This page is synchronized from doc/Static-websites-on-AWS-S3.md. Last modified on 2025-12-09 00:30 CET by Trase Admin. Please view or edit the original file there; changes should be reflected here after a midnight build (CET time), or manually triggering it with a GitHub action (link).

Static websites on AWS S3

A number of our websites are deployed under the following architecture:

  1. An S3 bucket, configured with public access and a website endpoint, is used to store the static files.
  2. An AWS CloudFront distribution provides caching and HTTPS. AWS Certificate Manager provides the SSL certificate.

At the time of writing, this was the case for https://wtf.deforestationfree.com, https://what.deforestationfree.com, https://docs.deforestationfree.com, and https://data.deforestationfree.com. The advantage of this setup is that deployment is very simple: it's just a case of running aws s3 sync in a GitHub Action. Additionally, the cost is very low.

How to set up a new static website

If the S3 bucket doesn't yet exist, then create it:

  1. Create the new bucket:
  2. The name should be e.g. wtf.deforestationfree.com
  3. Objects are allowed to be public
  4. Set a bucket policy to make all objects public
  5. Allow static web hosting
  6. Test that it works by uploading an object and checking it is publicly accessible
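
A check for the "Set a bucket policy to make all objects public" step, as an added example that is not part of the original page: it audits a bucket policy so that the anonymous grant stays limited to s3:GetObject on the bucket's objects. The function names, the sample policies, and read-only as the expected scope are assumptions of this example.

```python
import json

def _as_list(value):
    # IAM policy fields may hold one string or a list of strings.
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" and {"AWS": "*"} both mean "anyone, including anonymous users".
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def audit_public_policy(policy_json, bucket):
    """Return findings; an empty list means anonymous users can read the
    bucket's objects and nothing else. Condition blocks are not evaluated."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    findings, public_read = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource on a public statement")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        findings += [f"{sid}: public principal is allowed {a}"
                     for a in actions if a.lower() != "s3:getobject"]
        findings += [f"{sid}: public statement covers {r}"
                     for r in resources if r != object_arn]
        if "s3:getobject" in [a.lower() for a in actions] and object_arn in resources:
            public_read = True
    if not public_read:
        findings.append(f"no explicit public s3:GetObject on {object_arn}")
    return findings

# Constructed sample policies for the example bucket name used on this page.
BUCKET = "wtf.deforestationfree.com"
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})
TOO_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicAll", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]})

if __name__ == "__main__":
    for name, doc in (("READ_ONLY", READ_ONLY), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_public_policy(doc, BUCKET) or "ok")
```

The live policy can be fetched with `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` and passed in as `policy_json`.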

If the SSL certificate doesn't yet exist, then request one:

  1. Go to Amazon ACM in us-east-1 https://us-east-1.console.aws.amazon.com/acm/home?region=us-east-1#/welcome.
  2. Click "Request" in the top right:
  3. Choose to request a public certificate.
  4. Domain name: e.g. wtf.deforestationfree.com.
  5. Note the CNAME name and value.
  6. You will now need to validate the certificate:
  7. Go to Cloudflare, our domain registrar.
  8. Navigate to edit DNS records.
  9. Add a CNAME record, using the CNAME name and value noted from ACM as the record's name and target respectively. Disable proxying.
  10. Go back to ACM, which will say "Pending validation". You will need to wait until it says "Issued".

If the AWS CloudFront distribution doesn't yet exist, then create one:

  1. Go to AWS CloudFront.
  2. Click "Create a distribution".
  3. Origin > Origin domain: choose the S3 bucket then click "Use the website endpoint", e.g. wtf.deforestationfree.com.s3-website-eu-west-1.amazonaws.com
  4. Web Application Firewall (WAF) > tick "Enable security protections"
  5. Settings > Custom SSL certificate: choose the certificate from earlier.
  6. Click "Create distribution".
  7. Under settings click "Edit" and add an alternate domain name, e.g. wtf.deforestationfree.com.
  8. Wait until "Last modified" is no longer "Deploying".
  9. Check it works:
    1. Copy the "distribution domain name", e.g. https://d1j0awnos53rom.cloudfront.net
    2. Paste this into your address bar and check it works

Finally, configure the domain to point to the CloudFront distribution:

  1. Go to our domain registrar and add a new CNAME record pointing to the CloudFront URL, e.g.:
    • name: wtf
    • target: d1j0awnos53rom.cloudfront.net
  2. Test the new URL, e.g. https://wtf.deforestationfree.com. You may need to wait a while for the DNS records to propagate.