Jacob Bender
Solutions Architect / Cloud Native Engineer

Hey, I'm Jake - nice to meet you

I am an experienced developer with a focus on AWS architecture and building secure, cost-effective systems.

Check out my blog for writeups on development-related topics, AWS architecture patterns, and lessons from building real things in the cloud.


Projects

Cloud Resume Project - AWS

S3 | Lambda | IAM | DynamoDB | Parameter Store | SNS | CloudWatch | GitHub Actions

This page is my take on the Cloud Resume Challenge, built using AWS best practices with a strong emphasis on security, least-privilege access, and layered architecture.

The static frontend is hosted in an S3 bucket behind a private CloudFront distribution, with access locked down via Origin Access Control (OAC). CloudFront is the sole public entry point, securely fronting an API Gateway backed by two Lambda functions.

To prevent abuse, CloudFront adds a custom header to the requests it forwards to API Gateway, and that value is validated in the Lambda handler against a Parameter Store secret. This setup ensures that only requests originating from the frontend (via CloudFront) are accepted, helping prevent bots and direct API misuse.
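One way to implement the Lambda-side check described above, as an added example and not this project's own code. The header name `x-origin-verify`, the parameter path, the cache lifetime and the response bodies are assumptions; the secret is compared in constant time and the check fails closed when the header or secret is missing.

```python
import hmac
import json
import os
import time

# Assumed names: the page does not state which header or parameter it uses.
HEADER_NAME = "x-origin-verify"
PARAM_NAME = os.environ.get("ORIGIN_SECRET_PARAM", "/resume/origin-verify")
CACHE_TTL = 300  # seconds to reuse the secret across warm invocations

_cache = {"value": None, "expires": 0.0}


def fetch_secret_from_ssm():
    """Read the SecureString from Parameter Store (role needs ssm:GetParameter)."""
    import boto3  # imported lazily so the module loads without the AWS SDK
    ssm = boto3.client("ssm")
    resp = ssm.get_parameter(Name=PARAM_NAME, WithDecryption=True)
    return resp["Parameter"]["Value"]


def get_secret(fetch=fetch_secret_from_ssm, now=time.time):
    """Return the cached secret, refetching once the TTL has elapsed."""
    if _cache["value"] is None or now() >= _cache["expires"]:
        _cache["value"] = fetch()
        _cache["expires"] = now() + CACHE_TTL
    return _cache["value"]


def is_from_cloudfront(event, secret):
    # Header names are case-insensitive, so normalise before the lookup.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    supplied = headers.get(HEADER_NAME)
    if not supplied or not secret:
        return False  # fail closed on a missing header or an empty secret
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(supplied.encode(), secret.encode())


def handler(event, context, fetch=fetch_secret_from_ssm):
    if not is_from_cloudfront(event, get_secret(fetch)):
        return {"statusCode": 403, "body": json.dumps({"message": "Forbidden"})}
    # The real work (for example, recording the wave) would go here.
    return {"statusCode": 200, "body": json.dumps({"message": "ok"})}
```

The short cache lifetime means a rotated secret is picked up by warm Lambda containers within a few minutes without a redeploy.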

I also set two cookies — one when you land on the page (hasVisited) and one when you wave (hasWaved). This helps reduce unnecessary API calls, further limits potential bot abuse, and keeps costs as low as possible.

CI/CD is handled by GitHub Actions using OIDC-based role assumption, which avoids hardcoded credentials entirely. The pipeline syncs updated files to S3 and triggers a CloudFront invalidation on every push to main. Everything deploys automatically using short-lived, signed credentials.

My goal was to build a system that follows AWS best practices all the way through: secure by default, least-privilege access, clean resource separation, and automation-first delivery. I wanted this project to reflect how I’d approach infrastructure for a real production workload, not just a portfolio demo.

The project initially used ClickOps while I explored and validated the architecture. I've since started rebuilding the entire stack using Terraform to ensure long-term reproducibility and auditable infrastructure. This process has helped solidify my real-world experience with IAM, API security, parameter validation, and secure serverless design.