madhav-wakhare/terraform-static-website-s3-cloudfront

Architecture & creation flow (Terraform-managed):

1. Create a private S3 bucket

- Acts as the origin for the static website

- No content or access rules exist at this stage

2. Apply S3 Public Access Block to the bucket

- Explicitly blocks all public ACLs and public bucket policies

- Ensures the bucket cannot be accessed directly from the internet

3. Create CloudFront Origin Access Control (OAC)

- Defines how CloudFront will authenticate to S3

- Uses SigV4 signing for secure, private access

4. Create CloudFront Distribution

- Uses the S3 bucket as its origin

- Associates the OAC with the S3 origin

- Generates a unique CloudFront ARN

5. Generate an IAM bucket policy document

- Allows access ONLY to the CloudFront service

- Restricts access further using AWS:SourceArn, so only this specific CloudFront distribution can access the bucket

6. Attach the generated bucket policy to the S3 bucket

- Enforces CloudFront-only access at the bucket level

- Prevents direct S3 access even if object URLs are known

7. Upload static website files to the S3 bucket

- Files are uploaded as private objects

- etag ensures objects are re-uploaded only when content changes

- content_type ensures correct rendering by browsers

8. End-user access flow

- Users access the site via CloudFront HTTPS endpoint

- CloudFront fetches content from S3 using OAC

- S3 serves content only because the request is signed by CloudFront
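
A check for steps 5 and 6, added here as an example and not part of the repository's Terraform: it audits the rendered bucket policy JSON and reports any Allow statement that is not limited to the CloudFront service principal with AWS:SourceArn pinned to one distribution. The account ID, distribution ID, bucket name and function names are constructed placeholders.

```python
import json

DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"  # constructed placeholder
PINNING_OPS = {"StringEquals", "ArnEquals", "StringLike", "ArnLike"}
CLOUDFRONT_ONLY = ({"Service": "cloudfront.amazonaws.com"},
                   {"Service": ["cloudfront.amazonaws.com"]})

def _as_list(value):
    """IAM JSON accepts a bare string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def audit_oac_policy(policy_json, distribution_arn):
    """Return findings for a bucket policy meant to admit one CloudFront distribution only."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        principal = stmt.get("Principal")  # None when NotPrincipal is used
        if principal not in CLOUDFRONT_ONLY:
            findings.append(f"statement {i}: principal is not only the CloudFront service")
        # Condition keys are case-insensitive, so AWS:SourceArn == aws:sourcearn.
        pinned = {
            value
            for op, keys in stmt.get("Condition", {}).items() if op in PINNING_OPS
            for key, values in keys.items() if key.lower() == "aws:sourcearn"
            for value in _as_list(values)
        }
        # A wildcard or a second ARN makes the set differ from the one expected ARN.
        if pinned != {distribution_arn}:
            findings.append(f"statement {i}: AWS:SourceArn is not pinned to {distribution_arn}")
    return findings

def sample_policy(principal, source_arn):
    """Build a constructed bucket policy with the given principal and SourceArn value."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": source_arn}},
    }]})

if __name__ == "__main__":
    good = sample_policy({"Service": "cloudfront.amazonaws.com"}, DIST_ARN)
    loose = sample_policy("*", "arn:aws:cloudfront::111122223333:distribution/*")
    print(audit_oac_policy(good, DIST_ARN))
    print(audit_oac_policy(loose, DIST_ARN))
```
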

About

This repository contains Terraform code for securely hosting a static website using S3 + CloudFront.
