Hey everyone! I'm hosting a Single Page Application (SPA) on AWS and have set it up using the following configurations: my frontend is deployed to an S3 bucket with static website hosting enabled, and I've got CloudFront configured with the S3 website endpoint as the origin. My backend is a separate API secured with HTTPS and relies on JWTs for authentication. Everything seems to be working fine, but now I'm having some security concerns. Since S3 website hosting only supports HTTP, I'm worried about whether the traffic between S3 and CloudFront is secure. Specifically, could the content, especially HTML and JS files that handle JWTs or auth logic, be intercepted or tampered with as it travels from S3 to CloudFront? I'd really appreciate hearing how others handle this in production. Thanks!
6 Answers
Here's a reliable setup: use an S3 origin with Origin Access Control, utilize CloudFront Functions for dynamic routing, and consider setting up WAF for additional security. It's mostly straightforward, but you might need to manage custom error pages for your SPA.
Just a heads up, CloudFront distributes the HTML and JS to the web browsers. The JWT handling happens on the client-side, not through CloudFront or S3. So, it's important to ensure your JavaScript manages the JWTs correctly once they're in the browser.
From what I've read, traffic going from CloudFront to any AWS origin, like S3, is usually encrypted while in transit across AWS's network. AWS encrypts all data at the physical level before it leaves their secured locations. But using the website endpoint with CloudFront might not be necessary after all.
Is your S3 bucket public? If you use CloudFront, you don’t have to make it public; just set the S3 bucket as the origin, not the website endpoint.
Actually, CloudFront uses its own TLS certificate, so while traffic from CloudFront to the client is encrypted (HTTPS), the connection from S3 to CloudFront is HTTP when using website endpoints. Just something to think about!
Right, so just to clarify: traffic from the client to CloudFront is secure (HTTPS), but from S3 to CloudFront isn't if you're using the website hosting option?
I wouldn't recommend using S3 website endpoints with CloudFront. Instead, just use the S3 bucket directly as an origin. It’s more secure that way.
And don’t forget to set up Origin Access Control (OAC) for extra security!
Got it! So, the browser makes a separate request post page load to a third-party URL for the JWT, right?
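The origin setup debated in this thread can be checked mechanically. The following is an added example, not part of any post: a Python audit over a CloudFront `DistributionConfig` (the structure returned by `aws cloudfront get-distribution-config`) that flags S3 website-endpoint origins, which CloudFront can only fetch over HTTP, and S3 origins without Origin Access Control. The sample config, bucket names and IDs are constructed.

```python
import re

# S3 website endpoints look like <bucket>.s3-website-<region>.amazonaws.com
# or <bucket>.s3-website.<region>.amazonaws.com and only accept HTTP.
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

def audit_origins(distribution_config):
    """Map each origin Id in a DistributionConfig dict to a finding string."""
    results = {}
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        domain = origin["DomainName"].lower()
        custom = origin.get("CustomOriginConfig")
        s3 = origin.get("S3OriginConfig")
        if WEBSITE_ENDPOINT.search(domain):
            finding = "s3-website-endpoint: origin fetch is plain HTTP"
        elif custom and custom.get("OriginProtocolPolicy") != "https-only":
            finding = "custom origin may be fetched over HTTP"
        elif s3 is not None and not origin.get("OriginAccessControlId"):
            if s3.get("OriginAccessIdentity"):
                finding = "S3 origin uses legacy OAI, not OAC"
            else:
                finding = "S3 origin has no OAC or OAI"
        else:
            finding = "ok"
        results[origin["Id"]] = finding
    return results

# Constructed sample (not from the thread): bucket names and IDs are made up.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "spa-website",
         "DomainName": "example-spa.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "spa-rest-oac",
         "DomainName": "example-spa.s3.us-east-1.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""},
         "OriginAccessControlId": "EXAMPLEOACID"},
        {"Id": "spa-rest-open",
         "DomainName": "example-spa.s3.us-east-1.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]}
}

if __name__ == "__main__":
    for origin_id, finding in audit_origins(SAMPLE_CONFIG).items():
        print(f"{origin_id}: {finding}")
```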