
AWSCloudFormationTemplates/static-website-hosting-with-ssl


AWSCloudFormationTemplates/static-website-hosting-with-ssl builds Amazon CloudFront, Amazon S3 and related resources for static website hosting.

TL;DR

If you just want to deploy the stack, follow these steps.

  1. Before running this CloudFormation template, run both the Security template and the Global Settings template in this project.
  2. Click the button below.

cloudformation-launch-stack

If you want to deploy each service individually, click the button below.

Services Launchers
Synthetics cloudformation-launch-stack
Real-time Dashboard cloudformation-launch-stack
WAF cloudformation-launch-stack

Architecture

The following sections describe the individual components of the architecture.

Amazon S3

Origin

This template creates an S3 bucket that serves as the origin of the web distribution. The bucket policy allows CloudFront to read objects through an origin access identity (OAI) and denies direct access by anonymous users, so the content is reachable only through the distribution.

Log Bucket

Logs generated by S3 and CloudFront are stored in an S3 bucket created by this template.

Amazon CloudFront

This template creates a CloudFront distribution. It supports a custom domain name with an ACM certificate, aliases, an origin access identity, a secondary origin and logging.

AWS WAF

This template can attach an AWS WAF web ACL to the CloudFront distribution (the web ACL must be created in us-east-1, the only region CloudFront accepts web ACLs from). It enables the following AWS Managed Rules rule groups.

  • AWSManagedRulesCommonRuleSet
  • AWSManagedRulesAdminProtectionRuleSet
  • AWSManagedRulesKnownBadInputsRuleSet
  • AWSManagedRulesAmazonIpReputationList
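The S3 origin, CloudFront and WAF sections above each describe a setting that is easy to regress in a template edit (an OAI-only bucket policy, blocked public access, HTTPS for viewers, logging, an attached web ACL). The following is an added example, not part of this project, that audits a CloudFormation template for exactly those settings. The embedded template and its logical IDs (OriginAccessIdentity, OriginBucket, OriginBucketPolicy, Distribution) are constructed for the example; nothing is deployed, the script only reads the JSON.

```python
"""Added example (not part of this project): audit a CloudFormation template
for the hardening this README describes. Logical IDs in the sample are
assumptions; the checks only read the template, nothing is deployed."""
import json

OAI_TYPE = "AWS::CloudFront::CloudFrontOriginAccessIdentity"
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed sample template in JSON form; only the resources the checks
# look at are included, and the logical IDs are made up for this example.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "OriginAccessIdentity": {"Type": OAI_TYPE, "Properties": {
        "CloudFrontOriginAccessIdentityConfig": {"Comment": "static site"}}},
    "OriginBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}},
    "OriginBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "OriginBucket"},
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"CanonicalUser": {"Fn::GetAtt": [
                "OriginAccessIdentity", "S3CanonicalUserId"]}},
            "Action": "s3:GetObject",
            "Resource": {"Fn::Sub": "${OriginBucket.Arn}/*"}}]}}},
    "Distribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {
            "Enabled": True,
            "DefaultCacheBehavior": {"TargetOriginId": "s3-origin",
                                     "ViewerProtocolPolicy": "redirect-to-https"},
            "Logging": {"Bucket": "logs.s3.amazonaws.com"},
            "WebACLId": {"Ref": "WebACLArn"}}}},
}})


def _resources_of(template, type_name):
    return {lid: res for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == type_name}


def _is_oai_principal(principal, oai_ids):
    """True when the principal is the canonical user of an OAI in this template."""
    if not isinstance(principal, dict):
        return False
    canonical = principal.get("CanonicalUser")
    getatt = canonical.get("Fn::GetAtt") if isinstance(canonical, dict) else None
    return (isinstance(getatt, list) and len(getatt) == 2
            and getatt[0] in oai_ids and getatt[1] == "S3CanonicalUserId")


def audit_template(template_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    template = json.loads(template_text)
    oai_ids = set(_resources_of(template, OAI_TYPE))
    findings = []

    # Every bucket must block public ACLs and public policies.
    for lid, bucket in _resources_of(template, "AWS::S3::Bucket").items():
        pab = bucket.get("Properties", {}).get("PublicAccessBlockConfiguration", {})
        for key in PAB_KEYS:
            if pab.get(key) is not True:
                findings.append(f"{lid}: {key} is not true")

    # Every Allow statement in a bucket policy must be scoped to an OAI.
    for lid, pol in _resources_of(template, "AWS::S3::BucketPolicy").items():
        statements = pol.get("Properties", {}).get("PolicyDocument", {}).get("Statement", [])
        for stmt in [statements] if isinstance(statements, dict) else statements:
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            if principal == "*" or principal == {"AWS": "*"}:
                findings.append(f"{lid}: Allow statement grants anonymous access")
            elif not _is_oai_principal(principal, oai_ids):
                findings.append(f"{lid}: Allow statement principal is not an origin access identity")

    # The distribution must not serve plain HTTP, must log, and must carry a web ACL.
    for lid, dist in _resources_of(template, "AWS::CloudFront::Distribution").items():
        cfg = dist.get("Properties", {}).get("DistributionConfig", {})
        policy = cfg.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
        if policy not in ("redirect-to-https", "https-only"):
            findings.append(f"{lid}: ViewerProtocolPolicy is {policy!r}, not redirect-to-https or https-only")
        if not cfg.get("Logging"):
            findings.append(f"{lid}: Logging is not configured")
        if not cfg.get("WebACLId"):
            findings.append(f"{lid}: no WebACLId attached")
    return sorted(findings)


def weakened_sample():
    """The sample with the protections removed, to show what the audit flags."""
    template = json.loads(SAMPLE_TEMPLATE)
    res = template["Resources"]
    res["OriginBucket"]["Properties"]["PublicAccessBlockConfiguration"]["BlockPublicPolicy"] = False
    res["OriginBucketPolicy"]["Properties"]["PolicyDocument"]["Statement"][0]["Principal"] = "*"
    cfg = res["Distribution"]["Properties"]["DistributionConfig"]
    cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "allow-all"
    del cfg["WebACLId"]
    return json.dumps(template)


if __name__ == "__main__":
    for finding in audit_template(weakened_sample()):
        print(finding)
```

Run it against a real template by converting the YAML to JSON first (for example with cfn-flip) and passing the text to audit_template; a non-empty result is the list of settings that drifted from what this README promises.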

Synthetics Stack

This template creates a nested stack for monitoring with CloudWatch Synthetics. See here for the details of this stack.

Real-time Dashboard Stack

This template creates a nested stack for a real-time dashboard built on CloudFront real-time logs. It contains the following resources.

Amazon Kinesis Data Streams

CloudFront publishes its real-time logs to an Amazon Kinesis Data Streams stream. Amazon Kinesis Data Firehose reads from that stream and delivers the logs to their destinations.

Amazon Kinesis Data Firehose and related resources

Amazon Kinesis Data Firehose delivers the logs to Amazon Elasticsearch Service, invoking an AWS Lambda function on the way to process each log record and convert it into the format the dashboard expects. Records that Firehose cannot deliver to Elasticsearch are written to an Amazon S3 bucket instead.
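The Lambda transformation step above, as an added example that is not the project's own function: a Kinesis Data Firehose transformation handler that turns each tab-separated CloudFront real-time log line into a JSON document for Elasticsearch. The field list FIELDS is an assumption standing in for whichever fields the real-time log configuration selects, in the order it selects them; the sample event is constructed. A line with the wrong number of fields is returned as ProcessingFailed, which is what makes Firehose write it to the S3 bucket rather than to Elasticsearch.

```python
"""Added example (not the project's Lambda): a Firehose transformation handler
for CloudFront real-time log records. FIELDS is an assumed log configuration."""
import base64
import json

# Assumed field order of the real-time log configuration: CloudFront emits the
# selected fields tab-separated, in the order they were configured.
FIELDS = ["timestamp", "c-ip", "sc-status", "sc-bytes", "cs-method",
          "cs-host", "cs-uri-stem", "x-edge-result-type", "c-country", "time-taken"]
INT_FIELDS = {"sc-status", "sc-bytes"}
FLOAT_FIELDS = {"time-taken"}


def parse_line(line):
    """Turn one tab-separated log line into a dict; raise ValueError if malformed."""
    values = line.split("\t")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    doc = dict(zip(FIELDS, values))
    # Whole seconds, matching the epoch_second mapping registered in Kibana.
    doc["timestamp"] = int(float(doc["timestamp"]))
    for name in INT_FIELDS:
        doc[name] = None if doc[name] == "-" else int(doc[name])
    for name in FLOAT_FIELDS:
        doc[name] = None if doc[name] == "-" else float(doc[name])
    return doc


def transform_record(record):
    """Process one Firehose record. A record may carry several lines; the output
    is newline-delimited JSON. Malformed input is marked ProcessingFailed so
    Firehose delivers it to the S3 error prefix instead of silently dropping it."""
    raw = base64.b64decode(record["data"]).decode("utf-8")
    try:
        docs = [parse_line(line) for line in raw.splitlines() if line.strip()]
    except ValueError:
        return {"recordId": record["recordId"], "result": "ProcessingFailed",
                "data": record["data"]}
    if not docs:
        return {"recordId": record["recordId"], "result": "Dropped", "data": record["data"]}
    out = "".join(json.dumps(doc) + "\n" for doc in docs)
    return {"recordId": record["recordId"], "result": "Ok",
            "data": base64.b64encode(out.encode("utf-8")).decode("ascii")}


def lambda_handler(event, context=None):
    """Entry point Firehose invokes: one output record per input record."""
    return {"records": [transform_record(r) for r in event["records"]]}


def decode_output(record):
    """Decode an Ok output record back into the JSON documents it carries."""
    text = base64.b64decode(record["data"]).decode("utf-8")
    return [json.loads(line) for line in text.splitlines()]


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample event: one well-formed line and one truncated line.
SAMPLE_EVENT = {
    "invocationId": "example-invocation",
    "records": [
        {"recordId": "1", "data": _b64("1607465183.912\t203.0.113.7\t200\t5120\tGET\t"
                                      "www.example.com\t/index.html\tHit\tJP\t0.004")},
        {"recordId": "2", "data": _b64("1607465184.001\t203.0.113.8\t404")},
    ],
}

if __name__ == "__main__":
    for out in lambda_handler(SAMPLE_EVENT)["records"]:
        print(out["recordId"], out["result"])
```

Keep FIELDS in step with the real-time log configuration; if the two disagree, every record fails the length check and lands in S3, which is the visible symptom to look for when the dashboard stays empty.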

Amazon Elasticsearch Service

On Amazon Elasticsearch Service you can create real-time dashboards, set up alerts, investigate anomalies and respond to operational events quickly. Common data points to track include the number of viewer requests originating from different geographical regions and the number of unique viewers experiencing increased latency.

Deployment

Execute the following command, supplying the DomainName and CertificateManagerARN parameters.

aws cloudformation deploy --template-file template.yaml --stack-name StaticWebsiteHosting --parameter-overrides DomainName=XXXXX CertificateManagerARN=XXXXX

The parameters are as follows.

| Name | Type | Default | Details |
| --- | --- | --- | --- |
| CertificateManagerARN | String | | If it is NOT empty, the ACM certificate is associated with CloudFront. |
| DomainName | String | | The CNAME attached to CloudFront |
| CloudFrontDefaultTTL | Number | 86400 | CloudFront default TTL |
| CloudFrontMinimumTTL | Number | 0 | CloudFront minimum TTL |
| CloudFrontMaximumTTL | Number | 31536000 | CloudFront maximum TTL |
| CloudFrontViewerProtocolPolicy | allow-all / redirect-to-https / https-only | redirect-to-https | CloudFront viewer protocol policy |
| CloudFrontAdditionalName | String | | If it is NOT empty, an alias name is set on CloudFront. |
| CloudFrontSecondaryOriginId | String | | If it is NOT empty, a secondary S3 bucket is associated with CloudFront. |
| CloudFrontRestrictViewerAccess | ENABLED / DISABLED | DISABLED | Enable or disable Restrict Viewer Access (signed URLs or signed cookies) |
| CloudFront403ErrorResponsePagePath | String | | The path to the 403 custom error page |
| CloudFront404ErrorResponsePagePath | String | | The path to the 404 custom error page |
| CloudFront500ErrorResponsePagePath | String | | The path to the 500 custom error page |
| RealtimeDashboardElasticSearchVolumeSize | Number | 10 | The volume size (GB) of the Elasticsearch Service domain |
| RealtimeDashboardElasticSearchInstanceType | String | r5.large.elasticsearch | The instance type of the Elasticsearch Service domain |
| RealtimeDashboardElasticSearchMasterType | String | r5.large.elasticsearch | The master node type of the Elasticsearch Service domain |
| RealtimeDashboardElasticSearchLifetime | Number | 1 | The lifetime (hours) of the Elasticsearch Service domain |
| RealtimeDashboardElasticSearchMasterUserName | String | root | The master user name of the Elasticsearch Service domain |
| RealtimeDashboardElasticSearchMasterUserPassword | String | Password1+ | The master user password of the Elasticsearch Service domain |
| RealtimeDashboardElasticsearchVersion | String | 7.8 | The Elasticsearch version |
| RealtimeDashboardState | ENABLED / DISABLED | DISABLED | If ENABLED, the Real-time Dashboard is created. |
| RealtimeDashboardSamplingRate | Number | 100 | The sampling rate (%) of real-time logs sent by CloudFront |
| RealtimeDashboardKinesisShardCount | Number | 1 | The shard count of the Kinesis data stream |
| RealtimeDashboardKinesisNumberOfPutRecordThreshold | Number | 12000000 | The threshold of PutRecord API calls |
| Route53HostedZoneId | String | | Route 53 hosted zone ID |
| S3DestinationBucketArnOfCrossRegionReplication | String | | If it is NOT empty, cross-region replication is enabled on S3. |
| SyntheticsCanaryName | String | | If it is NOT empty, CloudWatch Synthetics is enabled. |
| Logging | ENABLED / DISABLED | ENABLED | If ENABLED, logging is enabled on CloudFront and S3. |
| LogBacketName | String | | If empty, the bucket where the logs are stored is named 'defaultsecuritysettings-logs-${AWS::Region}-${AWS::AccountId}'. |
| WebACLArn | String | | The ARN of the Web ACL |

The Elasticsearch master user defaults (root and Password1+) are placeholders: set your own values for RealtimeDashboardElasticSearchMasterUserName and RealtimeDashboardElasticSearchMasterUserPassword whenever RealtimeDashboardState is ENABLED. The ACM certificate referenced by CertificateManagerARN and the web ACL referenced by WebACLArn must both exist in us-east-1, because CloudFront only accepts certificates and web ACLs from that region.

If you deploy the Real-time Dashboard stack individually, its parameters are as follows.

| Name | Type | Default | Details |
| --- | --- | --- | --- |
| ElasticSearchVolumeSize | Number | 10 | The volume size (GB) of the Elasticsearch Service domain |
| ElasticSearchDomainName | String | cloudfront-realtime-logs | The domain name of the Elasticsearch Service domain |
| ElasticSearchInstanceType | String | r5.large.elasticsearch | The instance type of the Elasticsearch Service domain |
| ElasticSearchMasterType | String | r5.large.elasticsearch | The master node type of the Elasticsearch Service domain |
| ElasticSearchLifetime | Number | 1 | The lifetime (hours) of the Elasticsearch Service domain |
| ElasticSearchMasterUserName | String | root | The master user name of the Elasticsearch Service domain |
| ElasticSearchMasterUserPassword | String | Password1+ | The master user password of the Elasticsearch Service domain |
| ElasticsearchVersion | String | 7.8 | The Elasticsearch version |
| SamplingRate | Number | 100 | The sampling rate (%) of real-time logs sent by CloudFront |
| KinesisFirehoseStreamNameSuffix | String | default | The suffix of the Kinesis Data Firehose stream name |
| KinesisShardCount | Number | 1 | The shard count of the Kinesis data stream |
| KinesisNumberOfPutRecordThreshold | Number | 12000000 | The threshold of PutRecord API calls |

Manual Deployment

Origin failover

This CloudFormation template can add a secondary origin to the CloudFront distribution, but it does NOT create an Origin Group. Create the Origin Group and edit the Default Cache Behavior settings manually after the CloudFormation deployment completes.

  1. Create an Origin Group with the two origins and the failover criteria.
  2. In the Default Cache Behavior settings, change Origin or Origin Group to the Origin Group you created.
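The same two steps can be scripted instead of clicked. The following is an added example, not part of this project: it takes the DistributionConfig returned by `aws cloudfront get-distribution-config`, adds an origin group whose failover criteria are the 5xx status codes, and repoints the default cache behavior at the group. The origin IDs (primary-s3, secondary-s3), the group name and the trimmed sample config are constructed for the example; a real DistributionConfig has many more keys, which the function passes through untouched.

```python
"""Added example (not part of this project): add an origin group with failover
to a CloudFront DistributionConfig, as returned by get-distribution-config."""
import json

# CloudFront accepts 403, 404, 500, 502, 503 and 504 as failover criteria.
ALLOWED_CODES = {403, 404, 500, 502, 503, 504}
DEFAULT_FAILOVER_CODES = [500, 502, 503, 504]

# Constructed, trimmed sample; origin IDs are assumptions for this example.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "primary-s3", "DomainName": "site-primary.s3.amazonaws.com"},
        {"Id": "secondary-s3", "DomainName": "site-secondary.s3.amazonaws.com"}]},
    "DefaultCacheBehavior": {"TargetOriginId": "primary-s3",
                             "ViewerProtocolPolicy": "redirect-to-https"},
}


def add_origin_group(config, group_id, primary_id, secondary_id,
                     status_codes=DEFAULT_FAILOVER_CODES):
    """Return a copy of config with a new origin group and the default cache
    behavior pointed at it. Raises ValueError rather than emitting a config
    that update-distribution would reject."""
    cfg = json.loads(json.dumps(config))  # deep copy; the caller's dict is untouched
    known = {origin["Id"] for origin in cfg["Origins"]["Items"]}
    for origin_id in (primary_id, secondary_id):
        if origin_id not in known:
            raise ValueError(f"origin {origin_id!r} is not defined in the distribution")
    if primary_id == secondary_id:
        raise ValueError("primary and secondary origin must differ")
    if not status_codes or not set(status_codes) <= ALLOWED_CODES:
        raise ValueError(f"status codes must be a non-empty subset of {sorted(ALLOWED_CODES)}")
    groups = cfg.setdefault("OriginGroups", {"Quantity": 0, "Items": []})
    items = groups.setdefault("Items", [])
    if any(group["Id"] == group_id for group in items):
        raise ValueError(f"origin group {group_id!r} already exists")
    items.append({
        "Id": group_id,
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(status_codes),
                                             "Items": list(status_codes)}},
        "Members": {"Quantity": 2, "Items": [{"OriginId": primary_id},
                                             {"OriginId": secondary_id}]},
    })
    groups["Quantity"] = len(items)
    # Step 2 of the manual procedure: route the default behavior through the group.
    cfg["DefaultCacheBehavior"]["TargetOriginId"] = group_id
    return cfg


if __name__ == "__main__":
    import sys
    # Usage:
    #   aws cloudfront get-distribution-config --id <ID> \
    #     | python3 add_origin_group.py primary-s3 secondary-s3 > new-config.json
    #   aws cloudfront update-distribution --id <ID> --if-match <ETag> \
    #     --distribution-config file://new-config.json
    payload = json.load(sys.stdin)
    updated = add_origin_group(payload["DistributionConfig"], "failover-group",
                               sys.argv[1], sys.argv[2])
    print("ETag for --if-match:", payload["ETag"], file=sys.stderr)
    json.dump(updated, sys.stdout, indent=2)
```

The ETag printed on stderr is the value update-distribution requires in --if-match; if it no longer matches because someone changed the distribution in between, the update is refused, which is the behaviour you want.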

Kibana

Follow the steps below to create a real-time dashboard using Kibana.

  1. Under Security, choose Roles.
  2. Click the + icon to add a new role.
  3. Name your role; for example, firehose.
  4. In the Cluster Permissions tab, for Cluster-wide permissions, add the action groups cluster_composite_ops and cluster_monitor.
  5. In the Index Permissions tab, click Add index permissions. Under Index Patterns enter realtime*, and under Permissions: Action Groups add the three action groups crud, create_index and manage.
  6. Click Save Role Definition.
  7. Under Security, choose Role Mappings.
  8. Click Add Backend Role.
  9. Choose the firehose role you just created.
  10. For Backend roles, enter the IAM ARN of the role Kinesis Data Firehose uses to write to Amazon ES and S3: arn:aws:iam::<aws_account_id>:role/service-role/<KinesisFirehoseServiceRole>.
  11. Click Submit.
  12. Choose Dev Tools.
  13. Enter the following request, which registers the timestamp field as a date stored in epoch seconds, and execute it (older examples use the deprecated template key in place of index_patterns).
PUT _template/custom_template
{
    "index_patterns": ["realtime*"],
    "mappings": {
        "properties": {
            "timestamp": {
                "type": "date",
                "format": "epoch_second"
            }
        }
    }
}

  14. Import the visualizations and a dashboard into Kibana.