Updated June 23, 2025

Amazon CloudFront: A Comprehensive Cheat Sheet

What is Amazon CloudFront?

Amazon CloudFront is AWS's global Content Delivery Network (CDN). It delivers data, video, applications, and APIs to viewers worldwide with low latency and high transfer rates, integrates with other AWS services, and serves both static and dynamic content. By caching content at edge locations close to your users, CloudFront cuts latency and offloads your origin.

How CloudFront Delivers Content

CloudFront uses a global network of Points of Presence (PoPs) to deliver content. This network consists of two types of locations:

  • Edge Locations: These are data centers where CloudFront caches copies of your content. When a user requests content, they are routed to the nearest edge location, which provides the lowest latency. If the content is not in the cache, CloudFront retrieves it from the origin.

  • Regional Edge Caches: Larger caches that sit between your origin and the edge locations. They hold far more objects than an individual edge location, so when an object is evicted or expires at an edge location, that edge location can fetch it from the Regional Edge Cache instead of going back to the origin, which keeps origin load down and improves performance.

Core Components

  • Distribution: This is the core configuration of your CDN. It tells CloudFront which origins to get your content from and how to behave regarding caching, security, and delivery.

  • Origin: The origin is the source of your content. This can be an AWS service such as an Amazon S3 bucket, an EC2 instance, or an Elastic Load Balancer, or a custom origin such as your own HTTP web server. You can pair two origins in an Origin Group so that CloudFront fails over to the secondary origin when the primary returns specified error codes.

  • Cache Behavior: These settings allow you to configure a variety of CloudFront functionalities for a given URL path pattern. You can define how CloudFront handles caching based on request headers, query strings, and cookies. You can also specify which HTTP methods (GET, HEAD, POST, etc.) are allowed.

Security: Controlling Access to Your Content

CloudFront provides multiple layers of security to protect your content from unauthorized access and web-based attacks.

Restricting Access to S3 Origins

To prevent users from bypassing CloudFront and accessing your S3 content directly, you must restrict access to the S3 bucket.

  • Origin Access Identity (OAI): The legacy method, still supported but no longer recommended. OAI creates a special CloudFront user that you grant read permission to in your S3 bucket policy, so only CloudFront can fetch the objects.

  • Origin Access Control (OAC): The current, recommended method. CloudFront signs each origin request (SigV4) as the cloudfront.amazonaws.com service principal, and your bucket policy grants that principal access with a condition on AWS:SourceArn that names your distribution; without that condition any CloudFront distribution in any account could be pointed at your bucket. OAC relies on short-term, frequently rotated credentials rather than a long-lived identity. Note that OAC only restricts access if the bucket is not otherwise public: keep S3 Block Public Access enabled and remove any public bucket policy or ACL.

    • Key advantages of OAC over OAI:

      • Supports all HTTP methods (GET, PUT, POST, DELETE, etc.).

      • Supports Server-Side Encryption with AWS Key Management Service (SSE-KMS).

      • Works in all AWS Regions.
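The bucket policy that goes with an OAC origin, together with an audit routine that flags the policies which still let traffic reach the bucket without CloudFront. This is an added example written for this cheat sheet, not AWS code; the account ID, bucket name and distribution ID are made up.

```python
"""S3 bucket policy for a CloudFront Origin Access Control (OAC) origin, plus an
audit that flags policies that let traffic reach the bucket without CloudFront.
Added example, not AWS code; account ID, bucket and distribution ID are made up."""
import json
from typing import Any, Dict, List

# Substring that identifies a legacy Origin Access Identity principal.
OAI_MARKER = "cloudfront:user/CloudFront Origin Access Identity"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> Dict[str, Any]:
    """Read-only grant to the CloudFront service principal, pinned to one distribution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition any distribution in any AWS account could be
            # pointed at the bucket and read it (confused deputy).
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings for Allow statements that are public, use a legacy OAI, grant
    cloudfront.amazonaws.com without a SourceArn pin, or allow non-read actions.
    Only a StringEquals pin is accepted; a StringLike wildcard is not a pin."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: public principal, bucket readable without CloudFront")
            continue
        if not isinstance(principal, dict):
            continue
        if any(OAI_MARKER in str(p) for p in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: legacy OAI principal, migrate to OAC")
        if "cloudfront.amazonaws.com" in _as_list(principal.get("Service")):
            equals = {k.lower(): v for k, v in
                      stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if not _as_list(equals.get("aws:sourcearn")):
                findings.append(f"{sid}: cloudfront.amazonaws.com without AWS:SourceArn condition")
            writes = [a for a in _as_list(stmt.get("Action"))
                      if a not in ("s3:GetObject", "s3:GetObjectVersion")]
            if writes:
                findings.append(f"{sid}: non-read actions {writes}, "
                                "confirm PUT/DELETE through CloudFront is intended")
    return findings


if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(
        "my-static-site",
        "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"), indent=2))
```

Run the audit over the policies of every bucket that serves as a CloudFront origin; a clean result means only the named distribution, acting as the CloudFront service principal, can read the objects.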

Restricting Access for End-Users

To control which users can access your content through CloudFront, you can use signed URLs and signed cookies.

  • Signed URLs: Use a signed URL to provide temporary, restricted access to a single file. This is ideal for scenarios like providing a download link for a purchased video or a software update.

  • Signed Cookies: Use signed cookies to provide temporary, restricted access to multiple files. This is perfect for use cases like providing access to a premium content library for a subscribed user, allowing them to browse the entire set of restricted files.

For both signed URLs and cookies the policy states an expiration time and can also state a start time and a source IP range (CIDR). A canned policy carries only the expiration; a custom policy is required for the IP range, the start time, or a wildcard resource that covers many files. The signature is RSA (SHA-1, PKCS#1 v1.5) made with a private key whose public half you register in a key group attached to the distribution as a trusted key group; key groups are recommended over the older trusted-signer model, which required CloudFront key pairs on the AWS account root user.
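The signed URL and signed cookie mechanics above, worked through in code: building the custom policy, applying CloudFront's URL-safe base64 alphabet, attaching the three signed values to a URL or as cookies, and replaying the checks CloudFront performs at the edge so you can see why a request gets a 403 (wrong IP, expired, wrong path, or a policy that was edited after signing). This is an added example, not AWS or boto3 code; the domain, paths and Key-Pair-Id are made up, and the RSA signer relies on the third-party cryptography package while everything else is standard library.

```python
"""CloudFront signed URLs/cookies with a custom policy, plus the edge-side checks.
Added example, not AWS or boto3 code. The domain, paths and Key-Pair-Id are made up."""
import base64
import fnmatch
import ipaddress
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# CloudFront's own URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = bytes.maketrans(b"+=/", b"-_~")
_FROM_CF = bytes.maketrans(b"-_~", b"+=/")


def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).translate(_TO_CF).decode("ascii")


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii").translate(_FROM_CF))


def build_custom_policy(resource: str, expires: int, ip_cidr: Optional[str] = None,
                        not_before: Optional[int] = None) -> str:
    """Compact JSON custom policy. Only a custom policy can carry an IP range or a
    start time; a canned policy holds just the expiration. `resource` may end in
    '*' so that one signed cookie covers a whole directory."""
    cond: Dict[str, dict] = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if ip_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":"))  # the signature covers these exact bytes


def signed_params(policy: str, key_pair_id: str,
                  rsa_sign: Callable[[bytes], bytes]) -> Dict[str, str]:
    """The three values CloudFront checks. rsa_sign must return an RSA PKCS#1 v1.5
    signature over SHA-1, made with the private half of a public key that is
    registered in one of the distribution's trusted key groups."""
    raw = policy.encode("utf-8")
    return {"Policy": cf_b64encode(raw), "Signature": cf_b64encode(rsa_sign(raw)),
            "Key-Pair-Id": key_pair_id}


def sign_url(url: str, policy: str, key_pair_id: str,
             rsa_sign: Callable[[bytes], bytes]) -> str:
    sep = "&" if urlparse(url).query else "?"
    return url + sep + urlencode(signed_params(policy, key_pair_id, rsa_sign))


def signed_cookies(policy: str, key_pair_id: str,
                   rsa_sign: Callable[[bytes], bytes]) -> Dict[str, str]:
    """Same three values, under the cookie names CloudFront looks for."""
    p = signed_params(policy, key_pair_id, rsa_sign)
    return {"CloudFront-Policy": p["Policy"], "CloudFront-Signature": p["Signature"],
            "CloudFront-Key-Pair-Id": p["Key-Pair-Id"]}


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real signer built on the third-party `cryptography` package (imported lazily
    so the rest of this file runs without it)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())


def edge_check(signed_url: str, client_ip: str, now: int,
               verify: Callable[[bytes, bytes], bool]) -> str:
    """Replay the checks CloudFront makes on a signed URL before serving it.
    Returns "ok" or the reason for a 403. Matches scheme://host/path only;
    CloudFront also includes the URL's own query string in the comparison."""
    parts = urlparse(signed_url)
    qs = parse_qs(parts.query)
    try:
        policy_raw = cf_b64decode(qs["Policy"][0])
        sig = cf_b64decode(qs["Signature"][0])
    except (KeyError, ValueError):
        return "missing-or-malformed-signature"
    if not verify(policy_raw, sig):
        return "bad-signature"  # policy edited after signing (e.g. longer expiry) or wrong key
    stmt = json.loads(policy_raw)["Statement"][0]
    requested = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not fnmatch.fnmatchcase(requested, stmt["Resource"]):
        return "resource-mismatch"  # signed for a different object or prefix
    cond = stmt["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return "expired"
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return "not-yet-valid"
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return "ip-denied"
    return "ok"
```

To produce a real URL, pass rsa_sha1_signer(pem_bytes) as rsa_sign, where the PEM holds the private key matching a public key in the distribution's key group. Keep expirations short and pin an IP range for high-value content: the edge check shows that a viewer who extends the expiry in the Policy parameter fails the signature check rather than gaining time.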

Encryption

  • HTTPS/SSL/TLS: You can configure your distribution to require HTTPS from viewers (redirect HTTP to HTTPS, or HTTPS only), which encrypts the viewer-to-CloudFront leg. This does not by itself encrypt the CloudFront-to-origin leg; set the origin protocol policy to HTTPS only as well if the origin supports it. CloudFront provides a default certificate for the *.cloudfront.net domain; for your own domain name, use a certificate from AWS Certificate Manager, which for CloudFront must be issued in the us-east-1 Region.

  • Field-Level Encryption: Encrypts specific fields in an HTTPS POST request at the edge using a public key you configure, so the values stay encrypted through the origin, load balancers and any intermediate systems. Only the application that holds the matching private key can decrypt them.

AWS WAF Integration

You can associate an AWS WAF (Web Application Firewall) web ACL with your CloudFront distribution to filter requests at the edge, protecting your web applications from common web exploits such as SQL injection and cross-site scripting (XSS), and to apply rate-based rules and IP allow/deny lists. A web ACL for CloudFront must be created with the CloudFront (global) scope, which means in the us-east-1 Region.

Performance and Optimization

  • Caching Policies: You can finely tune how long objects are cached (Time to Live or TTL) and which parts of a request (headers, cookies, query strings) are part of the cache key.

  • Compression: CloudFront can automatically compress certain content types (such as HTML, CSS, and JavaScript) using Gzip or Brotli and serve the compressed version to viewers whose Accept-Encoding header supports it, which speeds up downloads.

  • HTTP Methods: CloudFront supports all common HTTP methods, including GET, HEAD, POST, PUT, DELETE, OPTIONS, and PATCH, allowing you to accelerate both static and dynamic content.

Content Management

  • Cache Invalidation: You can force removal of objects from the CloudFront cache before their TTL expires. This is useful when you update a file (e.g., a new version of style.css) and want the change to reach viewers immediately. You can invalidate specific files, or a path prefix with a wildcard (*) at the end of the path, such as /images/*. Invalidation clears only CloudFront's caches, not browser or proxy caches that already hold the old object, so for frequently changing assets use versioned file names instead.

Monitoring and Logging

  • Amazon CloudWatch: CloudFront publishes metrics to CloudWatch in the us-east-1 Region. The default metrics include request count, bytes downloaded and uploaded, and the total, 4xx and 5xx error rates; cache hit rate and origin latency are available as additional metrics that you turn on for an extra charge.

  • AWS CloudTrail: CloudFront is a global service, so to log and audit API calls made to it (for example a change to a distribution's origin or a new key group) your CloudTrail trail must be configured to include global service events.

  • Access Logs: You can configure standard logs, which CloudFront writes to an S3 bucket on a best-effort basis with one line per viewer request (time, edge location, client IP, method, URI, status, result type such as Hit or Miss, and more), or real-time logs delivered to Kinesis Data Streams within seconds. Both are the raw material for detection: repeated 403s from one client point at failed signed URLs or WAF blocks, and a low share of Hit results points at a cache key that is too broad.
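A parser for CloudFront standard log lines that derives the signals named above, cache hit ratio, error rate and the sources of repeated 403s. This is an added example, not AWS code; the log content is constructed with a subset of the real field list, and because the parser reads the #Fields header rather than hard-coding positions, a full gzipped log pulled from S3 (opened with gzip.open) parses the same way.

```python
"""Parse CloudFront standard (access) log lines and derive the monitoring signals
the page names: cache hit ratio, error rate and the sources of 403s.
Added example, not AWS code. The log below is constructed with a subset of the
real field list; the parser keys on the #Fields header, so a full log from S3
parses the same way."""
from collections import Counter
from typing import Dict, Iterable, List

from urllib.parse import unquote

# Constructed sample log (tab-separated, as CloudFront writes it). Not real traffic.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken
2025-06-23\t10:00:01\tFRA56-C1\t4821\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit\tREQ1\twww.example.com\thttps\t512\t0.002
2025-06-23\t10:00:02\tFRA56-C1\t90112\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/static/app.js\t200\thttps://www.example.com/\tMozilla/5.0\t-\t-\tHit\tREQ2\twww.example.com\thttps\t488\t0.003
2025-06-23\t10:00:05\tIAD89-P2\t20480\t203.0.113.11\tGET\td111111abcdef8.cloudfront.net\t/static/app.css\t200\t-\tMozilla/5.0\t-\t-\tRefreshHit\tREQ3\twww.example.com\thttps\t470\t0.041
2025-06-23\t10:00:07\tIAD89-P2\t1320\t203.0.113.12\tGET\td111111abcdef8.cloudfront.net\t/api/orders\t200\t-\tcurl/8.5.0\tid=42\t-\tMiss\tREQ4\twww.example.com\thttps\t301\t0.188
2025-06-23\t10:00:09\tSIN2-C1\t540\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/premium/ep1.mp4\t403\t-\tpython-requests/2.32\tExpires=1750672800&Signature=REDACTED&Key-Pair-Id=K2JCJMDEHXQW5F\t-\tError\tREQ5\twww.example.com\thttps\t610\t0.001
2025-06-23\t10:00:09\tSIN2-C1\t540\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/premium/ep2.mp4\t403\t-\tpython-requests/2.32\tExpires=1750672800&Signature=REDACTED&Key-Pair-Id=K2JCJMDEHXQW5F\t-\tError\tREQ6\twww.example.com\thttps\t610\t0.001
2025-06-23\t10:00:10\tSIN2-C1\t540\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/premium/ep3.mp4\t403\t-\tpython-requests/2.32\tExpires=1750672800&Signature=REDACTED&Key-Pair-Id=K2JCJMDEHXQW5F\t-\tError\tREQ7\twww.example.com\thttps\t610\t0.001
2025-06-23\t10:00:12\tFRA56-C1\t380\t203.0.113.13\tGET\td111111abcdef8.cloudfront.net\t/wp-login.php\t404\t-\tMozilla/5.0\t-\t-\tError\tREQ8\twww.example.com\thttps\t455\t0.120
"""


def parse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn log lines into dicts keyed by the names in the #Fields header."""
    fields = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # e.g. "#Version: 1.0"
            continue
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:60]}")
        rec = dict(zip(fields, values))
        rec["cs-uri-stem"] = unquote(rec["cs-uri-stem"])  # CloudFront URL-encodes this field
        records.append(rec)
    return records


def cache_hit_ratio(records: List[Dict[str, str]]) -> float:
    """Hit and RefreshHit were served from cache; everything else reached the origin or errored."""
    if not records:
        return 0.0
    hits = sum(r["x-edge-result-type"] in ("Hit", "RefreshHit") for r in records)
    return hits / len(records)


def error_rate(records: List[Dict[str, str]], status_class: str) -> float:
    """Share of requests whose status starts with status_class, e.g. "4" for 4xx."""
    if not records:
        return 0.0
    return sum(r["sc-status"].startswith(status_class) for r in records) / len(records)


def forbidden_sources(records: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Client IPs with at least `threshold` 403s: failed signed URLs or cookies,
    WAF blocks, or a client probing restricted paths."""
    counts = Counter(r["c-ip"] for r in records if r["sc-status"] == "403")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print(f"cache hit ratio: {cache_hit_ratio(recs):.2f}")
    print(f"4xx rate: {error_rate(recs, '4'):.2f}")
    print(f"repeat 403 sources: {forbidden_sources(recs)}")
```

The same three functions apply unchanged to real-time log records once you map the fields you selected for the stream to the same names.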