Currently, S3 is set up to act like a web server.
It was designed by my predecessor and nobody can touch the current setup, so I do not know the details,
but in IE, Edge, etc. the Basic authentication prompt occasionally appears (it may or may not come up) for all files (js, img, css, etc.),
and you cannot see the page unless you enter the ID/password in it.
Is there a way to improve it?
The following is the current flow.

s3:
CloudFront: acts as the filter for Basic authentication
Lambda: implements Basic authentication, triggered by access to CloudFront
Route53: subdomain configuration
CloudFormation: batch configuration of the above services with a YAML file

Here is the yaml file.

# '2010-09-09' is the only valid template format version; the value in the
# original post ('2013-03-03') is rejected by CloudFormation.
AWSTemplateFormatVersion: '2010-09-09'
Description: Static contents distribution using S3 and CloudFront with basic authentication by Lambda@Edge

Parameters:
  AuthUser:
    Description: ID for basic authentication
    Type: String
    Default: user
  AuthPass:
    Description: Password for basic authentication
    Type: String
    Default: password
    # Consider NoEcho: true so the password is not displayed in the console or API output.
  CloudFrontAliase:
    Description: CloudFront Alternate Domain Names (CNAMEs)
    Type: String
    Default: .test.com
  SelectLambdaDeployment:
    Description: Select blue/green deployment
    Type: String
    Default: blue

Conditions:
  CloudFrontAliaseEnable: !Not [!Equals [!Ref 'CloudFrontAliase', 'none']]
  LambdaVersionIsBlue: !Equals [!Ref 'SelectLambdaDeployment', 'blue']
  LambdaVersionIsGreen: !Equals [!Ref 'SelectLambdaDeployment', 'green']

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !Sub '${AWS::StackName}.test.com'
      # PublicRead plus a website configuration makes every object readable
      # directly from S3, bypassing the Basic authentication in front of
      # CloudFront. With the Origin Access Identity below, CloudFront can read
      # from a private bucket, so PublicRead is not needed for this setup.
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
      # Property name reconstructed: the post only shows "Status: Enabled".
      VersioningConfiguration:
        Status: Enabled

  # Logical ID reconstructed (not shown in the post).
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref 'S3Bucket'
      PolicyDocument:
        Statement:
          - Action: s3:GetObject
            Effect: Allow
            Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
            Principal:
              AWS: !Sub 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}'

  S3BucketCloudFrontLog:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: !Sub 'cloudfrontlog-${AWS::StackName}.test.com'
      LifecycleConfiguration:
        Rules:
          - Id: AutoDelete
            Status: Enabled
            ExpirationInDays: 15

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt 'S3Bucket.DomainName'
            S3OriginConfig:
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}'
        Enabled: true
        DefaultRootObject: index.html
        Comment: !Sub '${AWS::StackName} distribution'
        Logging:
          IncludeCookies: 'false'
          Bucket: !GetAtt 'S3BucketCloudFrontLog.DomainName'
          Prefix: !Sub '${AWS::StackName}/${SelectLambdaDeployment}'
        Aliases:
          - !If
            - CloudFrontAliaseEnable
            - !Ref 'CloudFrontAliase'
            - !Ref 'AWS::NoValue'
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
          # allow-all lets the browser send the Basic credentials over plain
          # HTTP; redirect-to-https keeps them on TLS.
          ViewerProtocolPolicy: allow-all
          DefaultTTL: '0'
          MaxTTL: '0'
          MinTTL: '0'
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: !If
                - LambdaVersionIsBlue
                - !Ref 'LambdaFunctionVersionBlue'
                - !Ref 'LambdaFunctionVersionGreen'
        CacheBehaviors:
          - TargetOriginId: S3Origin
            ForwardedValues:
              QueryString: false
            PathPattern: '/favicon.ico'
            ViewerProtocolPolicy: allow-all
            DefaultTTL: '86400'
            MaxTTL: '86400'
            MinTTL: '86400'

  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: !Ref 'AWS::StackName'

  # Logical ID reconstructed (not shown in the post).
  Route53RecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      # Route53 requires the trailing dot on HostedZoneName.
      HostedZoneName: test.com.
      Name: !Sub '${AWS::StackName}.test.com.'
      Type: A
      AliasTarget:
        # Fixed hosted zone ID used for all CloudFront distributions.
        HostedZoneId: Z2FDTNDATAQYW2
        DNSName: !GetAtt 'CloudFrontDistribution.DomainName'

  # Logical ID reconstructed (not shown in the post).
  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/lambda/${LambdaFunction}'
      RetentionInDays: 7

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # Principal reconstructed (missing from the post): Lambda@Edge
            # requires both services to be able to assume the role.
            Principal:
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /service-role/
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*

  # Lambda@Edge functions must be created in us-east-1.
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt 'LambdaRole.Arn'
      Code:
        ZipFile: !Sub |
          'use strict';
          exports.handler = (event, context, callback) => {
            // Get request and request headers
            const request = event.Records[0].cf.request;
            const headers = request.headers;

            // Configure authentication (substituted by CloudFormation)
            const authUser = '${AuthUser}';
            const authPass = '${AuthPass}';

            // Construct the Basic Auth string; the space after "Basic" is required
            const authString = 'Basic ' + new Buffer(authUser + ':' + authPass).toString('base64');

            // Require Basic authentication
            if (typeof headers.authorization == 'undefined' || headers.authorization[0].value != authString) {
              const body = 'Unauthorized';
              const response = {
                status: '401',
                statusDescription: 'Unauthorized',
                body: body,
                headers: {
                  'www-authenticate': [{key: 'WWW-Authenticate', value: 'Basic'}]
                },
              };
              // Debug log (note: this writes the Authorization header, i.e. the
              // presented credentials, to CloudWatch Logs)
              console.log("request:" + JSON.stringify(request));
              callback(null, response);
              return; // do not fall through to the authenticated path
            }

            // Instead of index document processing
            var olduri = request.uri;
            var newuri = olduri.replace(/\/$/, '/index.html');
            if (olduri != newuri) {
              console.log("Old URI:" + olduri);
              console.log("New URI:" + newuri);
            }
            request.uri = newuri;

            // Continue request processing if authentication passed
            callback(null, request);
          };
      Runtime: nodejs6.10
      MemorySize: 128
      Timeout: 1
      Description: Basic authentication with Lambda@Edge
      Tags:
        - Key: CloudformationArn
          Value: !Ref 'AWS::StackId'

  LambdaFunctionVersionBlue:
    Type: AWS::Lambda::Version
    Condition: LambdaVersionIsBlue
    Properties:
      FunctionName: !Ref 'LambdaFunction'

  LambdaFunctionVersionGreen:
    Type: AWS::Lambda::Version
    Condition: LambdaVersionIsGreen
    Properties:
      FunctionName: !Ref 'LambdaFunction'

  IamGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Sub 'iam-group-s3-access-${S3Bucket}'
      Policies:
        - PolicyName: PolicieAllow
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:List*
                  - s3:GetBucketLocation
                Resource:
                  - arn:aws:s3:::*
              - Effect: Allow
                Action:
                  - s3:*
                Resource:
                  - !Sub 'arn:aws:s3:::${S3Bucket}/*'
              - Effect: Deny
                Action:
                  - s3:PutBucket*
                  - s3:PutObjectAcl
                  - s3:PutObjectVersionAcl
                Resource:
                  - arn:aws:s3:::*

  IamUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Sub 'iam-user-s3-access-${S3Bucket}'
      Groups:
        - !Ref 'IamGroup'

# Output names reconstructed (not shown in the post).
Outputs:
  CloudFrontUrl:
    Value: !Sub 'http://${CloudFrontDistribution.DomainName}'
  IamUserName:
    Value: !Ref 'IamUser'