Static site on a global CDN

The simplest production-grade architecture: a static site (SPA, docs, marketing) served from S3, fronted by CloudFront for global caching and TLS, with a custom domain on Route 53.

  1. Add an S3 bucket — this is your origin. Keep it private; CloudFront reads it via an origin access identity, so the bucket is never public.
  2. Add a CloudFront distribution and wire the S3 bucket to its origin socket.
  3. Add an ACM certificate and wire it to CloudFront’s certificate socket (ACM for CloudFront must live in us-east-1 — Flowright flags this for you).
  4. Add a Route 53 record and point it at the CloudFront distribution.
  5. Connect the canonical Internet entrypoint to CloudFront so the simulator and diagram show ingress.

```hcl
resource "aws_s3_bucket" "site" {
  bucket = "my-site-origin"
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled             = true
  default_root_object = "index.html"

  origin {
    domain_name              = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id                = "s3-site"
    origin_access_control_id = aws_cloudfront_origin_access_control.site.id
  }

  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.site.arn
    ssl_support_method  = "sni-only"
  }
}
```

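
Step 1 requires a private bucket, and the snippet above references `aws_cloudfront_origin_access_control.site` without defining it. The following is an added example, not Flowright output, of the resources that enforce this: it reuses the `site` and `cdn` resource names from the snippet, and the OAC name and statement `sid` are assumed values.

```hcl
# Added example: lock the origin bucket to one CloudFront distribution.

# Refuse every form of public access, regardless of later ACL or policy edits.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The access control the distribution's origin block points at.
# CloudFront signs each origin request with SigV4.
resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "s3-site-oac" # assumed name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Read-only access for the CloudFront service principal, scoped to this
# distribution's ARN so other distributions (in any account) are rejected.
data "aws_iam_policy_document" "site" {
  statement {
    sid       = "AllowCloudFrontRead" # assumed sid
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.cdn.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket     = aws_s3_bucket.site.id
  policy     = data.aws_iam_policy_document.site.json
  depends_on = [aws_s3_bucket_public_access_block.site]
}
```

With this in place, a direct request to the bucket's S3 endpoint returns `AccessDenied`; only requests arriving through the distribution succeed.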
  • Add a WAF in front of CloudFront for rate limiting.
  • Browse every resource’s settings and sockets in the node reference.