Securing a Statically Hosted Website on AWS

Securing a statically hosted website on AWS (like one served through Amazon S3 + CloudFront) involves several layers of security controls. Here's a comprehensive breakdown and guide:

Common Stack:

S3 for static file hosting
CloudFront as CDN (optional but recommended)
Route 53 for DNS (optional)
ACM (AWS Certificate Manager) for HTTPS

1. S3 Bucket Security Controls

Enable Bucket Policy Restriction

Go to S3 > [Your Bucket] > Permissions > Block Public Access
Enable:
- Block public ACLs
- Block public bucket policies
- Block new public ACLs and policies

Use Bucket Policy to Allow Only CloudFront Access

{
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::YOUR-AWS-ACCOUNT-ID:distribution/DISTRIBUTION-ID"
        }
      }
    }
  ]
}

Or use Origin Access Control (OAC) with CloudFront for secure access.

2. HTTPS (TLS) with CloudFront + ACM

Request a certificate in ACM (us-east-1)
Attach the cert to your CloudFront distribution
Force HTTPS by setting Viewer Protocol Policy to "Redirect HTTP to HTTPS"

3. HTTP Security Headers

These can’t be set directly in S3, so use CloudFront Function or Lambda@Edge to inject them:

function handler(event) {
  var response = event.response;
  var headers = response.headers;

  headers['strict-transport-security'] = { value: 'max-age=63072000; includeSubDomains; preload' };
  headers['content-security-policy'] = { value: "default-src 'self';" };
  headers['x-content-type-options'] = { value: 'nosniff' };
  headers['x-frame-options'] = { value: 'DENY' };
  headers['x-xss-protection'] = { value: '1; mode=block' };
  headers['referrer-policy'] = { value: 'no-referrer' };

  return response;
}

4. CloudFront Controls

Enable Shield Standard (automatically included—helps against DDoS)
Enable WAF (Optional, Extra Layer)
- Use AWS WAF with CloudFront to block IPs, bad bots, common attack patterns (e.g., SQLi, XSS).

5. Logging and Monitoring

S3 Access Logs: Enable logging to a dedicated S3 bucket
CloudFront Logs: Enable access logging to S3 and analyze via Athena or QuickSight
AWS CloudTrail: Track API calls across AWS accounts

6. Deployment Practices

Use CI/CD (e.g., GitHub Actions, CodePipeline) to automate deployments securely
Ensure objects are uploaded with proper MIME types (e.g., text/html, application/javascript)

7. Cache Invalidation

Secure cache invalidation with:

aws cloudfront create-invalidation --distribution-id DIST_ID --paths "/*"

Summary Checklist ✅

Control	Applied?
S3 public access blocked	✅
HTTPS enforced via CloudFront	✅
ACM TLS cert configured	✅
HTTP security headers via Lambda@Edge	✅
CloudFront WAF rules (optional)	✅/🔲
Access logs on S3 and CloudFront	✅
CI/CD secure deployment pipeline	✅/🔲
CloudTrail enabled	✅

Implementation can vary..