diff --git a/.env.example b/.env.example
index db73b71..ab87b55 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,6 @@
 MFA_IDENTIFIER="ARN",
 S3_ROLE="ARN",
 SESSION_TYPE=""
+AWS_DEFAULT_REGION="us-east-2"
 BW_AWS_ACCOUNT_SECRET_ID=""
 BW_SESSION=""
\ No newline at end of file
diff --git a/lab-3/LAB-REPORT.md b/lab-3/LAB-REPORT.md
index c041021..8cb106e 100644
--- a/lab-3/LAB-REPORT.md
+++ b/lab-3/LAB-REPORT.md
@@ -43,7 +43,11 @@
 - [x] Create a bucket policy that blocks all public access but allows your IAM role
 - [ ] Implmented: [guide](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/)
+<<<<<<< HEAD
 ![restrict to role](./assets/restrict-to-role.jpg)
+=======
+![restrict to role](./assets/restrict-to-role.png)
+>>>>>>> 1437cee (Add resume pdf & html)
 - [x] **Experiment** with requiring MFA or VPC conditions.
 - [x] MFA conditions
@@ -98,9 +102,19 @@ aws s3 ls s3://witch-lab-3
 - [x] Configure route 53 alias or CNAME for `resume.` to the bucket endpoint.
 - [x] Deploy CloudFront with ACM certificate for HTTPS
 * see: [resume](https://resume.wizards.cafe)
+<<<<<<< HEAD
 - [ ] **Private "Invite-Only" Resume Hosting**
 1. [ ] **Pre-signed URLs**
 `aws s3 presign s3:///resume.pdf --expires-in 3600`
+=======
+ * Cloudflare Edge Certificate -> Cloudfront -> S3 Bucket
+ * In this step, I disabled "static website hosting" on the s3 bucket
+**Private "Invite-Only" Resume Hosting**
+1. [x] **Pre-signed URLs**
+ `aws s3 presign s3:///resume.pdf --expires-in 3600`
+
+![presigned url](./assets/create-presigned-url.jpg)
+>>>>>>> 1437cee (Add resume pdf & html)
 ### Further Exploration
 1. [ ] Snapshots & AMIs
diff --git a/lab-3/assets/create-presigned-url.jpg b/lab-3/assets/create-presigned-url.jpg
new file mode 100644
index 0000000..cc6bbd2
Binary files /dev/null and b/lab-3/assets/create-presigned-url.jpg differ
diff --git a/lab-3/assets/restrict-to-role.png b/lab-3/assets/restrict-to-role.png
new file mode 100644
index 0000000..4167afe
Binary files /dev/null and b/lab-3/assets/restrict-to-role.png differ
diff --git a/utilities/setup_aws/use-s3.sh b/utilities/setup_aws/use-s3.sh
index 7f481c5..d85885f 100755
--- a/utilities/setup_aws/use-s3.sh
+++ b/utilities/setup_aws/use-s3.sh
@@ -1,6 +1,12 @@
 #!/bin/bash
 MFA_TOKEN=$1
+<<<<<<< HEAD
+=======
+# Capture everything from second argument onward as a command
+shift
+COMMAND=("$@")
+>>>>>>> 1437cee (Add resume pdf & html)
 if [ -z "$1" ]; then
 echo "Error: Run with MFA token!"
@@ -25,5 +31,13 @@ export AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_OUTPUT" | jq '.Credentials.SecretA
 #echo $AWS_SESSION_TOKEN
 #echo $AWS_ACCESS_KEY_ID
 #echo $AWS_SECRET_ACCESS_KEY
+<<<<<<< HEAD
 aws s3 ls s3://witch-lab-3
-echo "finished!"
\ No newline at end of file
+echo "finished!"
+=======
+# aws s3 ls s3://witch-lab-3
+
+if command -v "$COMMAND" >/dev/null 2>&1; then
+ "${COMMAND[@]}"
+fi
+>>>>>>> 1437cee (Add resume pdf & html)
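Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 1437cee (Add resume pdf & html)` are unresolved merge-conflict markers committed as script content, so bash will hit a syntax error at the first marker. The same markers are added in the second hunk of use-s3.sh and in both LAB-REPORT.md hunks; each conflict needs resolving to one side before this lands. Separately, because `shift` now runs before the guard, `[ -z "$1" ]` tests the first word of the wrapped command rather than the MFA token, so a call with a token and no command is rejected while the token itself is never checked. Test the saved value instead, `if [ -z "$MFA_TOKEN" ]; then`, and `shift` only after that check passes. The `if` block continues outside the hunk.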
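Review bot: When the wrapped command is absent or not on PATH, the new `if command -v "$COMMAND"` block falls through silently and the script exits 0, so the caller cannot tell that nothing ran, even though the credentials were already exported above. Add an `else` branch such as `echo "Error: command not found: ${COMMAND[0]}" >&2; exit 1`. Index the array explicitly with `command -v "${COMMAND[0]}"` rather than relying on `$COMMAND` meaning element 0. The wrapped command inherits the exported `AWS_*` session variables, which appears to be the intent; a comment such as `# runs with the temporary role credentials in its environment` would tell users to pass only commands they trust.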