AWS WAF monitors the HTTP and HTTPS requests that are forwarded to CloudFront and controls access to content based on defined conditions.
Web Access Control List (Web ACL):
  Defines the conditions under which access to content is allowed or blocked.
  Conditions include:
    - the IP address a request originates from
    - values in query strings
Response Handling:
  CloudFront responds to each request with either:
    - the requested content, or
    - an HTTP 403 (Forbidden) status code, when an AWS WAF rule blocks the request.
Custom Error Pages:
  CloudFront can be configured to return a custom error page when access is forbidden.
Association with Distribution:
  The relevant CloudFront distribution must be associated with the configured web ACL for the access controls to take effect.
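As an added example (not part of the original notes), a Terraform definition of a CloudFront-scoped AWS WAFv2 web ACL that blocks on the two condition types listed above; the resource names, the CIDR range and the query-string marker value are constructed placeholders, and CloudFront-scoped WAF resources are assumed to be created through a provider configured for us-east-1.

```hcl
resource "aws_wafv2_ip_set" "blocked_sources" {
  name               = "blocked-sources"
  scope              = "CLOUDFRONT" # CloudFront-scoped WAF resources are created in us-east-1
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"] # constructed RFC 5737 example range
}
resource "aws_wafv2_web_acl" "cloudfront_acl" {
  name  = "cloudfront-web-acl" # placeholder name
  scope = "CLOUDFRONT"
  default_action {
    allow {} # anything the rule below does not match is forwarded to the origin
  }
  rule { # one rule: block (HTTP 403) when EITHER condition matches
    name     = "block-listed-ips-or-debug-flag"
    priority = 1
    action {
      block {} # WAF answers with 403 Forbidden unless a custom response is configured
    }
    statement {
      or_statement {
        statement { # condition 1: originating IP is in the blocked set
          ip_set_reference_statement { arn = aws_wafv2_ip_set.blocked_sources.arn }
        }
        statement { # condition 2: query string contains the constructed marker value
          byte_match_statement {
            search_string         = "debug=true"
            positional_constraint = "CONTAINS"
            field_to_match {
              query_string {}
            }
            text_transformation { # applied before matching; priority 0 = first transform
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-listed-ips-or-debug-flag"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-web-acl"
    sampled_requests_enabled   = true
  }
}
```

The association step from the notes is done on the distribution side by setting the aws_cloudfront_distribution resource's web_acl_id argument to this ACL's ARN (aws_wafv2_web_acl.cloudfront_acl.arn); until that is set, the ACL inspects nothing.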
Security
PCI DSS Compliance:
  CloudFront is PCI DSS compliant, but caching credit card information at edge locations is not recommended.
HIPAA Compliance:
  CloudFront is HIPAA compliant and classified as a HIPAA-eligible service, so it meets the security requirements for handling healthcare data.
DDoS Protection:
  CloudFront provides DDoS protection by distributing traffic across multiple edge locations and filtering requests, so that only valid HTTP(S) requests are forwarded to backend hosts. Geo-blocking can also be used to reject requests from specific geographic locations.
Domain Names
CloudFront Domain Names:
  CloudFront automatically assigns each distribution a domain name such as a232323.cloudfront.net.
Alias Records:
  Alternate domain names can be pointed at the distribution using an alias record in Route 53.
CNAME for Other Service Providers:
  When DNS is hosted with another provider, CNAME records are used instead; however, a CNAME cannot be placed at the zone apex.
Moving Domain Names:
  Subdomains:
    Subdomains can be moved between distributions by the user.
  Root Domain:
    For the root domain, AWS Support must be engaged to move the domain name between distributions.
High Availability with CloudFront
Caching Content:
  CloudFront caches content at edge locations globally.
  Cached objects reduce the number of requests that reach the origin server, decreasing both its load and response latency.
Origin Failover:
  CloudFront supports origin failover for high-availability scenarios. Refer: