If I understand what you're saying, if the origin for your CloudFront distribution is an S3 bucket, the link between S3 and CloudFront is unencrypted? That seems unimaginable to me.
If the origin is an S3 static website, the link is unencrypted but should run over Amazon's own network. Since Amazon has your S3 and CloudFront data anyway, assuming all CF endpoints are under Amazon's control, you don't lose much by having the S3 origin load over http.
This article[1] states the following, though it doesn't cite any specific source:
> CloudFront will use encryption when retrieving data from its storage service S3 (Simple Storage Service), so the content is protected all the way from where it is stored to the user's computer, according to Amazon.
Eavesdropping on the connection between CF and S3 doesn't say too much about a public static website, though. If you're serving private data, use an S3 bucket directly instead of the S3 static website hosting HTTP server.
Yup. It's fine for most simple sites that don't receive much traffic due to almost nonexistent costs. But I personally don't recommend it when there are many alternatives out there these days. Partial SSL is no SSL imo.
The method I described doesn't require you to use an S3 static website. We don't have that option enabled, so the bucket name isn't mysite.com, it's "mysite-html", and the S3 website hosting is not enabled.
CloudFront has its own IAM user that is permitted to access the contents of the bucket, which means that it has to use the API. I don't think it's even possible to access the S3 API without using HTTPS. Therefore I think it is highly unlikely that the connection is unencrypted.
Awesome! I'm new to AWS, and when I tried to set up a static website using CloudFront + S3, I was only aware of the static website option on S3. This is what the docs use, and it led me down the wrong path, it seems! Thanks
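The two origin setups compared in this thread can be told apart from a distribution's configuration. The following is an added example, not code from any commenter: it classifies each origin in a CloudFront `DistributionConfig` dictionary (the shape returned by the CloudFront API). The sample config, the origin IDs and the `EXAMPLEID` identity are constructed placeholders; the bucket names are the ones mentioned above.

```python
import re

# S3 website endpoints (bucket.s3-website-REGION or bucket.s3-website.REGION)
# only speak HTTP and only answer anonymous requests.
WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# S3 REST endpoints (bucket.s3.amazonaws.com, bucket.s3.REGION..., bucket.s3-REGION...).
# This pattern also matches website hostnames, so WEBSITE_RE must be tested first.
REST_RE = re.compile(r"\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

def classify_origins(distribution_config):
    """Map each origin Id to a label describing how CloudFront reaches it."""
    result = {}
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        domain = origin["DomainName"].lower()
        s3cfg = origin.get("S3OriginConfig") or {}
        custom = origin.get("CustomOriginConfig") or {}
        if WEBSITE_RE.search(domain):
            label = "s3-website-http"       # static website hosting endpoint
        elif REST_RE.search(domain):
            # Bucket reached through the S3 API; check for an origin access identity.
            label = "s3-rest-oai" if s3cfg.get("OriginAccessIdentity") else "s3-rest-no-oai"
        elif custom.get("OriginProtocolPolicy") == "https-only":
            label = "custom-https-only"
        else:
            label = "custom-http-allowed"
        result[origin["Id"]] = label
    return result

# Constructed sample: one origin per setup described in the thread.
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 2,
        "Items": [
            {"Id": "website-origin",
             "DomainName": "mysite.com.s3-website-us-east-1.amazonaws.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
            {"Id": "bucket-origin",
             "DomainName": "mysite-html.s3.amazonaws.com",
             "S3OriginConfig": {
                 "OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEID"}},
        ],
    }
}

if __name__ == "__main__":
    for origin_id, label in classify_origins(SAMPLE_CONFIG).items():
        print(origin_id, label)
```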