users and your web resources. CloudFront allows you to easily enable HTTPS for your content distribution, adding an extra layer of security to your web applications.

To enable HTTPS with CloudFront, follow these steps:

  1. Create a CloudFront Distribution: Start by navigating to the AWS Management Console and selecting CloudFront. Click on “Create Distribution” and choose the “Web” distribution type.
  2. Configure Distribution: Enter the origin domain name for your web resources. This can be an Elastic Load Balancer or an S3 bucket that holds your content. Then set the viewer protocol policy (how clients connect to CloudFront) and the origin protocol policy (how CloudFront connects to your origin); to actually enforce HTTPS for clients, choose “Redirect HTTP to HTTPS” or “HTTPS Only” rather than “HTTP and HTTPS”.
  3. Choose SSL Certificate: If you have an SSL/TLS certificate for your own domain, select it here. The certificate must be held in AWS Certificate Manager (ACM) in the US East (N. Virginia) region, regardless of the region your origin runs in; without one, CloudFront can only serve HTTPS under its default *.cloudfront.net name.
  4. Alternate Domain Names (CNAMEs): If you want to use a custom domain name with CloudFront, add it as an alternate domain name.
  5. Configure Additional Settings: You can configure caching behavior, cookies, and other settings as per your requirements.
  6. Create Distribution: Once you’re satisfied with your settings, click “Create Distribution.” This might take some time to propagate.

Once your CloudFront distribution is created and deployed, your content will be accessible via HTTPS (and, with the redirect policy, plain HTTP requests are sent to HTTPS automatically), enhancing the security of your users’ interactions.
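The settings above are easy to get half-right (HTTPS enabled on the viewer side but not towards the origin, or a certificate created in the wrong region). The following is an added example, not code from the article: an offline audit function that checks a distribution configuration for exactly those points. The input dicts are constructed sample data in the shape of the `DistributionConfig` returned by `aws cloudfront get-distribution-config`; the domain names, certificate ARN and account id are placeholders, and no AWS calls are made.

```python
"""Offline audit of the HTTPS-related settings on a CloudFront distribution.

The dicts below are constructed sample input in the shape of the
``DistributionConfig`` returned by ``aws cloudfront get-distribution-config``;
no AWS calls are made.
"""

from typing import Any, Dict, List

# ACM certificates used by CloudFront must live in this region.
ACM_REQUIRED_REGION = "us-east-1"
SECURE_VIEWER_POLICIES = ("redirect-to-https", "https-only")


def audit_https(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the HTTPS settings look right."""
    findings: List[str] = []

    # Viewer side: every cache behaviour should redirect or refuse plain HTTP.
    behaviours = [config["DefaultCacheBehavior"]]
    behaviours += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviours:
        path = b.get("PathPattern", "default")
        policy = b.get("ViewerProtocolPolicy")
        if policy not in SECURE_VIEWER_POLICIES:
            findings.append(
                f"behaviour '{path}': ViewerProtocolPolicy is '{policy}'; "
                "use redirect-to-https or https-only"
            )

    # Origin side: custom origins (e.g. an ELB) should be reached over TLS as well.
    # S3 origins have no CustomOriginConfig and are skipped here.
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is not None and custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(
                f"origin '{origin['Id']}': OriginProtocolPolicy is "
                f"'{custom.get('OriginProtocolPolicy')}'; use https-only"
            )

    # Certificate: alternate domain names need an ACM certificate in us-east-1.
    aliases = config.get("Aliases", {}).get("Items", [])
    cert = config.get("ViewerCertificate", {})
    if aliases:
        arn = cert.get("ACMCertificateArn")
        if not arn:
            findings.append("alternate domain names set but no ACM certificate attached")
        else:
            region = arn.split(":")[3]  # arn:aws:acm:<region>:<account>:certificate/<id>
            if region != ACM_REQUIRED_REGION:
                findings.append(
                    f"ACM certificate is in '{region}'; CloudFront requires {ACM_REQUIRED_REGION}"
                )
    return findings


# Constructed sample: a distribution still serving plain HTTP with an ELB origin
# and a certificate issued in the wrong region.
WEAK_CONFIG = {
    "Aliases": {"Items": ["www.example.com"]},
    "Origins": {"Items": [{"Id": "elb-origin", "DomainName": "my-elb.example.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "elb-origin", "ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"ACMCertificateArn":
                          "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE-CERT-ID"},
}

# The same distribution after the steps above have been applied.
HARDENED_CONFIG = {
    "Aliases": {"Items": ["www.example.com"]},
    "Origins": {"Items": [{"Id": "elb-origin", "DomainName": "my-elb.example.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "elb-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {"ACMCertificateArn":
                          "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_https(cfg) or ["no findings"])
```

Running it reports three findings for the weak configuration (viewer policy, origin policy, certificate region) and none for the hardened one. The same function can be pointed at real output by loading the JSON from `aws cloudfront get-distribution-config` and passing its `DistributionConfig` member.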

Restricting Access to S3 Files with CloudFront

In some cases, you may want to ensure that users can only access files through CloudFront, rather than fetching them directly from the S3 bucket URL. This adds an extra layer of control and security to your content distribution: HTTPS, caching and any access rules are then enforced at the edge, and the bucket cannot be reached around them. To achieve this, you can use an Origin Access Identity (OAI), a special CloudFront principal that your bucket policy grants read access to. (AWS now recommends the newer Origin Access Control (OAC) for new distributions; the bucket-policy pattern is the same, with the CloudFront service principal in place of the OAI user.)

Here’s how you can do it:

  1. Create a CloudFront Distribution: Follow the same steps as mentioned above to create a CloudFront distribution, this time using an S3 bucket as the origin.
  2. Restrict Bucket Access: When configuring the distribution, select “Restrict Bucket Access.” This will create an Origin Access Identity (OAI) that CloudFront will use to access your S3 bucket.
  3. Set Permissions: CloudFront will offer to either update your bucket policy for you or let you set the permissions manually. It’s generally recommended to let CloudFront update the bucket policy; the statement it adds grants only s3:GetObject on the bucket’s objects to the OAI. If you set the permissions manually, add that same statement yourself and remove any existing statement that grants read access to everyone (Principal "*"), or the restriction is ineffective.
  4. Configure Other Settings: Configure viewer protocols, caching, and other settings as needed.
  5. Create Distribution: Once again, click “Create Distribution.”

With this setup, users will only be able to access your S3 content through CloudFront, and requests made directly to the S3 URL are refused with 403 Access Denied. Note that this only holds if nothing else makes the bucket public: keep S3 Block Public Access enabled and make sure no public-read ACL or bucket-policy statement remains.
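To make the bucket-policy side of this concrete, here is an added example (not code from the article or from AWS): a builder for the policy the “Restrict Bucket Access” option produces for an OAI, the equivalent policy for the newer OAC mechanism (which goes slightly beyond the OAI setup the text describes), and a check that flags the public-read statements that would let visitors bypass CloudFront. The bucket name, OAI id, account id and distribution id are constructed placeholders, and no AWS calls are made.

```python
"""Build and check the S3 bucket policies that make a bucket reachable only
through CloudFront. Bucket name, OAI id, account id and distribution id used
below are constructed placeholders; no AWS calls are made.
"""

import json
from typing import Any, Dict, List, Union


def oai_bucket_policy(bucket: str, oai_id: str) -> Dict[str, Any]:
    """Policy equivalent to what the console writes for “Restrict Bucket Access” (OAI)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> Dict[str, Any]:
    """Same intent using Origin Access Control: the CloudFront service principal,
    scoped to a single distribution through the AWS:SourceArn condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalRead",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
        }],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # IAM allows a single string or a list for Principal.AWS and Action.
    return [value] if isinstance(value, str) else list(value)


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that let an anonymous principal read objects.
    Any hit means direct S3 URLs still work and CloudFront can be bypassed."""
    hits: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("*", "s3:*", "s3:Get*", "s3:GetObject") for a in actions):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


# Constructed sample: a typical "static website" policy that defeats the OAI setup.
# The Deny statement is harmless (it only blocks plain-HTTP access) and must not be flagged.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy("example-bucket", "E1EXAMPLEOAIID"), indent=2))
    print("public read granted by:", public_read_statements(PUBLIC_POLICY))
</```

The check only looks at the bucket policy; a bucket can also be public through object ACLs, so pair it with S3 Block Public Access rather than relying on the policy alone.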

Hands-On Implementation

Now, let’s put theory into practice and walk through the steps in AWS:

  1. Setting Up HTTPS with CloudFront:
    • Navigate to the CloudFront service in the AWS Management Console.
    • Create a new web distribution, specifying your origin server (Elastic Load Balancer, for instance). In the cache behavior settings, set “Cache Based on Selected Request Headers” to “All” and “Query String Forwarding and Caching” to “Forward all, cache based on all”. Under Distribution Settings, in the “Alternate Domain Names (CNAMEs)” field, enter the domain name you want to map to this distribution. For more information, refer to this.

    • Configure SSL settings, including protocols and certificates.
    • Set up additional options as required.
    • Create the distribution and wait for it to propagate.
  2. Restricting S3 Access with CloudFront:
    • Again, create a new web distribution, but this time use an S3 bucket as the origin.
    • Choose “Restrict Bucket Access” to create an Origin Access Identity (OAI).
    • Configure permissions for the OAI to access your S3 bucket.
    • Complete the distribution setup.
  3. Testing:
    • Access your custom domain or CloudFront URL over HTTPS to verify the SSL configuration.
    • Access content from your S3 bucket via CloudFront to confirm it is served, then request the same object directly by its S3 URL and confirm you receive a 403 Access Denied response, which shows the bucket is reachable only through the distribution.

By following these steps, you’ll have successfully secured your resources using AWS CloudFront, enabling HTTPS and controlling access to your S3 bucket content.

In conclusion, AWS CloudFront offers robust security features that enable you to serve your content securely and control access to your resources. By configuring HTTPS and utilizing Origin Access Identity, you can provide a safe and reliable experience for your users while maintaining control over your content distribution. Remember, security is an ongoing effort, so stay updated with AWS best practices to ensure your infrastructure remains protected.
