Deploy Static Website on AWS
Published: 2026
This project demonstrates the deployment of a fully static website using AWS cloud services. The architecture leverages S3, CloudFront, Route 53, and ACM.
The goal of this setup was to achieve a secure, scalable, and highly available static website with low latency access from anywhere in the world.
Architecture Diagram
```mermaid
graph TD
    User[User Browser]
    subgraph Edge_Layer
        DNS[Route 53 DNS]
        CF[CloudFront CDN]
    end
    subgraph Security_Layer
        ACM[SSL Certificate ACM]
    end
    subgraph Storage_Layer
        S3[S3 Static Website Bucket]
        Files[HTML / CSS / JS Files]
    end
    User --> DNS
    DNS --> CF
    CF --> ACM
    CF --> S3
    S3 --> Files
```
Technical Implementation Guide
Follow these steps to reproduce this edge-optimized hosting environment:
1. Initialize Origin Storage (S3)
Create an S3 bucket and block all public access; it acts as the private origin for the distribution. Creating the bucket does not by itself block public access, so apply the public access block explicitly. Outside us-east-1 the create call also needs a LocationConstraint.
AWS CLI:
```bash
aws s3api create-bucket --bucket my-secure-web-bucket --region us-east-1
aws s3api put-public-access-block --bucket my-secure-web-bucket \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
```
2. Establish Identity (ACM)
Request a public SSL/TLS certificate in ACM and validate it (DNS validation adds a CNAME record to the hosted zone). Important: the certificate must be requested in the us-east-1 region, because CloudFront only attaches certificates held in that region.
3. Configure CloudFront with OAC
Deploy the distribution. Instead of the legacy Origin Access Identity (OAI), use Origin Access Control (OAC): requests to the origin are signed with SigV4, which also allows the bucket to use SSE-KMS encryption.
Terraform Snippet:
```hcl
resource "aws_cloudfront_origin_access_control" "default" {
  name                              = "s3-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  enabled             = true
  default_root_object = "index.html"
  # default_cache_behavior, restrictions and viewer_certificate (the ACM cert) are also required; omitted here
  origin {
    domain_name              = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id                = "s3-origin"
    origin_access_control_id = aws_cloudfront_origin_access_control.default.id
  }
}
```
4. Update DNS Records (Route 53)
Map your custom domain to the CloudFront distribution using a Route 53 alias A record (and an alias AAAA record if IPv6 is enabled on the distribution). Alias records can sit at the zone apex, which a standard CNAME cannot.
5. Handshake Permissions
Apply an S3 bucket policy that allows the cloudfront.amazonaws.com service principal to call s3:GetObject on the bucket's objects, with a StringEquals condition on AWS:SourceArn set to the distribution's ARN. This closes the link between CDN and storage: the bucket stays blocked from the public, and only the named distribution can read from it.
6. Cache Management
Execute a manual invalidation after the initial deployment so the edge locations serve the latest build rather than previously cached objects. A wildcard path such as "/*" counts as a single path against the 1,000 free invalidation paths per month, but it also evicts every object; in a CI/CD pipeline, prefer invalidating only the paths that actually changed.
AWS CLI:
```bash
aws cloudfront create-invalidation --distribution-id YOUR_ID --paths "/*"
```
Architectural Challenges
- Regional Constraints: Certificates must reside in us-east-1 for CloudFront distributions, regardless of where your other resources sit.
- Consistency vs. Performance: High TTLs improve cache hit ratios but require explicit invalidation logic during CI/CD cycles.
- OAC Policy Logic: The S3 bucket policy must specifically reference the distribution ARN, because every CloudFront distribution in every account uses the same cloudfront.amazonaws.com service principal; without the condition, any distribution pointed at the bucket could read from it.
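Steps 1, 5 and 6 above, together with the last two challenges, as one added worked example (not code from the original write-up): a POSIX shell script that renders the OAC bucket policy with the AWS:SourceArn condition, assigns a Cache-Control header per object so that content-hashed assets get a one-year immutable TTL while HTML is revalidated on every request, and narrows the invalidation to the non-hashed paths instead of "/*". This goes slightly beyond the page, which invalidates everything. The bucket name, account ID, distribution ID and the assets/ and static/ prefixes are placeholders chosen for the example; the apply function, which calls the AWS CLI, only runs when the script is invoked with the argument apply.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up. All identifiers are placeholders.
set -eu

# Render the S3 bucket policy that lets only *this* CloudFront distribution read
# objects via OAC. The AWS:SourceArn condition is what stops a distribution in
# another account, which uses the same service principal, from reading the bucket.
render_bucket_policy() {
  local bucket="$1" account_id="$2" distribution_id="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": { "Service": "cloudfront.amazonaws.com" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::${bucket}/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::${account_id}:distribution/${distribution_id}"
      }
    }
  }]
}
EOF
}

# Choose a Cache-Control header per object path. Content-hashed assets (assumed to
# live under assets/ or static/) are safe to cache for a year and mark immutable;
# HTML entry points must be revalidated so a new deploy is visible immediately.
cache_control_for() {
  case "$1" in
    *.html)            echo "public, max-age=0, must-revalidate" ;;
    assets/*|static/*) echo "public, max-age=31536000, immutable" ;;
    *)                 echo "public, max-age=86400" ;;
  esac
}

# Given the files in a build (one relative path per line on stdin), print the
# CloudFront paths worth invalidating. Hashed assets are skipped: a changed
# asset gets a new key and therefore a new URL, so nothing stale is cached.
invalidation_paths() {
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    case "$(cache_control_for "$f")" in
      *immutable*) ;;                 # new hash, new URL: no invalidation needed
      *) echo "/${f}" ;;
    esac
  done
}

# Wire the pieces together against real AWS resources (only when asked to).
apply() {
  local bucket="$1" account_id="$2" distribution_id="$3" dist_dir="$4"
  aws s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(render_bucket_policy "$bucket" "$account_id" "$distribution_id")"

  # Upload each object with its own Cache-Control, then invalidate only the
  # revalidated paths rather than "/*".
  ( cd "$dist_dir" && find . -type f | sed 's|^\./||' ) | while IFS= read -r f; do
    aws s3 cp "${dist_dir}/${f}" "s3://${bucket}/${f}" \
      --cache-control "$(cache_control_for "$f")"
  done
  local paths
  paths=$( ( cd "$dist_dir" && find . -type f | sed 's|^\./||' ) | invalidation_paths )
  [ -z "$paths" ] || aws cloudfront create-invalidation \
    --distribution-id "$distribution_id" --paths $paths
}

if [ "${1:-}" = "apply" ]; then
  shift
  apply "$@"   # usage: ./deploy.sh apply BUCKET ACCOUNT_ID DISTRIBUTION_ID ./dist
fi
```

The policy deliberately grants a single action (s3:GetObject) on the object ARN only; listing the bucket is not needed for a static site, and a missing object should surface as a CloudFront 403/404 handled by an error page rather than a bucket listing.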
Engagement
@Arch_Reviewer: Clean implementation of OAC. Have you considered Lambda@Edge for security headers?