AWS Architecture

Static portfolio deployment using CloudFront, Route 53, ACM, and private S3.

The main domain is bryanweizeang.dev. The www subdomain redirects to the main domain, while CloudFront serves the site over HTTPS from a private S3 origin through Origin Access Control.

User (over HTTPS) -> Route 53 DNS -> (alias) -> CloudFront Distribution -> (signed request) -> Origin Access Control -> (S3 REST endpoint) -> Private S3 Website Bucket

Main Domain

Route 53 hosts DNS for bryanweizeang.dev and points the apex domain to CloudFront using an alias record.

WWW Redirect

www.bryanweizeang.dev redirects to bryanweizeang.dev so visitors use one canonical domain.

HTTPS

CloudFront uses an ACM certificate created in us-east-1 because CloudFront is a global service and only accepts ACM certificates from that region.

Private Origin

The main S3 bucket blocks public access and is read only by CloudFront through Origin Access Control.
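A check for the private-origin setup described above, added here as an example and not taken from this deployment: it audits a bucket policy document and reports any Allow statement that is not read-only for the CloudFront service principal and pinned to one distribution. The account ID, distribution ID, bucket name and function names are constructed placeholders.

```python
# Constructed placeholders: account ID, distribution ID and bucket name are not from the page.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
OBJECTS = "arn:aws:s3:::example-portfolio-bucket/*"

def _list(v):
    return v if isinstance(v, list) else [v]

def oac_statement(dist_arn=DIST_ARN):
    """Allow statement in the shape AWS documents for Origin Access Control."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": OBJECTS,
        "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
    }

# Constructed weak policy: the public-read statement a website bucket often starts with.
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": OBJECTS}]}

def audit(policy, dist_arn=DIST_ARN):
    """Return findings; an empty list means every Allow is read-only and pinned to dist_arn."""
    findings = []
    for i, st in enumerate(_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st or "NotAction" in st:
            findings.append(f"statement {i}: NotPrincipal/NotAction on an Allow")
            continue
        principal = st.get("Principal")
        services = _list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"] or len(principal) != 1:
            findings.append(f"statement {i}: principal is not only the CloudFront service")
        actions = {a.lower() for a in _list(st.get("Action", []))}
        if actions != {"s3:getobject"}:
            findings.append(f"statement {i}: grants more than s3:GetObject")
        # Condition key names are case-insensitive, so normalise them before comparing.
        pinned = []
        for op, keys in st.get("Condition", {}).items():
            if op in ("StringEquals", "ArnEquals"):
                pinned += [v for k, vals in keys.items()
                           if k.lower() == "aws:sourcearn" for v in _list(vals)]
        if pinned != [dist_arn]:
            findings.append(f"statement {i}: not pinned to this distribution via AWS:SourceArn")
    return findings
```

Without the AWS:SourceArn condition the statement would trust the CloudFront service as a whole, not this one distribution, which is why the audit treats a missing or mismatched ARN as a finding.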

Serverless Contact Form

The contact page uses a small serverless backend for message storage and delivery.

Contact Form -> (POST JSON) -> API Gateway HTTP API -> (invokes) -> Lambda Function
Lambda Function -> (stores) -> DynamoDB
Lambda Function -> (sends) -> SES + Inbox

API Gateway

Provides the public HTTPS endpoint for form submissions. Its CORS configuration allows browser requests only from the portfolio domains.

Lambda

Validates the form payload, applies basic spam handling, stores the submission, and calls SES without running a dedicated server.

DynamoDB

Stores valid contact submissions with a message ID, timestamp, sender details, message content, source IP, and user agent for backup and review.

Amazon SES

Sends email from the verified portfolio domain to the configured inbox, with the visitor email used as the reply-to address.

IAM Permissions

The Lambda execution role is scoped to write to the contact table and send email from the verified domain to the intended recipient address.

Storage and Logging

Three S3 buckets support the website, redirect, and access logs.

Bucket 1

Main website bucket

Stores HTML, CSS, JavaScript, and static assets for bryanweizeang.dev. Versioning is enabled, and direct public access is blocked.

Bucket 2

Subdomain redirect bucket

Supports redirect behavior from www.bryanweizeang.dev to bryanweizeang.dev.

Bucket 3

Logging bucket

Receives S3 server access logs from the main website bucket and remains separate from website assets.

Lifecycle Rules

Retention policies keep the deployment clean and cost-aware.

Logging Bucket Lifecycle

Current log object versions transition to S3 Standard-IA after 30 days and expire after 90 days.

Main Bucket Version Lifecycle

The 3 newest noncurrent versions are retained, while older noncurrent versions are permanently deleted.

Future Improvements

Practical next steps for a stronger cloud portfolio deployment.

CloudWatch alarms for 4xx/5xx errors
AWS Budgets billing alerts
GitHub Actions deployment to S3
CloudFront invalidation automation
Basic AWS WAF protection
Custom error pages
Better cache-control headers
Infrastructure as Code