Introduction
If you directly host a static site on AWS S3 (public), your files are exposed to the internet. This is fine for simple hosting, but not secure for production.
The best practice is:
- Keep your S3 bucket private
- Serve content via CloudFront (with caching + HTTPS)
- Map domain using Route 53
This way, CloudFront acts as a secure CDN, while S3 only accepts requests from CloudFront.
By the end, you'll have this flow:
Browser → Route 53 (DNS) → CloudFront (HTTPS + caching + SSL) → S3 (private)
Step 1: Keep Your S3 Bucket Private
- Block Public Access = ON (default)
- Disable Static Website Hosting
- Remove any public bucket policy
Your bucket should have no public access.
Step 2: Create a CloudFront Distribution
- Go to CloudFront → Distributions → Create Distribution
- Custom Domain: Enter your domain name (myapp.com)
  - If no SSL → Request a free SSL certificate from ACM and attach it
- Specify Origin:
  - Origin type → S3
  - Origin → Select your bucket
  - Origin Path → /index.html (if required)
  - Enable OAC (Origin Access Control) → Allows CloudFront to access your private S3 bucket
- Leave other settings as default
- (Optional) WAF → Not needed for now
- Save distribution
Step 3: Update S3 Bucket Policy
- After CloudFront is created, it will suggest a bucket policy (under Settings → Origins → Edit)
- Copy that policy and paste it into your S3 bucket policy section
- This ensures that only CloudFront can read from your S3 bucket
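To confirm the pasted policy really limits reads to your distribution, the check below audits a policy document offline. It is an added example, not part of the original post or AWS tooling; the bucket name, account ID, distribution ID and both sample policies are constructed placeholders, and `audit_policy` is a hypothetical helper.

```python
import json

DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"  # placeholder

# Constructed sample in the shape of an OAC bucket policy (placeholder names and IDs).
OAC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipal",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
      "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}
  }]
}""")

# Constructed sample of the public-read policy that Step 1 removes.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, distribution_arn):
    """Return findings; an empty list means only this distribution is allowed."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal")
            continue
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"]:
            findings.append(f"{sid}: principal is not the CloudFront service")
            continue
        # Condition key names are case-insensitive; require an exact ARN match.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(cond.get("aws:sourcearn")) != [distribution_arn]:
            findings.append(f"{sid}: not pinned to this distribution via AWS:SourceArn")
    return findings

if __name__ == "__main__":
    for name, pol in (("OAC", OAC_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_policy(pol, DIST_ARN) or "OK")
```

A statement that names the CloudFront service principal but has no `AWS:SourceArn` condition is flagged as well, since without it the grant is not tied to your distribution.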
Step 4: Update Route 53 DNS
- Go to your Hosted Zone (example: myapp.com)
- Create a Record:
  - Name → myapp.com
  - Type → A (Alias)
  - Alias → Yes
  - Target → Select your CloudFront distribution
- (Optional) Create another record for www.myapp.com → CloudFront
Step 5: Test Setup
- Wait 5–15 minutes for CloudFront distribution to deploy
- Open: https://myapp.com
- Flow is now: Browser → Route 53 → CloudFront → S3 (private)
Conclusion
With this setup, you get secure, production-ready website hosting on AWS:
- Private S3 bucket (no public exposure)
- CloudFront with HTTPS + caching
- Custom domain via Route 53
- Free SSL from ACM
This is the recommended AWS architecture for static site hosting in production.