Amazon CloudFront - Developer Guide


Amazon CloudFront: Developer Guide

Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon CloudFront? ..... 1
  How you set up CloudFront to deliver content ..... 1
  Use cases ..... 3
    Accelerate static website content delivery ..... 3
    Serve video on demand or live streaming video ..... 3
    Encrypt specific fields throughout system processing ..... 4
    Customize at the edge ..... 4
    Serve private content by using Lambda@Edge customizations ..... 4
  How CloudFront delivers content ..... 5
    How CloudFront delivers content to your users ..... 5
    How CloudFront works with regional edge caches ..... 6
  Locations and IP address ranges of CloudFront edge servers ..... 8
    Use the CloudFront managed prefix list ..... 8
  Accessing CloudFront ..... 8
  How to get started with Amazon CloudFront ..... 9
  AWS Identity and Access Management ..... 9
  CloudFront pricing ..... 9
    Savings bundle ..... 11
    Choosing the price class for a CloudFront distribution ..... 14

Setting up ..... 16
  Sign up for AWS ..... 16
  Access your account ..... 16
    Access the console ..... 17
    Access the API, AWS CLI, AWS Tools for Windows PowerShell, or the AWS SDKs ..... 17
  Create an IAM user ..... 17
  Set up the AWS Command Line Interface or AWS Tools for Windows PowerShell ..... 19
  Download an AWS SDK ..... 19

Getting started ..... 20
  Getting started with a simple distribution ..... 20
    Prerequisites ..... 20
    Step 1: Upload your content to Amazon S3 and grant object permissions ..... 21
    Step 2: Create a CloudFront distribution ..... 22
    Step 3: Access your content through CloudFront ..... 22
  Getting started with AWS for WordPress ..... 23
    Prerequisites ..... 24
    Step 1: Install the plugin ..... 26
    Step 2: Configure and use CloudFront with the plugin ..... 26
    (Optional) Deactivate site acceleration ..... 28
    (Optional) Remove site acceleration and delete the CloudFront distribution ..... 29
    (Optional) Deactivate and remove the plugin ..... 29
    (Optional) Create a CloudFront distribution for Amazon Polly content ..... 30
    Troubleshooting ..... 30
  Getting started with a secure static website ..... 32
    Solution overview ..... 33
    Deploying the solution ..... 34

Working with distributions ..... 37
  Overview of distributions ..... 37
    Actions you can use with distributions ..... 38
    Required fields for creating and updating distributions ..... 38
  Creating, updating, and deleting distributions ..... 40
    Steps for creating a distribution ..... 40
    Creating a distribution ..... 41
    Values that you specify ..... 42
    Values that are displayed ..... 64
    Testing a distribution ..... 65
    Updating a distribution ..... 66
    Tagging a distribution ..... 67
    Deleting a distribution ..... 68
  Using various origins ..... 69
    Using an Amazon S3 bucket ..... 70
    Using a MediaStore container or a MediaPackage channel ..... 73
    Using an Application Load Balancer ..... 73
    Using a Lambda function URL ..... 73
    Using Amazon EC2 (or another custom origin) ..... 74
    Using CloudFront origin groups ..... 75
  Using custom URLs ..... 75
    Adding an alternate domain name ..... 75
    Moving an alternate domain name to a different distribution ..... 78
    Removing an alternate domain name ..... 81
    Using wildcards in alternate domain names ..... 82
    Requirements for using alternate domain names ..... 83
    Restrictions on using alternate domain names ..... 84
  Using WebSockets ..... 85
    How the WebSocket protocol works ..... 85
    WebSocket requirements ..... 85

Working with policies ..... 87
  Controlling the cache key ..... 87
    Creating cache policies ..... 88
    Understanding cache policies ..... 91
    Using the managed cache policies ..... 95
    Understanding the cache key ..... 97
  Controlling origin requests ..... 99
    Creating origin request policies ..... 100
    Understanding origin request policies ..... 103
    Using the managed origin request policies ..... 105
  Adding the CloudFront HTTP headers ..... 106
    Headers for determining the viewer's device type ..... 107
    Headers for determining the viewer's location ..... 107
    Other CloudFront headers ..... 108
  Adding response headers ..... 108
    Creating response headers policies ..... 109
    Using the managed response headers policies ..... 113
    Understanding response headers policies ..... 116

Adding, removing, or replacing content ..... 122
  Adding and accessing content ..... 122
  Updating existing content ..... 122
    Updating existing files using versioned file names ..... 123
    Updating existing content using the same file names ..... 123
  Removing content so CloudFront won't distribute it ..... 124
  Customizing file URLs ..... 124
    Using your own domain name (example.com) ..... 124
    Using a trailing slash (/) in URLs ..... 125
    Creating signed URLs for restricted content ..... 125
  Specifying a default root object ..... 125
    How to specify a default root object ..... 125
    How headers work with default root objects ..... 126
    How CloudFront works if you don't define a root object ..... 127
  Invalidating files ..... 128
    Choosing between invalidating files and using versioned file names ..... 128
    Determining which files to invalidate ..... 129
    Specifying the files to invalidate ..... 129
    Invalidating files using the console
    Invalidating files using the CloudFront API
    Concurrent invalidation request maximum
    Paying for file invalidation

Serving compressed files
  Configuring CloudFront to compress objects
  How CloudFront compression works
  Notes about CloudFront compression
    File types that CloudFront compresses
    ETag header conversion

Generating custom error responses
  Configuring error response behavior
  Creating a custom error page for specific HTTP status codes
  Storing objects and custom error pages in different locations
  Changing response codes returned by CloudFront
  Controlling how long CloudFront caches errors

Configuring secure access and restricting access to content
  Using HTTPS with CloudFront
    Requiring HTTPS between viewers and CloudFront
    Requiring HTTPS to a custom origin
    Requiring HTTPS to an Amazon S3 origin
    Supported protocols and ciphers between viewers and CloudFront
    Supported protocols and ciphers between CloudFront and the origin
    Charges for HTTPS connections
  Using alternate domain names and HTTPS
    Choosing how CloudFront serves HTTPS requests
    Requirements for using SSL/TLS certificates with CloudFront
    Quotas on using SSL/TLS certificates with CloudFront (HTTPS between viewers and CloudFront only)
    Configuring alternate domain names and HTTPS
    Determining the size of the public key in an SSL/TLS RSA certificate
    Increasing the quotas for SSL/TLS certificates
    Rotating SSL/TLS certificates
    Reverting from a custom SSL/TLS certificate to the default CloudFront certificate
    Switching from a custom SSL/TLS certificate with dedicated IP addresses to SNI
  Restricting content with signed URLs and signed cookies
    Overview of serving private content
    Task list for serving private content
    Specifying signers
    Choosing between signed URLs and signed cookies
    Using signed URLs
    Using signed cookies
    Using Linux commands and OpenSSL for base64 encoding and encryption
    Code examples for signed URLs
  Restricting access to Amazon S3 content
    Overview of OAI setup
    Creating a CloudFront OAI and adding it to your distribution
    Granting the OAI permission to read files in your Amazon S3 bucket
    Using an OAI in Amazon S3 regions that support only signature version 4 authentication
  Restricting access to Application Load Balancers
    Configuring CloudFront to add a custom HTTP header to requests
    Configuring an Application Load Balancer to only forward requests that contain a specific header
    (Optional) Improve the security of this solution
  Using AWS WAF to control access to your content
  Geographically restricting content
    Using CloudFront geographic restrictions
    Using a third-party geolocation service ..... 238
  Using field-level encryption to help protect sensitive data ..... 239
    Overview of field-level encryption ..... 241
    Setting up field-level encryption ..... 242
    Decrypting data fields at your origin ..... 245

Optimizing caching and availability ..... 248
  Caching with edge locations ..... 248
  Improving your cache hit ratio ..... 248
    Specifying how long CloudFront caches your objects ..... 249
    Using Origin Shield ..... 249
    Caching based on query string parameters ..... 249
    Caching based on cookie values ..... 250
    Caching based on request headers ..... 250
    Remove Accept-Encoding header when compression is not needed ..... 251
    Serving media content by using HTTP ..... 251
  Using Origin Shield ..... 251
    Use cases for Origin Shield ..... 252
    Choosing the AWS Region for Origin Shield ..... 255
    Enabling Origin Shield ..... 256
    Estimating Origin Shield costs ..... 258
    Origin Shield high availability ..... 258
    How Origin Shield interacts with other CloudFront features ..... 258
  Increasing availability with origin failover ..... 259
    Creating an origin group ..... 260
    Controlling origin timeouts and attempts ..... 261
    Use origin failover with Lambda@Edge functions ..... 262
    Use custom error pages with origin failover ..... 262
  Managing cache expiration ..... 263
    Using headers to control cache duration for individual objects ..... 264
    Specifying the amount of time that CloudFront caches objects ..... 264
    Adding headers to your objects using the Amazon S3 console ..... 267
  Caching and query string parameters ..... 268
    Console and API settings for query string forwarding and caching ..... 269
    Optimizing caching ..... 269
    Query string parameters and CloudFront standard logs (access logs) ..... 270
  Caching content based on cookies ..... 270
  Caching content based on request headers ..... 272
    Headers and distributions – overview ..... 273
    Selecting the headers to base caching on ..... 274
    Configuring CloudFront to respect CORS settings ..... 274
    Configuring caching based on the device type ..... 275
    Configuring caching based on the language of the viewer ..... 275
    Configuring caching based on the location of the viewer ..... 275
    Configuring caching based on the protocol of the request ..... 275
    Configuring caching for compressed files ..... 275
    How caching based on headers affects performance ..... 276
    How the case of headers and header values affects caching ..... 276
    Headers that CloudFront returns to the viewer ..... 276

Troubleshooting ..... 277
  Troubleshooting distribution issues ..... 277
    CloudFront returns an InvalidViewerCertificate error when I try to add an alternate domain name ..... 277
    I can't view the files in my distribution ..... 278
    Error message: Certificate: certificate-id is being used by CloudFront ..... 279
  Troubleshooting error responses from your origin ..... 280
    HTTP 400 status code (Bad Request) ..... 280
    HTTP 500 status code (Lambda execution error) ..... 281
    HTTP 502 status code (Bad Gateway) ..... 281
    HTTP 502 status code (Lambda validation error) ..... 283
    HTTP 503 status code (Lambda limit exceeded) ..... 283
    HTTP 503 status code (Service Unavailable) ..... 284
    HTTP 504 status code (Gateway Timeout) ..... 284
  Load testing CloudFront ..... 287

Request and response behavior ..... 289
  Request and response behavior for Amazon S3 origins ..... 289
    How CloudFront processes HTTP and HTTPS requests ..... 289
    How CloudFront processes and forwards requests to your Amazon S3 origin ..... 289
    How CloudFront processes responses from your Amazon S3 origin ..... 294
  Request and response behavior for custom origins ..... 295
    How CloudFront processes and forwards requests to your custom origin ..... 295
    How CloudFront processes responses from your custom origin ..... 305
  Request and response behavior for origin groups ..... 308
  Adding custom headers to origin requests
