Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.
#networking#cost#dns
LabCrumbtrail, a one-person sourdough blog whose owner just got a $312 surprise bill from a "serverless" host that quietly autoscaled a recipe nobody read.all labs
02 - Actions
score -- - -- votes
-- completed
Sign in with a real account to save ratings, completions, and share snapshots.
Stateloading
03 - Scenario
Crumbtrail, a one-person sourdough blog whose owner just got a $312 surprise bill from a "serverless" host that quietly autoscaled a recipe nobody read.
Move the static site to an S3 bucket fronted by CloudFront with HTTPS, so it costs cents a month, survives a front-page hug of death, and never exposes the bucket directly to the internet.
Constraints
Bucket must NOT be public — CloudFront is the only thing allowed to read it
HTTPS only, with a valid certificate — no 'not secure' warning in the bar
Everything as Terraform, applies from a clean clone in one go
Steady-state cost under $1/month at blog-sized traffic
ScenarioAWS - beginner
05 - Steps
STEP_01
Create the private origin bucket
Make an S3 bucket for the site's files with all public access blocked. Upload your index.html (or let the template's objects sync). The bucket stays private the whole way through — CloudFront will be the only reader.
Request an ACM certificate for your domain. CloudFront only reads certs from us-east-1, so declare a provider alias pinned there even if the rest of your stack lives elsewhere. Validate it with DNS.
Hint: The classic footgun: the cert is in your default region and CloudFront silently refuses it. Pin an aliased provider to us-east-1 for the cert only.
Create a CloudFront distribution with an Origin Access Control pointing at the bucket, attach the ACM cert, and redirect HTTP to HTTPS. This is the piece that makes the bucket private-but-reachable.
Add a Route 53 alias record for your domain pointing at the CloudFront distribution, then load the site over HTTPS and confirm the bucket URL itself returns Access Denied.