8.1 Objective

Add a custom HTTPS domain to the site and use the opportunity to close a security gap from Day 7-10: the S3 bucket was originally public-read, which is acceptable for learning but not production-grade. This phase moves to a private bucket served only through CloudFront.

8.2 Architecture Decision

Chose to do this fully rather than skip it: registered domain (qossim005.online, via Namecheap) delegated to Route 53, ACM certificate for HTTPS, CloudFront distribution with Origin Access Control (OAC) in front of a nowprivate S3 bucket. This also sets up Day 21-22 log monitoring, since CloudFront provides proper access logs that a bare S3 static website endpoint does not.

8.3 Cross-Account DNS Complication

The domain’s Route 53 hosted zone existed in a different AWS account (used for an earlier, separate project). Rather than moving infrastructure between accounts or duplicating the domain, used subdomain delegation:

8.4 ACM Certificate

8.5 CloudFront Distribution

8.6 Locking Down the Bucket