TL;DR
Your application stores files in an S3 bucket. The problem is that the URL of a file stored in S3 is under the AWS domain name, s3.amazonaws.com. In this post, we explain how to set up a custom domain name for your S3 bucket.
Precondition
You have to own a domain, and it has to be parked at Cloudflare. My domain is testivator.com, parked at Cloudflare. Also, be sure to use all AWS services in the same Region.
S3 Bucket
First, you need an S3 bucket.
The first constraint: your bucket name must be your desired DNS name. Mine is documents.testivator.com.
Leave all other bucket options at their defaults. Under Permissions, edit the bucket policy (change documents.testivator.com to your custom S3 domain name):
{
    "Version": "2012-10-17",
    "Id": "Policy1548223592786",
    "Statement": [
        {
            "Sid": "Stmt1548223591553",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::documents.testivator.com/*"
        }
    ]
}
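The policy above grants s3:GetObject to an anonymous principal, which is what makes the objects readable without credentials once nothing else blocks it. As an added example (my code, not from this post), here is a small checker that parses such a policy and reports what an anonymous client is granted, whether the bucket in the Resource ARN matches the custom domain the bucket name must equal, and whether that name satisfies S3 bucket naming rules. The policy text is the post's policy with straight quotes; the function names are my own.

```python
import json
import re

# Constructed sample: the policy from this post, with straight quotes so json.loads accepts it.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Id": "Policy1548223592786",
  "Statement": [
    {
      "Sid": "Stmt1548223591553",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::documents.testivator.com/*"
    }
  ]
}"""

# Bucket naming rules: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit, no "..", and not shaped like an IPv4 address.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Actions that let an anonymous principal read object contents.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def is_valid_bucket_name(name):
    """Return True if `name` can be an S3 bucket name (and therefore a custom DNS name)."""
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name and not IPV4_RE.match(name)


def _as_list(value):
    """Policy fields such as Statement, Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for both spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _bucket_from_arn(arn):
    """arn:aws:s3:::bucket-name/key-pattern -> bucket-name, or None if not an S3 ARN."""
    prefix = "arn:aws:s3:::"
    return arn[len(prefix):].split("/", 1)[0] if arn.startswith(prefix) else None


def audit_bucket_policy(policy_text, custom_domain):
    """Parse a bucket policy and report what an anonymous client is granted on the
    bucket that is meant to be served as `custom_domain` (hypothetical helper name)."""
    policy = json.loads(policy_text)
    report = {"bucket": None, "public_read": False, "public_beyond_read": False, "findings": []}
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        for arn in _as_list(stmt.get("Resource", [])):
            bucket = _bucket_from_arn(arn)
            if bucket is None:
                report["findings"].append(f"{sid}: resource {arn!r} is not an S3 ARN")
                continue
            report["bucket"] = bucket
            if bucket != custom_domain:
                report["findings"].append(
                    f"{sid}: bucket {bucket!r} does not match custom domain {custom_domain!r}")
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue  # only anonymous Allow statements matter for exposure
        if "Condition" in stmt:
            report["findings"].append(f"{sid}: anonymous access is conditional; review its Condition block")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if READ_ACTIONS.intersection(actions):
            report["public_read"] = True
            report["findings"].append(
                f"{sid}: anyone can read every object matching the Resource, not only via CloudFront")
        extra = [a for a in actions if a != "s3:getobject"]
        if extra:
            report["public_beyond_read"] = True
            report["findings"].append(f"{sid}: anonymous principal is granted more than read: {extra}")
    if report["bucket"] and not is_valid_bucket_name(report["bucket"]):
        report["findings"].append(f"bucket name {report['bucket']!r} is not a valid S3 bucket name")
    return report


if __name__ == "__main__":
    print(json.dumps(audit_bucket_policy(SAMPLE_POLICY, "documents.testivator.com"), indent=2))
```

Run it against the post's policy and it reports public_read for the whole bucket; whether S3 actually honours such a statement also depends on the Block Public Access settings on the account and bucket, which is why the post's first direct request below still returns AccessDenied.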
Upload a file, and open its S3 URL:
https://s3.amazonaws.com/documents.testivator.com/testival_poster_print.png
and you will get the AWS S3 XML AccessDenied error:
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>7B7KPM74SG5X59MS</RequestId><HostId>kRNALNOLAyMBYV7PJqLq8kCGhTpdhuYXyjYJJriOIxaDtzm26Pi/ihCBhUkkE1NB4MHwsiKFtyw=</HostId></Error>
This is fine, because the bucket is not set to public access. Instead, we use a pre-signed URL. The following URL will expire on Apr 11. With this URL you will not get AccessDenied, but the image of the Testivator 2015 poster.
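To see what determines the "expires on Apr 11" lifetime, here is an added example (my code, not from this post) that parses the query string of a SigV4 presigned URL and reports who signed it, which host and key it covers, and when it stops working. The URL is a constructed sample in the shape S3 produces; the access key ID and the all-zero signature are placeholders, and `describe_presigned_url` is my own helper, not an AWS SDK function.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like an S3 SigV4 presigned URL. The access key ID and
# the all-zero signature are placeholders, not real credentials.
SAMPLE_PRESIGNED_URL = (
    "https://documents.testivator.com/testival_poster_print.png"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEYID%2F20190404%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20190404T120000Z"
    "&X-Amz-Expires=604800"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)

MAX_EXPIRES = 7 * 24 * 3600   # SigV4 presigned URLs cannot be valid for longer than 7 days
ISO = "%Y-%m-%dT%H:%M:%SZ"


def _parse_utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def describe_presigned_url(url, now_utc):
    """Report who signed the URL, what it covers and whether it is still usable at
    `now_utc` (an ISO 8601 UTC string). Hypothetical helper, not an AWS SDK API."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)   # also %-decodes, so the credential scope splits on "/"

    def field(name):
        values = query.get(name)
        if not values:
            raise ValueError(f"not a presigned URL: missing {name}")
        return values[0]

    if field("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    access_key_id, scope_date, region, service, terminator = field("X-Amz-Credential").split("/")
    signed_at = _parse_utc(field("X-Amz-Date"), "%Y%m%dT%H%M%SZ")
    if service != "s3" or terminator != "aws4_request" or scope_date != signed_at.strftime("%Y%m%d"):
        raise ValueError("credential scope does not match X-Amz-Date")
    lifetime = int(field("X-Amz-Expires"))
    if not 1 <= lifetime <= MAX_EXPIRES:
        raise ValueError(f"X-Amz-Expires={lifetime} is outside the 1..{MAX_EXPIRES} s range S3 accepts")
    expires_at = signed_at + timedelta(seconds=lifetime)
    now = _parse_utc(now_utc, ISO)
    return {
        "host": parts.hostname,
        "key": parts.path.lstrip("/"),
        "access_key_id": access_key_id,
        "region": region,
        "signed_headers": field("X-Amz-SignedHeaders").split(";"),
        "signed_at": signed_at.strftime(ISO),
        "expires_at": expires_at.strftime(ISO),
        "lifetime_days": lifetime / 86400,
        "expired": now >= expires_at,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(describe_presigned_url(SAMPLE_PRESIGNED_URL, "2019-04-05T00:00:00Z"), indent=2))
```

The query string is the whole credential: anyone holding the URL can fetch the object until expires_at, so keep lifetimes as short as the use case allows and treat a URL you post somewhere as a secret with a known expiry.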
Amazon Certificate Manager
We want our documents behind SSL: https://documents.testivator.com. If you use the Cloudflare SSL/TLS Flexible option, you are good to go. For the Full option, we need to issue a valid certificate. As S3 is an AWS service, we use Amazon Certificate Manager.
Provision Certificate => Request A Public Certificate
Set your domain name (mine is documents.testivator.com) and use the simpler DNS validation. If everything is set up correctly, the certificate should be validated within several minutes. Otherwise, you did not correctly set the CNAME record for certificate validation at your DNS provider (mine is Cloudflare).
CloudFront
To expose the S3 bucket to the internet, we first need to create a CloudFront distribution. The following parameters are important:
Origin Domain Name: select the S3 bucket that you are exposing.
Alternate Domain Names (CNAMEs): documents.testivator.com
Custom SSL Certificate: select the certificate from the previous step.
Leave everything else at default. Wait for the status to become Deployed (a couple of minutes at most).
Add CNAME For CloudFront Distribution in CloudFlare
Copy the CloudFront domain name of your distribution and create a CNAME record at your DNS provider:
documents.testivator.com => distribution domain name.
The proxy status must be Proxied.
That is it; now you can use a presigned URL with your custom domain.