- Lab
-
Libraries: If you want this lab, consider one of these libraries.
- Cloud

Setting Up AWS CloudFront as an HTTPS Endpoint for S3
In this hands-on lab, we'll be setting up a CloudFront distribution in front of an S3 bucket website and securing it via HTTPS provided by CloudFront. AWS CloudFront is a versatile caching service (CDN) that helps with lowering latency when accessing objects over the internet. Additionally, it can act as an HTTPS termination point for your cached website — thus, providing a secure way of distributing your content over the internet.

Lab Info
Table of Contents
-
Challenge
Upload Content to S3 Bucket
-
Upload the
index.html
file to the bucket (replacing<BUCKET_NAME_PROVIDED>
with the S3 bucket name listed on the lab page):aws s3 cp index.html s3://<BUCKET_NAME_PROVIDED>
-
-
Challenge
Create CloudFront OAI
-
Create a CloudFront origin access identity so it can get content from your S3 bucket on your behalf (replacing
<YOUR_UNIQUE_UUIDGEN_HERE>
with theuuidgen
):aws cloudfront create-cloud-front-origin-access-identity --cloud-front-origin-access-identity-config CallerReference=<YOUR_UNIQUE_UUIDGEN_HERE>,Comment=MyOAI
-
Copy the
Id
andEtag
in the output and paste them into a text file, as we'll need them later.
-
-
Challenge
Modify S3 Policy File in Directory and Execute It Against S3 Bucket
-
Modify the provided
policy_cloudfront.json
file in the home directory ofcloud_user
. -
Execute this policy against the S3 website bucket (first changing to the
home
directory):cd aws s3api put-bucket-policy --bucket <BUCKET_NAME> --policy file://policy_cloudfront.json
-
-
Challenge
Create CloudFront Distribution
-
Create a CloudFront distribution:
aws cloudfront create-distribution --origin-domain-name <BUCKET_NAME>.s3.amazonaws.com --default-root-object index.html
This will give you a lengthy output. Find and note/save the
ETag
andId
of the CloudFront distribution from within that returned JSON string, as you'll need them later to update it.
-
-
Challenge
Get and Update the CloudFront Distribution Config
-
Get the CloudFront distribution config and filter out the distribution-specific part:
aws cloudfront get-distribution-config --id $CF_ID | jq -r .DistributionConfig > dist-config.json
-
Modify the following properties in the newly created
dist-config.json
file:OriginAccessIdentity
under keyOrigin
should beorigin-access-identity/cloudfront/<OAI_ID>
(don't forget to replace<OAI_ID>
with the actual OAI ID).PriceClass
should bePriceClass_100
.ViewerProtocolPolicy
should beredirect-to-https
.
-
-
Challenge
Update CloudFront Distribution with the Modified `dist-config.json` File
-
Update the CloudFront distribution with the
dist-config.json
file:aws cloudfront update-distribution --id $CF_ID --distribution-config file://dist-config.json --if-match $CF_ETAG
-
-
Challenge
Test and Verify
In the CloudFront Console, copy the CloudFront distribution domain name and paste it into a browser tab to confirm the website is working.
Note: CloudFront distributions can take about 20 minutes to be globally effective. It might work for you immediately or within a few minutes after you create it, so be patient and wait for it to deploy before you test.
About the author
Real skill practice before real-world application
Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
Learn by doing
Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.
Follow your guide
All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.
Turn time into mastery
On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.