Enable HTTPS for (only) a Subdomain that loads an S3 Bucket | IAM?

0

Hello,

My client has domain.com hosted on another hosting company.

They currently have sub.domain.com load a bucket here, using a CNAME record value like s0m3th1ng.cloudfront.net

It worked perfectly for around a decade, but now we want to load the subdomain over HTTPS. domain.com, on the other hosting, has HTTPS activated.

How could one achieve that?

My client gave me 'database admin' permission, which allows me to see buckets and the files. But I can't find sub.domain.com written anywhere. Can you also tell me what permission(s) my client should give me to safely set up this matter?

Thank you.

rlatief
asked 8 months ago · 208 views
1 Answer
0

You will need permission in ACM to create a certificate for sub.domain.com. You will also need permissions in CloudFront to add the certificate to the distribution and add the alternate domain of sub.domain.com to the distribution. See: Using alternate domain names and HTTPS.

In response to the comment below: There are a couple of AWS managed policies that they could assign to you. See: CloudFrontFullAccess and AWSCertificateManagerFullAccess.

Those two policies are not least privileged, but they could start with these and add Resources and Conditions to restrict you to your specific task by creating a customer-managed policy.

kentrad
answered 8 months ago
  • Hello, may I bother you a little bit more?

    It seems like my client is still having trouble setting it up themselves, and also in providing permissions to other users.

    I once had an ECS account, but that was more than a decade ago. I haven't used AWS since then, so I'm quite unfamiliar with it.

    My client gave me 'database admin' permission. I have a feeling that the permissions you mentioned can't be set up in the same easy way as setting up that 'database admin' permission?

    If that's the case, could you suggest a simpler way for my client to provide me with the necessary permissions? Perhaps an easy-to-set-up, broader permission that doesn't include access to billing, etc.?

    Thanks in advance!
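
Added example (not part of the original answer or from AWS): a sketch of the customer-managed policy the answer describes, with Resources and Conditions narrowing the two managed policies to this one task. The account ID `111122223333` and distribution ID `EXAMPLEDISTID` are placeholders to replace with the client's real values; `sub.domain.com` is the subdomain from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequestCertForSubdomainOnly",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-east-1" },
        "ForAllValues:StringEquals": { "acm:DomainNames": ["sub.domain.com"] }
      }
    },
    {
      "Sid": "ReadCertificateStatus",
      "Effect": "Allow",
      "Action": ["acm:ListCertificates", "acm:DescribeCertificate"],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestedRegion": "us-east-1" }
      }
    },
    {
      "Sid": "FindTheDistribution",
      "Effect": "Allow",
      "Action": "cloudfront:ListDistributions",
      "Resource": "*"
    },
    {
      "Sid": "EditOneDistributionOnly",
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:UpdateDistribution"
      ],
      "Resource": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
    }
  ]
}
```

The ACM statements are pinned to us-east-1 because CloudFront only accepts ACM certificates from that Region. Validating the certificate by DNS still requires adding a record at the company that hosts domain.com's DNS, which this policy cannot grant.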
