diff --git a/cloudfront.tf b/cloudfront.tf
index 93236a8..7e4948e 100755
--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -1,42 +1,29 @@
-resource "random_string" "header_value" {
-  length           = 20
-  special          = true
-  upper = true
-  lower = true
-  number = true
+resource "aws_cloudfront_origin_access_identity" "website_OAI" {
+  comment = "The OAI used to access our website buckets."
+}
+
+locals {
+  primary_s3_origin = "${var.root_domain_name}"
+  backup_s3_origin = "backup-${var.root_domain_name}"
 }
 
 resource "aws_cloudfront_distribution" "website_distribution" {
   origin {
-    custom_origin_config {
-      http_port              = "80"
-      https_port             = "443"
-      origin_protocol_policy = "http-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
-    }
+    domain_name = aws_s3_bucket.website.bucket_regional_domain_name
+    origin_id   = local.primary_s3_origin
 
-    domain_name = "${aws_s3_bucket_website_configuration.website-bucket-config.website_endpoint}"
-    origin_id   = "${var.root_domain_name}"
-    custom_header {
-          name  = "${var.custom_header}"
-          value = random_string.header_value.result
-        }
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.website_OAI.cloudfront_access_identity_path
+    }
   }
 
   origin {
-    custom_origin_config {
-      http_port              = "80"
-      https_port             = "443"
-      origin_protocol_policy = "http-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
-    }
+    domain_name = aws_s3_bucket.backup-website.bucket_regional_domain_name
+    origin_id   = local.backup_s3_origin
 
-    domain_name = "${aws_s3_bucket_website_configuration.backup-website-bucket-config.website_endpoint}"
-    origin_id   = "backup-${var.root_domain_name}"
-    custom_header {
-          name  = "${var.custom_header}"
-          value = random_string.header_value.result
-        }
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.website_OAI.cloudfront_access_identity_path
+    }
   }
 
     origin_group {
@@ -47,11 +34,12 @@ resource "aws_cloudfront_distribution" "website_distribution" {
     }
 
     member {
-      origin_id = "${var.root_domain_name}"
+      origin_id = local.primary_s3_origin
     }
 
     member {
-      origin_id = "backup-${var.root_domain_name}"
+      origin_id = local.backup_s3_origin
+      
     }
   }
 
@@ -64,9 +52,20 @@ resource "aws_cloudfront_distribution" "website_distribution" {
   tags = {
     Name = "website_distribution"
   }
+  default_root_object = "index.html"
+  custom_error_response {
+    error_code = "404"
+    response_code = "404"
+    response_page_path = "/error.html"
+  }
+  custom_error_response {
+    error_code = "403"
+    response_code = "403"
+    response_page_path = "/error.html"
+  }
 
   default_cache_behavior {
-    viewer_protocol_policy = "redirect-to-https"
+    viewer_protocol_policy = "https-only"
     compress               = true
     allowed_methods        = ["GET", "HEAD"]
     cached_methods         = ["GET", "HEAD"]
diff --git a/custom_header_lambda.zip b/custom_header_lambda.zip
deleted file mode 100755
index 19a844d..0000000
Binary files a/custom_header_lambda.zip and /dev/null differ
diff --git a/custom_header_lambda/rotate_custom_headers.py b/custom_header_lambda/rotate_custom_headers.py
deleted file mode 100755
index ed5d683..0000000
--- a/custom_header_lambda/rotate_custom_headers.py
+++ /dev/null
@@ -1,53 +0,0 @@
-import boto3
-import json
-import random
-import string
-import os
-
-def get_bucket_policy(client, bucket_name):
-	result = client.get_bucket_policy(Bucket=f"{bucket_name}")
-	result = json.loads(result['Policy'])
-	return result
-
-def update_bucket_policy(client, bucket_name, bucket_policy, value):
-	bucket_policy['Statement'][1]['Condition']['StringNotLike'] = {'aws:Referer': f'{value}'}
-	bucket_policy = json.dumps(bucket_policy)
-	client.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
-	print(bucket_policy)
-
-def random_pass():
-	length = 20
-	chars = string.ascii_letters + string.digits + '!@#$%^&*'
-
-	rnd = random.SystemRandom()
-	password = ''.join(rnd.choice(chars) for i in range(length))
-	return password
-
-def get_cloudfront_headers(client, value):
-	distro = client.get_distribution_config(Id=f'{os.environ['cf_dist_id']}')
-	distro['DistributionConfig']['Origins']['Items'][0]['CustomHeaders']['Items'] = [{'HeaderName': 'Referer', 'HeaderValue': f'{value}'}]
-	distro['DistributionConfig']['Origins']['Items'][1]['CustomHeaders']['Items'] = [{'HeaderName': 'Referer', 'HeaderValue': f'{value}'}]
-	return distro['DistributionConfig'], distro['ETag']
-
-
-
-
-
-def lambda_handler(event, context):
-	s3 = boto3.client('s3')
-	bucket = os.environ['primary_bucket']
-	backup_bucket = os.environ['backup_bucket']
-	value = random_pass()
-	policy = get_bucket_policy(s3, bucket)
-	backup_policy = get_bucket_policy(s3, backup_bucket)
-	update_bucket_policy(s3, bucket, policy, value)
-	update_bucket_policy(s3, backup_bucket, backup_policy, value)
-
-	cloudfront = boto3.client('cloudfront')
-	updated_distro = get_cloudfront_headers(cloudfront, value)
-	update_distro_request = updated_distro[0]
-	etag = updated_distro[1]
-    dist_id = cloudfront.list_distributions()
-    dist_id = dist_id['DistributionList']['Items'][0]['Id']
-	print(update_distro_request)
-	cloudfront.update_distribution(DistributionConfig=update_distro_request, Id=dist_id, IfMatch=etag)
\ No newline at end of file
diff --git a/lambda_rotate_header.tf b/lambda_rotate_header.tf
deleted file mode 100755
index 127aced..0000000
--- a/lambda_rotate_header.tf
+++ /dev/null
@@ -1,105 +0,0 @@
-data "archive_file" "custom_header_lambda_zip" {
-    type        = "zip"
-    source_dir  = "./custom_header_lambda"
-    output_path = "custom_header_lambda.zip"
-}
-
-resource "aws_iam_role" "iam_for_custom_header_lambda" {
-  name = "rotate_custom_headers-assume-role-s3-static-website"
-  path          = "/service-role/"
-
-  assume_role_policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-
-POLICY
-}
-
-resource "aws_lambda_function" "rotate_custom_header_lambda" {
-  filename      = "custom_header_lambda.zip"
-  function_name = "rotate_custom_headers-s3-static-website"
-  role          = aws_iam_role.iam_for_custom_header_lambda.arn
-  handler       = "rotate_custom_headers.lambda_handler"
-
-  source_code_hash = "${data.archive_file.custom_header_lambda_zip.output_base64sha256}"
-  environment {
-    variables = {
-      primary_bucket = "${var.root_domain_name}"
-      backup_bucket = "www.${var.root_domain_name}"
-      cf_dist_id = aws_cloudfront_distribution.website_distribution.id
-    }
-  }
-  runtime = "python3.8"
-  timeout = 300
-  tags = {
-    Name = "rotate_custom_headers-s3-static-website"
-  }
-}
-
-resource "aws_iam_policy" "custom_header_lambda_iam_policy" {
-  name = "rotate_custom_headers-LambdaBasicExecutionRole-s3-static-website"
-  path = "/service-role/"
-  policy = <<POLICY
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "VisualEditor0",
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "cloudfront:GetDistributionConfig",
-                "logs:PutLogEvents"
-            ],
-            "Resource": [
-                "arn:aws:cloudfront::${local.account_id}:distribution/${aws_cloudfront_distribution.website_distribution.id}",
-                "arn:aws:logs:us-east-2:${local.account_id}:log-group:/aws/lambda/${aws_lambda_function.rotate_custom_header_lambda.function_name}:*"
-            ]
-        },
-        {
-            "Sid": "VisualEditor1",
-            "Effect": "Allow",
-            "Action": [
-                "s3:PutBucketPolicy",
-                "cloudfront:UpdateDistribution",
-                "logs:CreateLogGroup",
-                "s3:GetBucketPolicy"
-            ],
-            "Resource": [
-                "arn:aws:logs:us-east-2:${local.account_id}:*",
-                "arn:aws:cloudfront::${local.account_id}:distribution/${aws_cloudfront_distribution.website_distribution.id}",
-                "${aws_s3_bucket.website.arn}",
-                "${aws_s3_bucket.backup-website.arn}"
-            ]
-        }
-    ]
-}
-
-POLICY
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_attach" {
-  role       = aws_iam_role.iam_for_custom_header_lambda.name
-  policy_arn = aws_iam_policy.custom_header_lambda_iam_policy.arn
-}
-
-resource "aws_cloudwatch_event_rule" "rotate_custom_headers" {
-  name        = "rotate_custom_header-s3-static-website"
-  schedule_expression = "${var.cron_schedule}"
-
-}
-
-resource "aws_cloudwatch_event_target" "custom_header_lambda_target" {
-  rule      = aws_cloudwatch_event_rule.rotate_custom_headers.name
-  arn       = aws_lambda_function.rotate_custom_header_lambda.arn
-}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
index bc7339b..21143e1 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -8,11 +8,6 @@ output "cloudfront_distribution_domain_name" {
   description = "The domain name of the Cloudfront distribution."
 }
 
-output "lambda_function_name" {
-  value = aws_lambda_function.rotate_custom_header_lambda.function_name
-  description = "The name of the lambda function that rotates the secret string."
-}
-
 output "primary_bucket_arn" {
   value = aws_s3_bucket.website.arn
   description = "The arn of the primary website bucket."
diff --git a/s3.tf b/s3.tf
index eaf2ece..51bcaa6 100755
--- a/s3.tf
+++ b/s3.tf
@@ -6,11 +6,15 @@ resource "aws_s3_bucket" "website" {
   }
 }
 
-resource "aws_s3_bucket_acl" "website_bucket_acl" {
-  bucket = aws_s3_bucket.website.id
-  acl    = "private"
+resource "aws_s3_bucket_public_access_block" "s3Public" {
+bucket = "${aws_s3_bucket.website.id}"
+block_public_acls = true
+block_public_policy = true
+restrict_public_buckets = true
+ignore_public_acls = true
 }
 
+
 resource "aws_s3_bucket_website_configuration" "website-bucket-config" {
   bucket = aws_s3_bucket.website.bucket
 
@@ -58,36 +62,21 @@ resource "aws_s3_bucket_lifecycle_configuration" "website-bucket-lifecycle-rule"
   }
 }
 
-resource "aws_s3_bucket_policy" "website-bucket-policy" {
-  bucket = aws_s3_bucket.website.bucket
-  policy = <<POLICY
-{
-    "Version": "2008-10-17",
-    "Id": "PolicyForCloudFrontPrivateContent",
-    "Statement": [
-        {
-            "Sid": "AllowPublicAccess",
-            "Effect": "Allow",
-            "Principal": "*",
-            "Action": "s3:GetObject",
-            "Resource": "${aws_s3_bucket.website.arn}/*"
-        },
-        {
-            "Sid": "DenyAccessWithoutCustomHeader",
-            "Effect": "Deny",
-            "Principal": "*",
-            "Action": "s3:GetObject",
-            "Resource": "${aws_s3_bucket.website.arn}/*",
-            "Condition": {
-                "StringNotLike": {
-                    "aws:${var.custom_header}": "${random_string.header_value.result}"
-                }
-            }
-        }
-    ]
+data "aws_iam_policy_document" "primary_s3_policy" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.website.arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.website_OAI.iam_arn]
+    }
+  }
 }
 
-POLICY
+resource "aws_s3_bucket_policy" "website-bucket-policy" {
+  bucket = aws_s3_bucket.website.id
+  policy = data.aws_iam_policy_document.primary_s3_policy.json
 }   
 
 ################################################################################################################################################
@@ -104,12 +93,16 @@ resource "aws_s3_bucket" "backup-website" {
   }
 }
 
-resource "aws_s3_bucket_acl" "backup-website_bucket_acl" {
-  bucket = aws_s3_bucket.backup-website.id
-  provider    = aws.backup-website-region
-  acl    = "private"
+resource "aws_s3_bucket_public_access_block" "backup-s3Public" {
+bucket = "${aws_s3_bucket.backup-website.id}"
+provider    = aws.backup-website-region
+block_public_acls = true
+block_public_policy = true
+restrict_public_buckets = true
+ignore_public_acls = true
 }
 
+
 resource "aws_s3_bucket_website_configuration" "backup-website-bucket-config" {
   bucket = aws_s3_bucket.backup-website.bucket
   provider    = aws.backup-website-region
@@ -144,38 +137,23 @@ resource "aws_s3_bucket_lifecycle_configuration" "website-backup-bucket-lifecycl
   }
 }
 
-resource "aws_s3_bucket_policy" "backup-website-bucket-policy" {
-  bucket = aws_s3_bucket.backup-website.bucket
-  provider = aws.backup-website-region
-  policy = <<POLICY
-{
-    "Version": "2008-10-17",
-    "Id": "PolicyForCloudFrontPrivateContent",
-    "Statement": [
-        {
-            "Sid": "AllowPublicAccess",
-            "Effect": "Allow",
-            "Principal": "*",
-            "Action": "s3:GetObject",
-            "Resource": "${aws_s3_bucket.backup-website.arn}/*"
-        },
-        {
-            "Sid": "DenyAccessWithoutCustomHeader",
-            "Effect": "Deny",
-            "Principal": "*",
-            "Action": "s3:GetObject",
-            "Resource": "${aws_s3_bucket.backup-website.arn}/*",
-            "Condition": {
-                "StringNotLike": {
-                    "aws:${var.custom_header}": "${random_string.header_value.result}"
-                }
-            }
-        }
-    ]
+data "aws_iam_policy_document" "backup_s3_policy" {
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["${aws_s3_bucket.backup-website.arn}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.website_OAI.iam_arn]
+    }
+  }
 }
 
-POLICY 
-}  
+resource "aws_s3_bucket_policy" "backup-website-bucket-policy" {
+  bucket = aws_s3_bucket.backup-website.id
+  provider    = aws.backup-website-region
+  policy = data.aws_iam_policy_document.backup_s3_policy.json
+}   
 
 
 resource "aws_iam_role" "replication" {
diff --git a/s3_static_website_arch.png b/s3_static_website_arch.png
index 2de4d52..56d5563 100644
Binary files a/s3_static_website_arch.png and b/s3_static_website_arch.png differ
diff --git a/variables.tf b/variables.tf
index f723801..7e92715 100755
--- a/variables.tf
+++ b/variables.tf
@@ -3,12 +3,6 @@ variable "root_domain_name" {
   description = "The domain name of your website."
 }
 
-variable "custom_header" {
-  type = string
-  default = "Referer"
-  description = "The header value for the secret string passed from Cloudfront to S3."
-}
-
 variable "cron_schedule" {
   type = string
   default = "cron(0 6 1 * ? *)"