Your internal docs are wide open. That Docusaurus site you deployed to S3? The one with your API specs, runbooks, onboarding guides? Anyone with the URL can read it.

S3 + CloudFront gives you HTTPS, caching, and global distribution out of the box. What it doesn't give you is a login page.

Most teams solve this by moving docs to a platform (Notion, Confluence, whatever) and giving up control. Or they shove everything behind a VPN and call it a day. Both options work. Both have trade-offs that get annoying fast.

I wanted a third option: keep the static site exactly as it is (Docusaurus in my case, but anything works), keep it on S3 + CloudFront (cheap, fast, zero maintenance), and add a real authentication layer in front of it without touching the site's code or build pipeline.

The result is docusaurus-cognito-auth, a fully serverless auth layer built with Lambda@Edge and AWS Cognito. This article is a walkthrough of the architecture, the decisions behind it, and the things that bit me along the way.…