
Serving Content

CloudFront

General Info

Description
  • CDN service
    • Deliver content using AWS Edge Locations
    • User is routed to the edge location that provides the lowest latency
    • Supported
      • Static Files (HTML, IMG, JS, CSS, downloads)
      • Dynamic Pages
      • Media Streaming (HTTP/RTMP)
  • NOT suitable if
    • Most requests come from a single location
    • Most requests come from a corporate VPN

Main Components

Distributions
  • Identified by a DNS domain name (x.cloudfront.net)
Origins
  • When you create a distribution, you must specify the DNS name of the origin from which you want to get the definitive version of the files
  • Options: AWS (S3, EC2, ELB) + Route53, Non-AWS
Cache Control
  • Once requested & served from an edge location, objects stay in cache until they EXPIRE or get REPLACED by more frequently requested content
  • By default, expiration after 24h → next request forwarded to origin to verify object is unchanged or new version fetched
  • Can control how long objects stay in cache
    • CACHE-CONTROL headers set by origin server
    • MIN/MAX/DEFAULT TTL set in distribution
    • INVALIDATION API to remove object from each edge location

Advanced Features

Serve dynamic content & use >= 1 origin server
  • Cache Behaviours
    • Control which requests are served by which origin and how requests are cached
    • Configure functionality for a given URL path pattern
  • You can configure
    • PATH PATTERN
    • Which origin to forward requests to
    • Whether to forward query strings to origin
    • Whether accessing files requires signed URLs
    • Whether to require HTTPS
    • Amount of time to stay in cache
  • Applied in ORDER
  • Last pattern specified is * to match ALL files
Serve whole website
Serve private content by restricting access
  • SIGNED URLs: valid only between certain times / from certain IP addresses
  • SIGNED COOKIES: require auth via public/private key pairs
  • ORIGIN ACCESS IDENTITIES (OAI): restrict access to the S3 bucket to only the CloudFront user associated with the distribution
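Cache behaviours are applied in order with `*` last, as the cache-behaviour notes above say. The following added example (my code, not from the original notes; behaviours, origins and request paths are constructed) resolves a request path against an ordered list of CloudFront-style path patterns and shows what goes wrong when the catch-all is listed first.

```python
import re

# Constructed sample behaviours (not from the page), listed in evaluation order, '*' last.
BEHAVIOURS = [
    {"path_pattern": "api/*", "origin": "api-alb", "signed": False, "https_only": True, "default_ttl": 0},
    {"path_pattern": "private/*", "origin": "assets-s3", "signed": True, "https_only": True, "default_ttl": 60},
    {"path_pattern": "*", "origin": "assets-s3", "signed": False, "https_only": False, "default_ttl": 86400},
]


def pattern_to_regex(pattern):
    """CloudFront path patterns: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))


def resolve(behaviours, path):
    """First matching behaviour wins, so the list order is the access policy."""
    path = path.lstrip("/")
    for b in behaviours:
        if pattern_to_regex(b["path_pattern"].lstrip("/")).fullmatch(path):
            return b
    return None  # unreachable once the final pattern is '*'


def misordered(behaviours):
    """Lint: path patterns listed after the catch-all '*' can never match."""
    patterns = [b["path_pattern"] for b in behaviours]
    return patterns[patterns.index("*") + 1:] if "*" in patterns else []


if __name__ == "__main__":
    for path in ("/api/v1/users", "/private/report.pdf", "/index.html"):
        b = resolve(BEHAVIOURS, path)
        print(f"{path:22} -> origin={b['origin']} signed={b['signed']} https_only={b['https_only']}")
    # The same behaviours with '*' moved to the front by mistake: the private files
    # now match the catch-all and are served without a signed URL.
    swapped = [BEHAVIOURS[-1]] + BEHAVIOURS[:-1]
    print("signed required with '*' first:", resolve(swapped, "/private/report.pdf")["signed"])
    print("behaviours that can never match:", misordered(swapped))
```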

Security

Origin Access Identity
  • Control access to ORIGINAL COPIES IN S3
  • Associated with a DISTRIBUTION, distribution will use that identity to retrieve objects from S3
  • You can then use S3 ACL, which limits access to that Origin Access Identity so the original copy of the object is NOT PUBLICLY READABLE
  • Process
    1. Create an origin access identity for the distribution
    2. Create a bucket policy that blocks public access
    3. Allow the special principal in the bucket policy: "Principal":{"CanonicalUser":"<CloudFront Origin Identity Canonical User ID>"}
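As an added example (my code, not from the original notes; the bucket name is constructed and the canonical user id is a placeholder), the bucket policy from steps 2 and 3 beside the public-read policy it replaces, plus a small audit that flags any statement still granting the anonymous principal, which would let the origin copy be fetched without going through CloudFront.

```python
import json

# Constructed sample values (not from the page); the canonical user id is a placeholder.
BUCKET = "example-private-assets"
OAI_CANONICAL_USER = "CANONICAL-USER-ID-PLACEHOLDER"

# The 'before' state: a public-read policy makes the origin copy readable by anyone,
# so controls enforced at the edge (signed URLs/cookies) can be bypassed at S3.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def oai_bucket_policy(bucket, canonical_user_id):
    """Steps 2-3: no public statement at all; only the OAI's canonical user may read objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCloudFrontOAIReadOnly", "Effect": "Allow",
         "Principal": {"CanonicalUser": canonical_user_id},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def is_public_principal(principal):
    """True for the anonymous principal in any of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_read_statements(policy):
    """Audit: Sids of Allow statements that grant the anonymous principal anything."""
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal"))]


def oai_only(policy, canonical_user_id):
    """True when every Allow statement names only the given OAI canonical user."""
    return all(st.get("Principal") == {"CanonicalUser": canonical_user_id}
               for st in policy.get("Statement", []) if st.get("Effect") == "Allow")


if __name__ == "__main__":
    hardened = oai_bucket_policy(BUCKET, OAI_CANONICAL_USER)
    print(json.dumps(hardened, indent=2))
    print("public statements before:", public_read_statements(PUBLIC_POLICY))
    print("public statements after: ", public_read_statements(hardened))
    print("OAI-only:", oai_only(hardened, OAI_CANONICAL_USER))
```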
Signed URLs
  • Control WHO CAN DOWNLOAD objects from EDGE LOCATIONS
  • Signed URLs take precedence over signed cookies
    • If you use both signed URLs and signed cookies to control access to the same files and a viewer uses a signed URL to request a file, CloudFront determines whether to return the file to the viewer based only on the signed URL
  • Process
    1. Create key pair & upload public to AWS account
    2. Configure CloudFront Distribution to indicate which accounts you would authorize to SIGN REQUESTS
    3. As you receive requests, you will create POLICY DOCS indicating the conditions under which you want CF to serve content
      • POLICY = name of object + date/time of request + IP of client
    4. Calculate SHA-1 hash of policy document & sign using private key
    5. Include encoded policy doc & signature as QUERY STRING PARAMETERS when you reference your objects
    6. When CF receives a request, it verifies the signature using the public key
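An added walkthrough of steps 3 to 6 (example code, not from the page; the key-pair id, distribution domain and IP range are constructed, and the RSA-SHA1 step assumes the `cryptography` package): it builds the custom policy, signs it, assembles the query string and then checks the signature the way the edge would.

```python
import base64
import json
import time

try:  # assumption: 'cryptography' for the RSA-SHA1 step; policy building and encoding are stdlib
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa
except ImportError:
    rsa = None

# Constructed sample values, not taken from the page.
KEY_PAIR_ID = "APKAEXAMPLEKEYID"
RESOURCE = "https://d111111abcdef8.cloudfront.net/private/report.pdf"

def build_policy(resource, not_before, not_after, source_ip):
    """Step 3: object + validity window (epoch seconds) + client IP, in CloudFront's custom-policy shape."""
    cond = {"DateLessThan": {"AWS:EpochTime": not_after}, "DateGreaterThan": {"AWS:EpochTime": not_before},
            "IpAddress": {"AWS:SourceIp": source_ip}}
    # CloudFront expects the policy JSON with no whitespace before it is encoded.
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]}, separators=(",", ":")).encode()

def cf_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def rsa_sha1_sign(private_key, policy):
    """Step 4: SHA-1 hash of the policy bytes, signed with the RSA private key (PKCS#1 v1.5)."""
    return private_key.sign(policy, padding.PKCS1v15(), hashes.SHA1())

def signed_url(resource, policy, signature, key_pair_id):
    """Step 5: encoded policy, signature and key-pair id become query-string parameters."""
    return f"{resource}?Policy={cf_b64(policy)}&Signature={cf_b64(signature)}&Key-Pair-Id={key_pair_id}"

def verify(public_key, policy, signature):
    """Step 6 (what the edge does): check the signature with the uploaded public key."""
    try:
        public_key.verify(signature, policy, padding.PKCS1v15(), hashes.SHA1())
        return True
    except Exception:  # cryptography raises InvalidSignature on mismatch
        return False

if __name__ == "__main__":
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # step 1; private half stays offline
    now = int(time.time())
    policy = build_policy(RESOURCE, now, now + 600, "192.0.2.0/24")
    sig = rsa_sha1_sign(key, policy)
    print(signed_url(RESOURCE, policy, sig, KEY_PAIR_ID))
    print("valid:", verify(key.public_key(), policy, sig))
    # Widening the IP range in the policy without re-signing invalidates the signature.
    print("tampered:", verify(key.public_key(), policy.replace(b"192.0.2.0/24", b"0.0.0.0/0"), sig))
```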
Encryption
  • Field level encryption
    • Can encrypt specific POST fields with a public key you've configured
    • Reduces exposure of sensitive data as it passes through the backend
  • HTTPS
    • Viewer side: allow HTTP and HTTPS, redirect HTTP to HTTPS, or HTTPS only
    • Origin side: HTTP only, match viewer, or HTTPS only

API Gateway

General Info
  • Fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale
  • Integrates with WAF
Characteristics
  • Resource based policies
    • Can be attached to an API; the only action is execute-api:Invoke
    • Can use to allow cross-account access, or in combo with conditions to constrain access to specific VPCs / VPC endpoints / IP ranges etc
  • Private APIs
    • Only accessible through VPC endpoints
  • Private integrations
    • Connect to non-public VPC resources behind the API
    • Create an ELB network load balancer in the VPC
    • API Gateway associates it with a vpclink VPC endpoint
  • CORS
    • Necessary to allow cross-origin requests
    • Will need to be configured if using the default API gateway URLs rather than proxying via CloudFront, otherwise browsers won't honor requests to the API
  • Verification
    • sigV4 signed requests with IAM
    • or Cognito User Pool token verification
    • or Lambda authorizers for other token verification
    • can configure with a 'client-side' certificate that API gateway uses for authenticating its requests to backend servers

Certificate Manager

General Info
  • Makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on AWS
  • Can use Amazon SSL certificates with both load balancers and CloudFront
Characteristics
  • Issuance can take a few hours
  • Certs are region-locked, except for CloudFront, which needs the cert issued in N. Virginia
  • Validation
    • Email or DNS validation (CloudFormation only supports email validation)
    • Checks DNS CAA (Certification Authority Authorization) records first
  • Crypto material
    • Private keys are KMS protected (CloudTrail shows services using KMS to get the keys)
    • Private CA
      • Allows export of the private key, whereas standard public certs only integrate with AWS services
  • Now possible to share ACM Private CAs cross-account