S3 Static Website Hosting
📌 AWS Recommendation (October 2024): AWS now recommends using AWS Amplify Hosting to host static website content stored on S3. Amplify Hosting is a fully managed service that deploys your websites on a globally available CDN powered by Amazon CloudFront, with built-in HTTPS, custom domains, redirects, and custom headers. See AWS Amplify Hosting section below.
- Amazon S3 can be used for Static Website hosting with Client-side scripts.
- S3 does not support server-side scripting.
- S3, in conjunction with Route 53, supports hosting a website at the root domain, which can point to the S3 website endpoint.
- S3 website endpoints do not support HTTPS or access points. Use Amazon CloudFront to serve HTTPS traffic.
- For S3 website hosting, the content must be publicly readable, which is granted using a bucket policy.
- Since April 2023, all new S3 buckets have Block Public Access enabled and ACLs disabled by default. To use S3 static website hosting, Block Public Access must be explicitly disabled and a bucket policy must be configured for public read access.
- Users can configure the index and error documents, as well as conditional routing (redirect) rules based on the object name.
- S3 supports up to 50 routing rules per website configuration for conditional redirects.
- Requester Pays buckets do not allow access through the website endpoint. Any request to such a bucket will receive a 403 – Access Denied response.
- If the S3 bucket is encrypted using SSE-KMS, the website endpoint cannot serve the content. Use CloudFront with Origin Access Control (OAC) instead.
- S3 website endpoint domains are registered in the Public Suffix List (PSL). If setting sensitive cookies, use the __Host- prefix for CSRF protection.
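The index/error document and routing-rule points above are easier to see in the configuration document itself. The following is an added example, not code from the original notes: it builds the website configuration in the JSON shape the PutBucketWebsite API accepts, enforces the 50-rule limit, and models (in simplified form) how S3 applies routing rules, first match wins. The bucket name, host names and keys are constructed samples.

```javascript
// Added example, not from the original page: an S3 website configuration with
// routing rules, in the JSON shape PutBucketWebsite accepts, plus a simplified
// model of how S3 evaluates those rules (first matching rule wins).
// Bucket name, host names and keys below are constructed samples.

const MAX_ROUTING_RULES = 50; // S3 limit per website configuration

// Constructed sample rules: move the "docs/" prefix, and hand 404s to a
// separate host (Protocol, HostName and HttpRedirectCode are optional).
const SAMPLE_RULES = [
  {
    Condition: { KeyPrefixEquals: 'docs/' },
    Redirect: { ReplaceKeyPrefixWith: 'documents/' },
  },
  {
    Condition: { HttpErrorCodeReturnedEquals: '404' },
    Redirect: {
      HostName: 'error-handler.example.com',
      Protocol: 'https',
      ReplaceKeyPrefixWith: 'report-404/',
    },
  },
];

// Builds the WebsiteConfiguration document and validates the rules.
function buildWebsiteConfig(indexSuffix, errorKey, routingRules) {
  if (routingRules.length > MAX_ROUTING_RULES) {
    throw new Error(`S3 allows at most ${MAX_ROUTING_RULES} routing rules, got ${routingRules.length}`);
  }
  routingRules.forEach((rule, i) => {
    const r = rule.Redirect;
    if (!r) throw new Error(`rule ${i}: Redirect is required`);
    if ('ReplaceKeyWith' in r && 'ReplaceKeyPrefixWith' in r) {
      throw new Error(`rule ${i}: use ReplaceKeyWith or ReplaceKeyPrefixWith, not both`);
    }
  });
  return {
    IndexDocument: { Suffix: indexSuffix },
    ErrorDocument: { Key: errorKey },
    RoutingRules: routingRules,
  };
}

// Simplified model of S3's evaluation: every field present in Condition must
// match; a rule without Condition matches every request. Website endpoints
// serve only HTTP, so the default protocol is http.
function resolveRedirect(config, { host, key, status }) {
  for (const rule of config.RoutingRules) {
    const c = rule.Condition || {};
    if (c.KeyPrefixEquals !== undefined && !key.startsWith(c.KeyPrefixEquals)) continue;
    if (c.HttpErrorCodeReturnedEquals !== undefined && String(status) !== c.HttpErrorCodeReturnedEquals) continue;
    const r = rule.Redirect;
    let newKey = key;
    if (r.ReplaceKeyWith !== undefined) {
      newKey = r.ReplaceKeyWith;
    } else if (r.ReplaceKeyPrefixWith !== undefined) {
      const prefixLen = c.KeyPrefixEquals ? c.KeyPrefixEquals.length : 0;
      newKey = r.ReplaceKeyPrefixWith + key.slice(prefixLen);
    }
    return {
      code: r.HttpRedirectCode || '301',
      location: `${r.Protocol || 'http'}://${r.HostName || host}/${newKey}`,
    };
  }
  return null; // no rule applies: S3 serves the object (or the error document)
}

const WEBSITE_CONFIG = buildWebsiteConfig('index.html', 'error.html', SAMPLE_RULES);
```

Rule order matters: a rule with no Condition placed first would shadow every later rule, so keep the most specific conditions at the top of the list.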
S3 Website Endpoints
- S3 provides two types of endpoints:
  - REST API endpoint (s3.amazonaws.com) – Supports HTTPS, access points, OAC
  - Website endpoint (s3-website-region.amazonaws.com or s3-website.region.amazonaws.com) – Supports only HTTP, no access points, no OAC
- Website endpoint formats:
  - http://bucket-name.s3-website-Region.amazonaws.com (dash format)
  - http://bucket-name.s3-website.Region.amazonaws.com (dot format)
- Website endpoints return HTML error documents for 4xx errors, while REST API endpoints return XML error responses.
- Website endpoints support index documents and redirects; REST API endpoints do not.
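Telling the two endpoint types apart from a host name is a common review task (a link in a config or a report that uses https:// against a website endpoint will not work). The following is an added example, not code from the original notes: it parses the host name formats listed above, classifies the endpoint as REST or website (dash or dot format), and checks a URL against what that endpoint supports. The host names and regexes are this example's own; the bucket-name rule is the general S3 naming rule.

```javascript
// Added example, not from the original page: parses an S3 host name or URL,
// tells a REST API endpoint from a website endpoint (dash or dot format), and
// reports what the endpoint type implies. Host names below are constructed.

// Bucket names: 3-63 chars, lowercase letters, digits, dots, hyphens.
const BUCKET = '(?<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])';
// Region ids such as us-east-1, eu-central-1, us-gov-west-1.
const REGION = '(?<region>[a-z]{2}(?:-[a-z]+)+-\\d)';

// bucket.s3-website-REGION.amazonaws.com (dash) or bucket.s3-website.REGION.amazonaws.com (dot)
const WEBSITE_HOST = new RegExp(`^${BUCKET}\\.s3-website(?<sep>[-.])${REGION}\\.amazonaws\\.com$`);
// bucket.s3.amazonaws.com, bucket.s3.REGION.amazonaws.com, legacy bucket.s3-REGION.amazonaws.com
const REST_HOST = new RegExp(`^${BUCKET}\\.s3(?:[.-]${REGION})?\\.amazonaws\\.com$`);

function classifyS3Host(hostname) {
  const host = hostname.toLowerCase();
  let m = WEBSITE_HOST.exec(host);
  if (m) {
    return {
      type: 'website',
      bucket: m.groups.bucket,
      region: m.groups.region,
      format: m.groups.sep === '-' ? 'dash' : 'dot',
      https: false,         // website endpoints speak HTTP only
      accessPoints: false,
      oac: false,
      indexDocuments: true, // index documents and redirects are a website-endpoint feature
    };
  }
  m = REST_HOST.exec(host);
  if (m) {
    return {
      type: 'rest',
      bucket: m.groups.bucket,
      region: m.groups.region || null,
      format: null,
      https: true,
      accessPoints: true,
      oac: true,
      indexDocuments: false,
    };
  }
  return null; // not an S3 endpoint in a form this example recognises
}

// Checks a full URL against the endpoint capabilities and returns findings.
function checkS3Url(url) {
  const u = new URL(url);
  const info = classifyS3Host(u.hostname);
  if (!info) return { info: null, findings: ['not a recognised S3 endpoint host'] };
  const findings = [];
  if (info.type === 'website' && u.protocol === 'https:') {
    findings.push('website endpoints do not serve HTTPS; put CloudFront in front or use the REST endpoint');
  }
  if (info.type === 'website') {
    findings.push('website endpoint needs public read via bucket policy and Block Public Access disabled');
  }
  if (info.type === 'rest' && u.pathname.endsWith('/')) {
    findings.push('REST endpoint does not resolve index documents; rewrite the path (e.g. with a CloudFront Function)');
  }
  return { info, findings };
}
```

The REST pattern is deliberately tried second: the website host names also contain `.s3` and a region, so order decides the classification.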
S3 Static Website with CloudFront
- CloudFront is the recommended approach to add HTTPS support, caching, and global distribution to S3-hosted websites.
- Two approaches to use CloudFront with S3:
  - S3 REST API endpoint as origin with OAC (Recommended) – Keeps the bucket private; CloudFront uses Origin Access Control to authenticate requests to S3.
  - S3 website endpoint as custom origin – Bucket must be publicly accessible; does not support OAC/OAI. Can restrict access using a custom Referer header.
- Origin Access Control (OAC) is the current best practice for securing S3 origins with CloudFront (replaces the legacy OAI).
- OAI creation was deprecated in 2024.
- As of March 2026, new CloudFront distributions can only use OAC.
- OAC supports SSE-KMS encrypted objects, SigV4, and all AWS regions.
- OAC requires S3 Object Ownership set to “Bucket owner enforced” (default for new buckets).
- CloudFront Functions can handle URL rewriting (e.g., appending index.html to directory paths) when using the REST API endpoint with OAC, providing website-endpoint-like behavior while keeping the bucket private.
- AWS Shield Standard is automatically included with every CloudFront distribution at no extra cost for DDoS protection.
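The URL-rewriting CloudFront Function mentioned above is small enough to show in full. The following is an added example, not the notes' own or AWS's published code: a viewer-request function that maps directory-style URIs onto the index document so a private REST origin behind OAC behaves like the website endpoint, with the rewrite rule split out as a pure function so it can be tested outside CloudFront. The handler and event shapes are the CloudFront Functions ones; `INDEX_DOCUMENT`, `rewriteUri` and the sample event are this example's own.

```javascript
// Added example, not from the original page: a CloudFront Function for the
// viewer-request event that rewrites directory-style URIs to the index
// document, so a private S3 REST origin behind OAC behaves like the website
// endpoint. The handler signature is the CloudFront Functions one; the sample
// event at the bottom is constructed. Written with var/ES5 syntax because the
// CloudFront Functions runtime is more restricted than Node.

var INDEX_DOCUMENT = 'index.html';

// Pure rewrite rule, kept separate so it can be unit-tested outside CloudFront.
function rewriteUri(uri) {
  if (uri.endsWith('/')) {
    return uri + INDEX_DOCUMENT;         // /docs/  -> /docs/index.html
  }
  var lastSegment = uri.slice(uri.lastIndexOf('/') + 1);
  if (lastSegment.indexOf('.') === -1) {
    return uri + '/' + INDEX_DOCUMENT;   // /docs   -> /docs/index.html
  }
  return uri;                            // /app.js stays as is
}

// CloudFront Functions entry point (viewer request). Returning the request
// object forwards it to the origin with the rewritten uri.
function handler(event) {
  var request = event.request;
  // Only GET/HEAD are meaningful for a static site; anything else gets a 405
  // generated at the edge instead of reaching the bucket.
  if (request.method !== 'GET' && request.method !== 'HEAD') {
    return {
      statusCode: 405,
      statusDescription: 'Method Not Allowed',
      headers: { allow: { value: 'GET, HEAD' } },
    };
  }
  request.uri = rewriteUri(request.uri);
  return request;
}

// Constructed sample viewer-request event (shape of the CloudFront Functions
// event object, trimmed to the fields used here).
var SAMPLE_EVENT = {
  version: '1.0',
  context: { eventType: 'viewer-request' },
  viewer: { ip: '198.51.100.10' },
  request: {
    method: 'GET',
    uri: '/blog/',
    querystring: {},
    headers: { host: { value: 'www.example.com' } },
    cookies: {},
  },
};
```

Associate the function with the distribution's cache behaviour on the viewer-request event; the bucket itself keeps no index-document configuration and stays private.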
AWS Amplify Hosting (Recommended Alternative)
- AWS Amplify Hosting is a fully managed service for hosting static websites, officially recommended by AWS as of October 2024 for static content stored on S3.
- Key benefits over S3 website hosting:
  - Built-in HTTPS with free SSL/TLS certificates
  - Global CDN powered by Amazon CloudFront
  - Custom domain configuration with automatic DNS setup
  - Custom headers and redirects without additional services
  - Atomic deployments and instant cache invalidation
  - No need to disable Block Public Access on S3 bucket
- Amplify Hosting can deploy directly from an S3 general purpose bucket by selecting the location of objects within the bucket.
- Does not support cross-account S3 bucket access.
- Simplifies the setup compared to manually configuring S3 + CloudFront + Route 53 + ACM.
Security Best Practices
- Prefer CloudFront + OAC or Amplify Hosting over making S3 buckets publicly accessible.
- Keep Block Public Access enabled whenever possible; use CloudFront OAC to grant access to the distribution only.
- If public access is required (S3 website endpoint), use a bucket policy (not ACLs) to grant read access, as ACLs are disabled by default on new buckets.
- Enable access logging to track website requests.
- Use CloudFront with WAF for additional security controls like geo-restriction, rate limiting, and IP filtering.
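The bucket-policy advice above (public read via policy for the website endpoint; CloudFront OAC with the bucket kept private) comes down to two policy documents. The following is an added example, not code from the original notes or from AWS: it generates both read-only policies and audits a policy for the things a reviewer looks for on a static-site bucket (anonymous principals allowed more than s3:GetObject, resources outside the bucket's objects, and an OAC statement missing the AWS:SourceArn condition that ties it to one distribution). The bucket name, account id and distribution id are placeholders.

```javascript
// Added example, not from the original page: the two read-only bucket policy
// shapes these notes contrast (public website endpoint vs. private bucket
// behind CloudFront OAC) and an audit that flags policies wider than a static
// site needs. Bucket name, account id and distribution id are placeholders.

function objectArn(bucket) {
  return `arn:aws:s3:::${bucket}/*`;
}

// Public website endpoint: anonymous read of objects only, granted by policy
// (ACLs are disabled on new buckets, so a policy is the only option anyway).
function publicReadPolicy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'PublicReadGetObject',
      Effect: 'Allow',
      Principal: '*',
      Action: 's3:GetObject',
      Resource: objectArn(bucket),
    }],
  };
}

// Private bucket behind CloudFront with OAC: only the CloudFront service
// principal, and only when acting for one specific distribution.
function oacReadPolicy(bucket, accountId, distributionId) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'AllowCloudFrontServicePrincipalReadOnly',
      Effect: 'Allow',
      Principal: { Service: 'cloudfront.amazonaws.com' },
      Action: 's3:GetObject',
      Resource: objectArn(bucket),
      Condition: {
        StringEquals: {
          'AWS:SourceArn': `arn:aws:cloudfront::${accountId}:distribution/${distributionId}`,
        },
      },
    }],
  };
}

// IAM policy fields may be a single value or an array; normalise to arrays.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function isAnonymous(principal) {
  if (principal === '*') return true;
  return !!principal && asList(principal.AWS).includes('*');
}

// Returns a list of findings; an empty list means the policy is as narrow as
// a read-only static site needs.
function auditBucketPolicy(policy, bucket) {
  const findings = [];
  for (const st of asList(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    const sid = st.Sid || '(no Sid)';
    const extra = asList(st.Action).filter((a) => a.toLowerCase() !== 's3:getobject');
    if (isAnonymous(st.Principal) && extra.length > 0) {
      findings.push(`${sid}: anonymous principal allowed ${extra.join(', ')}; a website needs only s3:GetObject`);
    }
    for (const r of asList(st.Resource)) {
      if (r !== objectArn(bucket)) {
        findings.push(`${sid}: resource ${r} is not the object ARN ${objectArn(bucket)}`);
      }
    }
    if (asList(st.Principal && st.Principal.Service).includes('cloudfront.amazonaws.com')) {
      const eq = (st.Condition && st.Condition.StringEquals) || {};
      if (!eq['AWS:SourceArn']) {
        findings.push(`${sid}: CloudFront service principal without an AWS:SourceArn condition; any distribution could read the bucket`);
      }
    }
  }
  return findings;
}
```

The SourceArn check is the one most often missed: without it, any CloudFront distribution in any account can be pointed at the bucket and read it, which defeats the purpose of keeping Block Public Access on.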
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
- Company ABCD is currently hosting their corporate site in an Amazon S3 bucket with Static Website Hosting enabled. Currently, when visitors go to http://www.companyabcd.com the index.html page is returned. Company C now would like a new page welcome.html to be returned when a visitor enters http://www.companyabcd.com in the browser. Which of the following steps will allow Company ABCD to meet this requirement? Choose 2 answers.
  - Upload an html page named welcome.html to their S3 bucket
  - Create a welcome subfolder in their S3 bucket
  - Set the Index Document property to welcome.html
  - Move the index.html page to a welcome subfolder
  - Set the Error Document property to welcome.html
- A company wants to host a static website on AWS with HTTPS support using a custom domain. The website files are stored in an S3 bucket. Which combination of services provides the MOST secure and recommended architecture? Choose 2 answers.
  - Enable S3 static website hosting and use the website endpoint directly
  - Use CloudFront with Origin Access Control (OAC) and the S3 REST API endpoint as origin
  - Use CloudFront with Origin Access Identity (OAI)
  - Keep S3 Block Public Access enabled on the bucket
  - Disable server-side encryption on the bucket
- A developer needs to host a static single-page application on AWS. The requirements include HTTPS, a custom domain, atomic deployments, and minimal operational overhead. Which approach requires the LEAST configuration effort?
  - S3 static website hosting with CloudFront and ACM certificate
  - AWS Amplify Hosting with S3 as the source
  - S3 static website hosting with Route 53 alias record
  - EC2 instance with Nginx serving static files
- An organization hosts a static website on S3 using the website endpoint. They want to ensure only CloudFront can access the S3 content while keeping the bucket private. However, they need S3 website features like index documents for subdirectories. What is the recommended solution?
  - Use OAC with the S3 website endpoint
  - Use CloudFront with the S3 REST API endpoint, OAC, and a CloudFront Function for URL rewriting
  - Use OAI with the S3 website endpoint
  - Make the bucket public and use a custom Referer header
- A company created a new S3 bucket and enabled static website hosting. However, users are receiving 403 Forbidden errors when accessing the website. What is the MOST likely cause? (Choose 2)
  - S3 Block Public Access is still enabled on the bucket (default for new buckets since April 2023)
  - The bucket does not have versioning enabled
  - No bucket policy has been configured to allow public read access
  - The index document has not been uploaded
  - The bucket is using SSE-S3 encryption