// TOM WARSOP

Add HTTPS to Website Hosted in S3

2025/02/11
Tags: Website Hosting HTTPS AWS S3

Introduction

This post goes over the steps to add HTTPS to a website hosted in S3. It's assumed that you have already hosted a static website in S3 and have acquired the domain via Route 53. For information on how to do this see Hosting a Static Website in AWS S3. It is also assumed that you have a root domain (e.g. example.com) and a subdomain (e.g. www.example.com).

There are three steps to this process: requesting a certificate, creating a CloudFront distribution, and updating the A records in Route 53.

Step 1: Requesting a Certificate

The following steps need to be performed in the US East (N. Virginia) region (us-east-1). If this region isn't selected, you won't be able to select the certificate when creating the CloudFront distribution in the next step.

  • Go to Certificate Manager
  • Make sure the region is US East (N. Virginia) (us-east-1)
  • Click on Request
  • Select Request a public certificate
  • In the Fully qualified domain name box enter the root domain e.g. example.com
  • Select Add another name to this certificate and enter a wildcard for the subdomains e.g. *.example.com
  • Make sure DNS validation is selected for the Validation method
  • Click Request
  • Navigate to the certificate entry (you will probably already be taken there after selecting Request in the previous step) and select the Create records in Route 53 option
  • The certificate will have a Pending validation status. After a few minutes this should change to Issued, then you can carry on to the next step

Step 2: Creating a CloudFront Distribution

These steps need to be done for both the www and non-www (root) domains.

  • Go to CloudFront
  • Click Create distribution
  • Under Origin for Origin Domain choose the S3 bucket for the static website
  • A warning box appears about using the S3 website endpoint, select Use website endpoint
  • Under Default cache behaviour set Viewer protocol policy to Redirect HTTP to HTTPS
  • Under Web Application Firewall (WAF) choose to either enable or disable AWS WAF security protections
  • Under Settings:
    • For Alternate domain name (CNAME) - optional click Add item and enter the domain this distribution is for (the root domain or the www subdomain)
    • For Custom SSL certificate choose the certificate created
  • Click Create distribution
  • After CloudFront creates the distribution it will deploy, which can take a few minutes

Step 3: Update A Records in Route 53

  • Go to Route 53
  • Go to Hosted zones
  • Click on the domain in the list
  • For each of the A records (there will be one for the root domain and one for the subdomain):
    • Select the checkbox for the record
    • Click Edit record
    • Change the Route traffic to setting to Alias to CloudFront distribution
    • For Choose distribution select the distribution created in the previous step
    • Click Save
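
A check to run once the three steps are finished, added here as an example and not part of the original post: it confirms that the names on the served certificate cover both hostnames (a wildcard such as *.example.com does not cover example.com itself, which is why Step 1 requests both) and that plain HTTP is redirected to HTTPS. The hostnames are placeholders and the function names are this example's own.

```python
import http.client
import socket
import ssl


def san_covers(san: str, host: str) -> bool:
    """True if one certificate name covers host (a wildcard is exactly one label)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # "*.example.com" covers "www.example.com" but not "example.com"
    # and not "a.b.example.com".
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def uncovered(sans, hosts):
    """Hostnames that none of the certificate names cover."""
    return [h for h in hosts if not any(san_covers(s, h) for s in sans)]


def fetch_sans(host, port=443, timeout=5.0):
    """DNS names in the certificate served for host (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def http_redirects_to_https(host, timeout=5.0):
    """True if http://host/ answers with a redirect to an https:// URL."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
    finally:
        conn.close()
    return resp.status in (301, 302, 307, 308) and location.startswith("https://")


if __name__ == "__main__":
    for name in ("example.com", "www.example.com"):  # placeholder hostnames
        print(name, "uncovered:", uncovered(fetch_sans(name), [name]),
              "redirects:", http_redirects_to_https(name))
```

Run it after the Route 53 changes have propagated; an empty uncovered list and redirects: True for both names means the certificate and the viewer protocol policy are in effect.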

The End