Add a Custom Domain or Upgrade to CloudFront/Amplify
Choose between S3-only, CloudFront, or Amplify for custom domains and HTTPS — and understand the tradeoffs.
Core services are free, but some optional features may incur small costs.
AWS Services Used
Route 53 hosted zone costs $0.50/month and domain registration is paid ($10-15/year). Both are optional — you can skip the custom domain.
The main decision
You now have three realistic paths:
| Path | HTTPS | Public bucket/content | Best for |
|---|---|---|---|
| S3 website endpoint + custom domain | No | Yes | Fast learning demo |
| CloudFront + S3 + custom domain | Yes | Can be private with OAC | Best AWS-native upgrade |
| Amplify Hosting + custom domain | Yes | Managed for you | Easiest production path |
Recommended rule
- Choose S3 website endpoint + custom domain only if you want a simple demo and you are okay with HTTP only
- Choose CloudFront + S3 if you want to learn the real AWS path for HTTPS, CDN, certificates, and DNS
- Choose Amplify Hosting if you want the easiest route to a secure public site with less manual setup
Path A: Add a custom domain directly to the S3 website endpoint
This is the simplest custom-domain path, but it is not HTTPS.
You can point a DNS CNAME to the S3 website endpoint, and the bucket name should match the custom domain you want to serve. For example, a bucket named www.example.com can be pointed to its S3 website endpoint with a DNS record.
What you do
- Own a domain, ideally in Route 53
- Create a bucket whose name matches the hostname you want to use, such as
www.example.com - Enable static website hosting on that bucket
- Add the public-read bucket policy needed for S3 website hosting
- Point DNS to the S3 website endpoint
Warning
S3 does not support HTTPS for the website endpoint. If you need HTTPS, use CloudFront or Amplify instead.
Path B: Upgrade to CloudFront with a custom domain
This is the better AWS-native upgrade if you want to learn how secure static hosting is typically done.
What you do
- Create a CloudFront distribution in front of your S3 content
- Add your custom domain as an alternate domain name
- Attach an ACM certificate from
us-east-1 - Point Route 53 to the CloudFront distribution with an Alias record
- Set the default root object to
index.htmlif you want root requests to load the home page
Important nuance: website endpoint vs regular S3 bucket origin
- If CloudFront uses an S3 website endpoint as the origin, that origin is treated as a custom origin, and you cannot use OAC or OAI
- If you want a private S3 bucket behind CloudFront, use a regular S3 bucket origin, not the website endpoint, and secure it with Origin Access Control (OAC)
Note
AWS recommends OAC over OAI. If you use the regular S3 bucket origin with OAC, your bucket does not need to be publicly readable.
Why this path is strong
CloudFront adds HTTPS, caching at edge locations, and custom-domain support. This is the standard AWS architecture for production static sites.
Path C: Upgrade to Amplify Hosting
This is the easiest secure path.
Amplify Hosting lets you connect a deployed app to a custom domain, supports domains registered in Route 53 or with third-party DNS providers, and lets you use either an Amplify-managed certificate or your own custom certificate.
What you do
- Deploy the app to Amplify Hosting
- Open Hosting > Custom domains
- Choose Add domain
- Enter your root domain
- Use the default Amplify-managed certificate or choose a custom ACM certificate
- Let Amplify guide the DNS setup
Note
DNS propagation and certificate issuance can take up to 24 hours.
Why this path is strong
Amplify is easier because it handles more of the hosting and certificate workflow for you, while still giving you a custom HTTPS URL.
Best choice
- Learning raw AWS architecture → CloudFront + S3
- Ship something secure quickly → Amplify Hosting
- See a custom domain work once → S3 website endpoint (HTTP only)
Mini activity
| Prompt | Your answer |
|---|---|
| Which path would you choose: S3-only, CloudFront, or Amplify? | |
| Why is that path the best fit for your site right now? | |
| Do you need HTTPS for your project? |
Summary
S3 website endpoints can use a custom domain, but they do not support HTTPS, so they are best treated as a simple learning setup. CloudFront is the AWS-native upgrade for HTTPS, custom domains, and CDN delivery, but it requires certificate and DNS work. Amplify Hosting is the easiest managed route to a custom HTTPS domain.
The most important concept in this lesson is that custom domain and secure hosting are related but not identical. You can add a custom domain directly to an S3 website endpoint, but secure production-style hosting usually means putting CloudFront or Amplify in front.