Class X8Website

This construct helps build Well Architected infrastructure for hosting a website in AWS using an S3 bucket.

Infrastructure Diagram

Rest Api Infrastructure

Default Configuration

Validated public certificate for the API domain Cloudfront Distribution

Note: This construct expects a HostedZone present in the same AWS account

Default Alarms

  1. Cloudwatch Total Error Rate Alarm
    • Risk Level: Low
    • Well Architected Pillar: Reliability
  2. Certificate Expiration Alarms
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Operational Excellence

Note that the default alarm uses the WaAlarm construct, which sets up an alarm action to notify the SNS Topic AlarmEventsTopic by default.

Examples

Default Usage

new X8Website(this, "LogicalId", {
    x8DomainName: 'cre8ivelogix.com',
    x8Subdomain: "www",
    x8PathToContent: './site-content'
});

Custom Configuration

new X8Website(this, "LogicalId", {
    x8DomainName: 'cre8ivelogix.com',
    x8Subdomain: "www",
    x8PathToContent: './site-content',
    x8AdditionalDomainNames: ['www2.cre8ivelogix.com']
});

Compliance

It addresses the following compliance requirements:

  1. Blocks public access
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  2. S3 Bucket Logging Enabled
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  3. Bucket versioning enabled in Production Environment
    • Risk Level: Low
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Reliability
  4. Block S3 Bucket Public 'READ' Access
    • Risk Level: Very High
    • Compliance: PCI, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  5. S3 Bucket should have Retain Policy in Production Environment
    • Risk Level: High
    • Compliance: NA
    • Well Architected Pillar: Reliability
  6. Only allow secure transport protocols
    • Risk Level: High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  7. Server side encryption
    • Risk Level: High
    • Compliance: PCI, HIPAA, GDPR, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  8. S3 Bucket Block ACLs
    • Risk Level: Very High
    • Compliance: PCI, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  9. Cloudfront origin should not use insecure protocols
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  10. Cloudfront logging enabled
    • Risk Level: Low
    • Compliance: PCI, HIPAA, GDPR, APRA, NIST4
    • Well Architected Pillar: Operational Excellence
  11. Cloudfront uses enhanced security policy min TLS1.2
    • Risk Level: High
    • Compliance: PCI, HIPAA, MAS, NIST4
    • Well Architected Pillar: Security
  12. Cloudfront uses only secure protocol to communicate with origin
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security
  13. Cloudfront uses only secure protocol to communicate with end users
    • Risk Level: High
    • Compliance: PCI, HIPAA, NIST4
    • Well Architected Pillar: Security
  14. Enable origin access identity for S3 origins
    • Risk Level: Medium
    • Compliance: NA
    • Well Architected Pillar: Security
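
One way to verify a subset of the controls above on a synthesized CloudFormation template, for example in a CI gate. This is an added example, not code from the X8Website package; the function name auditTemplate, the sample template and its logical IDs are assumptions, while the resource types and property names are CloudFormation's own.

```typescript
// Added example (not part of the X8Website package): audit a synthesized
// CloudFormation template against a subset of the controls listed above.
type Checks = { [control: string]: (props: any) => boolean };
type Template = { Resources: { [id: string]: { Type: string; Properties?: any } } };
const WEAK_TLS = ["", "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"];
const dist = (p: any) => p.DistributionConfig || {};
const s3Checks: Checks = {
  "Blocks public access": (p) => {
    const b = p.PublicAccessBlockConfiguration || {};
    return !!(b.BlockPublicAcls && b.BlockPublicPolicy && b.IgnorePublicAcls && b.RestrictPublicBuckets);
  },
  "S3 Bucket Logging Enabled": (p) => !!p.LoggingConfiguration,
  "Server side encryption": (p) =>
    ((p.BucketEncryption || {}).ServerSideEncryptionConfiguration || []).length > 0,
};
const cfChecks: Checks = {
  "Cloudfront logging enabled": (p) => !!dist(p).Logging,
  "Cloudfront uses enhanced security policy min TLS1.2": (p) =>
    WEAK_TLS.indexOf((dist(p).ViewerCertificate || {}).MinimumProtocolVersion || "") === -1,
  "Cloudfront uses only secure protocol to communicate with end users": (p) =>
    ["redirect-to-https", "https-only"]
      .indexOf((dist(p).DefaultCacheBehavior || {}).ViewerProtocolPolicy) !== -1,
};

// Returns one "<logicalId>: <control>" string per failed control.
function auditTemplate(t: Template): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id];
    const checks: Checks = r.Type === "AWS::S3::Bucket" ? s3Checks
      : r.Type === "AWS::CloudFront::Distribution" ? cfChecks : {};
    for (const control of Object.keys(checks)) {
      if (!checks[control](r.Properties || {})) findings.push(id + ": " + control);
    }
  }
  return findings;
}
// Constructed sample: a compliant bucket and a distribution with two weak settings.
const sampleTemplate: Template = { Resources: {
  SiteBucket: { Type: "AWS::S3::Bucket", Properties: {
    PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true,
      IgnorePublicAcls: true, RestrictPublicBuckets: true },
    LoggingConfiguration: { LogFilePrefix: "site/" },
    BucketEncryption: { ServerSideEncryptionConfiguration: [
      { ServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" } }] } } },
  SiteCdn: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
    Logging: { Bucket: "logs.example.invalid" }, ViewerCertificate: { MinimumProtocolVersion: "TLSv1" },
    DefaultCacheBehavior: { ViewerProtocolPolicy: "allow-all" } } } },
} };
```

A missing property counts as a failure, so a bucket or distribution declared with no properties is reported against every control that applies to its type.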

Hierarchy

  • Construct
    • X8Website

Constructors

Properties

cdn: WaDistribution

CloudFront distribution used in this construct

cloudfrontOAI: OriginAccessIdentity

Origin Access Identity

websiteBucket: WaBucket

Bucket hosting website content

Methods
