Hosting a Secure Static Website with S3 and CloudFront: Part III
In this three-part series, I will present a solution for creating a private, secure, static website using Amazon S3 and CloudFront.
Introduction
Amazon S3 and CloudFront are powerful tools for hosting static websites, but configuring them securely can be surprisingly confusing, even for experienced AWS users. After implementing this setup for my own use, I discovered a few nuances that others often stumble over, particularly around CloudFront access and traffic routing from VPC environments. This post aims to clarify these points and highlight a potential gap in AWS’s offering.
The Secure S3 + CloudFront Website Setup
The typical secure setup for hosting a static website using S3 and CloudFront looks like this:
- S3 Bucket: Store your website assets. Crucially, this bucket should not be publicly accessible.
- CloudFront Distribution: Distribute your website content, with HTTPS enabled and custom domain support via ACM.
- Origin Access Control (OAC): Grant CloudFront permission to read from your private S3 bucket.
- S3 Bucket Policy: Configure it to allow access only from the CloudFront distribution (via OAC).
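The bucket policy in the last item is where this setup most often goes wrong, so here is an added example (not code from the original post) that audits a policy document for the OAC-only pattern: the CloudFront service principal, read-only, pinned to one distribution with `AWS:SourceArn`. The bucket name, account ID, distribution ID and the function name `audit_oac_policy` are constructed for illustration.

```python
# Added example: audit an S3 bucket policy for the OAC-only pattern.
# Bucket name, account ID and distribution ID are constructed placeholders.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
OAC_STATEMENT = {
    "Sid": "AllowCloudFrontOAC",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-static-site/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [OAC_STATEMENT]}
# Same statement without the Condition: the grant is no longer tied to one distribution.
NO_CONDITION = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in OAC_STATEMENT.items() if k != "Condition"}]}
# Leftover public-read statement of the kind used for direct S3 website hosting.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [OAC_STATEMENT, {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_oac_policy(policy, dist_arn):
    """Return findings for Allow statements not pinned to one CloudFront distribution."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"]:
            findings.append(f"{sid}: principal {principal!r} is not the CloudFront service")
            continue
        # IAM condition key names are case-insensitive.
        pinned = [arn for op in ("StringEquals", "ArnEquals")
                  for key, val in stmt.get("Condition", {}).get(op, {}).items()
                  if key.lower() == "aws:sourcearn" for arn in as_list(val)]
        if pinned != [dist_arn]:
            findings.append(f"{sid}: AWS:SourceArn is not pinned to {dist_arn}")
        if as_list(stmt.get("Action", [])) != ["s3:GetObject"]:
            findings.append(f"{sid}: action is not exactly s3:GetObject")
    return findings

if __name__ == "__main__":
    for name, pol in [("good", GOOD_POLICY), ("no-condition", NO_CONDITION), ("public", PUBLIC_READ)]:
        print(name, audit_oac_policy(pol, DIST_ARN) or "OK")
```

To audit a live bucket, pass in the parsed JSON returned by `aws s3api get-bucket-policy` together with your distribution's ARN.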