FinOps Center delivers its web application frontend through a secure Amazon S3 + Amazon CloudFront distribution.
This component provisions the frontend hosting layer using a customer-owned custom domain and SSL/TLS certificate, ensuring compliance with AWS security best practices and enterprise DNS requirements.
This step is mandatory and must be completed before any users access FinOps Center.
Overview
This CloudFormation stack deploys:
• A private, encrypted S3 bucket to store the FinOps Center frontend assets
• A CloudFront distribution secured by your custom domain
• An ACM-issued SSL certificate for HTTPS
• Secure access using CloudFront Origin Access Control (OAC)
• SPA routing support for modern web application frameworks
• Centralized tagging for governance and cost allocation
The stack provisions the public entry point to FinOps Center.
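The private bucket and OAC items above come down to one property of the deployed bucket policy: read access is granted only to the CloudFront service principal and is pinned to your distribution's ARN. The following is an added example, not part of the FinOps Center template; the function name `audit_bucket_policy`, the sample policies, and the account, distribution and bucket identifiers are constructed placeholders. It audits a bucket policy document offline for that property.

```python
import json

# Constructed sample policies; the account id, distribution id and bucket
# name are placeholders, not values from the FinOps Center template.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
BUCKET_ARN = "arn:aws:s3:::example-finops-frontend"

OAC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
})
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}],
})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, distribution_arn):
    """Return findings for Allow statements that are not OAC-scoped."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal")
        p = p if isinstance(p, dict) else {"AWS": p}  # normalise the string form
        if "*" in as_list(p.get("AWS", [])):
            findings.append(f"statement {i}: wildcard principal")
            continue
        if "cloudfront.amazonaws.com" in as_list(p.get("Service", [])):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            # IAM condition keys are case-insensitive, so compare lowercased.
            source = {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn")
            if distribution_arn not in as_list(source or []):
                findings.append(f"statement {i}: CloudFront principal not pinned to {distribution_arn}")
    return findings
```

An empty result means every Allow statement is scoped to the expected distribution; a policy fetched with `aws s3api get-bucket-policy` can be passed in the same way.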
Required Prerequisites
Before launching this stack, complete the following:
| Requirement | Description |
| --- | --- |
| Custom domain | A DNS name you control (for example: finops.company.com) |
| ACM Certificate | Must be issued in us-east-1 for your domain |
| Route 53 or external DNS access | Required to create the DNS alias to CloudFront |
| IAM permissions | Permissions to create CloudFront, S3, ACM, and IAM resources |
CloudFormation Parameters
| Parameter | Description |
| --- | --- |
| Custom Domain Name | Public DNS name for FinOps Center (for example finops.company.com) |
| S3 Bucket Name | Globally unique bucket for frontend assets |
| ACM Certificate ARN | ARN of SSL certificate in us-east-1 |
| Default Root Object | Default document (normally index.html) |
| SPA Error Page Path | SPA routing handler (/index.html) |
| CloudFront Price Class | Determines CloudFront edge locations |
| HTTP Version | HTTP protocol version |
| Enable Compression | Enables Brotli/Gzip |
| Minimum TLS Version | Enforces TLS security baseline |
| Enable IPv6 | Enables IPv6 |
| Error Caching TTL | TTL for error response caching |
| Environment | Tagging (dev/stage/prod) |
These parameters map directly to the FinOps Center CloudFormation template.