We are running a static website in S3 using CloudFront for distribution. CloudFront has an SSL Certificate assigned, so we are receiving HTTPS traffic and redirecting HTTP to HTTPS.
What I'm trying to determine is that does mean that TLS is enforced from CloudFront to the S3 Static Site?
If so, I am looking for a reference stating that - we need to have end to end encryption applied for compliance and I need to be able to verify/prove that this is in place.
Thanks !!!
CodePudding user response:
does mean that TLS is enforced from CloudFront to the S3 Static Site?
No its not. Static S3 websites are HTTP only. Docs explain that:
If your Amazon S3 bucket is configured as a website endpoint, you can't configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn't support HTTPS connections in that configuration.
we need to have end to end encryption applied for compliance
For end-to-end ssl you have to setup setup origin access identity (OAI) for your CF. This means that the bucket can't be in website mode. Instead, it has to be configured for OAI access as explained in the docs. To enforce HTTPS between CF and S3 you must ensure that your "Viewer Protocol Policy to Redirect HTTP to HTTPS or HTTPS Only".