System Architecture

┌─────────────────────────────────────────────────────────────────────────────┐
│                              User Request                                    │
└─────────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                             Route 53 (DNS)                                   │
│                    Hosted Zone: crofton.cloud                                │
│                    A/AAAA Records → CloudFront                               │
└─────────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                         CloudFront Distribution                              │
│  ┌────────────────────────────────────────────────────────────────────────┐ │
│  │  • TLS 1.2+ enforcement (TLSv1.2_2021 policy)                          │ │
│  │  • Custom SSL certificate via ACM                                       │ │
│  │  • IPv6 enabled                                                         │ │
│  │  • Origin Access Control for S3                                         │ │
│  │  • Access logging to dedicated S3 bucket                                │ │
│  └────────────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
                    │                                   │
                    ▼                                   ▼
┌──────────────────────────────────┐   ┌──────────────────────────────────────┐
│         S3 (Website)             │   │           API Gateway                 │
│  ┌─────────────────────────────┐ │   │  ┌──────────────────────────────────┐│
│  │ • KMS encryption (SSE-KMS)  │ │   │  │ • HTTP API                       ││
│  │ • Versioning enabled        │ │   │  │ • CORS configured                ││
│  │ • Public access blocked     │ │   │  │ • CloudWatch access logging      ││
│  │ • Access logging enabled    │ │   │  └──────────────────────────────────┘│
│  │ • Lifecycle policies        │ │   └──────────────────────────────────────┘
│  └─────────────────────────────┘ │                     │
└──────────────────────────────────┘                     ▼
                                       ┌──────────────────────────────────────┐
                                       │           Lambda Function             │
                                       │  ┌──────────────────────────────────┐│
                                       │  │ • Python 3.12 runtime            ││
                                       │  │ • KMS-encrypted env vars         ││
                                       │  │ • Reserved concurrency limit     ││
                                       │  │ • CloudWatch logs (KMS)          ││
                                       │  └──────────────────────────────────┘│
                                       └──────────────────────────────────────┘
                                                         │
                                                         ▼
                                       ┌──────────────────────────────────────┐
                                       │                SES                    │
                                       │        Email Delivery Service         │
                                       └──────────────────────────────────────┘
            

Infrastructure Components

Static Website Hosting

CloudFormation: cfn-website-framework.yaml

  • S3 bucket with KMS server-side encryption
  • CloudFront distribution with custom SSL
  • Route 53 DNS with apex and www records
  • Dedicated logging buckets for S3 and CloudFront
  • SQS queue for S3 event notifications
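As an added example (not the project's own cfn-website-framework.yaml), the S3 origin locked down the way the bullets describe: public access blocked, SSE-KMS, versioning, logging, and a bucket policy that admits only the CloudFront distribution through Origin Access Control. WebsiteKmsKey, S3LogBucket and WebsiteDistribution are assumed to be other resources in the same template.

```yaml
Resources:
  WebsiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref WebsiteKmsKey   # assumed AWS::KMS::Key in this template
            BucketKeyEnabled: true
      VersioningConfiguration:
        Status: Enabled
      LoggingConfiguration:
        DestinationBucketName: !Ref S3LogBucket   # assumed dedicated logging bucket
        LogFilePrefix: website/

  WebsiteOAC:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: website-oac
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4

  # With public access blocked the bucket is unreadable even by CloudFront;
  # this policy opens it to exactly one distribution, named in AWS:SourceArn.
  WebsiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref WebsiteBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCloudFrontOACReadOnly
            Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${WebsiteBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${WebsiteDistribution}"
```

The distribution's S3 origin references the OAC through OriginAccessControlId: !Ref WebsiteOAC, and because objects are SSE-KMS encrypted the key policy must also grant cloudfront.amazonaws.com kms:Decrypt under the same AWS:SourceArn condition, otherwise every object fetch fails with 403.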

Contact Form Backend

CloudFormation: cfn-contact-form.yaml

  • Lambda function with Python 3.12
  • API Gateway HTTP API with CORS
  • KMS key for env vars and logs
  • SES integration for email delivery
  • Reserved concurrency for cost control

CI/CD Pipeline

GitHub Actions + OIDC

  • OIDC authentication (no stored credentials)
  • Automated linting with cfn-lint and cfn-nag
  • Security scanning with checkov
  • Automatic deployment on main branch
  • CloudFront cache invalidation

Static Site Generator

Python + Jinja2

  • YAML-based content management
  • Jinja2 templating engine
  • Responsive HTML/CSS output
  • Automated generation in CI/CD
  • API Gateway endpoint URL injected into the generated pages at build time

Security Controls

This infrastructure implements security best practices aligned with NIST 800-53 control families.

Access Control (AC)

  • S3 public access blocking
  • CloudFront Origin Access Control
  • IAM roles with least privilege
  • OIDC federation for CI/CD

Audit and Accountability (AU)

  • S3 access logging
  • CloudFront access logs
  • API Gateway access logging
  • CloudWatch Logs for Lambda

System and Communications Protection (SC)

  • TLS 1.2+ enforcement
  • KMS encryption at rest
  • HTTPS-only access
  • Custom security headers
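As an added example (not taken from the project's templates), a CloudFront response headers policy carrying the custom security headers listed above. The connect-src entry is a placeholder for the API Gateway HTTP API hostname that the site generator injects at build time, which is the only cross-origin connection the contact form needs.

```yaml
Resources:
  SecurityHeadersPolicy:
    Type: AWS::CloudFront::ResponseHeadersPolicy
    Properties:
      ResponseHeadersPolicyConfig:
        Name: website-security-headers
        SecurityHeadersConfig:
          StrictTransportSecurity:
            AccessControlMaxAgeSec: 63072000   # two years
            IncludeSubdomains: true
            Preload: true
            Override: true
          ContentTypeOptions:                  # emits X-Content-Type-Options: nosniff
            Override: true
          FrameOptions:
            FrameOption: DENY
            Override: true
          ReferrerPolicy:
            ReferrerPolicy: strict-origin-when-cross-origin
            Override: true
          ContentSecurityPolicy:
            # default-src 'self' blocks inline script; add hashes or a
            # style-src entry if the generated CSS is inlined in the HTML.
            ContentSecurityPolicy: >-
              default-src 'self';
              connect-src 'self' https://API_ID.execute-api.REGION.amazonaws.com;
              img-src 'self' data:;
              object-src 'none';
              frame-ancestors 'none';
              base-uri 'self';
              form-action 'self'
            Override: true
```

The policy takes effect only once the distribution's DefaultCacheBehavior sets ResponseHeadersPolicyId: !Ref SecurityHeadersPolicy; a policy that exists but is not attached adds no headers.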

Configuration Management (CM)

  • Infrastructure as Code
  • Version-controlled templates
  • Pre-commit validation hooks
  • Automated security scanning

Deployment Workflow

  1. Code Push: Developer pushes code to GitHub repository
  2. Lint & Scan: cfn-lint, cfn-nag, pylint, and security scanning
  3. OIDC Auth: GitHub Actions assumes AWS IAM role via OIDC
  4. Deploy: CloudFormation update and S3 sync
  5. Invalidate: CloudFront cache invalidation
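The OIDC trust relationship behind the CI/CD pipeline and steps 3 to 5 above, as an added example rather than the project's own template: the role can only be assumed with a token issued to the main branch of one repository, and its permissions cover just the S3 sync and the cache invalidation. GitHubRepo is an assumed parameter, WebsiteBucket and WebsiteDistribution are assumed resources, and the thumbprint is a placeholder.

```yaml
Parameters:
  GitHubRepo:
    Type: String
    Default: example-org/example-repo   # placeholder: the one owner/repo allowed to deploy

Resources:
  GitHubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - 0000000000000000000000000000000000000000   # placeholder; take the current value from AWS/GitHub docs

  GitHubDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref GitHubOidcProvider
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                # aud pins the token to AWS; sub pins it to this repo's main branch.
                # Without the sub condition any GitHub repository could assume the role.
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubRepo}:ref:refs/heads/main"
      Policies:
        - PolicyName: static-site-deploy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: SyncSiteContent             # step 4: aws s3 sync
                Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:PutObject
                  - s3:DeleteObject
                Resource:
                  - !GetAtt WebsiteBucket.Arn
                  - !Sub "${WebsiteBucket.Arn}/*"
              - Sid: InvalidateCache             # step 5
                Effect: Allow
                Action: cloudfront:CreateInvalidation
                Resource: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${WebsiteDistribution}"
```

On the GitHub side the workflow needs permissions: id-token: write and passes the role ARN to aws-actions/configure-aws-credentials; because the bucket uses SSE-KMS the role also needs kms:GenerateDataKey on the bucket key, and the cloudformation:UpdateStack rights for step 4 should be scoped to the two stack ARNs in the same way.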

Source Code

This project is open source. View the complete infrastructure code and templates on GitHub.
