How to run a static blog on AWS
Today I will describe how to build, deploy and serve a website similar to this one. We will primarily use AWS services.
Step 1: Buy a domain name
Most domain names can be bought using AWS’s Route 53. Route 53 is the AWS service responsible for all things related to DNS - you can buy domains, set up records for your domains, and so on. Use Route 53 to buy your domain name. Let us assume your domain name is domain.com.
Step 2: Cert Manager
Once you have purchased a domain, obtain a new SSL certificate for it so that you can serve requests at https://yourdomain.com. AWS has a service called Certificate Manager that is designed exactly for this purpose. Note that you MUST request the certificate in the us-east-1 (N. Virginia) region for it to work with CloudFront.
While creating the certificate, provide two names in the list of domains:
- domain.com
- www.domain.com
This will allow your certificate to be used from either https://domain.com or https://www.domain.com.
Step 3: S3
S3 stands for Simple Storage Service and it can store files of any kind. Create a new bucket in S3 (any region) that will contain all your static assets. Block public access to your S3 bucket. Upload your static assets if you have them, or a dummy index.html if you don’t.
Step 4: CloudFront
CloudFront is a CDN (content distribution network) which will help us serve our website to every corner of the world, handle HTTPS, enforce custom rules, etc. Create a new CloudFront distribution that will serve your traffic. Use the following settings for your distribution:
- Origin Path : select your bucket name from the drop-down; it should look like bucket-name.s3.amazonaws.com
- Origin Access Identity : create a new identity if you don’t already have one. This is so that CloudFront can “read” the contents of your S3 bucket. Don’t select the option for auto-updating the bucket’s policy - we will come back to that
- Viewer Protocol Policy : I recommend using Redirect HTTP to HTTPS. This will ensure that user requests to http://domain.com always get redirected to https://domain.com
- SSL certificate : select the certificate that you created in AWS Cert Manager
- Security policy : use TLSv1.2
- Default root object: index.html
- Turn off Logging
- Price class: Use All Edge Locations (Best Performance)
- Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0
- IPv6: Enabled
Step 5: S3
Update your S3 bucket’s policy to look like:
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI-ID}"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{bucket-name}/*"
        }
    ]
}
where you MUST:
- replace OAI-ID in the policy by looking up your OAI’s ID
- replace bucket-name with your own
Test that you can access your website by opening your CloudFront domain in a browser. The domain should look like {random-text}.cloudfront.net.
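Before relying on the policy from Step 5, it helps to confirm that it grants nothing beyond what is shown above. The following check is an added example, not part of the original post: it flags any Allow statement whose principal, action or resource differs from the Step 5 policy. The bucket name, OAI ID and the public policy are constructed sample values, and `audit_policy` is a hypothetical helper name.

```python
import json

OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket, oai_id):
    """Return findings; an empty list means every Allow matches the Step 5 policy."""
    want_principal = OAI_ARN_PREFIX + oai_id
    want_resource = f"arn:aws:s3:::{bucket}/*"
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # Anything other than {"AWS": <OAI ARN>} ("*", a missing Principal,
        # other principal types) is treated as not restricted to the OAI.
        if isinstance(principal, dict) and set(principal) == {"AWS"}:
            arns = set(as_list(principal["AWS"]))
        else:
            arns = {None}
        if arns != {want_principal}:
            findings.append(f"{sid}: principal is not limited to the OAI")
        actions = {str(a).lower() for a in as_list(stmt.get("Action", []))}
        if actions != {"s3:getobject"}:
            findings.append(f"{sid}: action is not exactly s3:GetObject")
        if set(as_list(stmt.get("Resource", []))) != {want_resource}:
            findings.append(f"{sid}: resource is not {want_resource}")
    return findings

# Constructed sample values (not from the original post).
BUCKET, OAI_ID = "example-blog-bucket", "EXAMPLEOAIID01"

GOOD_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "1", "Effect": "Allow",
    "Principal": {"AWS": OAI_ARN_PREFIX + OAI_ID},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

# Constructed counter-example: a public statement that bypasses CloudFront.
PUBLIC_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_policy(doc, BUCKET, OAI_ID) or "OK")
```

Paste the policy from your bucket’s Permissions tab into a string and pass it in with your own bucket name and OAI ID; an empty result means the bucket is readable only through your CloudFront identity.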
Step 6: Route 53
Navigate to your hosted zones in Route 53 and select the zone for your domain. Add the following A records to the zone:
Name | Type | Alias | Target |
---|---|---|---|
.domain.com | A - IPv4 address | Yes | yourcloudfront.cloudfront.net |
www.domain.com | A - IPv4 address | Yes | domain.com |
Step 7: Success!
Navigate to domain.com & www.domain.com - they should both work and redirect you to the https version of your website.