How to Host a Static Website on AWS S3 and CloudFront for Free
By Braincuber Team
Published on March 9, 2026
Why are you paying $20/month per user for "premium" static hosting when AWS gives it to you for pennies? We constantly audit tech stacks for D2C brands burning $1,400+ a year on basic marketing page hosting. Amazon S3 combined with CloudFront gives you enterprise-grade DDoS protection, free SSL, and global edge caching for literal fractions of a cent. Stop throwing away your marketing budget. Here is the exact step-by-step workflow to deploy your static site right now.
What You'll Learn:
- Why S3 alone is not enough (HTTPS, caching, DDoS protection)
- How to create and configure an S3 bucket for web hosting
- How to write the JSON bucket policy to allow public access
- How to set up a CloudFront distribution for edge caching
- How to lock down S3 so users must go through CloudFront
The Architecture: S3 + CloudFront Explained
First, let's clear up a common beginner mistake: Just uploading HTML files to an S3 bucket is not a production deployment. Here is why you need both services.
Amazon S3 (The Storage)
S3 is a highly durable object store (99.999999999% durability). It simply holds your HTML, CSS, JS, and image files. But alone, it only serves traffic over HTTP (no SSL lock icon) and from a single geographic region.
Amazon CloudFront (The CDN)
CloudFront sits "in front" of your S3 bucket. It pulls your files from S3 and caches them in over 400 Edge Locations worldwide. This gives you instant global loading speeds, free SSL/TLS encryption, and native DDoS protection.
Step-by-Step Guide: Deploy Your Static Site
Step 1: Create an S3 Bucket and Upload Files
Log into AWS, navigate to S3, and click Create bucket. Give it a globally unique name (e.g., your-startup-website-2026). Leave other parameters default for now and click Create. Open the bucket, click Upload, and drag your static files in (ensure index.html is at the root, not inside a subfolder). Click Upload.
Step 2: Enable Static Website Hosting
Go to the Properties tab of your bucket. Scroll to the bottom to Static website hosting. Click Edit. Select Enable. Under Index document, type exactly index.html. Save changes. You will now see an endpoint URL (e.g., http://your-bucket-name.s3-website.region.amazonaws.com). BUT — if you click it, you will get a 403 Forbidden error. Let's fix that.
Step 3: Unblock Public Access & Attach Policy
Go to the Permissions tab. Under Block public access, click Edit, uncheck the box to allow public access, and type "confirm" in the popup. Then, scroll down to Bucket Policy, click Edit, and paste the JSON below. Replace YOUR-BUCKET-NAME with your actual bucket name. Save. Your S3 endpoint URL will now load your site.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}
```
Do Not Stop Here: You Are Not Secure
Right now, your site works. But it is serving over HTTP (unsecured connection), and a bot scraping your files repeatedly will cost you data transfer bandwidth from S3. We must put CloudFront in front of it to cache the files at the edge and force HTTPS. Proceed to Step 4.
Step 4: Create a CloudFront Web Distribution
Navigate to CloudFront and click Create Distribution. In the Origin domain field, do not select the S3 bucket from the dropdown. Instead, paste your S3 website endpoint URL (the one you tested in Step 3). Under Default Cache Behavior, set Viewer Protocol Policy to Redirect HTTP to HTTPS. Under Web Application Firewall (WAF), enable security protections if desired. Click Create. Wait 3-5 minutes for it to deploy. You will receive a distribution domain name (e.g., dXXXXX.cloudfront.net). Open that in your browser — your site is now live with HTTPS!
Step 5: Lock Down S3 (Force CloudFront Traffic)
Right now, users can bypass CloudFront and hit your S3 bucket directly. We need to update the S3 bucket policy to only allow traffic from your specific CloudFront distribution ARN. Copy your CloudFront distribution ARN (found at the top of its details page). Then paste the JSON below into your S3 Bucket Policy, replacing the bucket name, account ID, and distribution ID.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::[ACCOUNT_ID]:distribution/[DISTRIBUTION_ID]"
        }
      }
    }
  ]
}
```
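A small offline check for the two bucket policies on this page, added here as an example and not part of the original article: it flags the public `"Principal": "*"` grant from the first policy and confirms that the second is pinned to a single distribution ARN. The bucket name, account ID and distribution ID in the sample data are constructed placeholders, and `audit_bucket_policy` is a hypothetical helper name.

```python
def _as_list(value):
    # IAM accepts a single value or a list for Statement, Principal and condition values.
    return value if isinstance(value, list) else [value]

def _source_arns(statement):
    # Collect AWS:SourceArn values; operator and key names are case-insensitive.
    arns = []
    for op, keys in statement.get("Condition", {}).items():
        if op.lower() in ("stringequals", "arnequals"):
            for key, val in keys.items():
                if key.lower() == "aws:sourcearn":
                    arns += _as_list(val)
    return arns

def audit_bucket_policy(policy, expected_arn):
    """Return findings; an empty list means only the expected distribution may read."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        svc = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append(f"statement {i}: Allow for any principal (public)")
        elif "cloudfront.amazonaws.com" in svc:
            arns = _source_arns(st)
            if not arns:
                # Without the condition, any CloudFront distribution matches.
                findings.append(f"statement {i}: CloudFront principal has no AWS:SourceArn")
            elif set(arns) != {expected_arn}:
                findings.append(f"statement {i}: AWS:SourceArn is not the expected distribution")
    return findings

# Constructed inputs: this page's two policies with made-up bucket, account and distribution IDs.
DIST = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
RES = "arn:aws:s3:::example-bucket/*"
PUBLIC = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicReadGetObject",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RES}]}
LOCKED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
    "Resource": RES, "Condition": {"StringEquals": {"AWS:SourceArn": DIST}}}]}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC), ("locked", LOCKED)):
        print(name, audit_bucket_policy(pol, DIST) or "OK")
```

The service-principal statement only matches requests CloudFront signs through an origin access control, which CloudFront supports for an S3 REST endpoint origin and not for the S3 website endpoint. After applying the locked policy, check that the distribution URL still serves the site and that the direct S3 URL returns 403.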
S3 Endpoint vs. Bucket URL: The Trap
| URL Type | Format | Outcome When Using in CloudFront Origin |
|---|---|---|
| Standard Bucket URL | bucket-name.s3.amazonaws.com | If you select this from the CloudFront dropdown, S3 treats requests as standard API calls. Subdirectories without trailing slashes will fail. |
| Website Endpoint URL | bucket.s3-website.region.amazonaws.com | Correct Method. S3 treats requests like a web server, automatically appending index.html to root folders. |
Frequently Asked Questions
Can I point my custom domain to CloudFront?
Yes. In your CloudFront distribution settings, add your custom domain under 'Alternate domain names (CNAME)'. Then use AWS Certificate Manager (ACM) to provision a free SSL certificate for that domain. Finally, point your DNS A Record (via Route 53 or your registrar) to the CloudFront domain name.
Why am I getting "Access Denied" when setting up CloudFront?
This usually means your S3 Bucket Policy is misconfigured, or you copied the S3 REST endpoint URL instead of the S3 Static Website URL into the CloudFront Origin field.
Are AWS S3 and CloudFront free?
It fits neatly into the AWS Free Tier. You get 5GB of S3 storage and 1TB of CloudFront data transfer OUT per month for free. Unless you are streaming 4K video or serving massive payloads, a standard static website will cost literal pennies, if anything at all.
Why use CloudFront instead of just S3?
S3 alone does not support HTTPS/SSL with custom domains. S3 alone serves from a single AWS region (high latency for users on the other side of the world). CloudFront caches your files globally and provides SSL encryption and DDoS protection.
