Ref: https://learn.cantrill.io/courses/1820301/lectures/41301522

• Summary:
• Contents:

CF Distribution-level Settings

• 💡 Higher-level settings
• Price class
  • Determines which edge locations a distribution is deployed to
  • Trade-off → Deploying to less edge locations means:
    • Cheaper price
    • Less performance for users far from selected regions
  • Screenshot
• Alternate domain names (CNAMEs)
  • 💡 By default, a distribution has a unique domain name ending in cloudfront.net
    • Use alternate domain names for your own custom domain names
• SSL certificates
  • Default certificate for default domain name (no extra configuration)
  • Custom SSL certificates for alternate domain names
    • Uses AWS Certificate Manager (ACM) to issue certificates
    • SNI and non-SNI certificates
  • Screenshot
• Security policy
  • Various different security policies supported
    • AWS updates these periodically - Reference:
      • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
  • ❗ Trade-off between security and accessibility:
    • More recent policies are more secure
    • More recent policies prevent older browsers from accessing the distribution
  • Screenshot
• Other:
  • HTTP versions
  • Logging
    • Standard CF logs delivered to CW
    • Real-time logs delivered to a Kinesis Data Stream
  • Web Application Firewall (WAF)
    • Create a WEBACL (within WAF product), then associate it with a CF distribution
  • Default root object
    • Object that should be loaded when user requests root URL (/) i.e. only queries distribution name but without specifying an object
    • Once distribution is created, one can also define error pages (what should be loaded when user is 403 forbidden or when user requests object that doesn't exist i.e. 404)
  • IPv6
  • …
  • Screenshot

CF Behavior-level Settings

• 💡 Lower-level settings, remember a distribution has 1+ behaviors
• Path pattern (e.g. * → default path)
  • Requests incoming to an edge location are pattern-matched against any paths defined in behaviors
    • If pattern matches → custom behavior applied
    • If no pattern matches → default behavior applied
  • Screenshot
• Origin & Origin Groups
  • Screenshot
• Viewer settings
  • Viewer protocol policy
    • Allow/restrict HTTP connections (HTTPS connections always supported)
  • Allowed HTTP methods
  • Restrict viewer access
    • ‼️ Different from restricting access to an S3 origin!
    • Sets entire behavior to be restricted/private
      • accessing content will require stuff like signed cookies or signed URLs
    • If enabled, must specify trusted authorization type
      • key groups (new) or trusted signers (legacy)
    • 💡 Many distributions have non-restricted behaviors e.g. SSO and then restricted behaviors which control access to sensitive content
  • Screenshot
• Cache key and origin requests
  • Newer cache policy + origin request policy or legacy cache settings
    • Can specify minimum, maximum and default TTL
  • Screenshot
• Response headers policy
  • Enable if you want to cache based on request headers
  • Options: Non-whitelist or all
  • Screenshot
• Function associations
  • e.g. associate Lambda@Edge functions with CF
  • Screenshot