Amazon CloudFront Documentation

Amazon CloudFront is a content delivery network (CDN) service that is designed to securely deliver data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

CloudFront offers security capabilities, such as field level encryption and HTTPS support, integrated with AWS Shield, AWS Web Application Firewall and Amazon Route 53 to protect against multiple types of attacks, including network and application layer DDoS attacks. These services co-reside at edge networking locations and are globally scaled and connected via the AWS network backbone.

CloudFront works with AWS origins, such as Amazon S3, Amazon EC2, and Elastic Load Balancing and with custom HTTP origins. You can customize your content delivery through CloudFront using CloudFront Functions and AWS Lambda@Edge.

Network Connectivity and Backbone

Amazon CloudFront peers with Tier 1/2/3 telecom carriers globally, is connected with major access networks, and has hundreds of terabits of deployed capacity. CloudFront edge locations are connected to AWS Regions through the AWS network backbone, which comprises multiple, redundant parallel fiber links around the globe and which also links with third-party networks to improve origin fetches and dynamic content acceleration.

To deliver content to end users with lower latency, Amazon CloudFront uses a global network of 550+ Points of Presence and 13 regional edge caches in 100+ cities across 50 countries.

Security

Protection against Network and Application Layer Attacks

Amazon CloudFront, AWS Shield, AWS Web Application Firewall (WAF), and Amazon Route 53 work together to create a layered security perimeter against multiple types of attacks, including network and application layer DDoS attacks. All of these services co-reside at the AWS edge and are designed to provide a scalable, reliable, and high-performance security perimeter for applications and content. With CloudFront as the “front door” to an application and infrastructure, the primary attack surface is moved away from critical content, data, code and infrastructure.

SSL/TLS Encryption and HTTPS

With Amazon CloudFront, content, APIs or applications can be delivered over HTTPS using Transport Layer Security to encrypt and secure communications between viewer clients and CloudFront. AWS Certificate Manager (ACM) can be used to create custom SSL certificates and deploy the certificates to CloudFront distributions. Additionally, CloudFront provides a number of TLS optimizations and advanced capabilities, such as full/half bridge HTTPS connections, OCSP stapling, Session Tickets, TLS Protocol Enforcements, Field-Level Encryption, and the Perfect Forward Secrecy feature.

Access Control

Access to content can be restricted through a number of capabilities. Signed URLs and Signed Cookies provide token authentication that restricts access to authenticated viewers only. CloudFront's geo-restriction feature can be used to prevent CloudFront from distributing content based on the geographic regions associated with the IP addresses of requesting clients. The Origin Access Identity (OAI) feature enables you to restrict access to an Amazon S3 bucket origin so that it is accessible only from CloudFront.

Compliance

CloudFront infrastructure and processes are designed to be compliant with PCI-DSS Level 1, HIPAA, ISO 9001, ISO/IEC 27001:2013, 27017:2015, 27018:2019, SOC (1, 2 and 3), and FedRAMP Moderate.

Availability

Origin Shield

Origin Shield reduces the frequency of cache misses by consolidating object requests across regions.

Enabling redundancy for origins

CloudFront supports multiple origins for backend architecture redundancy. CloudFront’s native origin failover capability is designed to automatically serve content from a backup origin when the primary origin is unavailable. CloudFront’s origin failover feature supports combinations of AWS origins, such as EC2 instances, Amazon S3 buckets, and Media Services, or non-AWS origins, such as on-premises HTTP servers. Additionally, you can implement origin failover capabilities using Lambda@Edge.

Edge Computing

CloudFront Functions

Amazon CloudFront offers programmable and secure edge CDN computing capabilities through CloudFront Functions and AWS Lambda@Edge. CloudFront Functions can be used for high-scale and latency-sensitive operations like HTTP header manipulations, URL rewrites/redirects, and cache-key normalizations.
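A cache-key normalization of the kind named above, written as a CloudFront Functions viewer-request handler (an added example, not code from the page or from AWS): tracking parameters are dropped and the remaining query-string keys are lowercased and sorted, so request variants that differ only in parameter order or case share one cache entry instead of each reaching the origin. The event shape (request.querystring as {name: {value}}) follows the CloudFront Functions event structure; the list of dropped parameters is an assumption, and ES5-style syntax is used because that is what the cloudfront-js runtime accepts.

```javascript
// Added example: viewer-request function that normalizes the query string
// before CloudFront computes the cache key. DROP_PREFIXES is an assumption.
var DROP_PREFIXES = ['utm_', 'fbclid', 'gclid'];

// True when a (lowercased) parameter name starts with a tracking prefix.
function shouldDrop(name) {
  for (var i = 0; i < DROP_PREFIXES.length; i++) {
    if (name.indexOf(DROP_PREFIXES[i]) === 0) return true;
  }
  return false;
}

// Returns a new querystring object: tracking params removed, keys lowercased,
// keys sorted. Values (including multiValue entries) are carried over as-is.
function normalizeQuerystring(qs) {
  var names = Object.keys(qs).filter(function (n) {
    return !shouldDrop(n.toLowerCase());
  });
  names.sort(function (a, b) {
    var la = a.toLowerCase(), lb = b.toLowerCase();
    return la < lb ? -1 : (la > lb ? 1 : 0);
  });
  var out = {};
  for (var i = 0; i < names.length; i++) {
    out[names[i].toLowerCase()] = qs[names[i]];
  }
  return out;
}

// CloudFront Functions entry point for the viewer-request event.
function handler(event) {
  var request = event.request;
  request.querystring = normalizeQuerystring(request.querystring);
  return request;
}
```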

Lambda@Edge

AWS Lambda@Edge is a general-purpose, serverless compute feature that supports a wide range of computing needs and customizations. Lambda@Edge is designed for computationally intensive operations, including computations that take several milliseconds to seconds to complete, computations that depend on external third-party libraries, computations that are integrated with other AWS services (e.g., S3, DynamoDB), and computations that make network calls for data processing.

Real-time Metrics and Logging

Real-time Metrics

Amazon CloudFront is integrated with Amazon CloudWatch and automatically publishes operational metrics per distribution, which are displayed as graphs in the CloudFront console. Additional metrics are available through the console or CloudFront APIs.

Standard and Real-time Logging

When enabled, CloudFront will automatically publish logs of CloudFront requests in a W3C-extended format into an Amazon S3 bucket that you specify. You can also configure CloudFront to deliver real-time logs of CloudFront requests to Amazon Kinesis Data Streams according to a sampling rate that you specify.
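A parser for the W3C-extended standard log format described above, with a small detection pass over it, as an added example (not code from the page or from AWS): the column list is read from the "#Fields:" header line, so a real log with the full CloudFront field set parses the same way; the sample lines are constructed and truncated to the leading fields, and the threshold is an assumption.

```javascript
// Added example: parse CloudFront standard logs (tab-separated, W3C extended
// format with "#Version" and "#Fields" headers) and flag clients whose
// requests produce a burst of 4xx responses. SAMPLE_LOG is constructed.
const SAMPLE_LOG = [
  '#Version: 1.0',
  '#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem ' +
    'sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type',
  '2024-01-15\t10:00:01\tIAD89-C1\t1024\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit',
  '2024-01-15\t10:00:02\tIAD89-C1\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/admin\t403\t-\tcurl/8.0\t-\t-\tError',
  '2024-01-15\t10:00:02\tIAD89-C1\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/config\t403\t-\tcurl/8.0\t-\t-\tError',
  '2024-01-15\t10:00:03\tIAD89-C1\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/old.zip\t404\t-\tcurl/8.0\t-\t-\tError',
  '2024-01-15\t10:00:04\tIAD89-C1\t2048\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/app.js\t200\t-\tMozilla/5.0\tv=1\t-\tMiss',
].join('\n');

// Returns one object per data line, keyed by the names in the #Fields header.
// Missing trailing columns are filled with "-", the format's empty marker.
function parseCloudFrontLog(text) {
  let fields = null;
  const records = [];
  for (const line of text.split('\n')) {
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || line.trim() === '') continue;  // #Version, blanks
    if (!fields) throw new Error('data line before #Fields header');
    const cols = line.split('\t');
    const rec = {};
    fields.forEach((f, i) => { rec[f] = cols[i] === undefined ? '-' : cols[i]; });
    records.push(rec);
  }
  return records;
}

// Count 4xx responses per client IP and return those at or above threshold.
function flagNoisyClients(records, threshold) {
  const errorsByIp = {};
  for (const r of records) {
    const status = Number(r['sc-status']);
    if (status >= 400 && status < 500) {
      errorsByIp[r['c-ip']] = (errorsByIp[r['c-ip']] || 0) + 1;
    }
  }
  return Object.keys(errorsByIp)
    .filter((ip) => errorsByIp[ip] >= threshold)
    .map((ip) => ({ ip, errors4xx: errorsByIp[ip] }));
}
```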

DevOps Friendly

Fast Change Propagation and Invalidations

CloudFront is designed to propagate your changes and execute your invalidation requests within minutes.

APIs and DevOps Tools

CloudFront provides an API that can be used to create, configure and maintain CloudFront distributions. Developers can also use developer tools, such as AWS CloudFormation, CodeDeploy, CodeCommit and AWS SDKs, to configure and deploy their CloudFront workloads.

Edge behaviors

CloudFront provides options for configuring how requests will be processed, including customizing headers and metadata forwarded to your origin, creating content variants using cache-key manipulation, customizing headers for HTTP responses, and support for various compression modes. With built-in device detection, CloudFront can detect the client device type (Desktop, Tablet, Smart TV, or Mobile device) and pass that information in the form of new HTTP Headers to your application to enable content variants or other custom responses. Amazon CloudFront can also detect the country-level location of the requesting user’s IP address for further customization of the response.

Continuous deployment

CloudFront provides the option of deploying two separate but identical environments that can be integrated into your continuous integration and delivery (CI/CD) pipelines so that you can roll out releases gradually without making domain name system (DNS) changes. Additionally, you can compare the performance of your changes by monitoring standard and real-time logs and revert to the previous configuration when a change negatively impacts a service.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.