Amazon CloudFront¶

What Is Amazon CloudFront?¶

Amazon CloudFront is AWS’s global Content Delivery Network (CDN).

It accelerates delivery by caching content closer to users using AWS edge locations.

CloudFront delivers:

websites
APIs
static content
media
dynamic applications

Think of CloudFront as:

Global edge delivery and protection for applications.

Why It Matters for Security¶

CloudFront improves security by:

reducing origin exposure
enforcing TLS globally
mitigating DDoS attacks
integrating edge security controls
protecting applications before traffic reaches origins

Security teams use CloudFront for:

secure public applications
origin protection
edge access enforcement
global application delivery

Core Concepts¶

edge locations
caching
origin protection
global distribution
TLS termination
edge security
content acceleration

Important Integrations¶

Amazon S3¶

Common origin for:

static websites
downloads
media

Application Load Balancer (ALB)¶

Common origin for:

applications
APIs

AWS WAF¶

Provides:

Layer 7 protection
rate limiting
bot control

Evaluated inside CloudFront.

Very important integration.

AWS Shield¶

CloudFront includes:

Shield Standard

Provides:

DDoS protection

Amazon Route 53¶

Supports:

DNS routing

AWS Certificate Manager (ACM)¶

Provides:

TLS certificates

Very important region nuance.

Lambda@Edge¶

Supports:

advanced request processing
dynamic responses

CloudFront Functions¶

Supports:

lightweight edge execution
redirects
authorization

Security Features¶

Origin Protection¶

Users access:

User
↓
CloudFront
↓
Origin

Not:

User
↓
Origin

Very important architecture principle.

TLS Termination¶

CloudFront supports:

HTTPS
TLS encryption

Protects:

users
applications
content delivery

Edge Caching¶

Benefits:

reduced latency
reduced origin load
increased resilience

Geographic Restrictions¶

Restrict content by:

country

Useful for:

compliance
regional policies

Signed URLs vs Signed Cookies¶

Signed URLs:

individual objects

Signed Cookies:

multiple objects

Very important distinction.

Origin Access Control (OAC)¶

Modern best practice.

Allows:

CloudFront
↓
Private S3

without public bucket access.

Supports:

SSE-KMS encrypted buckets

Very important modernization over OAI.

Advanced Security and Operational Concepts¶

ACM Certificate Region Trap¶

Custom HTTPS domains require:

ACM Certificate
↓
us-east-1

Applies regardless of:

origin region
user location

Very important deployment limitation.

CloudFront Functions vs Lambda@Edge¶

CloudFront Functions	Lambda@Edge
lightweight	advanced logic
JavaScript	Node.js / Python
sub-millisecond	longer execution
no network calls	network access
redirects	dynamic processing

Use Functions when:

headers
redirects
lightweight validation

Use Lambda@Edge when:

API calls
dynamic rendering
complex logic

Viewer Protocol vs Origin Protocol¶

Viewer Policy:

User
↓
CloudFront

Examples:

HTTP
Redirect HTTP → HTTPS
HTTPS only

Origin Policy:

CloudFront
↓
Origin

Examples:

HTTP only
HTTPS only
Match Viewer

Need true end-to-end encryption?

User
↓ HTTPS
CloudFront
↓ HTTPS
Origin

Very important distinction.

Architecture Example¶

Secure Global Content Delivery¶

flowchart LR

USER[Global Users]

R53[Route 53]

CF[CloudFront]

WAF[WAF Evaluation]

ALB[Application Load Balancer]

S3[Private S3]

APP[Application]

USER --> R53

R53 --> CF

CF --> WAF

WAF --> ALB

CF --> S3

ALB --> APP

classDef edge fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;

class USER,R53,CF edge;
class WAF,S3,ALB,APP security;

Use case: secure global application delivery using CloudFront edge security.

Content Delivery Workflow¶

sequenceDiagram

autonumber

participant USER

participant CF as CloudFront

participant ORIGIN

USER->>CF: Request object

alt Cache Hit

CF-->>USER: Return cached content

else Cache Miss

CF->>ORIGIN: Fetch content

ORIGIN-->>CF: Return response

CF-->>USER: Deliver object

end

Use case: accelerate delivery while reducing origin load.

Protected Application Workflow¶

sequenceDiagram

autonumber

participant USER

participant CF as CloudFront

participant WAF

participant ALB

participant APP

USER->>CF: Request

CF->>WAF: Evaluate WebACL

alt Allowed

WAF->>CF: Permit

CF->>ALB: Forward

ALB->>APP: Process

APP-->>USER: Response

else Blocked

WAF-->>USER: Block

end

Use case: edge security enforcement before origin access.

CloudFront vs Global Accelerator¶

CloudFront	Global Accelerator
CDN	network acceleration
caching	no caching
HTTP/HTTPS	TCP/UDP
content optimization	traffic optimization

Use CloudFront when:

delivering content

Use Global Accelerator when:

accelerating applications

CloudFront vs S3 Website¶

CloudFront	S3
delivery	storage
caching	hosting
edge protection	object storage

CloudFront vs API Gateway¶

CloudFront	API Gateway
edge delivery	API management
caching	authorization
acceleration	orchestration

Common Exam Traps¶

Trap 1 — CloudFront Does Not Store Data¶

CloudFront:

caches

S3:

stores

Trap 2 — Forgetting OAC¶

Modern secure pattern:

CloudFront
↓
OAC
↓
Private S3

Trap 3 — Forgetting ACM Region¶

CloudFront certificates:

→ us-east-1

Trap 4 — Confusing Functions and Lambda@Edge¶

Functions:

lightweight

Lambda@Edge:

advanced

Trap 5 — Encrypting Only Viewer Traffic¶

Need end-to-end TLS:

Viewer HTTPS

+

Origin HTTPS

Trap 6 — Assuming OAI Supports SSE-KMS¶

Need:

CloudFront
private S3
KMS

Answer:

→ OAC

5-Second Recall¶

Identity¶

CloudFront = global edge delivery and protection

Keywords¶

If the scenario mentions:

CDN
edge caching
origin protection
global delivery
secure content

Answer:

→ Amazon CloudFront

Need Secure Private S3?¶

→ CloudFront + OAC

Need Custom HTTPS Domain?¶

→ ACM in us-east-1

Need Redirects?¶

→ CloudFront Functions

Need Dynamic Edge Logic?¶

→ Lambda@Edge

Need DDoS Protection?¶

→ CloudFront + Shield

Quick Revision Notes¶

global CDN
edge caching
protects origins
integrates with WAF
includes Shield Standard
OAC replaces OAI
supports SSE-KMS
ACM must be us-east-1
signed URLs and cookies
CloudFront Functions
Lambda@Edge
viewer vs origin protocol