diff --git a/terraform/modules/cloudfront/main.tf b/terraform/modules/cloudfront/main.tf
index 42119a4..32d30a8 100644
--- a/terraform/modules/cloudfront/main.tf
+++ b/terraform/modules/cloudfront/main.tf
@@ -18,6 +18,14 @@ resource "aws_cloudfront_distribution" "this" {
 origin_id = lookup(origin.value, "origin_id", origin.key)
 origin_path = lookup(origin.value, "origin_path", "")
+ dynamic "s3_origin_config" {
+ for_each = length(keys(lookup(origin.value, "s3_origin_config", {}))) == 0 ? [] : [lookup(origin.value, "s3_origin_config", {})]
+
+ content {
+ origin_access_identity = s3_origin_config.value.origin_access_identity
+ }
+ }
+
 dynamic "custom_origin_config" {
 for_each = length(lookup(origin.value, "custom_origin_config", "")) == 0 ? [] : [lookup(origin.value, "custom_origin_config", "")]
diff --git a/terraform/modules/route53/main.tf b/terraform/modules/route53/main.tf
index cc84af2..1f57964 100644
--- a/terraform/modules/route53/main.tf
+++ b/terraform/modules/route53/main.tf
@@ -13,6 +13,8 @@ resource "aws_route53_record" "this" {
 zone_id = data.aws_route53_zone.this.zone_id
 name = each.value.name
 type = each.value.type
+ ttl = lookup(each.value, "ttl", null)
+ records = try(each.value.records, null)
 dynamic "alias" {
 for_each = length(keys(lookup(each.value, "alias", {}))) == 0 ? [] : [true]
diff --git a/terraform/modules/s3/datasources.tf b/terraform/modules/s3/datasources.tf
index cb435fa..a685a0f 100644
--- a/terraform/modules/s3/datasources.tf
+++ b/terraform/modules/s3/datasources.tf
@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "this" {
 actions = ["s3:GetObject"]
 principals {
 type = "AWS"
- identifiers = ["*"]
+ identifiers = [aws_cloudfront_origin_access_identity.this.iam_arn]
 }
 resources = ["${aws_s3_bucket.this.arn}/*"]
 }
diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/main.tf
index 41f9b6f..ea05d35 100644
--- a/terraform/modules/s3/main.tf
+++ b/terraform/modules/s3/main.tf
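Review bot: Nothing in the new `dynamic "s3_origin_config"` block prevents an origin entry from carrying both `s3_origin_config` and `custom_origin_config`, and as far as I recall the AWS provider treats the two as mutually exclusive, so a caller who adds the new key without removing the old one only learns of it at apply time; a `validation` rule on the origin variable, or a `precondition` checking that at most one of the two keys is present, would surface it at plan. The default chosen for the new lookup (`{}` tested with `keys()`) also differs from the `""` default the neighbouring `custom_origin_config` block tests with `length()`; using one form for both makes the module easier to read. The enclosing `dynamic "origin"` block starts before this hunk.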
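Review bot: The two added attributes read the same kind of optional field with two different idioms, `lookup(each.value, "ttl", null)` and `try(each.value.records, null)`; pick one, e.g. `ttl = try(each.value.ttl, null)`, so the next optional field follows a single pattern. Both evaluate to null for alias records, which is what the provider requires because `alias` conflicts with `ttl` and `records`; a one-line comment above them, `# ttl/records are only valid for non-alias records; alias records leave both null`, would record that. The `aws_route53_record` resource continues outside the hunk.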
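Review bot: Replacing `"*"` with the OAI's IAM ARN removes the anonymous read grant, which is the substantive fix here, but the reference assumes `aws_cloudfront_origin_access_identity.this` exists in every instance of the module; if that resource is later gated with `count`, this line needs `[0]` and a matching condition. A comment above the statement, `# Only CloudFront (through the OAI) may read objects; direct public reads are refused`, would record the intent for the next maintainer. Note that OAI is the legacy mechanism; CloudFront origin access control (`aws_cloudfront_origin_access_control`, with a `Service` principal scoped to the distribution ARN) is the current AWS recommendation and is worth a follow-up. The data block starts before this hunk.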
@@ -75,3 +75,22 @@ resource "aws_s3_object" "index" {
 content_type = "text/html"
 storage_class = "STANDARD"
 }
+
+resource "aws_s3_bucket_public_access_block" "this" {
+ count = var.type == 1 ? 1 : 0
+
+ bucket = aws_s3_bucket_policy.this[0].id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_cloudfront_origin_access_identity" "this" {
+ comment = "bsmsapp_s3"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
diff --git a/terraform/modules/s3/outputs.tf b/terraform/modules/s3/outputs.tf
index f497144..c5211ff 100644
--- a/terraform/modules/s3/outputs.tf
+++ b/terraform/modules/s3/outputs.tf
@@ -16,3 +16,13 @@ output "website_endpoint" {
 description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string."
 value = var.type == 1 ? aws_s3_bucket_website_configuration.this[0].website_endpoint : ""
 }
+
+output "domain_name" {
+ description = "The bucket region-specific domain name."
+ value = aws_s3_bucket.this.bucket_regional_domain_name
+}
+
+output "cloudfront_access_identity" {
+ description = "The cloudfront OAI access identity path."
+ value = aws_cloudfront_origin_access_identity.this.cloudfront_access_identity_path
+}
diff --git a/terraform/organization/cloudfront.tf b/terraform/organization/cloudfront.tf
index 8b1a357..d74d07e 100644
--- a/terraform/organization/cloudfront.tf
+++ b/terraform/organization/cloudfront.tf
@@ -14,10 +14,12 @@ module "cloudfront" {
 enabled = true
 web_acl_id = module.waf.web_acl_arn
 aliases = [
- local.domain
+ local.domain,
+ "www.${local.domain}"
 ]
 acm_certificate_arn = module.acm.certificate_arn
+ default_root_object = "index.html"
 origin = {
 api-gateway = {
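Review bot: The public access block is created only when `var.type == 1`, so any other bucket this module manages (the `logs` bucket is declared with `type = 2` in locals.tf) gets no block at all; dropping the `count`, setting `bucket = aws_s3_bucket.this.id` and adding `depends_on = [aws_s3_bucket_policy.this]` would protect every bucket while keeping the policy-before-block ordering that the current `aws_s3_bucket_policy.this[0].id` reference appears to be there for. The OAI, by contrast, is unconditional and carries the fixed comment `"bsmsapp_s3"`, so every module instance — apparently including the logs bucket — creates an identity with an identical label; either gate it on the same condition (and index the references in datasources.tf and outputs.tf with `[0]`) or derive the comment from the bucket name so the identities can be told apart in the console. `create_before_destroy` on the OAI is appropriate given that both the bucket policy and the distribution reference it.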
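Review bot: CloudFront accepts `"www.${local.domain}"` in `aliases` only if the certificate behind `module.acm.certificate_arn` covers that name as a SAN or wildcard; the acm module is not in this diff, so please confirm, otherwise the distribution update fails at apply. `default_root_object = "index.html"` only applies to requests for `/`; since the S3 origin is switched to the bucket's REST endpoint in the next hunk, S3 website behaviour such as index documents in sub-paths and the redirect rules still declared in locals.tf no longer takes effect, and anything that relied on it needs another mechanism. The module block starts before and ends after this hunk.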
@@ -32,13 +34,10 @@ module "cloudfront" {
 }
 }
 s3 = {
- domain_name = module.s3["website"].website_endpoint
+ domain_name = module.s3["website"].domain_name
- custom_origin_config = {
- http_port = 80
- https_port = 443
- origin_protocol_policy = "http-only"
- origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+ s3_origin_config = {
+ origin_access_identity = module.s3["website"].cloudfront_access_identity
 }
 }
 }
diff --git a/terraform/organization/locals.tf b/terraform/organization/locals.tf
index ca59e04..169b75b 100644
--- a/terraform/organization/locals.tf
+++ b/terraform/organization/locals.tf
@@ -6,7 +6,7 @@ locals {
 website = {
 type = 1
 bucket_name = local.bucket_name
- bucket_acl = "public-read"
+ bucket_acl = "private"
 path = "../resources"
 website = {
@@ -26,19 +26,6 @@ locals {
 }
 }
- www-website = {
- type = 1
- website = {
- redirect_all_requests_to = {
- host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com"
- protocol = "http"
- }
- }
-
- bucket_name = "www.${local.bucket_name}"
- bucket_acl = "public-read"
- }
-
 logs = {
 type = 2
 bucket_name = "${local.bucket_name}-logs"
diff --git a/terraform/organization/route53.tf b/terraform/organization/route53.tf
index 385cca1..4f8b377 100644
--- a/terraform/organization/route53.tf
+++ b/terraform/organization/route53.tf
@@ -12,13 +12,20 @@ module "route53" {
 zone_name = local.domain
 records = {
- record = {
+ root = {
 name = local.domain
 type = "A"
 alias = {
 name = module.cloudfront.distribution_domain_name
 zone_id = module.cloudfront.distribution_hosted_zone_id
 }
+ },
+ www = {
+ name = "www.${local.domain}"
+ type = "A"
+ alias = {
+ name = local.domain
+ }
 }
 }
 }
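Review bot: With the origin now pointed at `bucket_regional_domain_name` and served through `s3_origin_config`, the `aws_s3_bucket_website_configuration` resource and the `website = {` settings kept in locals.tf no longer take part in serving traffic, because S3 website routing only exists on the website endpoint; either remove them in a follow-up or add a comment in locals.tf stating they are retained solely for the `website_endpoint` output. Dropping the `http-only` protocol policy together with the `TLSv1` and `TLSv1.1` entries is a clear improvement, and the S3 origin config has no protocol or TLS-version settings left to get wrong. The `s3` origin map is closed by the context lines, but the module block continues outside the hunk.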
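Review bot: The `www` record's alias sets `name = local.domain` but no `zone_id`; an alias to another record in the same hosted zone still needs that zone's id, so unless the route53 module's `dynamic "alias"` content (not in this diff) defaults `zone_id` to `data.aws_route53_zone.this.zone_id`, this record will fail at apply. Because `www.${local.domain}` is also added to the distribution's `aliases`, the plainer mapping is to alias it to the distribution exactly as `root` does, i.e. `name = module.cloudfront.distribution_domain_name` and `zone_id = module.cloudfront.distribution_hosted_zone_id`, which removes the dependency on the apex record. The `records` map is closed inside the hunk, but the module block continues past it.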