Cloud Resume Challenge: Second Take (This site)

Live site: jlcrc.cloud
GitHub repository: https://github.com/jericholeal/jl-cloud-resume-challenge-2

Frontend & Hosting

• Deployed a multi-page static website (HTML, CSS, JS) hosted on Amazon S3
• Served content via a CloudFront distribution using Origin Access Control (OAC) with public access blocks
• Implemented a session-based visitor counter display on the index page (sessionStorage to limit one increment per session)

Serverless Backend

• Used a python-based AWS Lambda function to increment a count stored in a DynamoDB table on website visits
• Integrated Lambda function with API Gateway (HTTP API) triggered via frontend JavaScript fetch calls
• Used DynamoDB (NoSQL) for persistent storage of visit counts

CI/CD

• Implemented CI/CD pipelines using GitHub Actions with OpenID Connect (OIDC) to assume IAM roles (for frontend and backend deployment)
• Created separate workflows for:
  • Frontend deployment (S3 + CloudFront invalidation)
  • Backend deployment (Terraform automation)
  • Lambda ZIP packaging and upload (S3)
• Practiced least-privilege access control in IAM roles used by GitHub workflows

Security & DNS

• Used ACM (AWS Certificate Manager) to issue SSL/TLS certificates for HTTPS traffic
• Managed domain DNS via Route53 hosted zone with custom domain (jlcrc.cloud)
• Enabled DNSSEC (DNS Security Extensions) with Route53:
  • Created a KMS key for signing
  • Attached a key-signing key (KSK) to the hosted zone
  • Published DS record to parent domain via registrar (NameCheap)

Infrastructure as Code (Terraform)

• Used modular Terraform configurations with separate modules for each AWS service (ACM, API Gateway, CloudFront, DynamoDB, IAM, Lambda, Route53, S3, KMS, OIDC)
• Managed variables with variables.tf, terraform.tfvars, and locals.tf
• Created secure Terraform remote backend (in S3) with state locking (DynamoDB)
• Manually bootstrapped core resources (S3, DynamoDB, OIDC roles), then imported and managed them with Terraform
• Practiced best practices: least-privilege IAM roles, tagging, modular architecture

Access Management & AWS Account Structure

• Logged in via AWS IAM Identity Center (SSO) for CLI access and permission control
• Used AWS Organizations with an Organizational Unit (OU) and account for project isolation
• Assigned scoped roles and policies for project-specific operations

Planned Enhancements

• Monitoring & Alerting
  • Use Amazon CloudWatch alarms (with SNS topics) to track key metrics (Lambda invocations, API Gateway errors, etc.) and to detect anomalous behaviour
• Incident Response Automation
  • Connect CloudWatch alarms to external services like Slack and PagerDuty to receive real-time notifications and alerts for issues and failures
• Security & Policy Validation
  • Use IAM Access Analyzer and IAM Policy Validator tools to tighten IAM roles and policies and narrow down overly broad permissions (Current OIDC role policies are too broad)
• CI/CD Security Gates
  • Integrate IAM policy validation into GitHub Actions workflows to catch insecure configurations to prevent bad policies from being deployed

Back to Cloud Resume Challenge page