Minimalist static website with AWS S3, Cloud Formation & Route 53

We'll use a minimalist method to deploy a static website using a custom domain name with AWS S3, Route 53 and CloudFormation. Our stack will contain:

  • An S3 bucket holding our website content with a public access policy
    • The bucket will act as storage for our website data (HTML, CSS, etc.), we'll just need to copy our website content into it.
  • A Route 53 DNS record for our domain name pointing to our S3 bucket
  • A CloudFormation stack deploying all of the above


  • An existing Route53 Hosted Zone for our domain name
  • An AWS user with enough permission to manage our stack (see below for minimal IAM policy)

Minimal example

We're gonna deploy our website at using Hosted Zone You can see the final result on the full example on GitHub.

First, let's create our S3 bucket and DNS record with this cloudformation.yml template:

# CloudFormation template deploying a static S3 bucket with custom DNS
# Based on
AWSTemplateFormatVersion: 2010-09-09


  # Name of the Hosted Zone under which to create DNS record
  # Note: the full HZ name ends with a dot ('.') such as ''
    Type: String

  # Desired Fully Qualified Domain Name (FQDN) for our website
    Type: String


  # Bucket holding static content
  # Bucket name must match desired domain name
    Type: AWS::S3::Bucket
      BucketName: !Ref WebsiteFQDN
      AccessControl: PublicRead
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain

  # Allow world to read bucket objects (i.e grant public access)
    Type: AWS::S3::BucketPolicy
      Bucket: !Ref S3Bucket
        Id: PublicAccessPolicy
        Version: 2012-10-17
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join 
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket
                - /*

  # DNS record pointing to bucket
  # Record name using name of S3 bucket (they must match)
    Type: AWS::Route53::RecordSetGroup
      HostedZoneName: !Ref HostedZoneName
      - Name: !Ref S3Bucket
        Type: CNAME
        TTL: 900
        # Record like
        # We'll use current stack's AWS region to point to S3 bucket website endpoint
        # See
        -  !Join [ '', [ !Ref S3Bucket, '.s3-website.', !Ref "AWS::Region", ''] ]

Run command:

# Deploy our stack using given Hosted Zone and domain name
aws cloudformation deploy \
  --template-file cloudformation.yml \
  --stack-name minimalist-s3-website \
  --parameter-overrides \
    HostedZoneName='' \

Once created, simply copy your website content with:

# Synchronize website content to bucket
# The bucket name matches exactly our FQDN
# /!\ --delete flag will ensure Bucket content matches EXACTLY local website-content/ folder and delete anything else
# For non-destructive action, you can use `aws s3 cp` or remove --delete flag
aws s3 sync --delete /path/to/website-content/ s3://

That's it! Our website should be available at

Minimal AWS IAM policy

Minimalist CloudFormation is nice and all, but how about a minimalist IAM policy which only grant enough permissions to manage our stack and website content? Thus respecting Principle of Least Privileges (also known as Principle of Minimal Privileges).

The below policy only allow:

  • Management of S3 bucket for our website (and content within)
  • Management of records on our Route 53 Hosted Zone
  • Management of CloudFormation stacks named like minimalist-s3-website
    "Version": "2012-10-17",
    "Statement": [
            "Sid": "S3List",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Sid": "S3",
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Sid": "Route53Records",
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Sid": "CloudFormation",
            "Effect": "Allow",
            "Action": [
            "Resource": [

This policy is an example, you may restrict it further by specifying AWS account ID and region, using wildcard on resource names to manage multiple environments, etc. - but it works with the above example without having to set FullAccess rights on a bunch of services.


You can delete all resources by using:

# Delete CloudFormation stack
# S3 bucket won't be deleted - AWS won't allow it if bucket is not empty
# Bucket must be destroyed manually afterward (or emptied before deletion)
aws cloudformation delete-stack --stack-name minimalist-s3-website

# Force bucket deletion afterward
aws s3 rb --force s3://

Full example on Github

You can checkout the full example on GitHub

Hi there! You went this far, maybe you'll want to subscribe?

Get mail notification when new posts are published. No spam, no ads, I promise.

Leave a Reply

Your email address will not be published. Required fields are marked *