Series links:
- Part 1/5 – Introduction
- Part 2/5 – Database Planning
- Part 3/5 – AWS Setup (you are here)
- Part 4/5 – Backend APIs
- Part 5/5 – Frontend
What
A light AWS setup to hold two things: your files (bills) and your data (transactions).
Why
- S3 is reliable and affordable for documents/photos.
- RDS PostgreSQL gives you a managed database without running servers.
How
S3 bucket for web hosting (public read)
- Create a bucket for the static site (e.g., my-expenses-web).
- Make it public-read so the HTML/CSS/JS can be fetched by browsers.
- Optionally put CloudFront in front; with Origin Access Control (OAC) the bucket can stay private while the CDN still serves it publicly.
- Alternative hosts: Netlify, Vercel, or any simple web server.
S3 bucket for documents (private)
- Create a separate bucket for bills/receipts (e.g., my-expenses-docs).
- Block public access. Do not expose this bucket directly.
- Files are only served through the backend (short-lived links or redirects), never by a direct bucket URL.
- Optional: lifecycle rule to move older files to cheaper storage.
PostgreSQL on RDS (or use your own Postgres)
- A small instance is enough to start.
- Create a database and run the two tables from Part 2.
IAM users/roles
- Backend role/user (documents bucket): allow only s3:PutObject, s3:GetObject, s3:DeleteObject, and s3:ListBucket on the docs bucket (preferably scoped to a prefix).
- Deployment user (web bucket): allow s3:PutObject and s3:ListBucket on the web bucket to upload new site files.
- If using CloudFront, also allow cloudfront:CreateInvalidation for your distribution.
- Keep permissions limited to specific ARNs.
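The two bucket sections and the IAM list above describe the same three policy documents: a backend policy scoped to a prefix of the documents bucket, a deployment policy for the web bucket (plus CloudFront invalidation), and a public-read bucket policy that belongs on the web bucket only. Below is an added example, not code from the original post, that writes those documents as Python dicts and runs a small audit over them that flags the mistakes the post warns about (wildcard ARNs, wildcard actions, and an anonymous grant on the private documents bucket). The account id, bucket names, prefix and distribution id are constructed placeholders; the `audit_policy` helper is illustrative and not an AWS API.

```python
"""Least-privilege policy documents for the expenses app, plus an audit helper.

Everything here runs offline: it only builds and inspects JSON policy documents.
Placeholder values below are constructed and must be replaced with your own.
"""
import json

ACCOUNT_ID = "123456789012"        # placeholder
WEB_BUCKET = "my-expenses-web"     # public-read static site bucket (from the post)
DOCS_BUCKET = "my-expenses-docs"   # private bills/receipts bucket (from the post)
DOCS_PREFIX = "bills/"             # constructed prefix the backend is confined to
DISTRIBUTION_ID = "EXAMPLEDISTID"  # placeholder CloudFront distribution id


def backend_docs_policy(bucket=DOCS_BUCKET, prefix=DOCS_PREFIX):
    """IAM policy for the backend role: object CRUD under one prefix only,
    and ListBucket restricted to that prefix with the s3:prefix condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectAccessUnderPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def deploy_web_policy(bucket=WEB_BUCKET, account_id=ACCOUNT_ID,
                      distribution_id=DISTRIBUTION_ID):
    """IAM policy for the deployment user: upload site files, invalidate the CDN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "UploadSite", "Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "ListSite", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "InvalidateCdn", "Effect": "Allow",
             "Action": "cloudfront:CreateInvalidation",
             "Resource": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"},
        ],
    }


def public_read_bucket_policy(bucket):
    """S3 bucket policy granting anonymous GetObject. Correct for the web bucket;
    attaching it to the documents bucket is exactly the exposure the post forbids."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, private_buckets=(DOCS_BUCKET,)):
    """Return a list of findings for Allow statements; an empty list means it passes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"{sid}: wildcard resource")
            for bucket in private_buckets:
                if res.startswith(f"arn:aws:s3:::{bucket}") and stmt.get("Principal") == "*":
                    findings.append(f"{sid}: public grant on private bucket {bucket}")
    return findings


if __name__ == "__main__":
    for name, doc in [("backend", backend_docs_policy()),
                      ("deploy", deploy_web_policy()),
                      ("web-bucket", public_read_bucket_policy(WEB_BUCKET)),
                      ("docs-bucket-WRONG", public_read_bucket_policy(DOCS_BUCKET))]:
        print(name, "->", audit_policy(doc) or "OK")
        print(json.dumps(doc, indent=2))
```

The audit deliberately treats `Resource: "*"` and `service:*` actions as findings even though IAM accepts them, which is the "limited to specific ARNs" rule from the list above turned into a check you can run in CI before attaching a policy. The `s3:prefix` condition on `s3:ListBucket` is what actually confines listing to the prefix; without it the backend could enumerate every key in the bucket even though it can only read objects under `bills/`.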
Networking & HTTPS
- Expose your backend over HTTPS (any domain or IP works).
- If you use a domain, add DNS (Route 53 or any registrar) and a certificate (ACM or your TLS setup).
Thoughts / Caveats
- Keep the documents/images bucket private and access it only via API; the web hosting bucket is public-read (or private behind CloudFront with OAC).
- Watch storage costs if you upload many large images—use lifecycle rules.
- Keep database and bucket in the same region for speed.
- Backups: enable RDS automated backups; consider bucket versioning for safety.