A while back I described how I secured the origin (AWS S3) of this website via a bucket access policy and how this mitigated the four threats I was concerned with. It’s been bothering me that the content is not encrypted between AWS and Cloudflare, so this post describes how I’ve enabled that. This topic is not very well documented, but I did find this post by Sam Becker to be a useful resource.

Refresher - Current Config

As I previously wrote, this is the current setup for this site:

S3

This site is stored in an S3 bucket called www.chrislockard.net. This bucket has static website hosting enabled. There’s a second bucket, chrislockard.net, that redirects to this bucket and serves requests made to the naked domain https://chrislockard.net.

CloudFlare

CloudFlare manages the DNS records for this site and its TLS settings (that is, the encryption of traffic between your browser and the content cached on CloudFlare).

Enter CloudFront

Back in 2016 I wrote about deploying this blog via CloudFront. I had just discovered the awesome AWS Certificate Manager, and today it makes a return, along with CloudFront, to ensure that this blog is delivered entirely over HTTPS, from source to destination.

I am re-using the CloudFront distribution I created when I switched this site to CloudFront in 2016. I won’t recap the process for creating it here; see Sam Becker’s post on Medium for a guide to configuring this part. Here are some refresher notes:

  • Set the CloudFront origin to the S3 website endpoint provided in the S3 bucket’s Static website hosting card. This should be of the form bucketname.net.s3-website-us-east-1.amazonaws.com
  • Distribution delivery method should be set to Web
  • Distribution alternate domain names (CNAMEs) should include the naked example.com and site subdomain www.example.com
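The refresher notes above, expressed as the DistributionConfig that boto3’s cloudfront.create_distribution() accepts. This is an added example, not the author’s own code; the bucket website endpoint, aliases and ACM certificate ARN passed in are constructed placeholders. Note that S3 website endpoints only speak HTTP, so the CloudFront-to-origin leg must be http-only; the https_gaps() check makes that remaining plaintext hop explicit.

```python
import uuid


def build_distribution_config(website_endpoint, aliases, acm_cert_arn, comment=""):
    """Return a DistributionConfig dict for boto3 cloudfront.create_distribution()."""
    origin_id = "s3-website-origin"
    return {
        "CallerReference": str(uuid.uuid4()),  # must be unique per create call
        "Comment": comment,
        "Enabled": True,
        "DefaultRootObject": "index.html",
        # Alternate domain names (CNAMEs): the naked domain and the www subdomain.
        "Aliases": {"Quantity": len(aliases), "Items": list(aliases)},
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": origin_id,
                # The S3 *website* endpoint from the "Static website hosting" card.
                "DomainName": website_endpoint,
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    # Website endpoints do not serve HTTPS, so http-only is the only option.
                    "OriginProtocolPolicy": "http-only",
                },
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            # Viewers (here, Cloudflare's edge) are forced onto HTTPS.
            "ViewerProtocolPolicy": "redirect-to-https",
            "ForwardedValues": {"QueryString": False, "Cookies": {"Forward": "none"}},
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
            "MinTTL": 0,
        },
        "ViewerCertificate": {
            "ACMCertificateArn": acm_cert_arn,  # certificate must live in us-east-1
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2019",
        },
    }


def https_gaps(config):
    """List the hops in this distribution that still carry plaintext HTTP."""
    gaps = []
    if config["DefaultCacheBehavior"]["ViewerProtocolPolicy"] == "allow-all":
        gaps.append("viewers may fetch over plain HTTP")
    for origin in config["Origins"]["Items"]:
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy == "http-only":
            gaps.append(f"origin {origin['DomainName']} is fetched over plain HTTP")
    return gaps
```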