I would like to deploy a website to an S3 bucket and use static website hosting. However, I have some strict security restrictions:
Here is my plan:
Here is a diagram:
I have one big concern though: Is forwarding a custom header between CloudFront really the best way to do this? AWS docs say that an Origin Access Identity can't be used for S3 buckets that act as a website (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html). The custom header seems less secure than an Origin Access Identity and much harder to maintain. It makes me uncomfortable using a random string as the only security preventing someone from bypassing my CloudFront distribution and directly accessing the S3 bucket. If a malicious party guesses the
My other option here is to just bite the bullet and move to servers where I have more control over a lot of the security but I would like to leverage the convenience of an S3 website.
You should remove the website configuration from your S3 bucket and use Origin Access Identity. The rest of your setup is fine.
You don't need to configure your S3 bucket as a website endpoint because you are not going to serve your content directly via S3. With the Origin Access Identity, your bucket will be available only from CloudFront (unless you add something else in the bucket policy) and this is what you want.
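To make the answer's recommendation concrete, here is an added example (not part of the question or answer, and not AWS's own tooling) that builds the bucket policy an Origin Access Identity needs and lints an arbitrary bucket policy for statements that would let a client bypass CloudFront. The bucket name, the OAI ID `E1EXAMPLE` and the sample policies are constructed placeholders; the principal ARN format `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>` is the form AWS uses for an OAI.

```python
import json

# Placeholder values for the example; substitute your own bucket and OAI ID.
BUCKET = "example-site-bucket"
OAI_ID = "E1EXAMPLE"


def oai_principal(oai_id):
    """ARN form of a CloudFront Origin Access Identity as a policy principal."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"


def oai_bucket_policy(bucket, oai_id):
    """Bucket policy that grants read access to the OAI only (what the answer
    describes): with no other Allow statements, direct S3 access is refused."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": oai_principal(oai_id)},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        out = []
        for entries in principal.values():
            out.extend(_as_list(entries))
        return out
    return _as_list(principal)


def policy_findings(policy, oai_id, website_enabled=False):
    """Return a list of human-readable findings; an empty list means the bucket
    is reachable only through CloudFront via the given OAI."""
    findings = []
    if website_enabled:
        findings.append("bucket has a website configuration; the website "
                        "endpoint bypasses the OAI and must be removed")
    expected = oai_principal(oai_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _principals(stmt):
            if principal == "*":
                findings.append(f"{sid}: grants access to everyone (Principal *)")
            elif principal != expected:
                findings.append(f"{sid}: grants access to non-OAI principal {principal}")
        for action in _as_list(stmt.get("Action", [])):
            if not (action.startswith("s3:Get") or action.startswith("s3:List")):
                findings.append(f"{sid}: action {action} is not needed for "
                                "CloudFront delivery")
    return findings


# A constructed 'public website' policy of the kind static hosting usually uses.
PUBLIC_WEBSITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    good = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(good, indent=2))
    print("OAI-only policy findings:", policy_findings(good, OAI_ID))
    print("public website policy findings:",
          policy_findings(PUBLIC_WEBSITE_POLICY, OAI_ID, website_enabled=True))
```

Run the linter against the policy you actually have applied (for example the output of `aws s3api get-bucket-policy`) together with whether website hosting is still enabled; anything it reports is a path that does not go through the CloudFront distribution.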