CloudFront
- provides low latency and high data transfer speeds for distribution of static, dynamic web or streaming content to web users
- delivers the content through a worldwide network of data centers called Edge Locations — over 600+ Points of Presence (PoPs) and 13 regional edge caches in 100+ cities across 50+ countries
- supports Embedded POPs deployed directly within ISP/telco networks for highly scaled capacity during peak traffic events
- keeps persistent connections with the origin servers so that the files can be fetched from the origin servers as quickly as possible.
- dramatically reduces the number of network hops that users’ requests must pass through
- supports multiple origin server options, like AWS hosted service for e.g. S3, EC2, ELB or an on premise server, which stores the original, definitive version of the objects
- single distribution can have multiple origins and Path pattern in a cache behavior determines which requests are routed to the origin
- supports Web distribution only (RTMP Streaming distribution was deprecated on Dec 31, 2020)
- Web distribution supports static, dynamic web content, on demand using progressive download & HLS and live streaming video content
RTMP distribution was discontinued on December 31, 2020. Use HTTP-based streaming protocols (HLS, DASH) instead.
- supports HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3 (QUIC)
- HTTP/3 uses QUIC, a UDP-based, stream-multiplexed, secure transport protocol that improves upon TCP and TLS
- HTTP/2 and HTTP/3 can be enabled per distribution
- supports gRPC delivery (launched Nov 2024) for lightweight, high-performance remote procedure calls over HTTP/2, ideal for microservices architectures
- supports WebSocket connections automatically with any distribution, including through VPC origins (May 2026)
- supports HTTPS using either
- dedicated IP address, which is expensive as dedicated IP address is assigned to each CloudFront edge location
- Server Name Indication (SNI), which is free but supported by modern browsers only with the domain name available in the request header
- For E2E HTTPS connection,
- Viewers -> CloudFront needs either self signed certificate, or certificate issued by CA or ACM
- CloudFront -> Origin needs certificate issued by ACM for ELB and by CA for other origins
- Security
- Origin Access Control (OAC) is the recommended way to restrict S3 origin content to be accessible from CloudFront only
- OAC supports SigV4, SSE-KMS, POST method in all regions, and granular policy configurations
- OAC replaced the legacy Origin Access Identity (OAI) which is deprecated — new distributions since March 2026 can only use OAC
- Migration from OAI to OAC is recommended for all existing distributions
- VPC Origins (launched Nov 2024) allow CloudFront to point directly to ALBs, NLBs, or EC2 instances in private subnets, eliminating the need for public internet exposure
- Supports cross-account VPC origins (Nov 2025)
- CloudFront becomes the single entry point, enhancing security posture
- supports Geo restriction (Geo-Blocking) to whitelist or blacklist countries that can access the content
- Signed URLs
- to restrict access to individual files, for e.g., an installation download for your application.
- users using a client, for e.g. a custom HTTP client, that doesn’t support cookies
- Signed Cookies
- provide access to multiple restricted files, for e.g., video part files in HLS format or all of the files in the subscribers’ area of a website.
- don’t want to change the current URLs
- integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configured based on IP addresses, HTTP headers, and custom URI strings
- Security Dashboard (launched Nov 2023) provides a unified CDN and security experience with one-click WAF protections against common web threats (OWASP Top 10, IP reputation, scanners/probes)
- integrates with AWS Shield Standard automatically for DDoS protection at no extra cost
- Origin Access Control (OAC) is the recommended way to restrict S3 origin content to be accessible from CloudFront only
- supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get object & object headers, add, update, and delete objects
- only caches responses to GET and HEAD requests and, optionally, OPTIONS requests
- does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are proxied back to the origin
- object removal from cache
- would be removed upon expiry (TTL) from the cache, by default 24 hrs
- can be invalidated explicitly, but has a cost associated, however might continue to see the old version until it expires from those caches
- change object name, versioning, to serve different version
- Cache Policies and Origin Request Policies
- Cache Policies control what is included in the cache key (headers, cookies, query strings) and TTL settings
- Origin Request Policies specify what information to forward to the origin (independent of cache key)
- Managed policies are provided for common use cases (CachingOptimized, CachingDisabled, etc.)
- Managed cache policies for web applications added July 2024
- Response Headers Policies
- Add HTTP headers (security, CORS, custom) to responses without modifying origin
- Managed policies include security headers (Strict-Transport-Security, X-Frame-Options, Content-Security-Policy) and CORS configurations
- supports adding or modifying custom headers before the request is sent to origin which can be used to
- validate if user is accessing the content from CDN
- identifying CDN from which the request was forwarded from, in case of multiple CloudFront distribution
- for viewers not supporting CORS to return the Access-Control-Allow-Origin header for every request
- supports Partial GET requests using range header to download object in smaller units improving the efficiency of partial downloads and recovery from partially failed transfers
- supports compression to compress and serve compressed files when viewer requests include Accept-Encoding: gzip in the request header
- supports different price class to include all regions, to include only least expensive regions and other regions to exclude most expensive regions
- Flat-rate pricing plans (launched Nov 2025) combine CloudFront CDN, WAF, DDoS protection, bot management, Route 53 DNS, CloudWatch Logs, serverless edge compute, and S3 storage credits into a single monthly price with no overage charges
- Origin Shield
- additional centralized caching layer between regional edge caches and the origin
- helps increase cache hit ratio by collapsing requests across regions into a single origin request per object
- reduces origin load and operating costs, particularly beneficial for multi-CDN deployments
- Edge Compute — CloudFront Functions and Lambda@Edge
- CloudFront Functions — lightweight JavaScript functions running at edge locations for viewer request/response manipulation (URL rewrites, header manipulation, redirects, JWT validation)
- Sub-millisecond startup, millions of requests/second
- KeyValueStore (launched Nov 2023) — globally distributed, low-latency data store for CloudFront Functions enabling dynamic routing, feature flags, A/B testing, and tenant routing without code redeployment
- Lambda@Edge — Node.js/Python functions running at regional edge caches for more complex processing (origin request/response events, network calls, larger compute)
- CloudFront Functions — lightweight JavaScript functions running at edge locations for viewer request/response manipulation (URL rewrites, header manipulation, redirects, JWT validation)
- Continuous Deployment
- Test and validate configuration changes with a staging distribution using a percentage of live production traffic (up to 15%)
- Supports header-based or weight-based traffic routing for safe blue/green deployments
- Promote changes to primary distribution when validated
- Access Logs
- Standard logs (v2) — delivered via CloudWatch vended logs to S3, CloudWatch Logs, or Data Firehose (Nov 2024)
- Real-time logs — delivered within seconds to Amazon Kinesis Data Streams for real-time monitoring
- Legacy standard logs delivered to S3 with up to several minutes delay