Amazon CloudFront Documentation

Amazon CloudFront is a content delivery network (CDN) service that is designed to securely deliver data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

CloudFront offers security capabilities, such as field level encryption and HTTPS support, integrated with AWS Shield, AWS Web Application Firewall and Amazon Route 53 to protect against multiple types of attacks, including network and application layer DDoS attacks. These services co-reside at edge networking locations and are globally scaled and connected via the AWS network backbone.

CloudFront works with AWS origins, such as Amazon S3, Amazon EC2, and Elastic Load Balancing and with custom HTTP origins. You can customize your content delivery through CloudFront using CloudFront Functions and AWS Lambda@Edge.

Network Connectivity and Backbone

Amazon CloudFront peers with Tier 1/2/3 telecom carriers globally, is connected with major access networks, and has hundreds of terabits of deployed capacity. CloudFront Edge locations are connected to AWS Regions through the AWS network backbone, which comprises multiple, redundant parallel fiber links around the globe and which also links with third-party networks to improve origin fetches and dynamic content acceleration.

To deliver content to end users with lower latency, Amazon CloudFront uses a global network of 310+ Points of Presence (300+ Edge locations and 13+ regional mid-tier caches) in 90+ cities across 47+ countries. Amazon CloudFront Edge locations are located in North America, Europe, Asia, Australia & New Zealand, South America, Middle East, Africa, and China. 


Protection against Network and Application Layer Attacks

Amazon CloudFront, AWS Shield, AWS Web Application Firewall (WAF), and Amazon Route 53 work together to create a layered security perimeter against multiple types of attacks, including network and application layer DDoS attacks. All of these services co-reside at the AWS edge and are designed to provide a scalable, reliable, and high-performance security perimeter for applications and content. With CloudFront as the “front door” to an application and infrastructure, the primary attack surface is moved away from critical content, data, code and infrastructure.

SSL/TLS Encryptions and HTTPS

With Amazon CloudFront, content, APIs or applications can be delivered over HTTPS using Transport Layer Security to encrypt and secure communications between viewer clients and CloudFront. AWS Certificate Manager (ACM) can be used to create custom SSL certificates and deploy the certificates to CloudFront distributions. Additionally, CloudFront provides a number of TLS optimizations and advanced capabilities, such as full/half bridge HTTPS connections, OCSP stapling, Session Tickets, TLS Protocol Enforcements, Field-Level Encryption, and the Perfect Forward Secrecy feature.

Access Control

Access is restricted to content through a number of capabilities. With Signed URLs and Signed Cookies, Token Authentication is supported to restrict access to only authenticated viewers. Geo-restriction prevents CloudFront from distributing content based on the geographic regions associated with the IP addresses of requesting clients. The Origin Access Identity (OAI) feature enables you to restrict access to an Amazon S3 bucket origin so that it is accessible only from CloudFront.


CloudFront infrastructure and processes are designed to be compliant with PCI-DSS Level 1, HIPAA, ISO 9001, ISO/IEC 27001:2013, 27017:2015, 27018:2019, SOC (1, 2 and 3), and FedRAMP Moderate.


Origin Shield

Origin Shield reduces the frequency of cache hits by consolidating object requests across regions. 

Enabling redundancy for origins

CloudFront supports multiple origins for backend architecture redundancy. CloudFront’s native origin failover capability is designed to automatically serve content from a backup origin when the primary origin is unavailable. CloudFront’s origin failover feature supports combinations of AWS origins, such as EC2 instances, Amazon S3 buckets, and Media Services, or non-AWS origins, such as on-premises HTTP servers. Additionally, you can implement origin failover capabilities using Lambda@Edge.

Edge Computing

CloudFront Functions

Amazon CloudFront offers programmable and secure edge CDN computing capabilities through CloudFront Functions and AWS Lambda@Edge. CloudFront Functions can be used for high-scale and latency-sensitive operations like HTTP header manipulations, URL rewrites/redirects, and cache-key normalizations. 


AWS Lambda@Edge is a general-purpose, serverless compute feature that supports a wide range of computing needs and customizations. Lambda@Edge is designed for computationally intensive operations, including computations that take several milliseconds to seconds to complete, computations that depend on external third-party libraries, computations that are integrated with other AWS services (e.g., S3, DynamoDB), and computations that make networks calls for data processing. 

Real-time Metrics and Logging

Real-time Metrics

Amazon CloudFront is integrated with Amazon CloudWatch and automatically publishes operational metrics per distribution, which are displayed as graphs in the CloudFront console. Additional metrics are available through the console or CloudFront APIs.

Standard and Real-time Logging

When enabled, CloudFront will automatically publish logs of CloudFront requests in a W3C-extended format into an Amazon S3 bucket that you specify. You can also configure CloudFront to deliver real-time logs of CloudFront requests to Amazon Kinesis Data Streams according to a sampling rate that you specify.

DevOps Friendly

Fast Change Propagation and Invalidations

CloudFront is designed to propagate your changes and execute your invalidation requests within minutes.

APIs and DevOps Tools

CloudFront provides an API that can be used to create, configure and maintain CloudFront distributions. Developers can also use developer tools, such as AWS CloudFormation, CodeDeploy, CodeCommit and AWS SDKs, to configure and deploy their CloudFront workloads.

Edge behaviors

CloudFront provides options for configuring how requests will be processed, including customizing headers and metadata forwarded to your origin, creating content variants using cache-key manipulation, and support for various compression modes. With built-in device detection, CloudFront can detect the client device type (Desktop, Tablet, Smart TV, or Mobile device) and pass that information in the form of new HTTP Headers to your application to enable content variants or other custom responses. Amazon CloudFront can also detect the country-level location of the requesting user’s IP address for further customization of the response.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at, or other agreement between you and AWS governing your use of AWS’s services.