Enabling SSL on a subdomain with AWS S3 and ACM


I have a site example.com that lives on S3. I have set up HTTP -> HTTPS forwarding successfully for this site.

I also have a subdomain, blog.example.me that also lives on S3, which I want to enable SSL with. Right now, it only supports HTTP. I am using Route 53 for routing and Cloudfront as a CDN.

I have looked for documentation on this issue, but have yet to find something that works. Do I have to create a new certificate, or can I use the same cert that example.com uses? If I can use the same certificate, which piece of AWS should I start with?


For the certificate, it depends on whether it's a wildcard certificate that covers the whole domain. An example of a wildcard certificate would be *.example.com; then you can use the same certificate for your subdomain(s).

A typical hosted secured site with S3 and CloudFront would follow these steps:

Create an S3 Bucket

Bucket name – your domain name

Select your bucket, go to Properties -> Static Website Hosting, then Enable Website Hosting

Grant public read access to allow CloudFront to read from your bucket.

Get SSL certificate / Use existing if applies

AWS provides free SSL certificates, which work with browsers that support SNI. You can import your own SSL certificate.

CloudFront configuration

Create a new Web distribution. Under Origin Settings, use the Endpoint
you copied from your S3 bucket’s static hosting setup. Many other
guides instruct this without explaining why — this is because if you
have redirect rules configured with your S3 bucket and you specify the
internal AWS S3 resource, the redirects will no longer work.
Therefore, you must specify the website endpoint domain to ensure
redirection functionality works.

Under Default Cache Behavior Settings, it’s worth selecting Redirect
HTTP to HTTPS and narrowing down the Allowed HTTP Methods — for a
static website, GET and HEAD will do.

Under CloudFront distribution settings, configure:

  • Set your domain names under Alternate Domain Names (yourdomain.com,
    and optionally, www.yourdomain.com)
  • Configure SSL by selecting Custom SSL Certificate, then choosing the
    certificate generated or imported into Certificate Manager.
  • Finally, specify the Default Root Object. This should match your S3
    bucket’s Index Document, usually index.html. This is simply where all
    requests are redirected to when a client requests your website URL
    without a path.

Route 53 configuration:

  • Head over to hosted zones
  • Select the hosted zone for the domain or subdomain you wish to use
  • Create a record for your site: select Alias, and in the dropdown you should see your CloudFront distribution. Select it as your alias target and save it.

For more detailed info check: https://medium.com/@willmorgan/moving-a-static-website-to-aws-s3-cloudfront-with-https-1fdd95563106
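
The wildcard rule from the answer above can be checked before changing the CloudFront distribution. This is an added example, not part of the original answer: it takes a dictionary shaped like the `Certificate` object returned by `aws acm describe-certificate` (the sample values are constructed) and reports which hostnames the certificate covers. It also requires the certificate to be issued and to live in us-east-1, the region CloudFront takes ACM certificates from.

```python
# Added example: checks which hostnames an ACM certificate can serve on CloudFront.

CLOUDFRONT_ACM_REGION = "us-east-1"  # CloudFront only accepts ACM certificates from this region


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands
    for exactly one label: *.example.com covers blog.example.com but
    neither example.com nor a.blog.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least a registrable domain after the wildcard label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_certificate(cert: dict, hosts: list[str]) -> dict:
    """Report, per hostname, whether this certificate can be attached for it."""
    names = set(cert.get("SubjectAlternativeNames", [])) | {cert["DomainName"]}
    region = cert["CertificateArn"].split(":")[3]  # arn:aws:acm:<region>:<account>:...
    usable = cert.get("Status") == "ISSUED" and region == CLOUDFRONT_ACM_REGION
    return {
        host: usable and any(name_matches(n, host) for n in names)
        for host in hosts
    }


# Constructed sample; the account id and certificate id are placeholders.
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "ISSUED",
}

if __name__ == "__main__":
    hosts = ["example.com", "blog.example.com", "a.blog.example.com", "blog.example.me"]
    for host, ok in check_certificate(SAMPLE_CERT, hosts).items():
        print(f"{host:22} {'covered' if ok else 'needs another certificate'}")
```

A hostname reported as not covered needs its own certificate, or a reissued one that lists it, before it can be added under Alternate Domain Names.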
