As I mentioned in a previous post, I am migrating a number of static websites from Apache on bare metal to an object store and a CDN in the cloud. Namely, this is AWS S3 and CloudFront. To avoid too much manual grooming of pet yaks, I also went directly for Infrastructure-as-Code with CloudFormation, with the objective of creating a relatively simple reusable web+CDN template.
This is not a new topic, and a number of resources already exist around the web. I, for example, started with this one, which does a fairly decent job. There are, however, a number of fine details which I have found were tricky to get right, could lead into incompatibilities, and for which accurate documentation was hard to find (even ChatGPT failed to provide a correct answer, though this is not entirely surprising).
The goal of this post is to call those out, and provide the CloudFormation template mentioned above for those looking for a base. The template will:
- create an S3 bucket for use as a website endpoint
- create a CloudFront distribution using that bucket as an Origin
- create a few DNS entries
- create a TLS certificate for the service
tl;dr:
- The S3 website endpoint behaves like a website, returning directory index documents, or HTML errors documents.
- The bucket needs to be public for this to work, and it is not possible to use either OAI nor OAC to limit access to the CloudFront distribution only. The solution is to control access based on the
Refererheader - Generating TLS certificates with CertificateManager will fail with no clear explanation if the CAA policy for the domain forbids it.