Set Up Your Own Secure Website on AWS Using AWS Route 53 and Certificate Manager

Securing your website with HTTPS is crucial for ensuring data integrity and privacy. In this guide, we’ll walk you through the process of configuring HTTPS for our EC2-hosted website using AWS Route 53, Certificate Manager, and a Load Balancer. By the end, our website will be secure and redirect all HTTP traffic to HTTPS.

Prerequisites

Before we start, ensure you have the following:

  • An AWS account
  • A domain name registered through Route 53 or another domain registrar
  • A running EC2 instance with a hosted website.
  • Basic knowledge of AWS services

Step 1: Set Up Your Domain with Route 53

Log in to our AWS Management Console and go to Route 53. This service allows us to manage our domain’s DNS settings directly within AWS.

Create a hosted zone for your domain.

  • Click on “Create Hosted Zone”.
  • Enter your domain name and leave the default settings.
  • Note down the nameservers (NS) provided by Route 53. We will need to update these at our domain registrar if our domain was registered elsewhere.

A hosted zone is a container for records that define how we want to route traffic for our domain. By setting up a hosted zone, we enable Route 53 to manage our domain’s DNS records.

Next, update our domain’s DNS settings to point to the Route 53 name servers provided in the hosted zone. We’ll need to update our domain registrar’s settings to use the name servers provided by Route 53.

This allows AWS to manage DNS for your domain, which is crucial for setting up the SSL certificate and Load Balancer.

Step 2: Generate an SSL Certificate with AWS Certificate Manager (ACM)

In the AWS Management Console, go to the Certificate Manager service. ACM allows you to provision, manage, and deploy SSL/TLS certificates for use with AWS services and your internally connected resources.

Request a Certificate:

  • Click on “Request a certificate”.
  • Select “Request a public certificate” and click “Next”.
  • Enter your domain name and any subdomains you want to include.
  • Click “Next” and choose “DNS validation”.

By requesting a certificate through ACM, you’re ensuring that your site can establish secure connections via HTTPS. DNS validation is recommended for ease of use, especially when your domain is managed by Route 53.

Validate Your Domain:

  • ACM will provide CNAME records.
  • Add these records to your Route 53 hosted zone to validate your domain.
  • ACM will automatically validate the domain once the DNS changes propagate.
  • Once the validation is complete, the certificate status will change to “Issued”.

The validation process proves to ACM that you own the domain. By adding the CNAME records to Route 53, we’re verifying that we control the DNS settings for our domain.

Step 3: Set Up a Target Group

Now, we need to register our EC2 instance to a target group. A target group routes requests to one or more registered targets, such as EC2 instances, and performs health checks to ensure that the targets are healthy. By creating a target group, we define how traffic should be routed and which targets should receive it.

Create a New Target Group:

  • Click “Create target group”.
  • Choose “Instances” as the target type.
  • Enter a name for your target group.
  • Leave the protocol port as HTTP 80.
  • Select the appropriate VPC.
  • Configure the health check settings:
    • Protocol: HTTP
    • Path: / (or the appropriate path for your application health check)
  • Click “Next”.
  • Select the EC2 instance(s) running our website.
  • Click “Include as pending below” to add the instance(s) to the target group.

Step 4: Set Up an Application Load Balancer

In this section, we’ll configure an Application Load Balancer (ALB) to distribute traffic and manage SSL termination for our website hosted on an EC2 instance. An ALB will handle incoming requests, decrypt HTTPS traffic, and route it to our EC2 instances.

Navigate to EC2:

  • In the AWS Management Console, go to the EC2 service and select “Load Balancers” under the “Load Balancing” section.
  • A Load Balancer distributes incoming application or network traffic across multiple targets, such as EC2 instances.

Create a Load Balancer:

  • Click on “Create Load Balancer” and select “Application Load Balancer”.
  • Name the load balancer and select the scheme as “internet-facing”.
  • Select the appropriate VPC and 2 subnets.

An internet-facing load balancer routes client requests over the internet to our EC2 instances. Choosing the correct VPC and subnets ensures that our load balancer is accessible and properly distributes traffic.

Listeners and routing:

  • For HTTP listeners on port 80, select the target group we created.
  • Add an HTTPS listener on port 443, and select the target group we created.
  • Select “From ACM” for the certificate source.
  • Select the SSL certificate we created in ACM.

Listeners check for client connection requests using the protocol and port we configure. By adding an HTTPS listener, we’re ensuring that the traffic between the clients and the load balancer is encrypted.

Configure Security Groups:

  • Create or select a security group that allows traffic on ports 80 (HTTP) and 443 (HTTPS).

Security groups act as virtual firewalls for our EC2 instances. By allowing traffic on ports 80 (HTTP) and 443 (HTTPS), we’re ensuring that our instances can accept both secure and non-secure traffic.

Step 5: Redirect HTTP to HTTPS in the Load Balancer

To ensure that all traffic to our website is secure, it’s important to redirect any HTTP requests to HTTPS. This can be achieved by configuring listener rules on our Application Load Balancer.

Configure Listener Rules:

  • Choose your Application Load Balancer.
  • Go to the “Listeners” tab.
  • Click on the HTTP listener.
  • In the “Actions” column of the HTTP listener, click “View/edit rules”.
  • Click the “+” icon to add a new rule.

These settings ensure that any HTTP traffic is permanently redirected to HTTPS, enhancing the security of your site by ensuring that all traffic is encrypted.

A 301 (Permanent Redirect) status code indicates to browsers and search engines that the resource has moved permanently to the HTTPS version, helping improve SEO and ensuring users always access our site securely.
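
The rule's exact settings are not shown in the text above, so the following check is an added example (not part of the original post) that assumes a catch-all path pattern with an `HTTP_301` redirect to HTTPS. It audits rule data in the shape returned by `aws elbv2 describe-rules` for the HTTP listener and reports any rule that still serves plain HTTP; the ARN and sample rules are constructed.

```python
"""Audit an ALB HTTP listener's rules (shape of `aws elbv2 describe-rules`
output) to confirm every plain-HTTP request is 301-redirected to HTTPS."""

CATCH_ALL = {"*", "/*"}  # path patterns that match every request path

def is_https_301(action):
    """True if the action is a permanent redirect to HTTPS."""
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("StatusCode") == "HTTP_301")

def matches_everything(rule):
    """Default rule, or a lone path-pattern condition with a catch-all value."""
    if rule.get("IsDefault"):
        return True
    conds = rule.get("Conditions", [])
    if len(conds) != 1 or conds[0].get("Field") != "path-pattern":
        return False
    return any(v in CATCH_ALL for v in conds[0].get("Values", []))

def audit_http_rules(rules):
    """Return findings; an empty list means all HTTP requests are redirected."""
    def order(rule):  # lowest priority number is evaluated first, default last
        return float("inf") if rule.get("IsDefault") else int(rule["Priority"])

    findings = []
    for rule in sorted(rules, key=order):
        final = rule["Actions"][-1]  # routing action comes last in the list
        if not is_https_301(final):
            findings.append(
                f"rule {rule['Priority']}: {final.get('Type')} serves plain HTTP")
        if matches_everything(rule):
            return findings  # rules after a catch-all are never reached
    return findings

# Constructed sample data (placeholder ARN): state after Step 4 vs. Step 5.
FORWARD = {"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:EXAMPLE"}
REDIRECT = {"Type": "redirect", "RedirectConfig": {
    "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
DEFAULT_RULE = {"Priority": "default", "IsDefault": True,
                "Conditions": [], "Actions": [FORWARD]}
AFTER_STEP_4 = [DEFAULT_RULE]
AFTER_STEP_5 = [DEFAULT_RULE, {"Priority": "1", "IsDefault": False, "Actions": [REDIRECT],
                "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}]}]

if __name__ == "__main__":
    print("after step 4:", audit_http_rules(AFTER_STEP_4))
    print("after step 5:", audit_http_rules(AFTER_STEP_5))
```

A narrower forwarding rule placed ahead of the redirect (for example a single path) is reported too, since requests matching it never reach the redirect.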

Conclusion

Congratulations! We’ve successfully set up HTTPS for our EC2-hosted website using AWS Route 53, Certificate Manager, and an Application Load Balancer. Our website is now secure, and all HTTP traffic is redirected to HTTPS, ensuring a safe browsing experience for our visitors. This setup ensures that traffic between our visitors and the load balancer is encrypted, improving both security and performance.
