Architecture Overview

How users reach your static site securely and quickly via AWS S3 + CloudFront with OAC

Deployment Architecture

Components shown in the deployment diagram:

  • Users worldwide (browser)
  • Amazon CloudFront (CDN, 300+ edge locations, HTTPS, caching): caches content globally, reduces latency, enforces HTTPS, and signs requests to S3
  • Amazon S3 bucket (private; holds the static files from the Next.js export, index.html, and the OAC policy): only CloudFront can access the files, so there is no public-bucket risk
  • Route 53 (DNS + custom domain): points your domain (e.g. gemechis.dev) to CloudFront
  • ACM (free HTTPS cert): AWS Certificate Manager issues a free SSL/TLS certificate for HTTPS

Why S3 + CloudFront?

  • Secure: OAC keeps the S3 bucket private, so there is no publicly readable bucket to misconfigure or expose
  • Fast: Global edge caching reduces latency (e.g. Addis Ababa → edge in milliseconds)
  • Scalable & Cheap: Auto-scales, no server management, low cost

OAC Security Mechanism

Origin Access Control (OAC) lets CloudFront sign its requests to a private S3 bucket, so the bucket policy can grant read access to that distribution alone.

  • Without OAC: the bucket must be publicly readable for CloudFront to serve it, so anyone can bypass CloudFront and read objects directly from S3
  • With OAC: the bucket stays private and only accepts signed requests from your specific CloudFront distribution
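As an added example (not part of the original page), here is a small policy check a defender can run over an S3 bucket policy to confirm the two properties above: no wildcard principal (the public-bucket pattern), and every CloudFront grant pinned to one distribution through the aws:SourceArn condition. The bucket name, account id and distribution id are constructed placeholders.

```python
import json

# Constructed samples; bucket name, account id and distribution id are placeholders.
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"

# What an OAC-restricted bucket policy looks like: only the CloudFront service
# principal may read, and only when the request comes from this distribution.
OAC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
}]})

# The pre-OAC "public read" pattern: anyone can fetch objects without CloudFront.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*",
}]})

def _principals(stmt):
    """Flatten Principal ("*", {"AWS": "*"}, {"Service": [...]}) to a list."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    return [x for v in p.values() for x in (v if isinstance(v, list) else [v])]

def policy_findings(policy_json, expected_dist_arn):
    """List problems in a bucket policy meant to admit only one distribution:
    wildcard principals, and CloudFront grants not pinned via aws:SourceArn."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principals = stmt.get("Sid", "<no Sid>"), _principals(stmt)
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal makes the bucket public")
        if "cloudfront.amazonaws.com" in principals:
            # IAM condition keys are case-insensitive, so compare lowercased.
            cond = {k.lower(): v for k, v in
                    stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if cond.get("aws:sourcearn") != expected_dist_arn:
                findings.append(f"{sid}: CloudFront grant not pinned to "
                                f"{expected_dist_arn} via aws:SourceArn")
    return findings
```

Run it against the policy returned by `aws s3api get-bucket-policy` for the site bucket; an empty findings list means the bucket matches the OAC pattern described above.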