Introduction: Understanding Internal Websites and SPAs

Single-page applications (SPAs) have become popular in modern web development because of their seamless user experience and fast performance. Internal websites, designed for exclusive use within an organization, often host these SPAs. Ensuring their security and accessibility is paramount, especially when they handle sensitive data. This guide walks you through securely hosting internal SPAs on AWS S3.

Why Choose S3 for Static Website Hosting?

Amazon S3 is a highly scalable, reliable, low-latency data storage infrastructure. It offers robust features like versioning, lifecycle policies, and cross-region replication. S3 provides simplicity and cost-effectiveness for static website hosting, making it an excellent choice for SPAs. Here are a few reasons why S3 stands out:

  • Cost-Effective: Pay only for what you use without upfront costs.
  • Scalable: Automatically scales to handle any number of requests.
  • High Availability: Designed for 99.999999999% (11 9’s) data durability.
  • Secure: Offers robust security features, including encryption and access control.

Architecting Internal S3 Hosting: The Role of VPC Endpoints and ALBs

Hosting an internal website on S3 requires ensuring it is not publicly accessible. This is where Virtual Private Cloud (VPC) endpoints and Application Load Balancers (ALBs) come into play. Here’s how they help:

  • VPC Endpoints: Enable you to connect your VPC to AWS services without exposing your data to the internet.
  • Application Load Balancers: Distribute incoming traffic across multiple targets, such as EC2 instances, and can enforce that only authenticated users reach your application.

Implementing Internal S3 Hosting with AWS CDK: A Step-by-Step Guide

Prerequisites

  • AWS Account
  • AWS CLI installed and configured
  • AWS CDK installed

Step 1: Set Up the AWS CDK Project

mkdir internal-spa-hosting
cd internal-spa-hosting
cdk init app --language typescript

Step 2: Define the S3 Bucket

In your lib/internal-spa-hosting-stack.ts file, add:

import * as s3 from '@aws-cdk/aws-s3';
import * as cdk from '@aws-cdk/core';

export class InternalSpaHostingStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Private bucket for the SPA build output. All public access is blocked,
    // so reads can only be granted by a bucket policy (added in Step 3).
    const siteBucket = new s3.Bucket(this, 'SiteBucket', {
      websiteIndexDocument: 'index.html',
      publicReadAccess: false,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
    });
  }
}

Step 3: Add VPC Endpoint and ALB

Add the following to the same file:

import * as ec2 from '@aws-cdk/aws-ec2';
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
import * as targets from '@aws-cdk/aws-elasticloadbalancingv2-targets';
import * as iam from '@aws-cdk/aws-iam';

// Everything below goes inside the constructor, after siteBucket is created.
const vpc = new ec2.Vpc(this, 'VPC');

// Interface (PrivateLink) endpoint for S3: requests to the bucket stay inside the VPC.
const endpoint = new ec2.InterfaceVpcEndpoint(this, 'S3Endpoint', {
  vpc,
  service: new ec2.InterfaceVpcEndpointService('com.amazonaws.us-east-1.s3', 443),
});

// Internal ALB: no public IP, reachable only from the VPC and networks connected to it.
const alb = new elbv2.ApplicationLoadBalancer(this, 'ALB', {
  vpc,
  internetFacing: false,
});

// open: true adds a 0.0.0.0/0 ingress rule to the ALB security group; because the
// ALB is internal, that still only admits traffic that can reach the VPC.
const listener = alb.addListener('Listener', {
  port: 80,
  open: true,
});

// The ALB forwards to the private IPs of the endpoint's network interfaces, where S3 listens on 443.
// Placeholder addresses: replace with the IPs of the S3Endpoint ENIs once the endpoint exists.
const endpointIps = ['10.0.0.10', '10.0.1.10'];
listener.addTargets('Target', {
  port: 443,
  protocol: elbv2.ApplicationProtocol.HTTPS,
  targets: endpointIps.map((ip) => new targets.IpTarget(ip)),
});

// Attach the read grant to the bucket and pin it to this endpoint. Without the
// aws:SourceVpce condition an AnyPrincipal grant is a public policy and is rejected under BLOCK_ALL.
siteBucket.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['s3:GetObject'],
  resources: [siteBucket.arnForObjects('*')],
  principals: [new iam.AnyPrincipal()],
  conditions: { StringEquals: { 'aws:SourceVpce': endpoint.vpcEndpointId } },
}));

Step 4: Deploy Your Application

cdk deploy

Testing Your Internal S3-Hosted SPA

To test your internal SPA, ensure your ALB is correctly configured to route traffic to your S3 bucket. Access the application through the internal network to verify connectivity and functionality. Ensure that only authorized users can access the application by checking IAM policies and security group settings.
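One concrete way to do the "check IAM policies" step, and to catch the mistake of granting AnyPrincipal without an endpoint condition in Step 3, is to lint the bucket policy document before deploying. The following is an added example, not code from the guide: the bucket name, endpoint id and sample policies are constructed placeholders.

```typescript
// Added example (not part of the guide): flag wildcard-principal Allow statements not pinned to the VPC endpoint.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
interface Statement {
  Sid?: string; Effect: 'Allow' | 'Deny'; Principal?: Json;
  Action: string | string[]; Resource: string | string[];
  Condition?: { [operator: string]: { [key: string]: Json } };
}
export interface PolicyDocument { Version: string; Statement: Statement[]; }

// "*" or {"AWS": "*"} (what iam.AnyPrincipal() renders to) means any caller, anonymous included.
function hasWildcardPrincipal(stmt: Statement): boolean {
  const p = stmt.Principal;
  if (p === '*') return true;
  if (p && typeof p === 'object' && !Array.isArray(p)) {
    const aws = p.AWS;
    return aws === '*' || (Array.isArray(aws) && aws.indexOf('*') !== -1);
  }
  return false;
}

// True when a StringEquals-style condition restricts aws:SourceVpce to vpceId.
function pinnedToVpcEndpoint(stmt: Statement, vpceId: string): boolean {
  const cond: NonNullable<Statement['Condition']> = stmt.Condition || {};
  for (const op of Object.keys(cond)) {
    if (!/^(ForAnyValue:|ForAllValues:)?StringEquals$/.test(op)) continue;
    for (const key of Object.keys(cond[op])) {
      const value = cond[op][key];
      const values = Array.isArray(value) ? value : [value];
      if (key.toLowerCase() === 'aws:sourcevpce' && values.indexOf(vpceId) !== -1) return true;
    }
  }
  return false;
}

// Sid (or index) of each Allow statement that would make the bucket readable by anyone.
export function findUnpinnedWildcardGrants(doc: PolicyDocument, vpceId: string): string[] {
  const offenders: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect === 'Allow' && hasWildcardPrincipal(s) && !pinnedToVpcEndpoint(s, vpceId)) {
      offenders.push(s.Sid || String(i));
    }
  });
  return offenders;
}

// Constructed samples (placeholder bucket name and endpoint id): the guide's unconditioned grant, then the pinned form.
const read: Statement = { Sid: 'VpceRead', Effect: 'Allow', Principal: { AWS: '*' },
  Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-internal-site/*' };
export const UNPINNED: PolicyDocument = { Version: '2012-10-17', Statement: [read] };
export const PINNED: PolicyDocument = { Version: '2012-10-17', Statement: [
  { ...read, Condition: { StringEquals: { 'aws:SourceVpce': 'vpce-0123456789abcdef0' } } }] };
```

Run it against the policy that `cdk synth` emits for the bucket (or the output of `aws s3api get-bucket-policy`) with the real endpoint id; an empty result means every wildcard grant is confined to the endpoint.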

Additional Security Considerations for Private Websites

  1. Encryption: Ensure your data is encrypted at rest and in transit.
  2. Access Control: Use IAM policies to restrict access to the S3 bucket and other resources.
  3. Logging and Monitoring: Enable logging on your S3 bucket and use AWS CloudTrail to monitor access.

Beyond Internal Hosting: Balancing Security and Accessibility

While internal hosting keeps the application off the public internet, there may be times when you need to grant temporary access to external users. Consider using AWS WAF (Web Application Firewall) to control access based on IP addresses and other criteria. Continuously monitor access and adjust policies as needed to balance security and accessibility.

Conclusion: Empowering Your Organization with Secure Internal Applications

By leveraging AWS S3, VPC endpoints, and ALBs, you can securely host internal SPAs, providing a seamless and secure user experience. AWS CDK simplifies the process, allowing you to define and deploy your infrastructure as code. With robust security measures and careful planning, you can empower your organization with efficient and secure internal applications.
