{"id":30807,"date":"2026-02-17T15:39:39","date_gmt":"2026-02-17T10:09:39","guid":{"rendered":"https:\/\/opstree.com\/blog\/?p=30807"},"modified":"2026-02-17T15:44:35","modified_gmt":"2026-02-17T10:14:35","slug":"secure-website-hosting-aws-s3-cloudfront-oac","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2026\/02\/17\/secure-website-hosting-aws-s3-cloudfront-oac\/","title":{"rendered":"Secure, Serverless And Private: Hosting Static Sites with AWS S3 And CloudFront OAC"},"content":{"rendered":"

Modern platforms demand architectures that are not only fast and scalable but also impossible<\/em> to attack at the storage layer. A static website might seem simple, but hosting it securely on AWS\u2014without exposing S3 to the public internet<\/strong>\u2014requires careful design.<\/p>\n

As part of my DevOps journey, I was given a straightforward but strict objective:<\/p>\n

Host a static site that loads globally fast, while keeping the S3 bucket 100% private. No public access. No website hosting mode. No shortcuts.<\/p><\/blockquote>\n

This blog covers the Proof of Concept (PoC) I executed using Amazon S3<\/strong><\/a>, CloudFront<\/strong>, and the modern Origin Access Control (OAC), <\/strong>the secure successor to the legacy Origin Access Identity (OAI).<\/p>\n

<\/p>\n

\n

Table of Contents<\/h2>\n
    \n
  1. Goal: A Secure, Serverless, Zero-Exposure Architecture
    \n<\/a><\/li>\n
  2. Architecture Overview
    \n<\/a><\/li>\n
  3. Phase 1 – Private Storage Setup (S3)
    \n<\/a><\/li>\n
  4. Phase 2 – CDN Setup Using CloudFront (New Wizard Flow)
    \n<\/a><\/li>\n
  5. Phase 3 – The Security Handshake (Bucket Policy)
    \n<\/a><\/li>\n
  6. Phase 4 – Verification (Trust, but Verify)
    \n<\/a><\/li>\n
  7. Final Outcome<\/a><\/li>\n<\/ol>\n<\/div>\n

    <\/p>\n

    Goal: A Secure, Serverless, Zero-Exposure Architecture<\/h2>\n

    The architecture needed to satisfy three non-negotiable conditions:<\/p>\n

      \n
    1. The S3 bucket must block all public access<\/strong><\/li>\n
    2. CloudFront must serve the content securely over HTTPS<\/strong><\/li>\n
    3. Only CloudFront<\/a> should be able to read from S3<\/strong>, enforced by cryptographic OAC signing<\/li>\n<\/ol>\n

      In short: Global speed on the front, private storage at the back.<\/strong><\/p>\n

      \n

      Designing secure, zero-exposure architectures like this is often easier and faster when working with a certified AWS Partner<\/a> who understands compliance, scalability, and modern cloud best practices.<\/strong><\/p>\n<\/div>\n

      Architecture Overview<\/h2>\n

      Below is the exact flow the PoC implements:\"\"<\/p>\n

      \n\n\n\n\n\n\n\n
      Component<\/th>\nPurpose<\/th>\nSecurity Mechanism<\/th>\n<\/tr>\n<\/thead>\n
      S3 Bucket<\/td>\nStores static files<\/td>\nBlock Public Access + Restrictive Bucket Policy<\/td>\n<\/tr>\n
      CloudFront CDN<\/td>\nServes users globally<\/td>\nHTTPS enforced<\/td>\n<\/tr>\n
      Origin Access Control (OAC)<\/td>\nAuthenticates CloudFront \u2192 S3<\/td>\nCryptographic signing + SourceArn restriction<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

      The key upgrade here is OAC<\/span>, which AWS now recommends over the older OAI method because it works across all S3 regions and supports full SSE-KMS compatibility.<\/p>\n

      Phase 1 – Private Storage Setup (S3)<\/h2>\n

      Challenge<\/h3>\n

      Static website hosting mode requires public read access\u2014even if you don\u2019t want it.<\/p>\n

      Solution<\/h3>\n

      I created an S3 bucket (example: s3-cdn-ninja-bucket<\/code>) with:<\/p>\n