8.1 Objective
Add a custom HTTPS domain to the site and use the opportunity to close a security gap from Day 7-10: the S3 bucket was originally public-read, which is acceptable for learning but not production-grade. This phase moves to a private bucket served only through CloudFront.
8.2 Architecture Decision
Chose to do this fully rather than skip it: registered domain (qossim005.online, via Namecheap) delegated to Route 53, ACM certificate for HTTPS, CloudFront distribution with Origin Access Control (OAC) in front of a nowprivate S3 bucket. This also sets up Day 21-22 log monitoring, since CloudFront provides proper access logs that a bare S3 static website endpoint does not.
8.3 Cross-Account DNS Complication
The domain’s Route 53 hosted zone existed in a different AWS account (used for an earlier, separate project). Rather than moving infrastructure between accounts or duplicating the domain, used subdomain delegation:
- Created a new, separate hosted zone in this project’s AWS account for cicd-demo.qossim005.online specifically
- Added a single one-time NS record in the other account’s qossim005.online hosted zone, delegating authority for the cicd-demo subdomain to this account’s new hosted zone
- From that point on, this account has full independent control over everything under cicddemo.qossim005.online - no further cross-account steps needed
Note: This is a clean pattern worth reusing: subdomain delegation lets one AWS account own DNS for a piece of a domain without needing access to the parent zone’s account at all beyond the single delegating NS record.
8.4 ACM Certificate
- Requested in us-east-1 (N. Virginia) - required for CloudFront regardless of the bucket’s actual region
- Domain: cicd-demo.qossim005.online
- DNS validation, using the “Create records in Route 53” one-click option - worked directly since the hosted zone was now in the same account as the certificate
8.5 CloudFront Distribution
- Origin: S3 bucket (REST API endpoint, not the website endpoint - required for Origin Access Control)
- Origin access: Origin Access Control (OAC), newly created
- Security: no WAF - unnecessary cost/complexity for a small static project
- Alternate domain name (CNAME): cicd-demo.qossim005.online, attached after cert issued
- Default root object: index.html
8.6 Locking Down the Bucket