Questions tagged with Website Provisioning

Greetings from Amazon Web Services. We're sorry. You've written to an address that cannot accept incoming e-mail. If you need to contact us, please visit http://www.aws.amazon.com/contact-us . Thank you for your business. Best regards, Amazon Web Services http://www.aws.amazon.com/ P.S. You received this message because Amazon.com received the following message: Date: Thu, 12 May 2022 12:57:23 +0900 From: ?? <yi@hwa-mok.co.kr> To: Amazon Web Services <no-reply-aws@amazon.com> Subject: I'd like to ask you to solve the homepage connection problem. Hello This is Youngin Co., Ltd., a Korean and South Korean company that we talked on the phone yesterday. I have an additional request. This is the question 1. The company's homepage is not connected. - Company Domain: hwa-mok.co.kr - Used IP: A@13.209.78.168 2. Has the IP used changed? - Please check the IP used. 3.Why can't I connect to the homepage? - Can you tell me how to connect? 4. Notes - Home page: https://www.hwa-mok.co.kr - Mail: yi@hwa-mok.co.kr - Phone: 00821067124317 - Country: Korea, South Korea I want to talk to the person in charge who can speak Korean on the phone. Please take prompt action. Thank you.

I'm hosting a static website via S3 buckets and CloudFront. I've set it up so that the data is stored in the www bucket and the other, non-www, bucket routes to it. Typing in the ULR with the www works perfectly. The issue I'm running into is that when I type in the URL without the www, it routes to another site with a different, but similar URL. It's been like this for about a week and nothing I do seems to change it. I've redone the hosting zones and checked multiple times and none of it seems to work. I've done something like this before with other sites I've set up so I know what I'm doing works. I'm last as to how to go about fixing this so any help would be very much appreciated.

ec2-54-87-201-155.compute-1.amazonaws.com 54.87.201.155 Instance is inside VPC with internet gateway attached and also route table has 0.0.0.0/0 destination My security groups are as follows ``` sgr-0f24aa20ece6c10df 80 TCP 0.0.0.0/0 launch-wizard-1 sgr-0b9cc7da941a4456d All All 0.0.0.0/32 launch-wizard-1 sgr-0815f5d840e9d3937 443 TCP 0.0.0.0/0 launch-wizard-1 sgr-019b0f12413825491 22 TCP xx.xx.xxx/32 launch-wizard-1 ``` I am able to connect ssh from my IP with Git bash on windows, I have installed apache there and I am able to curl localhost on the instance

I'd like to request to S3 as a cognito certification qualification. S3 is using sdk Cognito is using amplify. Use an angular typescript. I would like to replace the secret key with the cognito authentication information when creating S3. I want to access s3 with the user I received from Auth.signIn, but the credentials are missing. I need your help. ``` public signIn(user: IUser): Promise<any> { return Auth.signIn(user.email, user.password).then((user) => { AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', }); const userSession = Auth.userSession(user); const idToken = userSession['__zone_symbol__value']['idToken']['jwtToken']; AWS.config.region = 'ap-northeast-2'; AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', RoleArn: 'arn:aws:iam::111111111111:role/Cognito_role', Logins: { CognitoIdentityPool: 'ap-northeast-2:aaaaaaaa-bbbb-dddd-eeee-ffffffff', idToken: idToken, }, })); const s3 = new AWS.S3({ apiVersion: '2012-10-17', region: 'ap-northeast-2', params: { Bucket: 'Bucketname', }, }); s3.config.credentials.sessionToken = user.signInUserSession['accessToken']['jwtToken']; s3.listObjects(function (err, data) { if (err) { return alert( 'There was an error: ' + err.message ); } else { console.log('***********s3List***********', data); } }); } ``` bucket policy ``` { "Version": "2012-10-17", "Id": "Policy", "Statement": [ { "Sid": "AllowIPmix", "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::s3name/*", } ] } ``` cognito Role Policies - AmazonS3FullAccess ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*", ], "Resource": "*" } ] } ```

Going to the Sitemap link at the bottom of this website (https://repost.aws/sitemap), I see only a list of five topics. Will there be more information be added or is there an additional sitemap that can be used? As well, is there an API that can be used for this site?

What I want to do is from the domain name vapeprivate.com make vapeprivate.com/fr, vapeprivate.com/es, vapeprivate.com/it to create several versions of the website at the language level. Can you give me the example of how to do in my case concretely. Currently I have a bucket created in the name of vapeprivate.com connected to the domain name vapeprivate.com with route 53

Hello, I have a Lightsail distribution using a bucket as an origin for my Wordpress instance. I've set an A record for my apex domain (rionomada.com) pointing to my distribution. I also set a CNAME record for www.rionomada.com pointing to the default domain (xxxxxxxx.cloudfront.net). Nothing works. I have an SSL certificate for both domains (rionomada.com and www.rionomada.com) which appears valid and in use. The setup seems to be fine, but even if I go directly to the xxxxxxxxx.cloudfront.net domain, it won't resolve and I get the following error: <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>B0EYV5RM142PFS93</RequestId> <HostId>p9h5yZ05E1UqUWKppER2q2s1YuRaGvIIgl+jear2oB6oS8AGbTGbOFrYYVt0rjLqOg4Vd2LsFyw=</HostId> </Error> I haven't touched the wp-config.php file at all, but I did set the Let's Encrypt certificate to automatically turn HTTP requests to HTTPS. Has anyone had this issue as well? Any help you can provide will be greatly appreciated! Thanks, Luis

Hello, I wanted to ask you if it is possible to create an OpenLiteSpeed web server app using AWS Elastic Beanstalk. I'm planning on launching a WordPress site with it. I have just created one but it creates it with NGINX and gives me the option to change it to Apache. Do you have any docs on how to do it? If possible.

I have a public site hosted through S3. It is connected to an RDS/MySQL database via an API gateway and a Lambda function. This has worked very well for me so far. However, I am unable to select any DATETIME fields from the database. Every time I have a DATETIME field in the SELECT clause of a SQL statement, I receive an internal server error. This only occurs with DATETIME fields. This also only occurs in the SELECT clause. I have been able to use DATETIME fields in ORDER BY clauses with no issue. How can I get around this and retrieve these fields? I am also only concerned with the date part of these fields. If I can't get the entire field, is there any way I could extract just the date part?

I have react application which i integrated into amplify. The amplify created one amplifyapp domain, which is using the production configuration (some of the debug settings are not visible). How do we make the front end CI/CD pipeline for react application using amplify with dev (with dev settings), pre-prod and prod stages ?

I had created a Lightsail instance "instance1" followed by creating a static IP address and a distribution + SSL certificate for this distribution. Then I used a domain name to point to the CNAME entries provided by this SSL certificate. This worked great and I was able to access this instance via the custom domain name. I forgot the password of the app that was running on instance1, so I ended up deleting the instance and the distribution. I kept the static IP though. I created another Lightsail instance "instance2" and followed the process above. I am able to access the app of this instance via the given cloudfront address with HTTPS protocol. The problem I have is that whenever I try to enable the custom domain for this distribution I get the following error: "AttachCertificateToDistribution[us-east-1] Alternate Domain Names [x,y] have one or more parameter that is already associated with a different resource. InvalidInputException" so, I can access the instance with (for example) https://d827Of.cloudfront.net. When I try to access the https://customdomainname, it still points to the content from the previous instance1, which has since been deleted. So, what do I need to do to enable custom domain with this Lightsail distribution? Thank you, A Perplexed user

I have a website through S3 with a Cloudfront distribution in front of it. The title of the tab for the website homepage has the domain title, but the title of every page just says "Document." How can I change this so that each page of my website shows the domain title in the browser tab title?

We have setup a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx). ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server. The issue is that this URL is only opening when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports, and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other and using Nmap it displays all the open ports on the ADFS server. Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them. We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing? Both links below were used for setting up ADFS on AWS Managed AD https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/ https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/ Thank you.

Hello, I have a wordpress site and trying to use cloudfront in order to improve the website response time. I followed the steps in the article below: https://aws.amazon.com/blogs/startups/how-to-accelerate-your-wordpress-site-with-amazon-cloudfront/ I completed all the steps and modified C:\Windows\System32\drivers\etc\hosts on my computer so that the domain name of my site points to the ip address of my cloudfare distribution. (when I ping www.domain.com => I get the ip address of my distribution). When I put the domain name of my site on a browser, I get the response below: -------------- 403 ERROR The request could not be satisfied. Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. Generated by cloudfront (CloudFront) Request ID: SVH3QfYg-qs-TkAfBIrIkFH-Er0R-V1aJGjORaub7-ApZ5Vdte372w== -------------------------- What did I do wrong ??

Hi, All of a sudden our site wasn't saving images to the S3 bucket and also getting Access Denied from Cloudfront. We have a WordPress site and aren't using Plugins to save to our S3 bucket. Does Amazon change permissions over time? As its a very strange issue that images just stopped uploading..

I have enabled http2 on cloudfront and alb.Below is an access log from alb. https 2022-04-14T12:07:34.438950Z app/awseb-AWSEB-@#$$$$$$$/33c31cf831229bd5 70.132.30.168:19320 172.31.30.35:80 0.001 0.059 0.000 200 200 1091 15561 "GET https://mywebsite.co:443/ HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/awseb-AWSEB-CO4F476RJ4O0/e54f61d50c1c75c9 "Root=1-62580e86-1411f5a823d9bc5f7dc1df7e" "mywebsite.co" "session-reused" 0 2022-04-14T12:07:34.378000Z "forward" "-" "-" "172.31.65.35:80" "200" "-" "-" As you can see cloudfront is using https i.e http over tls instead of http2. What could be the issue ?

Are there any issues with chaining CloudFront distributions like this? Use case: An application that has 2 origins — an S3 bucket and an API. The API will be used by other projects so it has its own CloudFront and we want its cache to be available to those projects. Example: project1.example.com -> api.example.com project2.example.com -> api.example.com Thanks!

Hi, I have successfully deployed a react app on amplify. When I add a custom domain i get this error. Create domain association failed One or more domains requested are already associated with another Amplify app: bakeone.in, www.bakeone.in But i haven't used this domain on amplify. May be the previous domain owner have linked this to an amplify app. I request aws to unlink the domain because i am the domain owner and i want to link it to my app.

I want to add / change "Access-Control-Allow-Origin" and "Strict-Transport-Security" headers in my Appsync response. I found a method for sending the custom headers (https://aws.amazon.com/about-aws/whats-new/2022/02/aws-appsync-support-custom-response-headers/) in res.vtl file and I am able to set the "Strict-Transport-Security" header by using that method. But when I tried the same for "Access-Control-Allow-Origin", it is throwing the error "The header name Access-Control-Allow-Origin is restricted and cannot be included as a custom header." Any other way, we can modify this header value?

I am very confused about leveraging OAI for my static website. A little background. I have a website that I serve from an S3 bucket and use CloudFront to access it. This website bucket and its CloudFront counterpart are built using a CloudFormation template that I have used for years now (i.e., its a little dated). The template follows a traditional plan of configuring the website bucket, then then configure the CloudFront to point to it (using SSL/TLS, etc. for https). This all works fine. However, I have recently been looking at ways to enhance security, and came across OAI as a way to stop having to make the S3 bucket public. According to the AWS documentation entitled "[Restricting access to Amazon S3 content by using an origin access identity (OAI)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)", I should not use OAI for my static website in S3. But, according to "[Use an Amazon CloudFront distribution to serve a static website](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started-cloudfront-overview.html)", I should set it up. Am I missing something in translation? I would very much like to restrict access to my website served from S3 to my CloudFront distribution. Which is the proper way to do this?

My call recordings of amazon connect are being stored on S3 in .wav file, i am looking to get and play those recordings in a third party application. For this i am using `getObject API` & trying to get/download the .wav files by name but i am getting the **`Cannot Get Error`**. At the same time i do want to provide the path in key **`e.g. Connect/Lab/2022/04/08/abc.wav`**, is it possible? How to resolve it? here is my code: ``` require("dotenv").config(); const expres = require("express"); const app = expres(); app.listen(3001); const aws = require("aws-sdk"); aws.config.update({ secretAccessKey: process.env.ACCESS_SECRET, accessKeyId: process.env.ACCESS_KEY, region: process.env.REGION }) const BUCKET = process.env.BUCKET const Key = '/connect/oblab2/CallRecordings/2022/04/08/' const s3 = new aws.S3(secretAccessKey = process.env.ACCESS_SECRET, accessKeyId = process.env.ACCESS_KEY); app.get("/download/filename", async(req, res)=>{ const filename = req.params.filename let x = await s3.getObject({Bucket:BUCKET, Key:Key + filename}).promise(); res.send(x.Body); }) ```

We want to redirect our old domain (website.io) to our new domain (website.com) We use Route 53 for DNS management of website.io. After reading some forums, the recommended approach was setting up a static website redirect using S3, then serving up S3 with CloudFront to support https. Otherwise, S3 only redirects http requests over port 80. **SO, the configuration is now:** 1. Route 53: alias A name record pointing website.io a CloudFront formation 2. CloudFront: origin is pointing at an S3 bucket, and it is using a valid certificate with matching common names 3. S3: redirecting website.io to website.com The issue is CloudFront non-deterministically returns a 504 when some visitors view the original site (that should redirect). Visiting the S3 bucket directly is very snappy (new site loads in less than a second), so I find it hard to believe that the site is actually timing out when CloudFront is requesting data, but the nondeterministic nature makes that seem like the most logical reasoning. Has anyone seen this error happen before? Any suggestions on how to remediate the issue.

I have a domain registered through Route53, and I'm unable use the named address to reach my server. If I connect using the public numeric IP address of my instance, I get the Apache default page. If I connect using the domain name (or subdomain) I get "Can't connect to server". Here's what I have done: In Route53, my registered domain shows up under Registered Domains In Route53, when I click on Hosted Zones it shows two entries: mydomain.org ... HostedZone mydomain.org ... main site I don't recall having created the first one, so I'm not sure why I have two. They are different from each other in the following way: The HostedZone one contains an NS, SOA and two CNAME records. The mainsite entry contains an NS, SOA, and two A records, one for each subdomain and each pointing to the public IP numeric address of my instance. What am I doing wrong?

I currently have a website hosted on S3 with a working RDS database connection. I would like to run a dynamic web scraper from this site that activates based on user input. Ideally, the user will click a button which will activate a search for a specific product across a specified list of retail sites. This data will be displayed on the site and also saved to the database. It doesn't matter if the data goes directly to the site or to the database. I would like to use an existing web scraping tool such as Scrapy. What is the best way to handle this?

In Amplify console, I connected one branch that contained experiments on adding Next.js and it seems like the whole app switched to SSR mode. Even though all the branches now are SSG (using create-react-app), it's still fails "deploy" stage with following message: ``` 2022-03-28T10:29:07 [INFO]: Beginning deployment for application ..., branch:..., buildId ... 2022-03-28T10:29:08 [INFO]: Cannot find any generated SSR resources to deploy. If you intend for your app to be SSR, please check your app Service Role permissions. Otherwise, please check out our docs on how to setup your app to be detected as SSG (https://docs.aws.amazon.com/amplify/latest/userguide/server-side-rendering-amplify.html#deploy-nextjs-app) 2022-03-28T10:29:08 [ERROR]: {"code":"7","message":"No ssrResources.json file"} ``` And this happens while `package.json` contains following commands: ``` "scripts": { "start": "gatsby develop", "serve": "gatsby serve", "build": "gatsby build", } ``` And `amplify.yml` is this: ``` version: 0.2 frontend: phases: preBuild: commands: - yarn install build: commands: - yarn run build artifacts: baseDirectory: build files: - '**/*' customHeaders: - pattern: '/apple-app-site-association.js' headers: - key: 'Content-Type' value: 'application/json' - pattern: '/*.xml' headers: - key: 'Content-Type' value: 'application/xml' ``` What do I do?

I have a Bitnami WordPress 5.0.3-2 site running on AWS Lightsail / Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1096-aws x86_64). The WordPress dashboard is telling me I need to update the PHP version which is currently 7.2.13 to a minimum Ver. 7.4. I have tried following several step-by-step instructions that I found on the web but in each case, things failed at some point in the process. I'm a novice so I need fairly detailed instructions. Can somebody point me in the right direction? Thanks for your help!

We have a website deployed on the AWS instance and was working fine already. The website has faced attacked on 22-March and 23-March and went down due to some files and folders has been deleted by attack. We were not sure reason behind this. I would request to please let us know steps require from our end to prevent such incidents. We have already added security rules in .htaccess file. Website is built on PHP language.

I want to make a website on S3+CloudFront+Lambda, where Lambdas check whether a user bought a game in Steam. For that, I need him to authorize through Steam. Steam supports OAuth 2.0 protocol, but not OpenID Connect. Is it possible to make users authenticate using Steam before my Lambda returns some result?

The only way I can connect is when I have to start my Server folder from my local computer

I have a containerised web application that supports HTTP2. When I run it on my PC, I can clearly see HTTP2 traffic between my web browser and that container. However, when I deploy the same container to AWS App Runner, I can see that only HTTP 1.1 is used. Does App Runner support HTTP 2? If not, will it be supported and when?

Hi team, Is it possible to prevent users to hit directly my HTTP API GW if my HTTP GW doesn't support WAF AND my CF distribution doesn't have a custom origin (that can support WAF), my CF origin is an S3 bucket. so I don't have any way to prevent users hit directly HTTP API GW.

Hi team, I want to secure my Http API GW (not REST API GW) with WAF, as the HTTP API GW doesn't support the WAF I read this article to do the workaround : https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/ but in my case the origin of my distribution is an S3 bucket (static website hosting is not enabled) that host Angular APP : **users **=> **CloudFront **(with angular App in s3 bucket as Origin : this s3 bucket is not configured with static website hosting because content is served from CloudFront not directly from S3) => A**PI GW** = > **NLB **=> **fargate cluster** is there a way to use the method explained in the above article when my origin is an S3 bucket with no static web hosting enabled ? my objective is to protect my HTTP API GW with WAF, the solution on the article is perfect with custom header and secret manager but not applicable in my case because my DF distribution has S3 as origin.

Hi team, I using HTTP API Gateway (not REST API GateWay), is there a way to make the HTTP Api Gateway to use/support WAF ? Thank you.

I have a public domain in S3 connected to an RDS database via MySQL, a lambda function that runs scripts on the MySQL database, and an API gateway that sends queries to the lambda function. Whenever I try to make an API call from my site, I get the error below. Access to XMLHttpRequest at (lambda url) from origin (my site) has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. How can I get around this?

Hello All, I am building a new website from scratch. I want to comply with the latest CSP recommendations. Using Nginx on an EC2 instance that serves as my origin. I have configured Nginx to inject a nonce into me Headers and the various scripts and styles. I have moved al in-line stuff to style sheets and js files. I used this tutorial: --https://krvtz.net/posts/easy-nonce-based-content-security-policy-with-nginx.html All works great when I access the server directly via cdn.mywebsite.com. I also use the same subdomain, cdn.mywebsite.com as the source for my CloudFront Distribution. I then invalidate the whole, /*, distribution. When I access the site via mywebsite.com, which is set up via Rout 53 to fetch from CloudFront, everything breaks. I view the source code and see that the nonce has been rewritten to "" instead of the nice and secure string that I get when directly accessing via the origin. I can figure things out but am lost. Do I need a Lambada function or something else? Hugs and kisses for any help provided, JCU

I have set up an S3 bucket to serve a website via https using CloudFront. Within that bucket, I have a folder for each environment and a set of version folders within the production folder: ``` my-bucket |-dev |-prod |-v1.0 |-v1.0.1 ...etc. ``` My initial (development) attempt worked fine using https://dev.mydomain.org, but when I decided to change the alternate domain name in the CloudFront distribution to the production name (i.e. https://mydomain.org and https://www.mydomain.org) and updated the Origin path, it stopped working. I am using Route53 to manage DNS and I haven't deleted the hosted zone. As far as I can tell, all the name server entries match like they're supposed to (makes sense, given I haven't touched the zone). I HAVE removed and recreated AAAA alias records that point to my CloudFront distribution with the two alternate domain names. Several times. No dice. I have also removed the alternate domain names from the distribution and re-added them. (I re-created the Route53 AAAA records after changing the distribution.) I can dig my domain without error. The Route53 test also comes back fine (for what it's worth). However, if I try to ping or curl, I get 'unknown host' errors. Visiting https://mydomain.org in a browser similarly returns a DNS_PROBE_FINISHED_NXDOMAIN response. In case it's relevant, I have this function attached to my distribution to re-route https://www.mydomain.org requests to https://mydomain.org: ``` function handler(event) { var request = event.request; var headers = request.headers; var host = request.headers.host.value; if (host.startsWith('www')) { var response = { statusCode: 301, statusDescription: 'Moved Permanently', headers: { location: { value: 'https://' + host.replace('www.', ''), }, }, }; return response; } return request; } ``` However, unlinking the function doesn't resolve the issue. (I have tested the function in the AWS console and it seems fine.) CloudFront itself seems to be OK. If I hit the CloudFront domain (e.g. d3abcdefghi123.cloudfront.net), I can see the site in all its glory. I have created a TLS/SSL certificate through ACM that covers both the apex and wildcard. I don't think there's a problem there. Something just refuses to resolve my custom domain to the CloudFront distribution. I know DNS changes can be slow - maybe I'm just too impatient? I don't want to create a new CloudFront distribution if I can help it - surely it's possible to update the Origin path and alternate domains? Given the site works fine through the default CloudFront domain, I don't *think* I need to invalidate it either. I'm out of ideas at this point, so suggestions would be most welcome. Regards, Flic

If an origin is unavailable, CloudFront will serve the requested object from cache even if it is stale. I have observed that when the origin server is offline, the stale object is served very quickly and it's obvious that the origin isn't contacted during the viewer request. How does CloudFront know that the origin is unavailable? Is there a heuristic for this, ie. how many requests have to fail before the origin is marked unavailable? At what point will the origin be contacted again? Thank you!

When an origin is unavailable, CloudFront will serve the requested object from its cache even if it's stale. If the origin never comes back up, how long will CloudFront continue to serve the stale object? Thank you!

Hello, I need advice on setting up the infrasture for a SaaS system we are building. Our system is as follows; For one instance (on a high-level is this). * Website for users to login and view data that has records stored in a database + any files they upload (such as PDFs etc..). The website is based on PHP backend. * Then there is a MySQL databse to host the records. Then we'd be replicating this for any client who decides to buy our service (so a new instance under foo1.domain.com gets created). The setup is similar to what wordpress.com offers for the users. I'd like to utilize AWS services for it and what is the best place to get started? Any advice? I'd also like to have a way to keep track of the child instances (either in one EC2 instance) remotely to view their usage and disable any which haven't been used.

Hi there, I have a static website being hosted in an S3 bucket with Route 53 handling redirects to our short URL and everything is working well (I'm able to use relative paths in the HTML for pages, images, CSS etc.) except for with PDF files. For some reason, the PDF files can't be accessed using virtual hosting style links (such as http://www.townepoint.org.s3-website-us-west-2.amazonaws.com/images/newsign3.JPG) and only path style links (such as http://s3.us-west-2.amazonaws.com/www.townepoint.org/TPOA+Commons.pdf) work. This is breaking the ability to reference the files relatively like all of the other files on the site. Using the examples above, http://www.townepoint.org/TPOA+Commons.pdf is not a working URL when http://www.townepoint.org/images/newsign3.JPG does work.

Hi, I am trying to deploy an amplify app as per https://webapp.serverlessworkshops.io/staticwebhosting/deploy/ but the build is failing because of an existing bucket I am unable to see the bucket in S3. How can I delete the bucket? or how to resolve this issue? ``` 2022-02-25T03:31:32.457Z [INFO]: An error occurred when creating the CloudFormation stack 2022-02-25T03:31:32.459Z [WARNING]: ✖ Root stack creation failed 2022-02-25T03:31:32.464Z [INFO]: AlreadyExistsException: Stack [amplify-wildrydes-prod-32220] already exists at Request.extractError (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/query.js:50:29) at Request.callListeners (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20) at Request.emit (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12) at /root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:688:12) at Request.callListeners (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:116:18) at Request.emit (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10) at Request.emit (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:686:14) at Request.transition (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12) at /root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:688:12) at Request.callListeners (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:116:18) at callNextListener (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:96:12) at IncomingMessage.onEnd (/root/.nvm/versions/node/v14.18.1/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/event_listeners.js:335:13) at IncomingMessage.emit (events.js:412:35) at IncomingMessage.emit (domain.js:475:12) at endReadableNT (internal/streams/readable.js:1334:12) at processTicksAndRejections (internal/process/task_queues.js:82:21) { code: 'AlreadyExistsException', time: 2022-02-25T03:31:32.456Z, requestId: '92bb3d71-1610-43c4-a385-54cb25e459cd', statusCode: 400, retryable: false, retryDelay: 81.16703459454344 } 2022-02-25T03:31:32.487Z [ERROR]: !!! Build failed 2022-02-25T03:31:32.487Z [ERROR]: !!! Non-Zero Exit Code detected 2022-02-25T03:31:32.488Z [INFO]: # Starting environment caching... 2022-02-25T03:31:32.488Z [INFO]: # Environment caching completed Terminating logging... ``` Thank you

Hello, i have a problem with my magento instance in admin page. After i try connect to instance it looks fine. When i try to Configure HTTPS for my Magento website(also already have domain) it works but i open my magento website for admin, the page was changed and looks messy. I couldn't set any configuration when went to admin. I can't configure my products, sales, web and anything in the admin page. Somebody help me?Please. This is the screenshot how my [admin page ] (https://drive.google.com/file/d/14YJDwnN-6lUzkf0t1yW7GLgz0jUrq_E1/view?usp=sharing) looks like. Help me!

Need guidance regarding most common issues while migrating, and things to take care of

We have multiple Amplify applications running in multiple regions. Yesterday we tried to connect a new branch to an application in ca-central-1. We were sent to the "AWS Console Add Repository Branch" screen, like usual, but then redirected to GitHub where we were asked to install the aws-amplify application. On GitHub we were then asked to pick the specific repositories that AWS-Amplify could access. I had never seen this screen before and it is not the workflow shown in the Amplify documentation. I selected the repositories to which AWS-Amplify ALREADY has access. The workflow stopped at that point; it dit not ask me which branch to connect. I went back to AWS Amplify console and tried again. Same issue. I was not given a chance to choose a branch. I repeated this a few more times. Then I tried it in us-east-1. It worked as normal. Then I tried to create a new web application in ca-central-1. One of the first screens asks me to choose a repository. When I chose GitHub I was sent to GitHub, just like what had happened when I tried to connect a branch in ca-central-1 and the workflow stopped - I could not create the application. I tried to create a new web application using manual deploy. It worked. Now, when I try to connect a branch to the same application that I had problems with yesterday, it works. I found no questions about this when Googling nor any issues reported on the AWS status/health check pages. It started yesterday or on the weekend- we successfully attached new branches and deployed them for the same app/region on the weekend. I'm sorry that I don't have screen shots. This is my first re:Post question and I wanted to see how it works (i.e. are attachments even allowed) prior to gathering that information, and now, of course, things are working. Is anybody aware of any region specific hiccups with AWS-Amplify GitHub integration over the weekend.

At first, I built a wordpress site on EC2 and after few days , website always shows timed out message. And then I move to Lightsail and it still shows same wrong msg, even I reset website but still not working. But I can login ssh and sftp but SQL site can't connect. My domain name is using route53 and I set a aws alarm, here is alarm msg shows: Alarm Details: - Name: awsroute53-25103daa-41c8-4e4f-a07e-86f23770222f-Low-HealthCheckStatus - Description: - State Change: OK -> ALARM - Reason for State Change: Threshold Crossed: 1 datapoint [0.0 (10/02/22 07:27:00)] was less than the threshold (1.0). - Timestamp: Thursday 10 February, 2022 07:28:37 UTC - AWS Account: xxxxxxxx0044 - Alarm Arn: arn:aws:cloudwatch:us-east-1:401785220044:alarm:example-com-awsroute53-25103daa-41c8-4e4f-a07e-86f23770222f-Low-HealthCheckStatus How should I test connecting problem? Or where can find the solution?

Hello I have configured my CloudFront to use a custom response header CORS policy: Cross-origin resource sharing (CORS)Info Access-Control-Allow-Credentials true Access-Control-Allow-Headers content-type Access-Control-Allow-Methods GET OPTIONS Access-Control-Allow-Origin https://www.xxx.com Access-Control-Expose-Headers - Access-Control-Max-Age (seconds) 600 Origin override request header: GET /index.m3u8 HTTP/2 Host: cdn.xxx.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: */* Accept-Language: zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Origin: https://www.xxx.com Connection: keep-alive Cookie: CloudFront-Policy=xxx; CloudFront-Signature=xxx; CloudFront-Key-Pair-Id=xxx; Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site TE: trailers response header: HTTP/2 200 OK content-type: application/x-mpegURL date: Mon, 07 Feb 2022 17:24:34 GMT last-modified: etag: server: AmazonS3 content-encoding: gzip vary: Accept-Encoding x-xss-protection: 1 x-frame-options: SAMEORIGIN referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff strict-transport-security: max-age=31536000 access-control-allow-origin: https://www.xxx.com vary: Origin x-cache: Hit from cloudfront via: cloudfront.net (CloudFront) x-amz-cf-pop: HKG62-C2 x-amz-cf-id: 6K23FSOHSfGJli3mnSFRfs4nvYXgKw68Ul_s8b5PUsKLg1HrzLqL8w== age: 3929 X-Firefox-Spdy: h2 I try to use HLS request. The response include access-control-allow-origin:https://www.xxx.com. But not include Access-Control-Allow-Credentials.

Hi, As a quick background: Last year we bought a domain from GoDaddy later transffered it to AWS to be our registrar. We had the NS records for AWS and it was fine. We are also connected to Office365, which required us to update the NS records to microsoft ones and modify TXT and MX records. The issue is that there are some moments, where for a few people in specific domains, they cannot access the domain/website. The domain name cant be resolved at all and it causes multiple issues. It occurs every once in a while and consistently on some networks. When we run the dig command with the GTLD, we get (not disclosing domain due to privacy issues): ``` <DOMAIN>. 172800 IN NS ns-641.awsdns-16.net. <DOMAIN>. 172800 IN NS ns-411.awsdns-51.com. <DOMAIN>. 172800 IN NS ns-1689.awsdns-19.co.uk. <DOMAIN>. 172800 IN NS ns-1192.awsdns-21.org. ``` and they are still pointing to the old records, whereas other major public DNS services already have the correct updated information: ``` ~$ dig <domain> @1.1.1.1 NS +short ns4.bdm.microsoftonline.com. ns1.bdm.microsoftonline.com. ns2.bdm.microsoftonline.com. ns3.bdm.microsoftonline.com. ~$ dig <domain> @8.8.8.8 NS +short ns1.bdm.microsoftonline.com. ns2.bdm.microsoftonline.com. ns3.bdm.microsoftonline.com. ns4.bdm.microsoftonline.com. ~$ dig <domain> @9.9.9.9 NS +short ns1.bdm.microsoftonline.com. ns2.bdm.microsoftonline.com. ns3.bdm.microsoftonline.com. ns4.bdm.microsoftonline.com. ``` Why has this change not propagated and how can we get around to fixing this? Cheers

I did the aforementioned steps in my title. But when I type in the URL, it takes me to the wrong website. My website that I want is xxxxmusic.com (x’s representing website name). When I type that in, it takes me to xxxx.com (same base word as my music company). How can I fix that?

Hello everyone, I am a junior front end developer and I am trying to solve the redirect from HTTP to HTTPS on Classic Load Balancer of my angular universal app. Unfortunately my level of knowledge does not allow me to use nginx ( https://aws.amazon.com/it/premiumsupport/knowledge-center/redirect-http-https-elb/ ) , and about node.js (https://gist.github.com/hareeqi/dcc0d409db57668294a7f0d8970aa1e4) I am at the beginning of the study and my knowledge is insufficient to solve the problem. Is there anyone who had the same problem and solved it by following other paths? Does anyone know specific tutorials or can help me by sharing some knowledge? Thanks

I have a website served by cloudfront at https://mysite.com using S3 origin. I have a webflow blog project using a custom domain pointing to http://blog.mysite.com via CNAME in route53. How can I serve the webflow blog project directly under https://mysite.com/blog ? Using the subdomain https://blog.mysite.com is not preferable for SEO reasons (but the subdomain is live and operational pointing to the webflow project) Can I achieve this using lambda@edge?

Hi, I have an existing (and old) site, avidcruiser.com. I am looking for someone to help me migrate from either Codeguard or where the site is currently hosted, Littlebizzy.com. The database is large - 20.4 gb - and files are 10 gb. The site gets about 11,000 page views a month. It could increase if cruise ships return to service and our site gets busy again. I have set up a LIghtsail instance with Wordpress and am trying to figure out what I need. Could anyone recommend what I need? I believe it’s a container and database. I would also need backups. Thank you.

I keep getting `'Access-Control-Allow-Origin' header contains multiple values '*, *'` when using `fetch` API to get images from my cloudfront cdn. A sample URL that demonstrates this problem is `https://cdn.dev.textras.com/images/6158ac8f8074530013f8dcde/77b4b530-738c-11ec-ae4a-1d90956db63a.jpeg?w=320&q=100&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjYxNTFiZTZkMDJkYmM3MDAxNDIzMDhhZiIsImNvdW50cnlDb2RlIjoiTkdBIiwiaWF0IjoxNjQzMjE4ODE2LCJleHAiOjE2NDM0NzgwMTZ9.m2zcZJ0pv-Sj1q7Mz8w9GNoxzLiHBSCf3Yd8qu-YE4s`. If you use that url as the `src` for an `<img>` tag, the image loads. If you visit the URL in a browser tab, the image loads. If you open dev tools within that same tab and then do a `fetch` request to get the image (i.e. same origin), the `fetch` request succeeds. If you request the image using postman or `curl` from the terminal, the request succeeds. However if you're in a browser tab with a domain different from my cdn (i.e. cross origin), it doesn't load. There are lots of questions about this on the internet and the root cause is always that the server is setting the header multiple times in different places. However, I'm unable to identify where this is happening in my case. This is a snippet from the template that defines the behavior of the cloudfront distribution. I'm only including the part that defines the behavior that affects this particular image: ``` ... CloudFrontDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Aliases: !Ref AliasesParam Comment: !Ref Comment CacheBehaviors: - AllowedMethods: "DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT" CachedMethods: "GET,HEAD,OPTIONS" Compress: false PathPattern: 'videos/thumbnails/*' DefaultTTL: "1814400" ForwardedValues: QueryString: true QueryStringCacheKeys: - w - h - t - q - v LambdaFunctionAssociations: - EventType: 'viewer-request' LambdaFunctionARN: !Ref ViewerRequestFunctionVersionArn - EventType: 'origin-request' LambdaFunctionARN: !Ref LambdaVideoPathEdgeVersionArn - EventType: 'origin-response' LambdaFunctionARN: !Ref OringResponseFunctionVersionArn MaxTTL: 31536000 MinTTL: 0 SmoothStreaming: false TargetOriginId: !Ref IdParam ViewerProtocolPolicy : "redirect-to-https" # TrustedSigners: # - String ``` You can see that the template doesn't specify a response header policy, so I'm sure the duplication is not happening from here. I've checked the CORS config on the s3 bucket and it's this: ``` [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "POST", "GET", "PUT", "DELETE", "HEAD" ], "AllowedOrigins": [ "*" ], "ExposeHeaders": [ "String" ], "MaxAgeSeconds": 3000 } ] ``` So the s3 bucket sets the header. The associated `origin-response` lambda was setting this header too, like this: ```js response.headers['Access-Control-Allow-Origin'] = [ { key: 'Access-Control-Allow-Origin', value: '*' }, ]; ``` I thought this may be the source of the duplication so I commented it out, but the error remained. So the way I'm looking at this is: out of the 3 places that could be setting the header's value (cloudfront distribution, origin s3 bucket, and the lambda for processing image) there's only one place still setting this CORS header, and it's the s3 bucket. Yet the problem is still happening. What other place can/should I look at? Thanks!

We need to stand up a new server in Central or South America to support our application in Guatemala. What is the best region or edge server to give our application as little latency as possible? For possible server locations, we are looking at: * Querétaro, Mexico city which Maps shows as about 1,040 miles from Guatemala * Bogota, Columbia which Maps shows as about 1330 miles from Guatemala

I manage data on the customer's site with an on-premise system(running with Debian or Fedora). To access the data remotely, I have to log into a different server with a different credential to access the on-premise system. My question is that is it possible to implement SSO with the on-premise system that is running standalone?(Sorry if this is confusing, can provide clarifications)

I get my original domain, and using S3 via CloudFront. I want to know how to setup using my domain via CloudFront. I already upload my contents to S3 and not public bucket, and setup CloudFront. I can access via CloudFront to S3 bucket, but currently using auto generate url from CloudFront. So I want to know how to setup my original domain using CloudFront. Thanks

Hello,my name is Justin and I own a smaller company in Virginia, and thank you in advance for your help and guidance. I started working on a new domain/website several weeks back after getting the technical end set up first and surprisingly I've had no issues until now. My set up is Google domain to AWS (basic plan/$3.99/month), using Lightsail and WordPress. I followed the set up for my instance from an AWS certified specialist on YouTube. That said, I have not set up anything for storage/containers/etc tho I do have my static page set up for my landing page. So, Sunday night I finished working on the site on wordpress with no issues outside of a jetpack warning that had been up for 2 days. It stated that my domain name and IP address were both fighting for the same spot and I needed to select one or it would go into safe mode. Outside of this, my primary updates outside of verbage was in installed a few plug ins. The last one was PayPal which was around $60 for the year. I went thru the process of setting all the pages up and everything worked great. The following morning I had planned on fixing the jetpack issue but once I logged on, or attempted to, I realized that the website was down. All pages refused to load and a few times I got a 504 gateway timeout error message. I attempted to log in thru WordPress but I had the same issue, no loading. I then attempted to relaunch the instance via AWS; however, the instance wouldnt connect correctly to Bitnami. Basically, the black terminal screen comes up but is empty. I then created a second instance (can only have 2 max) and attempted to connect to Bitnami again. This time, it was a success. Circle back to verify and my instance 1 still has the same results of not completely connecting to Bitnami. I'm new, and have a basic account,meaning no technical support. Any help would be GREATLY appreciated!! Sincerely, Justin

Hello, I'm having some issues with a test, I have a angular application running on cloudfront / S3, but I have a scenario where I need to redirect a specific link to another domain / server, for that I configured a *cloudfront function* to do the *redirect* when I get a request like **www.mysite.com/env/test/hello** to **www.devsite.com/env/test/hello** and the redirect is working, but I actually need to do a POST request (because it is a REST API function), when I do a POST (using Talend API Tester) it does return the redirect link (using the location field), but gets me the error associated with the GET function not supported on my API (as expected if I try GET against it). When looking for my logs on the webserver with the API I saw that cloudfront is hitting it with a HTTP GET request, but why if I did a POST against cloudfront? I even tried setting the StatusCode on the response of my cloufront function to 307 and 308 but still have the same behavior, it isn't supposed to use the same request method as it received? Can I force cloudfront to use POST in these case? My function is associated with the "Viewer Request". Thanks

Hi, We have a multiplatform app consisting in an Android app and a website that share a User Pool for the login procedure. In the browser, for the login, we use without any problem the flow described in case 4 @ https://www.npmjs.com/package/amazon-cognito-identity-js : ``` var authenticationData = { Username: 'username', Password: 'password', }; var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails( authenticationData ); var poolData = { UserPoolId: '...', // Your user pool id here ClientId: '...', // Your client id here }; var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData); var userData = { Username: 'username', Pool: userPool, }; var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData); cognitoUser.authenticateUser(authenticationDetails, { onSuccess: function(result) { (...) ``` We also have an android application where users can also login using the Amplify framework, the login works as described in https://docs.amplify.aws/lib/auth/signin/q/platform/android/#sign-in-a-user ``` Amplify.Auth.signIn("username", "password", { result -> if (result.isSignInComplete) { Log.i("AuthQuickstart", "Sign in succeeded") } else { Log.i("AuthQuickstart", "Sign in not complete") } }, { Log.e("AuthQuickstart", "Failed to sign in", it) } ) ``` But, now, we need to authenthicate the users in another browser scenario (a webview inside the android Application) without asking for a password or username (as they are using the app, they already logged), I guess using the tokens generated in the Android login. I don't see any way to do such an authenthication using methods described in: https://www.npmjs.com/package/amazon-cognito-identity-js I'm tempted to use in the browser webView, as described in https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-cognito.html, ``` AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: '<the pool that is shared by android and browser app>', Logins: { 'cognito-idp.<region>.amazonaws.com/<the_POOL_ID>': <the_jwt_token_derived_from_the_android_login?>, } }); ``` But this is not working at all. The AWS.config.Credentials show an expired token and no login has been made, I cannot retrieve a Cognito Session. Does anyone know how to handle this situation? Thanks in advance for you time

Are there any plans to support the `stale-while-revalidate` cache in CloudFront or are there any alternatives to mimic this behavior? RFC: https://datatracker.ietf.org/doc/html/rfc5861#section-3 > There is also a very old post on AWS Forums from 2014, where this question was asked the first time https://forums.aws.amazon.com/thread.jspa?threadID=161496

We are tying to point an A Record and a CNAME record to WIX for a www.example.com website. WIX requires this for verification of the domain. In this example, lets say the A record would be @.example.com and the IP would be 1.1.1.1 and the CNAME record would be www.example.com which points to www2@wix.net. A NS lookup for this example would also show that ww2.wix.net is 2.2.2.2 (for reference). I have these entries in route 53 under the example.com as requested. The WIX verifications are failing which at first I believed to be an issue on their end. Upon further investigation, the A record is not populating out correctly to the rest of the world. In fact, what's happening is that it is populating as the CNAME records IP of 2.2.2.2 and not the A record that exists stating it is 1.1.1.1 Does anyone have any ideas on why it is behaving in this manner?

Hello, I have a question, I have 2 cloudfront distributions with 2 different certificates / domains that point to the same S3 Bucket # main distribution is 123456789.cloudfront.net, with alternate domain + certificate: main.mydomain.com # second distribution is 987654321.cloudfront.net, with alternate domain + certificate: sub1.otherdomain.com On DNS (I use cloudflare) I have a CNAME for the main distribution domain: # main.mydomain.com cname to 123456789.cloudfront.net and I add other subdomains pointing to this other CNAME (for better management as I have many subdomains): # sub1.mydomain.com cname to main.mydomain.com but I also do point subdomain from the other domain to this (again because of management and some hardcoded links, **so I can't point it to it's own distribution**): # sub1.otherdomain.com cname to main.mydomain.com On theory I would need to use **cloudfront function to redirect the sub1.otherdomain.com to it's distribution (987654321.cloudfront.net)**, but it works without it and I don't know why (it shouldn't or there is some universal property of cloudfront I'm not aware about), because **there is no pointing / redirect from first distribution to the second one** configured, the **only DNS pointing to cloudfront is from main.mydomain.com** (cname to 123456789.cloudfront.net), and the **certificates are different**. Is it expected? Need to be sure for not having headaches on the future with production stuff.

Hi all, I´m new to Amplify (even to AWS) and I feel life is easier for non coders with some integrated services as Amplify->GraphQL->Lambda Functions->DynamoDB. I´m making some tries with these services working together and my question is: In all examples found, I can create a simple website but frontend code is always given in the tutorials or videos, and they don´t go deeper on how that code was created. Maybe javascript frameworks or others. As I want to create business logic on server side (GraphQL, Lambda, DynamoDB), I only need to make a simple visual frontend for using components (maybe created with Figma) and no need to code more than minimum. Is there a service (inside or outside AWS) to visually create a frontend interface without coding as building blocks to be integrated with Amplify? I thought Amplify Studio could be my tool but I couldn´t find how. Thanks in advance,

Hi there, Is there any services or Web application firewall that can improve the security of the application without touch the web app itself. So far I only know Cloudfront is able to generate a custom error response. 1) I want to hide the following type of error message: 500 – Internal Server Error HTTP 403.14 - Forbidden HTTP 403.14 - Forbidden 2) I want to change the cookie setting of the application: requireSSL="true" sameSite="Lax" -> Not Set in ASPSessionID 3) Misconfigured security headers: Cache-control: no-cache, no-store, must-revalidate. X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload 4) Usage of Weak Cipher Suites: For example, any Cipher suites, we would like to upgrade all cipher suites are modern compatibility on the application: https://wiki.mozilla.org/Security/Server_Side_TLS 5) Hiding of Server banner: Server: Microsoft-IIS/8.0 X-Powered-By: ASP-NET

We are trying to integrate AWS ALB with Cognito user pool. We have setup rules in ALB to authenticate user with Cognito client. After webapp authentication, a session cookie is set. This is all good. Now, we have a desktop application which does internally connect with Cognito, get access token JWT and manage it (refresh etc.). Now, we are trying to fire http requests to ALB with this access token as Authorization header. ALB redirect these requests to Cognito login page again, instead of validating (and allowing) the JWT present in Auth header. What we expect is if request contains valid Auth header (JWT), ALB should validate it and allow it. It seems ALB does not check Auth header. How can we achieve this with ALB? Additionally, is it possible for desktop app to work directly with ALB (instead of Cognito) and use Session ID instead of JWT/Access Token?

Hello, I was following this guide for installing SSL certificate https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress Everything seemed to be going well until step 7, I tried to restart the bitnami services using the command instructed and I got the following message "Job for bitnami.service failed because the control process exited with error code. See "systemctl status bitnami.service" and "journalctl -xe" for details." I'm not technical and I have no idea what this means. My site cannot be reached now, I tried to reboot my lightsail instance but that didn't do anything. At this point, I just want my site back and I'll just pay for a plugin that does the install for me! Any help in getting my site back would be much appreacated.

We're using the Cognito Authorisation Server alongside a custom frontend UI to authenticate users into our web apps. Our web apps have an SPA architecture so we're using Authorisation Code with PKCE as our OAuth flow. Our login page uses the Amplify-JS Auth module to handle the process: 1. Amplify redirects the user to the AUTHORISATION endpoint (which includes the PKCE parameters `code_challenge_method` and `code_challenge`) 2. User logs in via SAML 3. User is redirected back to our app and Amplify submits the code (along with PKCE parameter `code_verifier`) to the TOKEN endpoint in order to get the JWTs In order for this to work it's necessary to create a Cognito app client without a secret. It's my understanding that PKCE is a protocol designed to work in this very case - where the authorisation server is being accessed from an insecure channel (ie browser or app) such that a client secret couldn't be trusted. It was my assumption that in this case, it shouldn't be possible to exchange the code for a token without the PKCE parameters. However I'm finding it is possible: 1. Construct URL from #1 above without the PKCE parameters (this is fairly straight forward since the rest of the values are hardcoded) 2. Follow link and intercept `code` parameter on redirect URL 3. Send the following to TOKEN endpoint without an Authorization header ``` POST /oauth2/token grant_type: authorization_code code: {INTERCEPTED_CODE} client_id redirect_uri ``` A 200 Response is received along with the JWTs. Reading around it seems that an approach is to force public clients to use PKCE: https://www.oauth.com/oauth2-servers/pkce/authorization-request/ >Since the authorization server should know that a specific client ID corresponds to a public client, it can deny authorization requests for public clients that do not contain a code challenge. Seems like this would be useful in this case, but I might be missing something. Is anyone able to advise? Thanks

We're using the Cognito Authentication server to log in users via SAML and OIDC from a custom frontend UI. The AUTHORIZATION endpoint URL (ie. https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?) is being constructed in a client-side JS app and the user is being redirected using JS (ie. window.location) Note: We're using the Amplify-JS Auth module to do this. I'm struggling with error handling... The documentation outlines error responses here https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html One error case from Docs: ----- If client_id and redirect_uri are valid, but the request parameters have other problems (for example, if response_type is not included; if code_challenge is supplied but code_challenge_method is not supplied; or if code_challenge_method is not 'S256'), the authentication server redirects the error to client's redirect_uri. HTTP 1.1 302 Found Location: https://client_redirect_uri?error=invalid_request ---- In this case, we removed the `response_type` parameter, but the user was redirected to the hosted UI: HTTP 1.1 302 Found Location: https://mydomain.auth.us-east-1.amazoncognito.com/error?error=Required+parameters+missing We've tried a few other error cases, ie providing an unknown `identity_provider` and the same happens...the user is redirected to the hosted UI. Is this a known issue? Should the AUTHORIZATION endpoint be working as the docs describe?

Hello all, Recently (November 2nd 2021) AWS Cloudfront started supporting CORS Headers directly, without use of a lambda (https://forums.aws.amazon.com/ann.jspa?annID=8973). Unfortunately, that does not seem to support more than 1784 characters for the CSP (Content Security Policy) header. The error (from the API using Terraform) if I'm trying to set a bigger than 1784 CSP Header is: ``` Error: error creating CloudFront Response Headers Policy (anthony-test-web-response-headers-policy): InvalidArgument: The parameter Content-Security-Policy contains header value that is too big. status code: 400, request id: xxx-xxxx-xxxxxx ``` In the website I wish to deploy using CloudFront, I rather need 3x times that limit - Nginx running on EC2 is actually totally OK with such a big CSP header. Currently I'm thinking on how I can reduce my existing CSP header; but I really wish AWS Cloud Front had a bigger limit. Any explanation why? Is it a bug I should report to AWS team? Thanks

For some reason, one site did not respond to http requests from my EC2 instance (location - USA), although the site responds to requests from the same country from another IP. I decided to make a test http request to another site and got this (screenshots). What could this be related to and how to fix it? screenshots: https://prnt.sc/22roe6w | https://prnt.sc/22roere

My PHP -- specifically an elseif statement -- does not behave the same way on AL2 as it does on my CentOS 7 dev server. Both systems are supposed to be running PHP v7.3. I will note the AL2 system does not have the php-tidy module installed, and I am having GREAT difficulty adding it; but, I do not know if that has anything to do with the problem. What would cause an if->elseif->else statement to perform one way on CentOS 7 and differently on AL2? BTW, it would appear that PHP on the AL2 system is dropping the last '->else' part. Also if I code the elseif part to be precisely $var === 1, it drops the 'elseif' part of the statement and does the else statement. ``` if($var > 1) { // echo HTML form stuff }elseif($var == 1) { // echo HTML table header <th> code only (no form elements) // There is an '&' in the text to be echoed }else{ // echo different HTML table header code, again no form elements // There is a '/' in this text to be echoed } ``` I'm not the best coder, but this code works PERFECTLY on CentOS 7, running PHP v7.3.33 (with the php-tidy module enabled.) Any guidance you all could provide would be greatly appreciated.

Hi all, I just deployed a CloudFormation solutions from the AWS Solutions. The solutions included a new CloudFront distribution. My challenge is that I want to add a custom domain `mysite.example.com` to the `dxxxxxx.cloudfront.net` distribution. I already created an alias and certificate using Certificate Manager. My question is how do I add a new domain to the existing CloudFront. I understand that we can import an existing distribution using [Distribution.fromDistributionAttributes](https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Distribution.html#static-fromwbrdistributionwbrattributesscope-id-attrs). for example ``` const distribution = cloudfront.Distribution.fromDistributionAttributes(this, 'ImportedDist', { domainName: 'd111111abcdef8.cloudfront.net', distributionId: '012345ABCDEF', }); ``` Let's say I have the alias domain name and certificate ARN ready to use. ``` const domainName = 'mysite.example.com'; const certificateArn = 'arn:aws:acm:us-east-1: 123456789012:certificate/abcdefgh-1234-5678-9012-abcdefghujkl'; ``` Where do I go from here? Regards,

A customer is currently hosting a static website on S3 and want to enable HTTPS/TLS connections. Currently the domain resides outside AWS and the customer has created a certificate that they want to use. I was reading through documentation and it says the only way to achieve this is by redirecting to Cloudfront. Any thoughts on this? What is the simplest way to achieve this ? Can this be achieved without using Cloudfront? Will the customer need to import their certificate to ACM? Thanks

My customer hosts a static website on S3, fronted by CloudFront. They rolled out a version that leads to an invalid URL: www.example.com/test1/# They would like to *redirect* all test1/# requests to test1/index.html I thought of two options that failed: A. Lambda@Edge redirect: Failed, because the parameter "#" is invalid when defining a behavior: com.amazonaws.services.cloudfront.model.InvalidArgumentException: The parameter globPattern can only contain these characters: [a-zA-Z0-9_-.*$/~"'&@:?+\]. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidArgument; Request ID: d0; Proxy: null) B. Uploading a file called "#" and edit its metadata to redirect but it doesn't work. CloudFront allows me to download the file.

My customer is looking to migrate their current site to wordpress so that it can be updated by non-engineers for example to add new customer testimonials, upload pictures etc. The wrinkle is that their public website also handles shortcuts to their customer systems and also hosts an alternate way for their customers to log in to their system, so it handles a fair amount of traffic by their standards - roughly 500K-1M pages per month Does AWS offer a fully managed WordPress solution? There are AMIs in the Marketplace but customer is looking for a hands-off system, where their interaction with WP is via its console.

My custmer uses Cloudfront to run shops for customers under their own subdomain but also under the mobile subdomain of the customer, which they don't manage themselves. Before this [CloudFront security change][1] they were able to add the alternate domain using only their certificate and then use it to validate and get a Let's Encrypt certificate for the customer subdomain. Is this still possible through some other means? [1]: https://aws.amazon.com/about-aws/whats-new/2019/04/amazon-cloudfront-enhances-the-security-for-adding-alternate-domain-names-to-a-distribution/