AWS CloudFront

Chloe McAree
Feb 22, 2021

This is part of a blog series giving a high-level overview of the different services examined on the AWS Certified Solutions Architect Associate exam; to view the whole series click here.

CloudFront Terminology

Edge Location → The location where content is cached (distinct from an AWS Region or Availability Zone). Edge locations are not read-only: clients can also write (PUT/POST) through them, and the request is forwarded on to the origin.

Origin → The location of the files that the CDN distributes. It can be an S3 bucket, an EC2 instance, an ELB, or any custom HTTP server.

Distribution → The name given to a CDN configuration; it ties the origin(s) to the collection of edge locations that serve them.

There are two types:

  • Web Distributions, which are used for websites and any other HTTP(S) content
  • RTMP Distributions, which were used for streaming media over Adobe's RTMP protocol. AWS ended support for RTMP distributions on 31 December 2020, so any distribution created now is a web distribution.

Invalidations → Paths (single files or wildcard patterns such as /images/*) that you tell CloudFront to remove from every edge cache before their TTL expires. Useful when you need to remove or replace a file immediately rather than waiting for the cache to expire.

Versioning → Serve a changed file under a new name (for example style-v2.css instead of style.css) so that edge caches fetch the new object as a cache miss; this avoids the delay and cost of an invalidation.

CloudFront Summary

  • It is a global service
  • Is a Content Delivery Network (CDN)
  • Securely delivers web applications, data, videos and other web content over a system of distributed servers to users based on their geographic location, with low latency and high transfer speeds.
  • Can be used for your whole website and can work with any AWS origin, e.g. S3, EC2, ELB, or a custom origin outside AWS.
  • Requests for content are automatically routed to the nearest edge location for the best possible performance.
  • Objects are cached for the Time To Live (TTL); once it expires the edge re-fetches the object from the origin.
  • Can integrate with AWS Shield, AWS WAF (Web Application Firewall) and Route 53 to improve security.
  • It is possible to clear cached objects before the TTL expires (an invalidation); the first 1,000 invalidation paths per month are free and every path beyond that is charged.
  • If the requested object is not in the edge cache, CloudFront fetches it from the origin and then caches it at that edge location.

Restricting Access to CloudFront

  • You can restrict S3 access so that the bucket is reachable only through CloudFront and not directly through the S3 URL. This is done by granting read permission in the bucket policy to a CloudFront Origin Access Identity (OAI) and removing any public-read grants; AWS now recommends the newer Origin Access Control (OAC) for the same job.
  • You can restrict access to the content itself using signed URLs or signed cookies. A signed URL grants access to one file (1 File = 1 URL), while one signed cookie can grant access to many files, e.g. everything under a path, without changing the URLs (1 Cookie = multiple files).
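As an added example (not code from the original post), here is a small Python check over S3 bucket policies. It accepts the two ways of giving CloudFront exclusive read access, an Origin Access Identity (OAI) principal or the newer Origin Access Control (OAC) service principal pinned to one distribution, and flags the public-read grant the bullet above warns against. The bucket name, OAI ID, distribution ARN and the PUBLIC_READ "before" policy are all constructed for the example.

```python
"""Check that an S3 bucket policy grants read access to CloudFront only.

Added example, not code from the original post. Bucket name, OAI ID and
distribution ARN are made up. Two principal shapes are accepted:
  - OAI: an IAM-style user ARN under the special 'cloudfront' account.
  - OAC: the cloudfront.amazonaws.com service principal, which must be
    pinned to one distribution with an AWS:SourceArn condition, otherwise
    any distribution in any AWS account could read the bucket.
"""
import json

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
CF_SERVICE = "cloudfront.amazonaws.com"


def oai_policy(bucket, oai_id):
    """Bucket policy that lets only the given OAI fetch objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAI", "Effect": "Allow",
        "Principal": {"AWS": OAI_PREFIX + oai_id},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket}]}


def oac_policy(bucket, distribution_arn):
    """Bucket policy for OAC: service principal pinned to one distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
        "Principal": {"Service": CF_SERVICE},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket,
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}}}]}


# Constructed 'before' policy: a public-read bucket, reachable by anyone
# through the plain S3 URL, which defeats the point of fronting it with CloudFront.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-site-bucket/*"}]}


def _principals(p):
    """Flatten the Principal element into (kind, value) pairs; '*' is anonymous."""
    if p == "*":
        return [("*", "*")]
    pairs = []
    for kind, vals in p.items():
        for v in ([vals] if isinstance(vals, str) else vals):
            pairs.append((kind, v))
    return pairs


def findings(policy):
    """Return a list of problems; an empty list means only CloudFront can read."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        for kind, val in _principals(st.get("Principal", {})):
            if val == "*":
                problems.append("%s: anonymous principal '*'" % sid)
            elif kind == "AWS":
                if not val.startswith(OAI_PREFIX):
                    problems.append("%s: non-CloudFront principal %s" % (sid, val))
            elif kind == "Service" and val == CF_SERVICE:
                cond = st.get("Condition", {}).get("StringEquals", {})
                if not cond.get("AWS:SourceArn"):
                    problems.append("%s: OAC principal without AWS:SourceArn condition" % sid)
            else:
                problems.append("%s: unexpected principal %s:%s" % (sid, kind, val))
        actions = st.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a in ("*", "s3:*"):
                problems.append("%s: wildcard action %s" % (sid, a))
    return problems


if __name__ == "__main__":
    for name, pol in [("oai", oai_policy("my-site-bucket", "E2QWRUHAPOMQZL")),
                      ("public", PUBLIC_READ)]:
        print(name, findings(pol) or "OK")
        print(json.dumps(pol, indent=2))
```

Run it against `aws s3api get-bucket-policy` output to audit an existing bucket; remember that the bucket's Block Public Access settings and object ACLs also have to be locked down, since this check only reads the policy document.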

Features of a signed URL

  • The key pair used to sign is a CloudFront key pair, which is account-wide and can only be created by the root user. Since late 2020 the recommended alternative is a trusted key group: an IAM user uploads only the public key to CloudFront, so the private key never touches the root account and can be rotated freely.
  • Has an associated policy statement (JSON) specifying the restrictions on the URL: the resource, an expiry time (DateLessThan) and, in a custom policy, optionally a start time (DateGreaterThan) and an allowed source IP range.
  • Contains additional information, e.g. the expiry date/time, the signature and the ID of the key pair that produced it.
  • Can be used with any origin (S3 or custom) and still benefits from edge caching, because the signature is checked by CloudFront, not by the origin.
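The following Python script is an added example, not code from the original post. It covers both the URL-versus-cookie distinction above (one URL per file, one cookie for a whole path) and the policy/expiry/key-pair features just listed: signed URLs and signed cookies are built from the same three parts (policy, signature, key-pair ID), and an edge-side check evaluates them. CloudFront requires an RSA-SHA1 signature made with the private key of a trusted key pair; here the signer is an injectable callable with an HMAC stand-in so the script runs offline, and the domain, path, key-pair ID and IP range are assumed values.

```python
"""Build and check CloudFront signed URLs and signed cookies.

Added example, not code from the original post. The RSA-SHA1 signing step is
injected as a callable so the script runs offline; a real signer would be, with
the `cryptography` package: key.sign(data, padding.PKCS1v15(), hashes.SHA1()).
The domain, path, key-pair ID and the HMAC stand-in signer are made up.
"""
import base64, fnmatch, hashlib, hmac, ipaddress, json, time
from urllib.parse import parse_qs, urlencode, urlparse

_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")


def cf_b64(data):
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CF)


def cf_b64decode(text):
    return base64.b64decode(text.translate(_FROM_CF))


def canned_policy(url, expires):
    """Canned policy: one resource and an expiry, serialised without whitespace
    because the edge rebuilds these exact bytes from Expires= to verify them."""
    pol = {"Statement": [{"Resource": url,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(pol, separators=(",", ":"))


def custom_policy(resource, expires, ip_cidr=None, start=None):
    """Custom policy: resource may use * wildcards, so one policy (and hence one
    set of cookies) can cover many files; optional source IP range and start time."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if ip_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    if start is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": start}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))


def _sign_params(resource, key_pair_id, rsa_sign, policy, expires):
    if policy is None:  # canned: the policy is implied by Expires=
        policy = canned_policy(resource, expires)
        params = {"Expires": str(expires)}
    else:               # custom: the policy itself travels in Policy=
        params = {"Policy": cf_b64(policy.encode())}
    params["Signature"] = cf_b64(rsa_sign(policy.encode()))
    params["Key-Pair-Id"] = key_pair_id
    return params


def sign_url(url, key_pair_id, rsa_sign, policy=None, expires=None):
    """Signed URL: Expires= (canned) or Policy= (custom), plus Signature and Key-Pair-Id."""
    params = _sign_params(url, key_pair_id, rsa_sign, policy, expires)
    return url + ("&" if "?" in url else "?") + urlencode(params, safe="-_~")


def sign_cookies(resource, key_pair_id, rsa_sign, policy=None, expires=None):
    """Signed cookies carry the same three values under CloudFront-* cookie names."""
    params = _sign_params(resource, key_pair_id, rsa_sign, policy, expires)
    return {"CloudFront-" + k: v for k, v in params.items()}


def check_url(signed, verify, now=None, client_ip=None):
    """Simplified edge-side check: verify the signature over the policy bytes, then
    enforce expiry, start time, IP range and the resource pattern. Assumes the
    base URL carried no query string of its own."""
    parts = urlparse(signed)
    q = parse_qs(parts.query)
    base = parts._replace(query="").geturl()
    policy = (cf_b64decode(q["Policy"][0]) if "Policy" in q
              else canned_policy(base, int(q["Expires"][0])).encode())
    if not verify(policy, cf_b64decode(q["Signature"][0])):
        return False  # tampered policy/Expires or wrong key
    stmt = json.loads(policy)["Statement"][0]
    cond = stmt["Condition"]
    now = int(time.time()) if now is None else now
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in cond and (client_ip is None or ipaddress.ip_address(client_ip)
                                not in ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"])):
        return False
    return fnmatch.fnmatchcase(base, stmt["Resource"])


# Offline stand-in for the RSA key pair (constructed): HMAC-SHA1 under a shared
# secret. CloudFront will NOT accept these signatures; swap in real RSA signing.
_DEMO_SECRET = b"not-a-real-cloudfront-private-key"


def demo_sign(data):
    return hmac.new(_DEMO_SECRET, data, hashlib.sha1).digest()


def demo_verify(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)


if __name__ == "__main__":
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    exp = int(time.time()) + 3600
    print(sign_url(url, "APKAEXAMPLE", demo_sign, expires=exp))
    pol = custom_policy("https://d111111abcdef8.cloudfront.net/private/*", exp,
                        ip_cidr="203.0.113.0/24")
    print(sign_cookies(url, "APKAEXAMPLE", demo_sign, policy=pol))
```

Before using any of this against a real distribution, replace demo_sign with an RSA-SHA1 signer for a key in a trusted key group (or use botocore's CloudFrontSigner, which implements the same encoding); the point of the script is to make visible what the edge checks, in particular that a changed Expires= or Policy= value invalidates the signature.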