SHART.CLOUD | DESKTOP | LABROULETTE | AWS-STATIC-SITE-CDN.YAML
01 - Labroulette - Ship a Static Site on S3 + CloudFront for Pennies
| shart.cloud / labroulette / aws-static-site-cdn |
AWS *OO ~45 min $0-2 reviewed 6/29/2026

Ship a Static Site on S3 + CloudFront for Pennies

Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.

#networking#cost#dns
Lab Crumbtrail, a one-person sourdough blog whose owner just got a $312 surprise bill from a "serverless" host that quietly autoscaled a recipe nobody read. all labs
02 - Actions
score -- - -- votes
-- completed
State loading
03 - Scenario

Crumbtrail, a one-person sourdough blog whose owner just got a $312 surprise bill from a "serverless" host that quietly autoscaled a recipe nobody read.

Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.

Constraints

  • Bucket must NOT be public — CloudFront is the only thing allowed to read it
  • HTTPS only, with a valid certificate — no 'not secure' warning in the bar
  • Everything as Terraform, applies from a clean clone in one go
  • Steady-state cost under $1/month at blog-sized traffic
Scenario AWS - beginner
05 - Steps
  1. STEP_01

    Create the private origin bucket

    Make an S3 bucket for the site's files with all public access blocked. Upload your index.html (or let the template's objects sync). The bucket stays private the whole way through — CloudFront will be the only reader.

    Terraform docs

  2. STEP_02

    Get a certificate in us-east-1

    Request an ACM certificate for your domain. CloudFront only reads certs from us-east-1, so declare a provider alias pinned there even if the rest of your stack lives elsewhere. Validate it with DNS.

    Hint: The classic footgun: the cert is in your default region and CloudFront silently refuses it. Pin an aliased provider to us-east-1 for the cert only.

    Terraform docs

  3. STEP_04

    Point DNS at the distribution

    Add a Route 53 alias record for your domain pointing at the CloudFront distribution, then load the site over HTTPS and confirm the bucket URL itself returns Access Denied.

    Terraform docs

Steps 4 tasks
06 - Deliverables
  • A Terraform module that stands up the bucket, cert, distribution, and DNS
  • The live HTTPS URL plus a screenshot of the raw bucket URL returning Access Denied
  • A one-line note on the monthly cost estimate at your expected traffic
Deliverables 3 required
07 - Rubric
Bucket has public access fully blocked and is readable only by CloudFront 35%
Distribution serves valid HTTPS with the ACM cert and redirects HTTP 35%
DNS alias resolves to the distribution and the site loads 30%
Rubric self-assessed