Scenario Patterns

Architecture Diagrams

Common AWS architecture patterns with anatomy breakdowns, exam traps, and official docs. Study the why behind each component — not just the diagram.

D3 · High-Perf

S3 + CloudFront Static Website

Secure global delivery of static content via CDN with private S3 origin

Request flow (diagram):
  • User Browser → HTTP/HTTPS request
  • Route 53 (optional) → ALIAS record pointing to the CloudFront domain
  • CloudFront → Edge PoP · Cache · HTTPS · OAC
  • ACM Certificate (optional) → SSL/TLS · must be in us-east-1
  • S3 Bucket → Private · Block Public Access ON

Host static assets (HTML, CSS, JS, images) in a private S3 bucket. CloudFront acts as the CDN — caching content at 400+ edge locations globally, enforcing HTTPS, and being the ONLY entry point to the bucket via OAC. S3 Block Public Access stays ON; users never hit S3 directly.

S3 Bucket: Origin — stores all static files
  • Block Public Access = ON (bucket stays private)
  • Use the S3 REST API endpoint as the origin — NOT the S3 website endpoint
  • Website endpoint → CloudFront treats it as a Custom Origin, and OAC is NOT supported on it
  • SSE-KMS encrypted bucket → MUST use CloudFront + OAC (SSE-KMS blocks anonymous access)
  • Object Ownership must be "Bucket owner enforced" when using OAC
Origin Access Control (OAC): Grants CloudFront permission to read from the private S3 bucket
  • Replaces legacy OAI (Origin Access Identity) — AWS recommends OAC for all new distributions
  • OAC adds a signed SigV4 request header so S3 knows the request comes from your CF distribution
  • Bucket policy: Principal = cloudfront.amazonaws.com + Condition on AWS:SourceArn = your distribution ARN
  • OAC supports all AWS regions (including opt-in regions after Dec 2022)
  • OAC supports SSE-KMS encryption — OAI does NOT
  • OAC supports dynamic requests (PUT, DELETE) — OAI does NOT
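The bucket policy described above (service principal cloudfront.amazonaws.com scoped by AWS:SourceArn) is the control that makes CloudFront the only entry point, so it is worth generating and auditing it mechanically. This is an added example, not code from the original page or from AWS; the bucket name, account id and distribution id are constructed placeholders, and the audit function is a hypothetical helper that flags the public-read and legacy-OAI shapes a reviewer would reject.

```python
CF_SERVICE = "cloudfront.amazonaws.com"
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"


def build_oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Least-privilege origin policy: only the named distribution (authenticated by the
    SigV4 signature OAC adds) may s3:GetObject; nothing else is granted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CF_SERVICE},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def audit_bucket_policy(policy: dict) -> list:
    """Flag Allow statements that defeat the 'CloudFront is the only entry point' goal.
    Returns a list of findings; an empty list means every grant is OAC-scoped."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, objects readable without CloudFront")
        elif isinstance(principal, dict) and str(principal.get("AWS", "")).startswith(OAI_PREFIX):
            findings.append(f"{sid}: legacy OAI principal (no SSE-KMS support), migrate to OAC")
        elif isinstance(principal, dict) and principal.get("Service") == CF_SERVICE:
            if not st.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn"):
                findings.append(f"{sid}: CloudFront service principal without AWS:SourceArn, "
                                "any distribution in any account could read this bucket")
    return findings


# Constructed 'before' policy: the classic public static-website grant.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-site-bucket/*"}],
}

if __name__ == "__main__":
    # Constructed placeholder ARN; substitute your own distribution's ARN.
    arn = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
    print(build_oac_bucket_policy("my-site-bucket", arn))
    print(audit_bucket_policy(PUBLIC_READ_POLICY))   # one 'public principal' finding
    print(audit_bucket_policy(build_oac_bucket_policy("my-site-bucket", arn)))  # []
```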
CloudFront Distribution: CDN — caches and serves content globally from 400+ edge PoPs
  • Viewer Protocol Policy: "Redirect HTTP to HTTPS" (recommended) or "HTTPS Only"
  • Default TTL: 86,400s (24h) · Min TTL: 0 · Max TTL: 31,536,000s (1 year)
  • Cache Invalidation: /path or /* to clear cache — first 1,000 paths/month free, then $0.005/path
  • Geo Restriction: allowlist (only these countries) or blocklist (block these countries)
  • Signed URLs: restrict access to individual files with expiry time
  • Signed Cookies: restrict access to multiple files (good for premium/subscription users)
  • Response headers policy: add security headers (HSTS, X-Frame-Options, CSP, etc.)
ACM Certificate: Provides SSL/TLS for HTTPS on a custom domain
  • MUST be provisioned in us-east-1 (N. Virginia) — this is a hard requirement for CloudFront
  • Works with any AWS region for the actual distribution
  • Supports wildcard certificates (*.example.com)
  • Free for use with AWS services (no charge for ACM-issued certs)
Route 53: DNS — routes the custom domain to CloudFront
  • Use ALIAS record (not CNAME) pointing to the CloudFront domain (xxx.cloudfront.net)
  • ALIAS is free and works at zone apex (e.g., example.com, not just www.example.com)
  • CNAME cannot be used at zone apex — use ALIAS instead