The steps for setting up this secure website on AWS content delivery network (CloudFront) are as follows:
Create some website content (e.g., the website pages you are browsing).
Register a domain name in Amazon Route 53: waltdoescloud.com.
Create two S3 buckets for this one website: (a) bucket1, named for the website without the www. prefix; (b) bucket2, named for the website with the www. prefix. The bucket names must match the hostnames exactly, because Route 53 can only alias a record to an S3 website endpoint whose bucket name equals the record name.
Explanation: bucket2 will contain the actual content and bucket1 will be set up to redirect to bucket2 when clients use the simpler, non-www name.
Note: you can do it in reverse - set bucket2 up to redirect to bucket1 (with the website content put into bucket1). The effect is the same.
Create s3 bucket waltdoescloud.com with defaults (modifications to come later).
Create s3 bucket www.waltdoescloud.com with defaults (modifications to come later).
Upload website content into s3 bucket www.waltdoescloud.com.
Enable public settings (Permissions) for the s3 bucket www.waltdoescloud.com: edit and disable (un-check) "Block all public access". Everything in this bucket becomes readable by anyone on the internet, so upload only content you intend to publish.
Edit the "Bucket policy" to enable public read access to the bucket's content: copy-paste the contents of bucketpolicy-readonly.txt into the Edit statement text area. The policy should grant the anonymous principal s3:GetObject on the bucket's objects only (arn:aws:s3:::www.waltdoescloud.com/*), not s3:ListBucket, any write action, or anything on the bucket ARN itself.
Enable "Static website hosting" setting (bucket's Properties). Options:
Static website hosting: Enabled.
Hosting type: Host a static website.
Index document: index.html.
Error document - optional: error.html.
Set up redirection of the non-www bucket (waltdoescloud.com) to the www bucket (www.waltdoescloud.com), which now contains the website content and is configured for static website hosting: in the Properties of waltdoescloud.com, set these options:
Static website hosting: Enabled.
Hosting type: Redirect requests for an object.
Host name: www.waltdoescloud.com.
Protocol: http (https to be configured later).
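The page does not show bucketpolicy-readonly.txt, and a public bucket is only safe when the policy grants nothing beyond object reads. The following is an added example (not the page's own file or code): the least-privilege public-read policy such a file is assumed to contain, a deliberately over-broad counterpart that still "works", and a small linter that flags public grants beyond s3:GetObject on objects. The bucket name is the page's; the policy contents and the checker are constructed assumptions.

```python
import json

# Bucket name from the page; the policy file itself is not shown there, so this
# is an assumed reconstruction of a least-privilege public-read policy.
CONTENT_BUCKET = "www.waltdoescloud.com"

READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{CONTENT_BUCKET}/*",
        }
    ],
}

# Constructed counter-example: the site still works with this policy, but
# anyone can list, overwrite and delete objects or rewrite the policy itself.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{CONTENT_BUCKET}",
                f"arn:aws:s3:::{CONTENT_BUCKET}/*",
            ],
        }
    ],
}

# The only action a static site needs to grant to the anonymous principal.
ALLOWED_PUBLIC_ACTIONS = {"s3:GetObject"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for the anonymous principal, written either as "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_public_policy(policy):
    """Return findings for Allow statements granted to everyone.

    Flags any action outside ALLOWED_PUBLIC_ACTIONS (wildcards such as s3:* or
    s3:Get* included) and any bucket-level resource ARN, because a public
    bucket-level grant is what enables listing (s3:ListBucket) or policy
    changes (s3:PutBucketPolicy).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or action not in ALLOWED_PUBLIC_ACTIONS:
                findings.append(f"statement {i}: public principal granted {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.endswith("/*"):
                findings.append(f"statement {i}: public grant on bucket-level resource {resource}")
    return findings


def render_policy(policy):
    """Serialise the policy as the JSON to paste into the bucket-policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy(READONLY_POLICY))
    print("readonly:", lint_public_policy(READONLY_POLICY) or "no findings")
    for finding in lint_public_policy(OVERBROAD_POLICY):
        print("overbroad:", finding)
```

Run the linter over whatever you are about to paste into the "Bucket policy" editor; an empty findings list is what you want for the content bucket. The redirect bucket needs no policy at all, since it serves only redirects.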
Create DNS records (using Route 53) for the two s3 buckets (waltdoescloud.com and www.waltdoescloud.com):
Define a simple A record with "record name" www, "Route traffic to" set to "Alias to S3 website endpoint", the bucket's region, and the S3 website endpoint the console offers for the www bucket. Set "Evaluate target health" to "no".
Define another simple record with its "record name" blank, and the same choices for the 2nd to 4th options. The last option displays the non-www S3 bucket. Mine: "s3-website-us-east-1.amazonaws.com (waltdoescloud.com)". Again, set "Evaluate target health" to "no".
Secure the website with certificate:
In AWS Certificate Manager, "Request a public certificate" for www.waltdoescloud.com (in the "Domain name" field), and specify "waltdoescloud.com" for the "Add another name to this certificate" field. Request it in the us-east-1 (N. Virginia) region: CloudFront only accepts custom certificates issued there, whatever region the buckets live in.
Use defaults for "Validation method" (DNS validation) and Key algorithm (RSA 2048).
Validate domain ownership: open the certificate from ACM's "List certificates" blade, then click "Create records in Route 53" (right pane) so ACM adds its CNAME validation records to the hosted zone.
Verify that the certificate status has changed from "Pending validation" to "Issued".
Set up CloudFront for caching and so that HTTPS can be enabled for the site:
In CloudFront's "Create Distribution" wizard, create one distribution per bucket and set its "Origin domain" to that bucket's "Bucket website endpoint" URL (found in the bucket's Properties, "Static website hosting" section), not the plain bucket endpoint the drop-down suggests; only the website endpoint serves the index document and applies the redirect rule.
Origin domains: http://www.waltdoescloud.com.s3-website-us-east-1.amazonaws.com and http://waltdoescloud.com.s3-website-us-east-1.amazonaws.com
Caveat: S3 website endpoints speak HTTP only, so the "Origin protocol policy" must stay "HTTP only" and the CloudFront-to-S3 leg is unencrypted; the bucket must also stay publicly readable, because Origin Access Control works only with the non-website bucket endpoint. TLS is terminated at CloudFront, which is what the viewer-facing HTTPS below refers to.
In the "Default cache behavior" section, set "Viewer protocol policy" to "Redirect HTTP to HTTPS"
For "Alternate Domain Names (CNAMEs)", enter www.waltdoescloud.com on the www distribution and waltdoescloud.com on the non-www distribution. CloudFront accepts an alternate name only if the certificate selected below covers it.
For "Price class", select your preference. Mine: Use only North America and Europe.
For "Custom SSL Certificate", select the relevant certificate (www.waltdoescloud.com).
For "Supported HTTP versions", include HTTP/3 (HTTP/2 is checked by default).
Enable the HTTPS redirect for the non-www version of the website: in waltdoescloud.com's Properties, "Static website hosting" settings, change the "Protocol" setting to "https". Until the DNS change below is made, https://www.waltdoescloud.com is not yet answered by CloudFront, so the non-www redirect will fail briefly.
NOTE: This setting is not available for the www version because the www bucket is a content-hosting bucket, not a redirector.
Change the DNS A records (in Route 53) to point at the CloudFront distributions instead of directly at S3:
Remember: the CloudFront distributions have already been configured to point at S3 (as "Origin domains").
In the hosted zone "waltdoescloud.com", select the "www.waltdoescloud.com" record and edit it, changing the "Route traffic to" option from "Alias to S3 website endpoint" to "Alias to CloudFront distribution".
Copy the "Domain name" of the www.waltdoescloud.com distribution (its *.cloudfront.net name) and paste it into the third field of the "Route traffic to" setting in the "Edit record" dialog box of the www.waltdoescloud.com A record.
Repeat the two preceding steps for the "waltdoescloud.com" record, using the non-www distribution's domain name.
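Once the records above point at CloudFront, a request for http://waltdoescloud.com/ should take exactly three hops: CloudFront upgrades it to https, the redirect bucket (via the non-www distribution) sends it to the www host, and the www distribution answers 200. The following is an added example, not code from the page: a redirect-chain checker run against a constructed response table representing the finished deployment, plus a second table in which the redirect bucket's "Protocol" was left at http (the setting changed a few steps earlier) to show the plaintext hop that mistake introduces. The hostnames are the page's; the tables, the check rules and the optional live_fetch helper (plain http.client, no redirect following) are assumptions.

```python
import http.client
from urllib.parse import urlsplit

# Constructed table standing in for the finished deployment described above.
# Maps a requested URL to the (status, Location) pair each hop should return.
#   hop 1: CloudFront's viewer protocol policy upgrades http to https
#   hop 2: the non-www distribution's origin is the redirect bucket, whose
#          rule now says protocol https, so it sends the client to www
#   hop 3: the www distribution serves the object from the content bucket
EXPECTED_SITE = {
    "http://waltdoescloud.com/": (301, "https://waltdoescloud.com/"),
    "https://waltdoescloud.com/": (301, "https://www.waltdoescloud.com/"),
    "http://www.waltdoescloud.com/": (301, "https://www.waltdoescloud.com/"),
    "https://www.waltdoescloud.com/": (200, None),
}

# Same site, but with the redirect bucket's protocol left at "http": hop 2
# downgrades the client to plaintext before CloudFront upgrades it again.
MISCONFIGURED_SITE = dict(EXPECTED_SITE)
MISCONFIGURED_SITE["https://waltdoescloud.com/"] = (301, "http://www.waltdoescloud.com/")


def table_fetch(table):
    """Build an offline fetcher that answers from one of the tables above."""
    return lambda url: table.get(url, (404, None))


def live_fetch(url):
    """Fetch one URL without following redirects; for use against the real site."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_chain(url, fetch, max_hops=5):
    """Return the list of (url, status) visited, stopping at the first non-redirect."""
    chain = []
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in (301, 302, 307, 308) or not location:
            return chain
        url = location
    raise RuntimeError(f"more than {max_hops} hops from {chain[0][0]}; check for a redirect loop")


def check_canonical(url, fetch, canonical="https://www.waltdoescloud.com/"):
    """Return (ok, problems) for one starting URL.

    The chain must end with 200 at the canonical https URL, and once the
    client has been upgraded to https no later hop may send it back to http.
    """
    chain = follow_chain(url, fetch)
    final_url, final_status = chain[-1]
    problems = []
    if final_status != 200:
        problems.append(f"final status {final_status} at {final_url}")
    if final_url != canonical:
        problems.append(f"ended at {final_url}, expected {canonical}")
    for hop_url, _ in chain[1:]:
        if urlsplit(hop_url).scheme != "https":
            problems.append(f"plaintext hop after first redirect: {hop_url}")
    return (not problems, problems)


if __name__ == "__main__":
    for start in EXPECTED_SITE:
        print(start, "->", check_canonical(start, table_fetch(EXPECTED_SITE)))
    print("misconfigured:", check_canonical("http://waltdoescloud.com/", table_fetch(MISCONFIGURED_SITE)))
```

To test the real deployment, pass live_fetch instead of a table fetcher; the check deliberately does not auto-follow redirects, because a client that did would hide the plaintext hop that the misconfigured table demonstrates.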
[IMPORTANT TIP] CloudFront keeps serving cached copies until their TTL expires. To make new content visible immediately, run an "Invalidation":
Upload your new content to S3.
In CloudFront's "Distributions" blade, select the www.waltdoescloud.com distribution, then run "Create invalidation" on the "Invalidations" tab. Specify /* (no quotes) in the Object Paths field; that is the documented wildcard for every object in the distribution, and the * must be the last character of a path.
Repeat for the waltdoescloud.com distribution.