Introduction
If you directly host a static site on AWS S3 (public), your files are exposed to the internet. This is fine for simple hosting, but not secure for production.
The best practice is:
- Keep your S3 bucket private
- Serve content via CloudFront (with caching + HTTPS)
- Map domain using Route 53
This way, CloudFront acts as a secure CDN, while S3 only accepts requests from CloudFront.
By the end, you'll have this flow:
Browser → Route 53 (DNS) → CloudFront (HTTPS + caching + SSL) → S3 (private)
Step 1: Keep Your S3 Bucket Private
- Block Public Access = ON (default)
- Disable Static Website Hosting
- Remove any public bucket policy
Your bucket should have no public access.
Step 2: Create a CloudFront Distribution
- Go to CloudFront → Distributions → Create Distribution
- Custom Domain: Enter your domain name (myapp.com)
  - If no SSL → Request a free SSL certificate from ACM and attach it
- Specify Origin:
  - Origin type → S3
  - Origin → Select your bucket
  - Origin Path → /index.html (if required)
  - Enable OAC (Origin Access Control) → Allows CloudFront to access your private S3 bucket
- Leave other settings as default
- (Optional) WAF → Not needed for now
- Save distribution
Step 3: Update S3 Bucket Policy
- After CloudFront is created → it will suggest a bucket policy (under Settings → Origins → Edit)
- Copy that policy and paste it into your S3 bucket policy section
- This ensures that only CloudFront can read from your S3 bucket
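As an added example (not from the original post or from AWS tooling), this Python script checks that a bucket policy of the kind CloudFront suggests for OAC grants read access only to the CloudFront service principal and is pinned to one distribution through a StringEquals condition on AWS:SourceArn. The account ID, distribution ID and bucket name are constructed placeholders, and audit_bucket_policy is a hypothetical helper.

```python
import json

# Constructed sample values (placeholders, not from the original post).
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"

OAC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipal",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::myapp-site-bucket/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
})

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, expected_dist_arn):
    """Return findings for Allow statements that let anyone but the given
    CloudFront distribution read the bucket. An empty list means clean."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal")
            continue
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"]:
            findings.append(f"{sid}: principal is not the CloudFront service")
            continue
        # Condition keys are case-insensitive, so compare them lowercased.
        cond = {k.lower(): v for k, v in
                stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if as_list(cond.get("aws:sourcearn", [])) != [expected_dist_arn]:
            findings.append(f"{sid}: not pinned to the expected distribution")
    return findings

if __name__ == "__main__":
    print(audit_bucket_policy(OAC_POLICY, DIST_ARN) or "only CloudFront can read")
```

A CloudFront statement without the AWS:SourceArn condition is reported because it would let any CloudFront distribution, in any account, read the bucket.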
Step 4: Update Route 53 DNS
- Go to your Hosted Zone (example: myapp.com)
- Create a Record:
  - Name → myapp.com
  - Type → A (Alias)
  - Alias → Yes
  - Target → Select your CloudFront distribution
- (Optional) Create another record for www.myapp.com → CloudFront
Step 5: Test Setup
- Wait 5–15 minutes for CloudFront distribution to deploy
- Open: https://myapp.com
- Flow is now: Browser → Route 53 → CloudFront → S3 (private)
Conclusion
With this setup, you get secure, production-ready website hosting on AWS:
- Private S3 bucket (no public exposure)
- CloudFront with HTTPS + caching
- Custom domain via Route 53
- Free SSL from ACM
This is the recommended AWS architecture for static site hosting in production.