Skip to main content

US-3: React SPA to S3+CloudFront+WAF

As a frontend developer, I want to deploy React SPA to S3+CloudFront with WAF, so that the app is secure (OWASP Core) and fast (CDN-served).

INVEST Score

I	N	V	E	S	T	Avg
8	8	8	8	7	8	7.8

Sprint: 3 | WSJF: 1.6 | Effort: 5 days | Status: Approved (split)

Split

US-3a (Sprint 3, 3d): S3 + CloudFront + OAC - MVP static hosting
US-3b (Sprint 3, 2d): WAFv2 + managed rules - security hardening

Acceptance Criteria

terraform validate passes for web module
Two deployment modes: static_only = true ($1-5/mo), static_only = false ($30-150/mo)
CloudFront OAC (not legacy OAI) for S3 access
WAFv2 with AWSManagedRulesCommonRuleSet
TLS 1.2+ minimum (TLSv1.2_2021)
/api/* routes to ALB, /* routes to S3

GitHub Issues

INVEST Score
Split
Acceptance Criteria
Related ADRs
GitHub Issues