diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md index 8df63a5..517d97e 100644 --- a/lab-3/LAB-REPORT.md +++ b/lab-3/LAB-REPORT.md @@ -10,7 +10,7 @@ - [x] Create & Connect to a Git*** repository - [x] https://git.dropbear-minnow.ts.net/ - [x] Modify and make a second commit -![image of terminal](./assets/prep-console.png) + ![image of terminal](./assets/prep-console.png) - [x] Test to see if gitea actions works - [x] Have an existing s3 bucket 
@@ -27,10 +27,56 @@ ![permissions](./assets/permissions.jpg) - [x] Attach the Role to your EC2 Instance - [x] Verify is3 access from the EC2 Instance + * HTTPS outbound was not set up + * I did not check outbound rules (even when the lab explicitly called this out) + because it mentioned lab 2, so my assumption was that it had already been set up + (it was not). When connection to s3 failed I double checked lab 3 instructions ![screenshot of listing s3 contents](./assets/s3-access-screenshot.jpg) ### Stretch - [ ] Create a bucket policy that blocks all public access but allows your IAM role +- [ ] **Experiment** with requiring MFA or VPC conditions. + - [ ] MFA conditions + * MFA did not work out of the box after setting it in the s3 bucket policy. + The ways I found you can configure MFA: + * [stackoverflow](https://stackoverflow.com/questions/34795780/how-to-use-mfa-with-aws-cli) + * via cli roles + * configuration via ~/.aws/credentials + * 1Password CLI with AWS Plugin + * I use bitwarden, which also has an AWS Plugin + * This is probably what I will gravitate towards for a more + long-term setup, because having all of these credentials + floating around in various areas on my computer/virtualbox + envs gets confusing. Not a fan. + * I've seen a lot more recommendations (TBH it's more like 2 vs 0) + for 1password for password credential setup. Wonder why? + * other apps that handle this + * I did not look into this because I didn't want to install + yet another specialized CLI that I didn't understand + - [ ] VPC +- [ ] **Host a static site** + - [ ] Enable a static website hosting (`index.html`) + - [ ] Configure route 53 alias or CNAME for `resume.` to the bucket endpoint. + - [ ] Deploy CloudFront with ACM certificate for HTTPS + #### Private "Innvite-Only" Resume Hosting + 1. **Pre-signed URLs** + `aws s3 presign s3:///resume.pdf --expires-in 3600` + 2. 
**IAM-only access** + - [ ] Store under `private/` + - [ ] Write a bucket policy allowing only the role `EC2-S3-Access-Role-daphodell` to `GetObject` + 3. **Restrict to IP address** + - [ ] copy pasta json into bucket policy + +## Further Reading +- [ ] +- [ ] +- [ ] + +## Reflection +* What I built +* Challenges +* Security concerns + On scale and security at scale ## Terms ### Identity Access Management @@ -43,9 +89,14 @@ graph LR classDef aside fill:#fffbe6,stroke:#bbb,stroke-dasharray: 5 5,stroke-width:2px; ``` +## Problems encountered + + more carefully. Note to self: always double check. + ## End lab -- [ ] Clean up - - [ ] Custom roles - - [ ] Custom policies -- [ ] Stop ec2 Instance -- [ ] Remove s3 bucket \ No newline at end of file +- [ ] On June 20, 2025, do the following: + - [ ] Clean up + - [ ] Custom roles + - [ ] Custom policies + - [ ] Stop ec2 Instance + - [ ] Remove s3 bucket \ No newline at end of file
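Review bot: in the first hunk the only change is one leading space added in front of `![image of terminal](./assets/prep-console.png)`; a single space does not nest the image under the preceding `- [x] Modify and make a second commit` item in Markdown, it just leaves stray indentation. Either keep the line flush left or indent it by the same width the file uses for nested items later on (e.g. `  - [ ] MFA conditions`) so it renders as part of that list item.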
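Review bot: in the second hunk the pre-signed URL command `aws s3 presign s3:///resume.pdf --expires-in 3600` has no bucket name between `s3://` and `/resume.pdf`; if the name was deliberately left out, write an explicit placeholder such as `s3://<bucket>/resume.pdf` so a reader does not copy a broken command. The MFA bullets say it "did not work out of the box" but do not record which credentials were in use; an MFA condition in a bucket policy is only satisfied by temporary credentials obtained through an MFA-backed STS session or assumed role, never by an IAM user's long-term keys or the instance role on its own, which is why the `~/.aws/credentials` and CLI-role options you list are the paths that can work, so note which one was actually tried. Under "Restrict to IP address", `copy pasta json into bucket policy` should at least name what the JSON restricts to (the source CIDR being allowed) so the control can be reviewed later. Minor: `"Innvite-Only"` is a typo for `"Invite-Only"`, and `## Further Reading` currently holds three empty `- [ ]` items; fill them or drop the section until there is content.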
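Review bot: in the third hunk the new `## Problems encountered` section contains only a sentence fragment, ` more carefully. Note to self: always double check.`, which is the tail of `When connection to s3 failed I double checked lab 3 instructions` added in the second hunk under the S3 access check; keep the whole sentence in one place (finish it inline in the S3 bullet, or move the HTTPS-outbound write-up into this section) so neither spot reads as cut off. The dated cleanup list (`On June 20, 2025, do the following:`) works as a reminder, but `Custom roles` and `Custom policies` should name what is to be deleted, e.g. the `EC2-S3-Access-Role-daphodell` role referenced in the bucket-policy item above, so the cleanup is checkable rather than a guess.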