Building a Serverless Portfolio with AWS S3, CloudFront, and Hugo

Welcome to my portfolio! Today, I want to walk you through the architecture and deployment process of the very website you are currently browsing.

As a platform engineer, having a professional space to showcase projects is critical. However, I wanted to avoid the overhead of managing servers, databases, or clunky CMS platforms like WordPress. The goal was simple: High performance, zero maintenance, strict security, and practically zero cost.

The solution? A purely static architecture powered by AWS and Hugo.

The Architecture Stack

Here is a high-level overview of the technologies powering this platform:

1. Hugo (Static Site Generator): Compiles Markdown content into blazing-fast static HTML, CSS, and JavaScript.
2. Amazon S3: Provides highly durable object storage for the compiled static assets.
3. Amazon CloudFront: A global Content Delivery Network (CDN) that caches the site close to users and provides HTTPS.
4. AWS Certificate Manager (ACM): Provisioning and automated renewal of free SSL/TLS certificates.
5. Amazon Route 53: Manages DNS routing for the custom domain.
6. Terraform: Infrastructure as Code (IaC) used to provision and manage all AWS resources deterministically.

Step 1: Infrastructure as Code (IaC) with Terraform

Rather than manually clicking through the AWS Console, the entire infrastructure is codified using Terraform. This ensures the environment is reproducible, easily modifiable, and version-controlled.

A key security feature of this setup is how the S3 bucket is configured. We intentionally bypassed the legacy “S3 Static Website Hosting” feature. Instead, the bucket is locked down completely using Block Public Access, and we use CloudFront with Origin Access Control (OAC).

# Restrict all public access to the S3 Bucket
resource "aws_s3_bucket_public_access_block" "portfolio" {
  bucket                  = aws_s3_bucket.portfolio.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

By attaching an OAC policy, we enforce that the S3 bucket will only accept read requests if they originate from our specific CloudFront distribution. This prevents users from bypassing the CDN, protecting against unexpected data egress costs and ensuring all traffic is encrypted via HTTPS.

Step 2: Content Management with Hugo

Writing raw HTML for every new project or blog post isn’t scalable. To solve this, the frontend is built with Hugo.

Hugo allows me to write posts in standard Markdown. It uses a custom-built theme to parse the front matter (metadata like categories, dates, and summaries) and dynamically generate the project grids and layouts.

Creating a new post is as simple as running:

hugo new posts/new-architecture-design.md

Once the Markdown is written, running the hugo command compiles the entire site into a public/ directory in milliseconds.

Step 3: Deployment and Caching

Deployment is handled seamlessly via the AWS CLI. The compiled public/ directory is synchronized directly to the S3 bucket:

aws s3 sync public/ s3://arun-builds.com --delete

Because CloudFront aggressively caches the content at edge locations worldwide (ensuring sub-100ms load times for users), a cache invalidation is triggered immediately after the S3 sync. This clears the edge caches and forces CloudFront to fetch the newly deployed HTML files from S3.

Conclusion

By combining the raw speed of a Static Site Generator with the global scale of AWS CloudFront, this architecture delivers a professional, highly secure, and incredibly cost-effective platform.

Because there are no idle EC2 servers or RDS databases running 24/7, you only pay for exactly what you use. Thanks to the AWS Free Tier for CloudFront and the negligible cost of S3 storage, the entire AWS bill for this setup typically rounds down to about $0.50 per month (primarily for the Route 53 Hosted Zone).

Stay tuned for more deep dives into cloud architecture, DevOps, and platform engineering!