AWS S3 Static Website Hosting
Note: The bucket website endpoint is a regular HTTP endpoint, not HTTPS. To serve over HTTPS, put it behind a proxy (AWS CloudFront or a third party, e.g., Cloudflare).
Ref:
Setup
To enable AWS S3 static website hosting:
- In bucket settings, uncheck “Block all public access”.
- Enable “Static website hosting”:
  - Hosting type: “Host a static website”
  - Index document: “index.html”
  - Error document - optional (replaces the default error page): “error.html”
  - Redirection rules - optional (advanced): see docs.
- In bucket permissions, set the following bucket policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "{BUCKET_ARN}/*"
      }
    ]
  }
- When serving behind a third-party proxy, limit access to a set of IP addresses. For that, add the following Condition to the policy statement:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "{BUCKET_ARN}/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": [
              "1.2.3.4",
              "5.6.7.8"
            ]
          }
        }
      }
    ]
  }
Cloudflare Proxy IP Addresses
When serving behind a Cloudflare proxy, we can limit the aws:SourceIp list to the following ranges (last updated Sep 28, 2023):
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
Refs:
- https://www.cloudflare.com/ips/
- https://www.cloudflare.com/ips-v4 (text/plain)
- https://www.cloudflare.com/ips-v6 (text/plain)
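
Because the range list goes stale, the policy is better generated from the one-CIDR-per-line text than maintained by hand. The following is an added example, not part of the original page: the function names and the bucket ARN `arn:aws:s3:::example-bucket` are hypothetical, the sample ranges are a subset of the list above, and the local check covers only the IpAddress condition, not full IAM policy evaluation.

```python
import ipaddress
import json

# Constructed sample: a subset of the ranges listed on this page, in the
# one-CIDR-per-line text/plain format of the ips-v4 / ips-v6 lists.
SAMPLE_RANGES = """\
173.245.48.0/20
104.16.0.0/13

2606:4700::/32
"""


def parse_ranges(text):
    """Validate one-CIDR-per-line text and return normalized CIDR strings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # strict=True raises ValueError when host bits are set (e.g. 1.2.3.4/8)
    ranges = [str(ipaddress.ip_network(ln, strict=True)) for ln in lines]
    if not ranges:
        raise ValueError("refusing to build a policy from an empty range list")
    return ranges


def build_policy(bucket_arn, ranges):
    """Return the page's PublicReadGetObject policy restricted to `ranges`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"{bucket_arn}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ranges}},
        }],
    }


def source_ip_matches(policy, ip):
    """Local check of the IpAddress condition only (not a full IAM evaluation)."""
    addr = ipaddress.ip_address(ip)
    cidrs = policy["Statement"][0]["Condition"]["IpAddress"]["aws:SourceIp"]
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    policy = build_policy("arn:aws:s3:::example-bucket", parse_ranges(SAMPLE_RANGES))
    print(json.dumps(policy, indent=2))
```

Feed `parse_ranges` the combined contents of the ips-v4 and ips-v6 lists to regenerate the full policy, and use `source_ip_matches` to confirm that an address outside the proxy ranges is rejected before applying it.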