How can I restrict users in certain locations from accessing web content served by my CloudFront distribution?
Last updated: 2021-11-24
I want to restrict users in certain countries from accessing the web content served by my Amazon CloudFront distribution. How can I do that?
Turn on CloudFront geo restriction for your distribution by following these steps:
- Open the CloudFront console.
- Choose the distribution that you want to apply geo restriction to.
- Choose the Geographic Restrictions tab.
- Choose Edit.
- To allow access only from certain countries, for Restriction type choose Allow List. To block access from certain countries, choose Block List.
- For Countries, select the countries that you want to allow or block. Then, choose Add.
- Choose Save Changes.
Note: You can set your CloudFront distribution to return a custom error message when a user from a blocked country tries to access content.
Consider these additional ways to restrict access to your content served through CloudFront:
- Be sure that any AWS security groups on your CloudFront origin restrict inbound HTTP or HTTPS access to the CloudFront IP address ranges. This prevents clients from reaching the origin directly from IP addresses outside of CloudFront. For more information, see Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda.
- You can use AWS WAF to monitor and restrict HTTP and HTTPS requests, and to control access to your content.