Create AWS SSL Certificates in Amazon Certificate Manager (video, duration: 53 seconds, language: EN)

Step-by-step guide to requesting an ACM TLS certificate, validating it via Route53, and serving an S3 static site over HTTPS through CloudFront with the matching DNS updates

Why this exists and why you should care

Want your static website to stop freaking out browsers with scary "Not secure" warnings and actually use HTTPS like a grown-up? This guide walks you through requesting a public TLS certificate in AWS Certificate Manager using DNS validation in Route53 and then wiring that certificate to CloudFront so your S3 hosted site serves over HTTPS. It is practical, repeatable and mildly sarcastic when AWS decides to nap during a deployment.

Request a public certificate in ACM

Head to ACM in the us-east-1 (N. Virginia) region, because CloudFront only accepts ACM certificates issued there. Request a public TLS certificate for the apex domain and any subdomains you care about, such as www. Choose DNS validation when prompted. If your domain is managed in Route53 you can ask ACM to create the validation records automatically, or copy the CNAME name and value pairs and paste them into the hosted zone yourself.

Key points to remember

  • Request the certificate in us-east-1 for CloudFront compatibility
  • Add both the bare domain and common subdomains like www
  • Use DNS validation so AWS provides CNAME records you can add to Route53

Prepare the S3 bucket for static hosting

Create an S3 bucket named for the domain you plan to use. You can enable S3 static website hosting if you want the bucket to respond directly, but for a production ready HTTPS setup keep the bucket private and use CloudFront as the public face. Upload your site files and set an index document and an error page as needed.

Do not make the bucket public if you care about security. Instead configure an origin access control (OAC) or the older origin access identity (OAI) so CloudFront is the only thing that can fetch objects.

Create the CloudFront distribution

Create a CloudFront distribution and point the origin to your S3 bucket. In the alternate domain name field add your custom domain. Then attach the ACM certificate you requested in us east 1. Set the viewer protocol policy to redirect HTTP to HTTPS so visitors get encrypted traffic even if they type an insecure URL.

Configure origin access control so the bucket does not need to be public. Also pick a minimum TLS version such as TLS 1.2 to keep things modern and less embarrassing.

Update Route53 DNS and wait

In Route53 create an A record that is an alias to the CloudFront distribution's domain name (the one ending in cloudfront.net). For the apex domain an alias record is the only option, since a CNAME cannot sit at the zone apex; for subdomains add the matching alias records. DNS and distribution deployment both take time, so relax and have a beverage while things propagate.
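As an added Python example (not from the video and not AWS code), here is the scripted equivalent of the four console steps above: it checks that the certificate lives in us-east-1, turns ACM's DomainValidationOptions into the Route53 change batch that adds the validation CNAMEs, builds the bucket policy that restricts reads to one distribution's OAC, and builds the alias A record. The describe-certificate JSON is a constructed sample shaped like the real API response; the domain, account id, certificate ARN and distribution ids are placeholders, and the hosted zone id constant is the fixed value AWS documents for alias records that target CloudFront.

```python
import json

# Constructed sample: the shape `aws acm describe-certificate` returns for a
# DNS-validated certificate still waiting on its CNAME records. The domain,
# ARN, account id and record names are made up for this example.
SAMPLE_DESCRIBE_CERTIFICATE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID",
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_def456.acm-validations.aws."}},
        {"DomainName": "www.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_ghi789.www.example.com.", "Type": "CNAME",
                            "Value": "_jkl012.acm-validations.aws."}},
    ],
}}

# Fixed hosted zone id that AWS documents for alias records targeting any
# CloudFront distribution; it is the same value in every account.
CLOUDFRONT_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def certificate_region(cert_arn):
    """Return the region component of an ACM certificate ARN."""
    return cert_arn.split(":")[3]


def check_usable_by_cloudfront(cert_arn):
    """CloudFront only accepts ACM certificates from us-east-1; fail early otherwise."""
    region = certificate_region(cert_arn)
    if region != "us-east-1":
        raise ValueError(f"certificate lives in {region}; CloudFront needs it in us-east-1")
    return True


def validation_change_batch(describe_output):
    """Turn ACM's validation CNAMEs into a Route53 ChangeBatch (UPSERT is safe to re-run)."""
    changes, seen = [], set()
    for option in describe_output["Certificate"]["DomainValidationOptions"]:
        record = option["ResourceRecord"]
        key = (record["Name"], record["Value"])
        if key in seen:  # an apex name and its wildcard share one CNAME; add it once
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": record["Name"], "Type": record["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": record["Value"]}]}})
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy that lets only this distribution (through its OAC) read objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # Without this condition any distribution in any account could read the bucket.
        "Condition": {"StringEquals": {"AWS:SourceArn":
            f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
    }]}


def alias_change_batch(domain, distribution_domain):
    """Route53 alias A record pointing a domain (apex or sub) at the distribution."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": domain, "Type": "A",
        "AliasTarget": {"HostedZoneId": CLOUDFRONT_HOSTED_ZONE_ID,
                        "DNSName": distribution_domain,
                        "EvaluateTargetHealth": False}}}]}


if __name__ == "__main__":
    cert_arn = SAMPLE_DESCRIBE_CERTIFICATE["Certificate"]["CertificateArn"]
    check_usable_by_cloudfront(cert_arn)
    print(json.dumps(validation_change_batch(SAMPLE_DESCRIBE_CERTIFICATE), indent=2))
    print(json.dumps(oac_bucket_policy("example.com", "123456789012", "E2EXAMPLEDIST"), indent=2))
    print(json.dumps(alias_change_batch("example.com", "d111111abcdef8.cloudfront.net"), indent=2))
```

Save the two change batches and the policy to files and feed them to `aws route53 change-resource-record-sets --hosted-zone-id <your zone id> --change-batch file://validation.json` and `aws s3api put-bucket-policy --bucket <your bucket> --policy file://policy.json`. The SourceArn condition is the part that turns "CloudFront can read this bucket" into "this one distribution can read this bucket"; leaving it out is the most common way an OAC setup ends up more open than intended.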

Troubleshooting tips

  • If validation shows pending check that the Route53 CNAME entries match the ACM values exactly
  • If the site shows mixed content search for HTTP assets and update them to use HTTPS or relative paths
  • If the certificate is not selectable in CloudFront verify it is in us-east-1 and that its status is Issued
  • For access errors confirm the origin access control or bucket policy allows CloudFront to read objects
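For the first two troubleshooting bullets, an added Python example (not the video's own material) that turns the eyeball checks into code: diagnose_validation compares the CNAMEs ACM expects with what the hosted zone actually contains, normalising case and trailing dots because those are the usual reasons a record "looks right" in the console but never validates, and find_mixed_content lists the http:// asset references in a page (plain links are not mixed content, only loaded resources are). Both API responses and the HTML are constructed samples with made-up names.

```python
from html.parser import HTMLParser

# Constructed sample of `aws acm describe-certificate` output, reduced to the
# validation records; names and values are made up for this example.
ACM_OUTPUT = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "example.com",
     "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "www.example.com",
     "ResourceRecord": {"Name": "_ghi789.www.example.com.", "Type": "CNAME",
                        "Value": "_jkl012.acm-validations.aws."}},
]}}

# Constructed sample of `aws route53 list-resource-record-sets` output: the apex
# validation CNAME was typed with a typo in its value and the www one is missing.
ROUTE53_OUTPUT = {"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "_ABC123.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "_def456.acm-validation.aws."}]},
]}


def normalise(name):
    """DNS names are case-insensitive; compare them lower-cased with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def diagnose_validation(acm_output, route53_output):
    """Return one line per ACM validation CNAME that is missing or wrong in the zone."""
    present = {}
    for rrset in route53_output["ResourceRecordSets"]:
        if rrset["Type"] == "CNAME":
            present[normalise(rrset["Name"])] = normalise(rrset["ResourceRecords"][0]["Value"])
    problems = []
    for option in acm_output["Certificate"]["DomainValidationOptions"]:
        record = option["ResourceRecord"]
        name, expected = normalise(record["Name"]), normalise(record["Value"])
        if name not in present:
            problems.append(f"{option['DomainName']}: CNAME {name} is missing")
        elif present[name] != expected:
            problems.append(f"{option['DomainName']}: CNAME {name} points to "
                            f"{present[name]}, ACM expects {expected}")
    return problems


# Attributes that make the browser load a sub-resource; an <a href> is only a link.
ASSET_ATTRS = {"img": "src", "script": "src", "iframe": "src", "source": "src",
               "video": "src", "audio": "src", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collect asset URLs that are fetched over plain http://."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = ASSET_ATTRS.get(tag)
        if wanted is None:
            return
        for key, value in attrs:
            if key == wanted and value and value.lower().startswith("http://"):
                self.insecure.append(value)


def find_mixed_content(html):
    """Return the http:// asset references that would trigger mixed-content warnings."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.insecure


# Constructed sample page with one insecure asset and one harmless plain link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://cdn.example.com/logo.png" alt="logo">
<a href="http://example.org/">a plain link is not mixed content</a>
</body></html>"""


if __name__ == "__main__":
    for line in diagnose_validation(ACM_OUTPUT, ROUTE53_OUTPUT):
        print("validation:", line)
    for url in find_mixed_content(SAMPLE_HTML):
        print("mixed content:", url)
```

Run it against real output by saving `aws acm describe-certificate --certificate-arn <arn> --region us-east-1` and `aws route53 list-resource-record-sets --hosted-zone-id <zone>` to JSON files and loading them in place of the two constructed dicts; for the mixed-content check, point it at the files you upload to the bucket rather than the live site, so the fix lands before CloudFront serves it.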

Wrap up

This process gives you HTTPS for a static S3 site with ACM handling certificates and CloudFront delivering content fast and securely. It is a bit of clicking and waiting but the outcome is worth it. Now go forth and serve your static site over HTTPS like someone who knows what they are doing.

I know how you can get Azure Certified, Google Cloud Certified and AWS Certified. It's a cool certification exam simulator site called certificationexams.pro. Check it out, and tell them Cameron sent ya!
