Final Architecture Integration

Complete System View

The system you have built is a single-origin, single-region static content host. The data flow is linear: a browser issues an HTTP GET to the S3 website endpoint, S3 evaluates the request against the bucket policy, finds the object at the requested key, and returns it with the stored content type.

For a request to /, S3 serves index.html — the configured index document. For any key that does not exist, S3 serves error.html — the configured error document — rather than the default XML error body. For any request that would require write access (PUT, DELETE), S3 rejects it with a 403 because the bucket policy grants only s3:GetObject.

The security boundary is the bucket policy. No authenticated session is required to read content. No unauthenticated caller can modify content. Object enumeration is blocked by the absence of s3:ListBucket.
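One way to check that boundary offline, as an added example that is not code from the original tutorial: the function below audits a bucket policy document and reports any anonymous grant other than s3:GetObject on the bucket's objects. The bucket name example-site-bucket, the Sid, and both sample policies are constructed for illustration.

```python
import json

BUCKET = "example-site-bucket"  # hypothetical bucket name, not from the page
ALLOWED_PUBLIC_ACTIONS = {"s3:getobject"}  # IAM action names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_public_policy(policy_json, bucket):
    """Return findings; an empty list means only s3:GetObject on objects is public."""
    findings = []
    object_arn = f"arn:aws:s3:::{bucket}/*"
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        # Condition blocks are ignored: a conditional public Allow is still audited
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction in a public Allow grants all unlisted actions")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_PUBLIC_ACTIONS:
                findings.append(f"{sid}: public Allow for {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != object_arn:
                findings.append(f"{sid}: public Allow on {resource}, expected {object_arn}")
    return findings

def _policy(actions, resources):
    # Builds a constructed single-statement public policy for the samples below
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": actions, "Resource": resources}]})

GOOD_POLICY = _policy("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*")
BAD_POLICY = _policy(["s3:GetObject", "s3:ListBucket"],
                     [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])

if __name__ == "__main__":
    for finding in audit_public_policy(BAD_POLICY, BUCKET):
        print(finding)
```

The same function flags wildcard grants such as s3:* because any action string other than s3:GetObject is reported.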

The failure path in this system is simple: if your object does not exist at the requested key, users see error.html. If the bucket itself is misconfigured or deleted, the endpoint returns an error. There is no application tier to fail, no database to become unavailable, and no cache to invalidate incorrectly.

The scaling path requires CloudFront in front of this origin for production use. CloudFront handles HTTPS termination, global edge caching, custom domain binding, and origin access control. S3 in this configuration is the origin, not the edge.

Final Architecture

Reflection

You have implemented the foundational pattern for static web hosting on AWS. The architectural principles applied here — least privilege, explicit access control, separation of public and private content, and awareness of HTTPS limitations — carry forward into more complex systems. Before deploying this pattern in production, the required additions are: CloudFront for HTTPS and edge delivery, a custom domain via Route 53, and a CI/CD pipeline that deploys build artifacts to S3 without manual file uploads.

Final Architecture Check

Question 1 of 1

A user navigates directly to https://www.yourdomain.com/about in a React SPA hosted on S3. They get a 403 error. CloudFront is not yet configured. What is the most complete production fix?
