AWS S3 + CloudFront + Route53 Complete Production Environment Deployment Guide

๐Ÿ“… 2026-01-31

โœ…Part One: Prerequisites Preparation

Preparation Checklist

  • AWS Account (with payment method activated)
  • Your own domain name (e.g.: example.com)
  • Website files ready (HTML/CSS/JS)
  • Browser open to AWS Console (console.aws.amazon.com)

Key Concepts Understanding

  • S3 Bucket: Container for storing website files
  • CloudFront: Global CDN, accelerates content distribution
  • Route53: DNS resolution service, associates domains
  • ACM: Free SSL/TLS certificate service
  • OAC: Origin Access Control, ensures only CloudFront can access S3

๐Ÿ’พPart Two: S3 Bucket Creation and Configuration

1Create an S3 Bucket

Path: AWS Console Home โ†’ S3 โ†’ Buckets โ†’ Create Bucket

Detailed Steps

  1. Sign in to AWS Console
  2. In the top search box, type S3 โ†’ Click to enter S3 service
  3. In the left sidebar, click "Buckets"
  4. Click the "Create bucket" button (blue)

Fill Out the Form

โ”Œโ”€ Bucket name โ”‚ Enter: example-com-website โ”‚ โœ“ Globally unique โ”‚ โœ“ Lowercase letters, numbers, hyphens only โ”‚ โœ“ Cannot start with "xn--" โ”‚ โ”œโ”€ Region โ”‚ Select: us-east-1 (or the region closest to you) โ”‚ ๐Ÿ’ก Recommended to use us-east-1 to reduce CloudFront costs โ”‚ โ”œโ”€ Object Ownership โ”‚ Select: ACL disabled โ”‚ โ”œโ”€ Block Public Access settings โ”‚ โœ“ Keep all checked (will control access via CloudFront later) โ”‚ โ”œโ”€ Versioning โ”‚ โ—‹ Disabled (optional, recommended to disable to reduce costs) โ”‚ โ”œโ”€ Server-side encryption โ”‚ โ—‹ Use Amazon S3 managed key (SSE-S3) โ”‚ โ””โ”€ Create button Click "Create bucket"
โœ… Success Indicator: New bucket appears in bucket list with status โœ“

2Enable Static Website Hosting

Path: S3 Bucket โ†’ Properties โ†’ Edit Static Website Hosting

Detailed Steps

  1. Click on the bucket name you just created (example-com-website)
  2. Click the "Properties" tab (fifth from the right)
  3. Scroll down to find the "Static Website Hosting" section
  4. Click the "Edit" button

Configuration Items

โ”Œโ”€ Static Website Hosting โ”‚ โ—‹ Enable โ† You must select this option โ”‚ โ”œโ”€ Hosting type โ”‚ โ—‹ Host a website โ† Select this option (do not select redirect requests) โ”‚ โ”œโ”€ Index document โ”‚ Enter: index.html โ”‚ Description: File returned when user accesses / โ”‚ โ”œโ”€ Error document โ”‚ Enter: error.html โ”‚ Description: File returned when 404/403 errors occur โ”‚ โ””โ”€ Save changes โ†’ Click "Save" button
โœ… Verify Success:
  • Page displays "โœ“ Update Completed"
  • Under "Static Website Hosting" displays "Enabled"
  • You will see a website endpoint URL

3Upload Website Files

Path: S3 Bucket โ†’ Objects โ†’ Upload

File Structure Example

my-website/ โ”œโ”€โ”€ index.html โ† Required โ”œโ”€โ”€ error.html โ† Required โ”œโ”€โ”€ css/ โ”‚ โ””โ”€โ”€ style.css โ”œโ”€โ”€ js/ โ”‚ โ””โ”€โ”€ app.js โ”œโ”€โ”€ images/ โ”‚ โ””โ”€โ”€ logo.png โ””โ”€โ”€ about.html

Upload Methods

Method A: Drag and Drop
Drag the website folder into the upload area, supports recursive uploading of subfolders

Method B: Click to Select
Click "Add file" or "Add folder" and select files one by one
โœ… Verify Upload:
  • See upload progress reach 100%
  • After returning to bucket, see list of all files

๐Ÿ”Part Three: Create Origin Access Control (OAC)

4Create OAC

Path: CloudFront โ†’ Security โ†’ Origin Access

Detailed Steps

  1. In the top search box, type CloudFront โ†’ Enter CloudFront service
  2. In the left sidebar, expand the "Security" menu
  3. Click "Origin Access"
  4. Click the "Create Origin Access Control" button

Fill Out the Form

โ”Œโ”€ Origin Access Control Name โ”‚ Enter: s3-website-oac โ”‚ Description: For easy identification, customizable โ”‚ โ”œโ”€ Origin Type โ”‚ โœ“ S3 โ† You must select S3 โ”‚ โ”œโ”€ Description (optional) โ”‚ Enter: For example.com static website โ”‚ โ””โ”€ Create button Click "Create"
โœ… Success Indicator:
  • Newly created OAC appears on page
  • Copy the OAC ID shown (e.g.: E127EXAMPLE51Z)
โš ๏ธ Important Note: Remember the OAC ID, you will need it for subsequent configuration

โšกPart Four: Create CloudFront Distribution

5Create CloudFront Distribution

Path: CloudFront โ†’ Distributions โ†’ Create Distribution

Origin Configuration - Origin Section

โ”Œโ”€ Origin Domain โ”‚ Click input box โ†’ Select S3 bucket from dropdown โ”‚ Should display: example-com-website.s3.us-east-1.amazonaws.com โ”‚ โš ๏ธ Do not select s3-website endpoint, select standard S3 URL โ”‚ โ”œโ”€ Origin Access โ”‚ โ—‹ Origin Access Control Setting โ† Select this option โ”‚ โ”œโ”€ Origin Access Control โ”‚ Click dropdown โ†’ Select "s3-website-oac" created earlier โ”‚ โ””โ”€ Protocol when S3 is the Origin โ—‹ HTTPS Only โ† Recommended to select (more secure)

Default Cache Behavior Configuration

โ”Œโ”€ Viewer Protocol Policy โ”‚ โ—‹ Redirect HTTP to HTTPS โ† Select this option โ”‚ Description: Automatically redirects HTTP to HTTPS โ”‚ โ”œโ”€ Allowed HTTP Methods โ”‚ โœ“ GET, HEAD (keep default) โ”‚ โ”œโ”€ Cache Policy and Origin Request Policy โ”‚ Cache Policy: Click dropdown โ†’ Select "CachingOptimized" โ”‚ Origin Request Policy: Click dropdown โ†’ Select "S3Origin" โ”‚ โ””โ”€ Compress Objects โœ“ Enable โ† Can reduce data costs

Distribution Configuration

โ”Œโ”€ Enable This Distribution โ”‚ โœ“ Must be checked โ”‚ โ”œโ”€ Alternate Domain Names (CNAME) โ”‚ โš ๏ธ Do not fill in for now, configure later โ”‚ โ”œโ”€ Default Root Object โ”‚ Enter: index.html โ”‚ Description: File returned when / is accessed โ”‚ โ”œโ”€ IPv6 โ”‚ โœ“ Enable (already default) โ”‚ โ””โ”€ Create Distribution Click "Create Distribution" button
โณ Wait: Distribution deployment takes 5-10 minutes, status changes from "In Progress" to "Deployed"

6Copy CloudFront Domain Name

Path: CloudFront โ†’ Distributions โ†’ Distribution Details

  1. After distribution is created, click on the Distribution ID
  2. In the "Distribution Details" tab view the following information
  3. Copy the distribution domain name (d111111abcd.cloudfront.net)
Distribution Domain Name: d111111abcd.cloudfront.net โ†‘ Copy this item (for use later) Distribution ID: E1234ABCD

7Apply S3 Bucket Policy

Path: S3 โ†’ Bucket โ†’ Permissions โ†’ Bucket Policy

Operation Steps

  1. Return to S3 service
  2. Select your website bucket (example-com-website)
  3. Click the "Permissions" tab
  4. Scroll down to find "Bucket Policy" and click "Edit"
  5. Paste the following JSON into the edit box

Bucket Policy JSON (requires modification)

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCloudFrontOAC", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-com-website/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E1234ABCD" } } } ] }
โš ๏ธ Three Items You Must Modify:
  • example-com-website โ†’ Replace with your bucket name
  • 123456789012 โ†’ Replace with your AWS Account ID
  • E1234ABCD โ†’ Replace with your CloudFront Distribution ID
โœ… Complete: Click "Save Changes"

๐Ÿ”’Part Five: ACM Certificate Request

8Request SSL/TLS Certificate

Path: ACM (AWS Certificate Manager) โ†’ Certificates โ†’ Request Certificate

Important Note

โš ๏ธ Region is Very Important: Make sure the region is US East (N. Virginia), CloudFront only supports certificates from this region

Detailed Steps

  1. In the top search box, type Certificate Manager โ†’ Enter ACM service
  2. Make sure the region is US East (N. Virginia)
  3. Click the "Request Certificate" button

Fill Out the Form

โ”Œโ”€ Certificate Type โ”‚ โ—‹ Public Certificate โ† You must select this option โ”‚ โ”œโ”€ Add Domain Names โ”‚ Click "Add Domain Name" โ†’ Enter: example.com โ”‚ Click again โ†’ Enter: *.example.com โ”‚ โ”‚ Final Display: โ”‚ โœ“ example.com โ”‚ โœ“ *.example.com โ”‚ โ”œโ”€ Validation Method โ”‚ โ—‹ DNS Validation โ† Select this option (faster than Email) โ”‚ โ”œโ”€ Key Algorithm โ”‚ โ—‹ RSA 2048 (keep default) โ”‚ โ”œโ”€ Tags (optional) โ”‚ Enter: website-cert โ”‚ โ””โ”€ Request button Click "Request"

Subsequent DNS Validation

After requesting, the page will prompt you to validate the domain:

Steps:
  1. In the "Domain Validation" section you will see validation records
  2. Click the "Create Route53 Record" button
  3. AWS will automatically add a CNAME record in Route53
  4. Wait 5-30 minutes, status will change to "Issued"
โœ… Complete: Certificate status will change to "Issued"

๐ŸŒPart Six: Route53 DNS Configuration

9Create Route53 Hosted Zone

Path: Route53 โ†’ Hosted Zones โ†’ Create Hosted Zone

Detailed Steps

  1. In the top search box, type Route53 โ†’ Enter Route53 service
  2. In the left sidebar, click "Hosted Zones"
  3. Click the "Create Hosted Zone" button

Fill Out the Form

โ”Œโ”€ Domain Name โ”‚ Enter: example.com โ”‚ โš ๏ธ Do not include www or http:// โ”‚ โ”œโ”€ Description (optional) โ”‚ Enter: Website hosting โ”‚ โ”œโ”€ Type โ”‚ โ—‹ Public Hosted Zone โ† Select this option โ”‚ โ””โ”€ Create Hosted Zone Click "Create Hosted Zone" button

Record Important Information

Hosted Zone ID: Z1234567890ABC โ†‘ Copy and note this item Name Servers (NS Records): ns-1111.awsdns-22.com ns-2222.awsdns-33.co.uk ns-3333.awsdns-44.org ns-4444.awsdns-55.net โ†‘ Copy these 4 NS records

10Update Domain Registrar DNS Settings

Operate at Domain Registrar (such as GoDaddy, Namecheap, Aliyun, etc.)

Steps

  1. Log in to your domain registrar account
  2. Find "DNS Management" or "Domain Management"
  3. Modify Name Servers (NS Records) to the 4 you copied above
  4. Save changes
โณ DNS Propagation: May take 1-48 hours, you can check with the following command:
nslookup example.com # You should see AWS NS records

11Create Alias Records in Route53

Path: Route53 โ†’ Hosted Zones โ†’ Create Record

Create First Record (Root Domain)

โ”Œโ”€ Record Name โ”‚ Leave blank (represents example.com root domain) โ”‚ โ”œโ”€ Record Type โ”‚ Click dropdown โ†’ Select "A" โ”‚ โ”œโ”€ Alias โ”‚ โœ“ Enable Alias โ† You must check this โ”‚ โ”œโ”€ Select Traffic Policy โ”‚ โ—‹ Simple Routing โ† Keep default โ”‚ โ”œโ”€ Route Traffic To โ”‚ Click dropdown โ†’ Select "CloudFront Distribution" โ”‚ โ”œโ”€ Select Distribution โ”‚ Click dropdown โ†’ Select your distribution (d111111abcd.cloudfront.net) โ”‚ โ”œโ”€ Evaluate Target Health โ”‚ โ—‹ No (keep default) โ”‚ โ””โ”€ Create Record Click "Create Record"

Create Second Record (www Subdomain)

Repeat the steps above, but change "Record Name" to www, rest of configuration is the same.

โœ… Complete: Both records should point to the same CloudFront distribution

12Configure CloudFront CNAME and Certificate

Path: CloudFront โ†’ Distributions โ†’ Edit

Steps

  1. Return to CloudFront service
  2. Select your distribution (click on Distribution ID)
  3. Click the "Edit" button
  4. Find the "Alternate Domain Names (CNAME)" field
  5. Click the input box and add two domain names
Add in the Alternate Domain Names input box: example.com www.example.com

Select SSL Certificate

Scroll down to find "Custom SSL Certificate" or "SSL Certificate" โ”Œโ”€ SSL Certificate โ”‚ โœ“ Custom SSL Certificate โ”‚ โ”œโ”€ Select Certificate โ”‚ Click dropdown โ†’ Select the certificate you requested earlier โ”‚ Should display: example.com (and *.example.com) โ”‚ โ””โ”€ Save Click "Save Changes"
โณ Wait for Deployment: Distribution status changes from "In Progress" to "Deployed" (usually 5-10 minutes)

โš™๏ธPart Seven: Configure Caching Policy

13Set Cache for Different File Types

Path: CloudFront โ†’ Distributions โ†’ Behaviors โ†’ Edit

This step is used to optimize costs and performance. Set different cache times for different file types.

Default Behavior Configuration

1. Return to CloudFront distribution edit page 2. Click the "Behaviors" tab 3. Select Default Behavior โ†’ Click "Edit" โ”Œโ”€ Cache Key and Origin Request โ”‚ Cache Policy: CachingOptimized (already configured) โ”‚ โ”œโ”€ Viewer Cache Control Request Headers โ”‚ โœ“ Use Original Cache-Control Headers โ”‚ โ””โ”€ Save Click "Save"

Optional: Create Separate Behavior for HTML

For finer control, you can create different behavior rules for different file types:

HTML File Behavior:
Path Pattern: *.html Cache Policy: Cache Disabled (do not cache, get latest each time) Origin Request Policy: S3Origin
JavaScript File Behavior:
Path Pattern: *.js Cache Policy: CachingOptimized Compress: Enable

โœ”๏ธPart Eight: Testing and Verification

14Test Website Access

Test URLs

Access in browser: https://example.com https://www.example.com https://d111111abcd.cloudfront.net (CloudFront direct URL)

Success Indicators

  • โœ… Page loads normally
  • โœ… HTTPS is valid (address bar shows lock icon)
  • โœ… Certificate information is correct (click lock icon to view)

Troubleshooting Table

Problem Cause Solution
Shows AWS S3 error page S3 bucket policy not configured correctly Check distribution ID in bucket policy
Shows "Access Denied" OAC not applied correctly Confirm OAC exists in S3 bucket policy
Custom domain name not working Route53 DNS not in effect Wait for DNS propagation (maximum 48 hours)
Invalid SSL certificate ACM certificate not deployed to CloudFront Select correct certificate in CloudFront
Access is slow Cache not working Check Cache-Control header configuration

๐Ÿš€Part Nine: Performance Optimization

15Configure Cache Header Optimization

Setting appropriate Cache-Control headers for files in S3 can significantly reduce costs and improve performance.

Method A: Through AWS Console

  1. S3 โ†’ Bucket โ†’ Objects
  2. Select file โ†’ "Object Actions" โ†’ "Edit Metadata"
  3. Add custom metadata (Key: Cache-Control)

Cache Time Recommendations

File Type Cache-Control Value Description
HTML File public, max-age=300, must-revalidate 5 minutes, must revalidate
CSS/JS/Image public, max-age=31536000, immutable 1 year, requires versioned filenames
API Response public, max-age=0 No cache, get latest each time

Method B: Through AWS CLI

# Upload and configure HTML cache aws s3 cp index.html s3://example-com-website/index.html \ --metadata "Cache-Control=public, max-age=300" # Upload and configure long-term cache for JS/CSS aws s3 cp app.a1b2c3d4.js s3://example-com-website/ \ --metadata "Cache-Control=public, max-age=31536000, immutable"

16Enable Gzip Compression

Enabling automatic compression in CloudFront can reduce traffic by 60-70%.

Steps

  1. CloudFront โ†’ Distributions โ†’ Edit
  2. Find "Default Cache Behavior"
  3. Check "Enable Compression" โœ“
๐Ÿ’ฐ Cost Savings: After enabling compression, text files (HTML, CSS, JS) can reduce transfer volume by 60-70%

๐Ÿ“ŠPart Ten: Monitoring and Cost Control

17Set Up Monitoring Alerts

Monitor CloudFront Costs

  1. Enter CloudWatch or Cost Management
  2. Set up budget alerts
Budget Name: Website Monthly Cost Budget Amount: $10 (example) Alert Threshold: Notify when reaching 80%

Monitor Key Performance Indicators

View the following metrics in CloudFront distribution:

  • Number of Requests: Total requests per day
  • Data Transfer Volume: Size of outbound traffic
  • Cache Hit Rate: Should be > 90%
  • Error Rate: Should be close to 0%

Cost Estimation Table (Monthly)

Service Cost Description
S3 Storage $0.23 10GB ร— $0.023
S3 GET Requests $0.04 1M รท 1000 ร— $0.0004
CloudFront Outbound Free 1TB free tier (100GB used)
CloudFront Requests Free 10M free tier (1M used)
Route53 $0.50 Hosted zone monthly fee
ACM Certificate Free Free for AWS internal use
Total $0.77/month

Frequently Asked Questions

Q1: How do I update website files?

# Method 1: Use AWS CLI aws s3 cp ./new-file.html s3://example-com-website/ aws s3 sync ./website-files/ s3://example-com-website/ --delete # Method 2: Use AWS Console # S3 โ†’ Bucket โ†’ Upload โ†’ Select file โ†’ Upload

Q2: How do I clear CloudFront cache?

  1. CloudFront โ†’ Distributions โ†’ Invalidations
  2. Create Invalidation โ†’ Enter path /* โ†’ Create
๐Ÿ’ก Tip: This will clear all cached files (usually takes effect in 5 minutes)

Q3: What is the data transfer flow of S3 + CloudFront?

User โ†’ CloudFront Edge Node โ†’ S3 Bucket โ†“ Return Cached Content (fast)

Q4: How do I implement HTTPS redirect?

Already configured in CloudFront:

  • Viewer Protocol Policy: Redirect HTTP to HTTPS

All HTTP requests will be automatically redirected to HTTPS.

โœ…Summary Checklist

After Deployment, Verify the Following Items

  • S3 bucket created and files uploaded
  • Static website hosting enabled (index.html, error.html)
  • OAC created
  • CloudFront distribution created and deployed
  • ACM certificate requested and verified
  • Route53 hosted zone created
  • Domain registrar DNS updated to Route53 NS
  • Alias records (A records) created
  • CloudFront CNAME configured
  • CloudFront ACM certificate applied
  • https://example.com accessible normally
  • Cache policy optimized
  • Compression enabled
  • Cost monitoring set up

Subsequent Maintenance

Daily Operations

  • Regularly check CloudFront cache hit rate (should be > 90%)
  • Monitor monthly costs
  • Use aws s3 sync command when updating website content

Regular Maintenance

  • Check ACM certificate expiration date (auto-renewal)
  • Verify Route53 DNS configuration is correct
  • Clean up old S3 object versions (if versioning is enabled)

Performance Optimization

  • Use CloudFront real-time logs to analyze cache hit rate
  • Regularly adjust Cache-Control header configuration
  • Consider using Lambda@Edge for edge computing

๐ŸŽ‰ Deployment Complete

You now have a production-grade, low-cost static website hosting solution

๐Ÿ“Š Cost: $0.50 - $5 average per month
โšก Performance: Global < 500ms load time
๐Ÿ”’ Security: HTTPS + DDoS protection
๐Ÿ“ˆ Scalability: Automatically handles traffic growth