Live delivery infrastructure
Portfolio Delivery on AWS
A Terraform-managed static delivery path using Route 53, CloudFront, managed WAF protection and a private S3 origin, with repeatable deployment and explicit cost controls.
- Edge
- CloudFront + managed WAF
- Origin
- Private S3 through OAC
- Network
- HTTPS, HTTP/2 + HTTP/3
- Guardrails
- Budget monitoring + scoped response
Objective
The goal was to publish the portfolio through a small, reviewable AWS architecture without leaving an origin publicly accessible or introducing always-running compute.
The delivery path also needed a predictable deployment command, canonical domain behavior, TLS, useful security defaults and a cost response that could limit unexpected spend.
Request path
- Route 53A and AAAA aliases send apex and www requests to the CloudFront distribution.
- Canonical hostA CloudFront Function permanently redirects www traffic to the apex domain.
- Edge deliveryCloudFront terminates TLS, compresses content, applies managed security headers and serves cached objects over HTTP/2 or HTTP/3.
- Signed origin requestOrigin Access Control signs requests from CloudFront to S3.
- Private object storageThe S3 bucket blocks all public access and grants read access only to the intended distribution.
Security boundaries
- No public website bucketS3 static website hosting is not used; direct origin requests are denied.
- Scoped origin policyThe bucket policy permits object reads from the CloudFront service only when the request belongs to this distribution.
- Managed edge protectionThe CloudFront pricing plan supplies a managed WAF association while Terraform owns the rest of the distribution configuration.
- No stored credentialsTerraform and deployment scripts use the normal local AWS credential chain; secrets and identifiers are excluded from the public site.
Infrastructure and deployment
Terraform owns the certificate, DNS aliases, CloudFront distribution, origin access control, private bucket policy, cache behavior, redirect function, budget monitoring and automated cost response. State is stored in a separate versioned S3 bucket using native lockfiles.
The content deployment script stages only public HTML, CSS, JavaScript, sitemap, robots and referenced assets. It synchronizes with deletion enabled, applies cache policies by file type and submits one CloudFront invalidation. A separate verification script checks public routes, the canonical redirect, security headers and custom 404 behavior.
Cost governance
- Predictable deliveryThe distribution uses AWS-managed policies and a flat-rate CloudFront pricing plan.
- Small originThe architecture uses static objects and avoids a load balancer, NAT Gateway, database or always-running compute.
- Budget monitoringAWS Budgets provides forecast and actual-spend notifications for the portfolio delivery services.
- Automated responseA separate threshold invokes a narrowly scoped Lambda that can disable only this distribution.
Verified behavior
- Public deliveryThe apex domain serves every portfolio route over HTTPS, including a custom 404 response.
- Canonical redirectThe www hostname returns a permanent redirect to the apex site.
- Origin isolationDirect S3 requests return access denied and all four S3 public-access controls are enabled.
- Configuration integrityA post-deployment Terraform plan reported no drift after the CloudFront pricing plan was attached.
Engineering outcome
The portfolio is not only a collection of screenshots. It is a live, reproducible delivery system with a private origin, edge security, automated publishing, explicit verification and cost-aware failure handling.