3

I've set up a static website on Amazon S3. I also wanted an SSL certificate for my custom domain name, so I had to set up ACM + Cloudfront as well. This is working fine (connections between Cloudfront and clients are encrypted), but there is a detail that is bugging me: the connection between Cloudfront and S3 is over plain HTTP. This is because apparently the S3 web endpoint doesn't support HTTPS. The REST one does, but it seems I can't use it as it breaks clean URLs with my site (e.g. see https://stackoverflow.com/questions/22740084/amazon-s3-redirect-and-cloudfront).

My question being: is it really not possible to have Cloudfront and S3 communicate over HTTPS? If not, could an attacker do a MITM between Cloudfront and S3? It's not like my website is doing financial transactions, but still it's quite annoying that HTTPS works only in the "front-end".

eang

1 Answer

1

I believe CloudFront uses a private AWS network to connect to S3, so the risks are relatively low. I would ensure you block public bucket access and use an origin access identity, and this will probably ensure security is adequate.

I can't see how a MITM attack could be done here, but I will also say this isn't an area where I have a lot of experience. Interested in others' opinions.

This page confirms that https isn't supported for website endpoints.

Tim
  • It seems I can't set an Origin Access Identity because my distribution is using a "custom origin" and not an "S3 origin". But if Amazon uses a private network as you say, that should be good enough. – eang Sep 26 '16 at 08:47
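An added example (not code from the question or the answer) that audits a CloudFront origin list for the two points raised in this thread: origins fetched over plaintext HTTP, and S3 origins with no origin access identity. The origin structure is a constructed sample following the field names of CloudFront's `DistributionConfig` `Origins` element; the bucket and domain names are made up.

```python
import re

# Constructed sample in the shape of DistributionConfig["Origins"].
# Field names follow the CloudFront API; the values are invented.
ORIGINS = {
    "Quantity": 2,
    "Items": [
        {   # S3 website endpoint used as a custom origin, as in the question
            "Id": "site-website-endpoint",
            "DomainName": "example-bucket.s3-website-eu-west-1.amazonaws.com",
            "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                   "OriginProtocolPolicy": "http-only"},
        },
        {   # S3 REST endpoint used as an S3 origin, but with no OAI set
            "Id": "assets-rest-endpoint",
            "DomainName": "example-assets.s3.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity": ""},
        },
    ],
}

# S3 website endpoints look like bucket.s3-website-<region>.amazonaws.com
# or bucket.s3-website.<region>.amazonaws.com.
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")


def audit_origin(origin):
    """Return a list of findings (strings) for one CloudFront origin."""
    findings = []
    name = origin["DomainName"]
    custom = origin.get("CustomOriginConfig")
    s3cfg = origin.get("S3OriginConfig")
    if custom is not None:
        if custom.get("OriginProtocolPolicy") == "http-only":
            findings.append("origin fetch is plaintext HTTP (OriginProtocolPolicy=http-only)")
        if WEBSITE_ENDPOINT.search(name):
            findings.append("S3 website endpoint: HTTPS to origin and OAI are unavailable, "
                            "so the objects it serves must be publicly readable")
    elif s3cfg is not None:
        if not s3cfg.get("OriginAccessIdentity"):
            findings.append("S3 origin without an origin access identity: "
                            "the bucket must be readable by anyone")
    return findings


def audit_distribution(origins):
    """Map each origin Id to its findings; an empty list means no issue found."""
    return {o["Id"]: audit_origin(o) for o in origins["Items"]}
```

Run `audit_distribution(ORIGINS)` against the real `Origins` element from `aws cloudfront get-distribution-config` to get the same report for a live distribution.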