AWS Content Delivery – Cheat Sheet

CloudFront

  • provides low latency and high data transfer speeds for distribution of static, dynamic web or streaming content to web users
  • delivers the content through a worldwide network of data centers called Edge Locations — over 600+ Points of Presence (PoPs) and 13 regional edge caches in 100+ cities across 50+ countries
  • supports Embedded POPs deployed directly within ISP/telco networks for highly scaled capacity during peak traffic events
  • keeps persistent connections with the origin servers so that the files can be fetched from the origin servers as quickly as possible.
  • dramatically reduces the number of network hops that users’ requests must pass through
  • supports multiple origin server options, like AWS hosted service for e.g. S3, EC2, ELB or an on premise server, which stores the original, definitive version of the objects
  • single distribution can have multiple origins and Path pattern in a cache behavior determines which requests are routed to the origin
  • supports Web distribution only (RTMP Streaming distribution was deprecated on Dec 31, 2020)
    • Web distribution supports static, dynamic web content, on demand using progressive download & HLS and live streaming video content
    • RTMP distribution was discontinued on December 31, 2020. Use HTTP-based streaming protocols (HLS, DASH) instead.
  • supports HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3 (QUIC)
    • HTTP/3 uses QUIC, a UDP-based, stream-multiplexed, secure transport protocol that improves upon TCP and TLS
    • HTTP/2 and HTTP/3 can be enabled per distribution
  • supports gRPC delivery (launched Nov 2024) for lightweight, high-performance remote procedure calls over HTTP/2, ideal for microservices architectures
  • supports WebSocket connections automatically with any distribution, including through VPC origins (May 2026)
  • supports HTTPS using either
    • dedicated IP address, which is expensive as dedicated IP address is assigned to each CloudFront edge location
    • Server Name Indication (SNI), which is free but supported by modern browsers only with the domain name available in the request header
  • For E2E HTTPS connection,
    • Viewers -> CloudFront needs either self signed certificate, or certificate issued by CA or ACM
    • CloudFront -> Origin needs certificate issued by ACM for ELB and by CA for other origins
  • Security
    • Origin Access Control (OAC) is the recommended way to restrict S3 origin content to be accessible from CloudFront only
      • OAC supports SigV4, SSE-KMS, POST method in all regions, and granular policy configurations
      • OAC replaced the legacy Origin Access Identity (OAI) which is deprecated — new distributions since March 2026 can only use OAC
      • Migration from OAI to OAC is recommended for all existing distributions
    • VPC Origins (launched Nov 2024) allow CloudFront to point directly to ALBs, NLBs, or EC2 instances in private subnets, eliminating the need for public internet exposure
      • Supports cross-account VPC origins (Nov 2025)
      • CloudFront becomes the single entry point, enhancing security posture
    • supports Geo restriction (Geo-Blocking) to whitelist or blacklist countries that can access the content
    • Signed URLs
      • to restrict access to individual files, for e.g., an installation download for your application.
      • users using a client, for e.g. a custom HTTP client, that doesn’t support cookies
    • Signed Cookies
      • provide access to multiple restricted files, for e.g., video part files in HLS format or all of the files in the subscribers’ area of a website.
      • don’t want to change the current URLs
    • integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configured based on IP addresses, HTTP headers, and custom URI strings
    • Security Dashboard (launched Nov 2023) provides a unified CDN and security experience with one-click WAF protections against common web threats (OWASP Top 10, IP reputation, scanners/probes)
    • integrates with AWS Shield Standard automatically for DDoS protection at no extra cost
  • supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get object & object headers, add, update, and delete objects
    • only caches responses to GET and HEAD requests and, optionally, OPTIONS requests
    • does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are proxied back to the origin
  • object removal from cache
    • would be removed upon expiry (TTL) from the cache, by default 24 hrs
    • can be invalidated explicitly, but has a cost associated, however might continue to see the old version until it expires from those caches
    • change object name, versioning, to serve different version
  • Cache Policies and Origin Request Policies
    • Cache Policies control what is included in the cache key (headers, cookies, query strings) and TTL settings
    • Origin Request Policies specify what information to forward to the origin (independent of cache key)
    • Managed policies are provided for common use cases (CachingOptimized, CachingDisabled, etc.)
    • Managed cache policies for web applications added July 2024
  • Response Headers Policies
    • Add HTTP headers (security, CORS, custom) to responses without modifying origin
    • Managed policies include security headers (Strict-Transport-Security, X-Frame-Options, Content-Security-Policy) and CORS configurations
  • supports adding or modifying custom headers before the request is sent to origin which can be used to
    • validate if user is accessing the content from CDN
    • identifying CDN from which the request was forwarded from, in case of multiple CloudFront distribution
    • for viewers not supporting CORS to return the Access-Control-Allow-Origin header for every request
  • supports Partial GET requests using range header to download object in smaller units improving the efficiency of partial downloads and recovery from partially failed transfers
  • supports compression to compress and serve compressed files when viewer requests include Accept-Encoding: gzip in the request header
  • supports different price class to include all regions, to include only least expensive regions and other regions to exclude most expensive regions
  • Flat-rate pricing plans (launched Nov 2025) combine CloudFront CDN, WAF, DDoS protection, bot management, Route 53 DNS, CloudWatch Logs, serverless edge compute, and S3 storage credits into a single monthly price with no overage charges
  • Origin Shield
    • additional centralized caching layer between regional edge caches and the origin
    • helps increase cache hit ratio by collapsing requests across regions into a single origin request per object
    • reduces origin load and operating costs, particularly beneficial for multi-CDN deployments
  • Edge Compute — CloudFront Functions and Lambda@Edge
    • CloudFront Functions — lightweight JavaScript functions running at edge locations for viewer request/response manipulation (URL rewrites, header manipulation, redirects, JWT validation)
      • Sub-millisecond startup, millions of requests/second
      • KeyValueStore (launched Nov 2023) — globally distributed, low-latency data store for CloudFront Functions enabling dynamic routing, feature flags, A/B testing, and tenant routing without code redeployment
    • Lambda@Edge — Node.js/Python functions running at regional edge caches for more complex processing (origin request/response events, network calls, larger compute)
  • Continuous Deployment
    • Test and validate configuration changes with a staging distribution using a percentage of live production traffic (up to 15%)
    • Supports header-based or weight-based traffic routing for safe blue/green deployments
    • Promote changes to primary distribution when validated
  • Access Logs
    • Standard logs (v2) — delivered via CloudWatch vended logs to S3, CloudWatch Logs, or Data Firehose (Nov 2024)
    • Real-time logs — delivered within seconds to Amazon Kinesis Data Streams for real-time monitoring
    • Legacy standard logs delivered to S3 with up to several minutes delay