This solution creates an S3 bucket that hosts your static website’s assets. The website is only accessible via CloudFront, not directly from S3.
This solution creates a CloudFront distribution to serve your website to viewers. The distribution is configured with a CloudFront origin access identity to make sure that the website is only accessible via CloudFront, not directly from S3. The distribution is also configured with a Lambda@Edge function that adds security headers to every response.
This solution creates an SSL/TLS certificate in ACM, and attaches it to the CloudFront distribution. This enables the distribution to serve your domain’s website using HTTPS.
This solution creates a Lambda@Edge function that’s triggered on an origin response event. The function adds security headers to every response served by CloudFront.
The security headers can help mitigate some attacks, as explained in this blog post: Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront. Security headers are a group of headers in the web server response that tell web browsers to take extra security precautions. This solution adds the following headers to each response:
For more information, see Mozilla’s web security guidelines.