Build vs. Buy: S3 + Cognito vs. Managed Gated Publishing

What the DIY stack looks like

The standard AWS-native implementation for authenticated static hosting has four components:

• S3 — stores the HTML, CSS, and JS files
• CloudFront — CDN distribution, handles edge caching
• Cognito — user pool for authentication (Google or Microsoft OAuth)
• Lambda@Edge — runs at the CDN edge to check auth tokens before serving content

Infrastructure cost: $5–20/month depending on traffic volume.

This works. Engineers who know AWS can build it and it functions correctly. The question is what it actually costs.

What it actually costs

Engineering time to build: 1–2 days (16–32 hours)

For a senior engineer familiar with AWS: create the S3 bucket, configure the CloudFront distribution, set up the Cognito user pool, write and deploy the Lambda@Edge function, wire the auth flow together. At $150/hour in fully-loaded cost, that's $2,400–4,800 in engineering time.

For someone less AWS-familiar: add another day. The Lambda@Edge + CloudFront interaction has known gotchas (cache behavior, header propagation, cold start behavior). Budget for the debugging time.

Multi-IdP support is not free

Cognito supports Google or Microsoft separately, but running both on the same user pool with proper domain restriction requires configuring a Cognito Identity Pool on top of the User Pool, or using a custom Lambda trigger for domain validation. Each new identity provider is additional configuration and testing time.

Ongoing maintenance

Certificate renewals. Cognito API updates when Google or Microsoft changes their OAuth flows. Lambda@Edge version updates. CloudFront distribution updates. Access policy changes when your company's IdP configuration changes.

More importantly: this infrastructure belongs to whoever built it. When that engineer leaves or moves to a different team, you have an orphaned authentication system that nobody fully understands and everyone is afraid to change.

No publishing CLI or MCP

You upload files to S3 via the AWS console, the AWS CLI, or custom scripts you write yourself. There's no aws-publish ./report.html command that returns a URL in 15 seconds. Non-technical users (PMs, analysts) have no path to publish at all.

The actual Year 1 cost comparison

The infrastructure cost is low. The engineering cost is not.

When DIY makes sense

You have spare DevOps capacity and the setup + maintenance burden is acceptable within your existing team's workload.

You need deep customization — custom auth flows, network-level access control, device posture checks, or compliance requirements that a SaaS can't satisfy.

You're in a regulated industry with specific cloud provider requirements — must use AWS GovCloud, must not send data outside a specific region, must use your own Cognito tenant for compliance documentation.

Your security team requires on-premise or VPC-deployed solutions and won't approve external SaaS for content hosting.

When managed makes sense

You don't want to maintain infrastructure. The publishing problem isn't your core product. Owning the hosting stack for internal artifacts is overhead, not value.

You need multi-IdP at $49/month. Google Workspace AND Microsoft 365 SSO, without federation configuration, on the same plan.

You want a publishing CLI and MCP. One command. Non-technical users publish from Claude Desktop without a terminal.

You want compliance documentation to be simple. "Display is our vendor — here's their SOC 2" is a better audit answer than "we built this ourselves, here's our CloudTrail export from March."