HTTPS routing for EC2

0

Hi, I wanted to know whether I can access my application running in an EC2 instance (Ubuntu) via HTTPS instead of HTTP without having to provide any SSL/TLS or domain name additionally?

i.e., if AWS provides automatic HTTPS routing without the user having to provide or create any certificates.

I am asking this because I want to publish my app in AWS Marketplace using the AMI with CloudFormation template listing.

2 Answers
1

Straight out of the box on EC2 - the answer is no. With your EC2 instance you can open up ports for HTTPS traffic, but the crux here is that your EC2 instance will not present a certificate for use by the client. This is not something that can be a feature request, either. However, it is something that you can avail of through a managed service on AWS, such as Lightsail for the likes of a WordPress site, or Elastic Beanstalk with the use of a free publicly-issued certificate from AWS ACM.

As was mentioned by Brettski-AWS, you can go down the route of a self-signed certificate, but you will then need to ensure that every client connecting to your app trusts your certificate - which they won't by default because it is self-signed.

Your options for HTTPS with an EC2 instance are as follows:

  • Purchase/obtain a certificate from a CA (Certificate Authority) and install it onto your instance.
  • Put an ALB (Application Load Balancer) in front of your EC2 instance, and then put a certificate from AWS ACM on the HTTPS Listener.
  • Put a CloudFront distribution in front of your EC2 instance, and associate an AWS ACM certificate with it.
answered 6 months ago
0

You can ship your product with a self-signed certificate - this means that the HTTPS connections will work but the client browser will throw a warning to the user - a warning that in modern browsers is getting harder and harder to ignore and bypass.

Properly signed certificates require the requester to indicate that they own the host/domain name that the certificate is being generated for. Presumably in your case the customer who deploys your solution will have to create a DNS entry to point to the instance that has been deployed. If they can do that then they can generate a certificate because they "own" the DNS domain - they can make changes to it. And most certificate providers can use DNS to perform the verification of "ownership".

Unfortunately, AWS Certificate Manager can't be used in this case because it doesn't integrate directly with EC2-based solutions. If your solution used a load balancer during deployment then you could use ACM.

In any case - you need to provide a mechanism to your customers so that they can deploy a properly signed certificate within your solution.

EXPERT
answered 6 months ago
