I'm currently hosting a Single Page Application (SPA) on AWS and have set it up with the following configuration: my frontend code is deployed in an S3 bucket with static website hosting enabled, and I'm using CloudFront configured with the S3 website endpoint as the origin. My backend API, which is secured via HTTPS, uses JWTs for authentication. I have everything working as it should, but I'm starting to worry about the security aspect. My main question is: given that S3 website hosting only supports HTTP, is the traffic from S3 to CloudFront encrypted? I'm concerned that content, particularly HTML/JS files that might handle JWTs or authentication logic, could potentially be intercepted or tampered with while traveling from S3 to CloudFront. I'd appreciate any insights or experiences from others in the community. Thanks!
6 Answers
From what I know, traffic between CloudFront and other AWS services like S3 is typically encrypted as it flows through AWS’s own network. They state that all data moving across their global network is encrypted at the physical layer before leaving their secured facilities. So generally, you should be covered there, but still, consider if you even need the website endpoint as mentioned before.
For a more secure setup, consider this: use an S3 origin with OAC, implement CloudFront Functions to handle dynamic paths (like /login), and maybe add a WAF if you're looking for extra security measures. This setup is a straightforward way to handle your needs with an SPA.
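An added example, not part of the original thread: a viewer-request CloudFront Function for the setup suggested above (S3 REST origin with OAC instead of the website endpoint). Without the website endpoint's index/error document handling, client-side routes such as /login have no matching object in the bucket, so the function maps them to the SPA shell. The `/index.html` entry point and the file-extension heuristic are assumptions.

```javascript
// Viewer-request CloudFront Function for an SPA served from a private
// S3 bucket (REST endpoint + OAC). Added example; names are illustrative.
var SPA_ENTRY = '/index.html'; // assumption: object key of the SPA shell

// True when the last path segment looks like a static file, i.e. it has
// a non-empty name and a non-empty extension ("app.js", "logo.svg").
function isStaticAsset(uri) {
    var lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
    var dot = lastSegment.lastIndexOf('.');
    // dot > 0 rejects dotfiles such as "/.env"; the second check
    // rejects a trailing dot such as "/file."
    return dot > 0 && dot < lastSegment.length - 1;
}

// CloudFront invokes handler(event) for every viewer request.
function handler(event) {
    var request = event.request;
    // Dots in earlier segments ("/v1.2/settings") do not count: only the
    // last segment decides whether this is a file or a client-side route.
    if (!isStaticAsset(request.uri)) {
        request.uri = SPA_ENTRY;
    }
    return request; // forwarded to the S3 origin over CloudFront's signed request
}
```

Real static files pass through unchanged, so a missing asset still surfaces as an S3 error instead of silently returning the HTML shell.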
CloudFront essentially just delivers your HTML/JS files to the web browsers. The JavaScript runs on the client's side, so it's the web browser that deals with the JWTs, not CloudFront or S3 directly.
I recommend avoiding S3 website endpoints with CloudFront. Instead, use the bucket directly as the origin. That way, you're not relying on HTTP, which will help keep your traffic more secure.
And don't forget to set up Origin Access Control (OAC) for added security!
Actually, CloudFront uses its own TLS certificate for secure connections. While the traffic from CloudFront to clients is encrypted using HTTPS, the connection from S3 using a website endpoint remains HTTP. So, if that’s a concern, be mindful of how you set up your origin.
Yes, just remember, while the client-to-CloudFront connection is secure with HTTPS, the S3-to-CloudFront connection is still HTTP, so you want to keep that in mind.
Is your S3 bucket public? You don't need to make it public if you're using CloudFront. You can directly set the S3 bucket as the origin, not the website endpoint, which helps improve security.
Got it! So it means that the client makes further requests to the API after the initial page load. That clarifies things!