37 Managed Resources • 10 Services
All infrastructure is defined in Terraform and deployed via GitHub Actions. Last scanned April 2026.
Estimated Monthly Cost
| S3 (storage + requests) | $0.01 |
| CloudFront (CDN + SSL termination) | $1.00 – $3.00 |
| ACM (SSL certificate) | $0.00 |
| Route 53 (3 hosted zones + queries) | $1.50 |
| Lambda (movie API) | $0.00 – $0.10 |
| API Gateway (HTTP API) | $0.00 – $0.05 |
| IAM (role + policies) | $0.00 |
| CloudWatch Logs (14-day retention) | $0.00 |
| S3 (Terraform state bucket) | $0.00 |
| DynamoDB (Terraform state locking) | $0.00 |
| Total | ~$2.50 – $4.65 / month |
Estimates assume low traffic for a personal site. Lambda and API Gateway include AWS Free Tier (1M requests/month). CloudFront costs vary by traffic volume and geographic distribution. Route 53 is the only fixed cost at $0.50/hosted zone/month.
Static Site Bucket
Amazon S3 • Static site storage
~$0.01/mo
| Region | us-east-1 |
| Objects | 6 files • 92.2 KB total |
| Encryption | SSE-S3 (AES-256) |
| Versioning | Disabled |
| Public Access | Blocked (OAC only) |
| Logging | Not configured |
OBJECTS
| index.html | 1.6 KB |
| resume.html | 7.7 KB |
| ai-build.html | 22.7 KB |
| movies.html | 3.1 KB |
| css/style.css | 9.7 KB |
| img/headshot.jpg | 47.5 KB |
CDN Distribution
Amazon CloudFront • CDN + SSL termination
$1–3/mo
| Status | Deployed • Enabled |
| Price Class | PriceClass_All (all edge locations) |
| HTTP Version | HTTP/2 |
| IPv6 | Enabled |
| Compression | Enabled |
| Default Root | index.html |
| Min TLS | TLSv1.2_2021 |
ALIASES (6)
jsherard.net
www.jsherard.net
jsherard.com
www.jsherard.com
jsherard.org
www.jsherard.org
ORIGINS (2)
| S3 | Regional S3 endpoint Access: Origin Access Control (OAC) |
| API Gateway | HTTP API endpoint Access: Direct (HTTPS-only) |
CACHE BEHAVIORS (2)
| Default (*) | S3 origin • GET, HEAD • TTL 0/3600/86400s |
| /api/* | API Gateway origin • GET, HEAD, OPTIONS • TTL 0/300/600s |
SAN Certificate (6 domains)
AWS Certificate Manager • TLS termination
$0.00/mo
| Status | Issued • Auto-renewal eligible |
| Expires | October 17, 2026 |
| Validation | DNS (6 CNAME records in Route 53) |
| Used By | CloudFront distribution |
COVERED DOMAINS (6)
jsherard.net
www.jsherard.net
jsherard.com
www.jsherard.com
jsherard.org
www.jsherard.org
3 Hosted Zones • 21 Records
Amazon Route 53 • DNS management
$1.50/mo
| jsherard.net | Primary hosted zone • 7 records |
| jsherard.com | Alias hosted zone • 7 records |
| jsherard.org | Alias hosted zone • 7 records |
RECORD TYPES PER ZONE
| NS + SOA | Auto-created by AWS (2 records) |
| A (alias) | Apex + www → CloudFront |
| AAAA (alias) | Apex IPv6 → CloudFront |
| CNAME | ACM DNS validation (2 records) |
Registrar: GoDaddy (all 3 domains) • NS records delegated to Route 53
Movie Showtimes Function
AWS Lambda • Movie showtimes API
~$0.00/mo
| Runtime | Python 3.12 |
| Handler | app.handler |
| Architecture | x86_64 |
| Memory | 256 MB |
| Timeout | 30 seconds |
| Code Size | 3.2 MB (zip) |
| Ephemeral Storage | 512 MB |
| Framework | Flask + apig-wsgi |
Scrapes Cinemark Century Boulder showtimes and returns JSON at /api/movies.
Invoked via API Gateway HTTP API. Free tier covers 1M requests and 400,000 GB-seconds/month.
Movie API Endpoint
Amazon API Gateway • HTTP API (v2)
~$0.00/mo
| Protocol | HTTP (v2) |
| Stage | $default (auto-deploy) |
| Integration | AWS_PROXY → Lambda (payload v2.0) |
| Routing | Default route catches all requests |
HTTP APIs cost $1.00 per million requests. Free tier covers first 1M requests/month for 12 months.
Traffic routed through CloudFront at /api/*.
Lambda Execution Role
AWS IAM • Lambda execution role
$0.00/mo
| Type | Service role (lambda.amazonaws.com) |
| Managed Policies | AWSLambdaBasicExecutionRole |
| Inline Policies | None |
| Permissions | CloudWatch Logs: CreateLogGroup, CreateLogStream, PutLogEvents |
Lambda Log Group
Amazon CloudWatch • Lambda logs
$0.00/mo
| Retention | 14 days |
| Stored Data | ~0 bytes (minimal traffic) |
| Ingestion Cost | $0.50/GB (negligible at this scale) |
Terraform State Bucket
Amazon S3 • Terraform remote state
~$0.00/mo
| Region | us-east-1 |
| Versioning | Enabled (state history) |
| Encryption | SSE-S3 (AES-256) |
| Public Access | Fully blocked |
Stores Terraform state remotely instead of in git. Versioning provides state rollback.
Cost is negligible for a single ~70 KB state file.
Terraform Lock Table
Amazon DynamoDB • State locking
$0.00/mo
| Region | us-east-1 |
| Billing Mode | Pay-per-request (on-demand) |
| Partition Key | LockID (String) |
Prevents concurrent Terraform operations from corrupting state.
Pay-per-request billing means zero cost at this usage level.
Terraform State
| Provider | hashicorp/aws v5.100.0 |
| Terraform | >= 1.5 (using 1.14.3) |
| State Backend | S3 + DynamoDB locking |
| Modules | modules/static-site • modules/movie-app |
| Resources | 37 managed |
| Data Sources | 1 (IAM policy document) |
Optimization Opportunities
- SAVE Switch CloudFront from PriceClass_All to PriceClass_100 (US/Canada/Europe). Audience is North America; no need for Asia/Pacific edge locations.
- SAVE Reduce Lambda memory from 256 MB to 128 MB. A lightweight Flask scraper doesn't need the extra headroom.
- SECURITY Disable the API Gateway execute-api endpoint to force all traffic through CloudFront, preventing direct access bypass.
- IMPROVE Enable S3 versioning for rollback capability on site content.
- IMPROVE Enable CloudFront access logging to an S3 bucket for traffic analytics.