AWS Cloudfront Flashcards
1
Q
What is a AWS CloudFront?
A
CloudFront is a CDN but has extra functionality for dynamic content, RTMP and security such as geo-restriction..
2
Q
I need to mitigate DDOS attacks, is AWS CloudFront good mitigation and why?
A
Yes, it is because AWS CF has the ability to scale and AWS filters traffic the is not legit.
3
Q
I have an API and I want to provide caching for this API and also get the benefit of improving global performance, what options do I have?
A
Use CloudFront as it has the ability to deal with caching dynamic content from an origin, this includes API. The way it works is you set the TTL to 0, CF will perform a head request with the origin to know if the content has changed, if not it will serve the cached content if the content has changed them CF will do a get.
4
Q
What types of video stream can CF deal with?
A
On-demand
Pre-recorded
Live streaming
5
Q
From a video streaming perspective, what is the advantage of using CF.
A
You push the streaming content need the edge and users.
6
Q
How can I secure the content delivery by CloudFront?
A
- Signed URL’s
- Signed Cookies (Use Set_Cookie in request header)
7
Q
I am using HSL with CF, can I use signed URLs?
A
No, signed URLs are only good for static content, HLS is mead up of chunks and the viewer app has to keep requestion new chunks ever say 5sec, use signed cookies is the correct method.
8
Q
My company is using RTMP file and I want to make them available to users globally, what is my best option?
A
You can use s3 as the origin and CF to bring the content to the edge near the user, RTMP is supported for video streaming.
9
Q
I have an s3 origin and I request with HTTP, what will the CF to S3 be?
A
It will be HTTP as when s3 is the origin, protocol is matched. HTTP = HTTP and HTTPs = HTTPs
10
Q
I have an EC2 instance that accepts HTTP only, this is fronted by CF and the user requests HTTPS, what will happen?
A
Id HTTP only option on CF is set up the request will be sent to the origin as HTTP.
11
Q
I would like to server content for several origins, is this possible with CF?
A
Yes CF supports multiple origins.
12
Q
Can I have an on-prem as an origin for Cloudfront?
A
yes, you can point CF anywhere.
13
Q
can I invalidate CDN cache object or even everything?
A
Yes
14
Q
can I use my own SSL?
A
yes
15
Q
can I have custom error images?
A
yes?
16
Q
what HTTP methods are cached?
A
get
head
options
17
Q
For dynamic CF content, what does TTL 0 do?
A
If set to 0, CF will send a head request to see if anything in the content has changed, if it has then CF does a GET and stores the content.
18
Q
We want people from all around the world to upload files to our EC2 instances?
A
Use CF as it will allow upload and will send to EC2 over AWS backbone.
19
Q
Can we have CF send us to different origins based on the calling device?
A
Yes
20
Q
I have an S3 bucket that I want to use with CF to distribute the file, but I do not what users to be able to access directly with s3, what options do I have with CF?
A
Use origin access identity, this ensures CF is able to access the bucket.
21
Q
What is a multi-region CF origin design?
A
This is where we have multiple regions act as a origin for CloudFront.
22
Q
Can I use DNS names with CF?
A
Yes, you cna have CF look up any domain and where you use Route53, I can then have Route53 deliver based on latency-based routing.
23
Q
I want to use latency based routing with CF, what are my options.
A
You can point your CF CDN at route53 zone with latency based routing set up.
24
Q
With regard to cloudfront, what are the network benefits?
A
It reduces the number of hops
25
I need to stream RTMP, what is my best option?
As S3 is the only supported origin for RTMP and, put the file in S3 and front with CF.
26
I have to increase the security of information passing through cloudfront, I would like to encrypt fields in my data, is this possible?
Ye 100%, field level encryption is a feature of CF.
27
I require the ability to encrypt fields send for processing of card payment transactions through CF to the origin, what options do I have?
We can use the encrypt fields feature of CloudFront, this will encrypt the field data sent through CF. You specify the set of fields in the post you want to encrypt.
28
How many fields can I encrypt use field encryption with Cloudfront?
Up to 10.
29
How cna I make more requests hit the cache?
Increase the TTL, forcing.
30
How can we invalidate cached files without using invalidate to the caching server?
invalidate by using a different file name or a GUID attached tot he files name, this way the client is forced to go back and get the new file. You would update the file by generating a new name,
31
What would happen if I added Cache-Control max-age to my origin?
It would set the max time available where the client would not come back to the CDN and Origan for a file until the max time was reached. This would help with the number of hits the organ is taking.
32
How can I improve the hit ratio on the CDN?
- Cache-Control max-age
- Query string based caching
- Caching based on cookies
33
I have a web application that received a query string through CF, the query string is for each language. I would like CF to cache each language page separately, what options do I have?
You cna use query string based caching to have CF cache ech seperta languate gage.
34
What is query string based caching?
It enables you to have CF use the query string to cache sperate respon ces form the origan such as language file and then the next time the same querystring is used the casche will serve the content/file.
35
Need to be able to clock certan counteries from accessing content, what options do i have for CF?
Using Geo Restrictions you can blcok cenrtan counteries.
36
With S3 I need ot be able to block certan counteries from accessing content, what options do I have?
You cna add CF to the soliution and have CF blck certan GEOS.
37
What is a CloudFront Distribution?
It is the entity that contains the information for,
- Origin or origin groups
- Behaviours
- Error pages
- Restrictions
- Invalidation
- Tags
38
What type of streaming media is supported by CloudFront?
RTMP, but you can also distribute media files over HTTP and HTPPs
39
I have a set of a media file and I wnat to distribute them globally and want to have my user fast access to them, what can I do?
You cna use CF to distribute the files.
40
We are live streaming contents using HTTP and HTTPS in, I wnat to distribute this globally, what are my options?
You cna use CloudFront.
41
I am using RTMP and I wnat to use CloudFront, can I use my on-prem origin?
No, you have to use S3
42
What is a CloudFront distribution?
It is an entity that describes the functions and properties that apply to your instance of the CloudFront service.
43
What origins dose CloudFront support?
- s3
- EC2
- On-prem (any public endpoint with compatible content)
44
For CloudFront what type of distributions are supported?
- Web: static content, HTTP and HTTPS medial files, Update and delete objects and live to stream.
- RTMP
45
I am using RTMP, I wnat to store my file on-prem, how cna I configure this?
You can RTMP only supports s3.
46
What is the content origin?
It is where the data/file is living or coming from.
47
What is an Origin fetch?
This is where CloudFront fetches the content from the origin.
48
What is the viewer protocol?
This is the client protocol that is making requests to AWS?
49
What is the Origin protocol?
This is the protocol used to connect with the origin during and origin fetch?
50
I wnat to restrict access to the bucket and force people To access content through the CloudFront, how can do this?
CloudFront has a setting, you cna also set up an s3 policy on the s3 bucket to restrict any request to CloudFront.
51
What option do I have when the connecting to an Origin form CloudFront?
These are for other origins and, not s3.
- TLS v1.2, 1.1, 1
- HTTP and HTTPs, Match viewer
- Response time out
- HTTP Port
- HTPS Port
52
What viewer protocol setting can I have?
- HTTP + HTTPs
- Restrict HTTP to HTTPs
- HTTPs only.
- Restrict HTTP type requests like GET, HEAD, GET HEAD OPTIONS, all HEET requests.
53
What are the encrypted fields?
This is where you get to select an option for your distribution that encrypts all the fields in your request, do data is encrypted all the way to the origin.
54
For pricing on CloudFront, what are the options I have?
- US, Canada, Europe
- US, Canada, Europe and Afarica
- All locations.
55
I wnat to add a WAF to my CloudFront is this possible?
Yes
56
I am using CloudFront as a caching layer for my content and also as a gateway for my API, I am getting SQL injection attacks and would like to stop them, what options do I have?
Put a WAF in front of the CloudFront distribution.
57
What is Server Name Indication (SNI)?
It is a TLS feature that enables a host to say what host it wnat to connect with, this is so when the host connects to an LB or CDN the LB or CDN can return the correct cert.
58
For CloudFront, where do I get the cert form?
ACM
59
What is the order the CloudFront cache is checked?
Edge (local) cache and then regional cache and then the origin.
60
What is the Lambda edge used for?
It can be used to alter the request coming in or the response going back form CloudFront.
61
Can I geo restrict CloudFront?
Yes in your distribution you have the ability to create a geo whitelist of countries you wnat to allow.
62
What TLS version should you use for CloudFront?
TLSv1.1_2016
63
I have two origins, one for jpgs and the other for MPEGs, how cna I configure CloudFront distribute both origins content?
Set up distribution with two behaviours pointing to the two origins. One behaviour with a path pattern of images/*.jpg and the other origin of /video/*.mpg
64
What is a custom origin?
It is where you create the origin to be in
65
When I am looking to use a custom origin, can this be in a private network?
No, the custom origin must be in a publicly accessible network.
66
When I am using s3 as an origin can I access many of the origin setting such as TLS, Match viewer?
No.
67
How can I stop CloudFront been bypassed for s3?
When using s3 you can use the setting "Restrict bucket access", this will restrict bucket access to only requests coming from CloudFront.
68
How can I stop CloudFront been bypassed for custom origins?
You cna inject header to the request been sent to the origin form CloudFront
69
My organization requires me to encrypt all traffic end to end, how cna I have an end to end encryption with CloudFront CloudFront?
You can use HTTPS and set viewer policy to HTTPs. You can also use field-level encryption, but not on its own as fields are only encrypted from CloufFront to the origin and not from client to origin if HTTP was to be used.
70
I am using S3 as an origin for CloudFront, can I force any protocol?
No, the client protocol type will be used when doing an origin fetch to the origin form CloudFront.
71
I need an end to end encryption where I control the encryption and certs used and authenticate the server and client, can I use CloudFront?
CloudFront acts as a man in the middle, you connect with CloudFront and CloudFront connects with your origin client. For use cases where you have to have end to end control, CloudFront may not be suitable
72
A number of bad actors are sending malformed requests to your application, I have CloudFront deployed, should I be concerned?
No, CloudFront will only send good requests to the origin all malformed request will be filtered out.
73
Can I use a self-signed cert for my CloudFront client connections?
No, you have to use public trusted cert, this could be a ACM cert.
74
I am creating an ELB as an origin for CloudFront, what do I need to configure?
You will need a public trusted cert on the ELB, this cna be an ACM cert. You need to ensure the domain name of the cert matches the origin.
75
What is an OAI?
It is an origin access identity and is used to ensure thet users can not bypass the CloudFront.
76
How does an OAI work for CloudFront?
You create an OAI in a CF distribution behaviour, under restrict bucket access, this identity will be used by s3 bucket policy to ensure the request is coming from CloudFront. This policy can be added automatically to s3 form CloudFront console.
77
What is a pre-signed URL?
It is a time-limited URL that is signed by a user to enable another user to use the URL to access an object.
78
Can a user that does not have permissions to access object X in an s3 bucket create a signed URL for object X?
Yes, but the users of the URL will not be able to access object X, the permissions of the pre-signed URL to access the object X come from the singing user, if the users do not have permission then the user of the signed URL will not be able to access object X.
79
Can U use signed URL to access an origin bucket?
No, but signed cookie allows this but signed cookies may not be convenient to a user unless the user is using an app that hides the complexity.
80
What happens when I enable 'Restrict Viewer Access'?
The viewer must use signed URLs or Cookies.
81
What are the trusted signers?
They re the people that can sign URLs or cookies, this a be self or account
82
Is signed URLs or cookies applied to the CF distribution?
No, they are part of the behaviour
83
I am using RTMP, can I use single URL's?
No, only cookies.
84
Is it possible to create a blacklist for CF to restrict countries?
Yes
85
Is it possible to create a white list for CF to allow countries?
Yes
86
I wnat to use a third party check to restrict users from some countries accessing content via CF, how cna I do this?
CF has geo white/blacklisting but as you wnat to use a third party check on use geo, you cna use signed URLs. This is where the request for the file/object/image arrives at your server where you perform the go check and then redirect using signed URLs.
87
I need to use a private key to encrypt my CF field data and then use the same key on my custom host to decrypt the data, how can I configure this?
You use CF field level encryption and use you private customer key to encrypt the data at both the CF and the origin.
88
What is cache hist and miss?
- Hist is when the content you want is present on the cache.
| - Miss is when the content is not in the cache.
89
How can you optimise the cache so there are fewer hits on your web server?
Make the TTL longer.
90
I have web weather update site where updates happen every 10 seconds, I have a TTL of 5min with CF, how can I make it so the users see the content updates faster?
Reduce the TTL to 9sec so the content will refresh sooner.
91
By default how long will an object be cached for on CF?
24hrs (86400)
92
If an origin has a cache header will it be used or C?
Provided it is inside the min - mas asset in the CF behaviours if now the main and mas will be used to override the origins.
93
How can you deal with invalidating CF content when you have set long TTLs?
You can change the name of the file you are referencing, you would do this in your application first day, set it up as part of your build version. This means that for each new version of the app you get new static content.
94
By default does CloudFront pass on query strings?
No
95
In CF, for query strings, what can I do to have CF cache based on query strings?
You have the option to cache on 'all'
96
In CF, I am configuring cache based on the query string, I wnat to cache on language (language=fr) but not on other query values, how cna I configure this?
You can use the option to whitelist the quest string parameters you do not what to be in scope.
97
What re the Lambda HTTP events you can use with CF edge?
- Viewer request,
- Viewer response
- Origan request
- Origan responce
98
I wnat to see the total cache hits and misses and status codes form CF, how cna I do this?
CF provides Cache stats and you can also see them on CloudWatch.
99
Can I set alarms on the CloudFront?
Yes and also CloudWatch
100
I wnat to better understand the countries that are accessing my CloudFront, how can I do this?
Turn on access logs, these will be stored to s3.
101
I am using CF and I wnat to analyze my data, how can I do this?
You can enable the access logs to be exported to s3 bucket and use Atena to analyze the logs.
102
What is a distribution?
This is the container you use to define your distribution.
103
What type of CloudFront distribution can you have?
Web (web content)
| RTMP (Adobe Video) (!!!Endo of life and discontinued 31st Dec 2020)
104
What origins are supported with CloudFront?
- S3
- ELB
- Media package
- Media store
- Custom origin
105
I have a live video that is been encoded and the stream needs to be pushed to millions of subscribers all around the world, how can I do this?
Use elemental media store to receive the encoded video stream as a custom origin for CloudFront. elemental media store will receive the media stream store it and act as an origin for CloudFront.
106
How cna I filter CF requests?
You cna add a WAF and create an ACL
107
Where are the SSL certs stored for CF?
AWS Cert Manager
108
Does CF support IPv6?
Yes 100%, it is optional.
109
Can I use RTMP with origins other than S3?
No, you have to use S3
110
What is the viewer protocol policy?
This policy defines if the client can use HTTP, HTTPS or be redirected from HTTP to HTTPS or HTTPS only.
111
What is the allowed method option?
Get, HED
GET, HEAD, OPTIONS
GET, HEAD, OPTIONS, PUT, PATCH DELETE
112
Can I encrypt the data/body in an HTTP post with field-level encryption?
No, only the fields
113
Can I encrypt 11 fields with field-level encryption?
No, only 10 fields
114
What encryption is used for field-level encryption?
Asymmetric encryption, public-private.
115
How does field-level encryption work for CF?
- App owner sets up the fields to be encrypted in CF
- App owner creates a public-private key and shared the key with CF
- CF will use this key to encrypt the field data at the edge location
- When a client makes a request to CF the edge will encrypt the data using the key supplied by the app owner.
- The app will receive the request and use its private key to decrypt the data.
116
I wnat to ensure thet people can not go around CF and preform HTTP request directly to the S3 bucket?
You cna use the 'Restrict bucket access', I think this creates an S3 policy ensuring the request is coming form CF. You could alos apply this to the bucket direct.
117
What are the distribution locations?
- US, Canada, EU
- US, Canada, EU, ASIA and Africa
- All edge locations
118
Can you use your own certs, explain?
Yes you can import your own certs to ACM and use with CF
119
How can I use different origins with CF?
You can use 'behaviours' and create a match pattern to get CF to route to any origin you wnat.
120
How cna I restrict access?
Signed URL or Cookie
121
Are signed cookies per distribution or per behaviour, explain?
Per behaviour, they are configured on the behaviour so we can have different requirements based on the origin.
122
What is a regional cache?
This is wherein a region there is a larger cache node used to help edge location not have to reach all the way back to the origin for the content. What happens is the regional cache will fetch when asked by an edge cache node and if other edge nodes in the region ask for the same content it is already in the region cache so it cuts down on distance travelled for the request.
123
How would I use lambda at the edge?
You can use lambda to modify the edge,
- Viewer requests
- Viewer response
- Origan requests
- Origan response
124
I have content thet is now stale, what can I do?
You can invalidate the content, CF will delete the content you ask it to using 'invalidate content'
125
When you are creating and updating CF distributions, how long can it take?
Up to 45 min.
126
What is an origin group used for?
It is a set of origins thet can be used as a group with failover then one or more are not available.
127
Can you have more than a single origin?
Yes 100%, you can have many origins thet can use used with behaviours to a route request.
128
How does CF decide on the certs to use for HTTPS requests?
There are two options here,
- Use SNI, this is where the request is sent to the edge node by Route 53 deciding on the node to use. The request arrives at the node and the SSL handshake is performed and SNI used to get the correct cert.
- Dedicated IP edge nodes are used for browsers without SNI, Older browsers.
129
I have a client using browsers thet do not support SNI, what should I use with CF?
Dedicated IP, where edge nodes will have dedicated IP to receive requests. This costs way more.
130
What is the CF security policy?
This is a list of cyphers and encryption used by CF,
- TLSv1
- TLSv1_2016
- TLS1.1_2016 (recommended)
- TLSv1.2_2018
131
Can you select to use a different version of HTTPprotocal?
Yes
132
Can you enable and disable distributions?
Yes
133
Can you use custom origins with CF?
Yes, 100% you cna point CF at near any IP visible on the public internet.
134
Can you pass custom headers to the origin?
Yes, there is an option to define customer headers in the distribution set up and have them passed.
135
The client and the distribution are using the same origin headers, which will win out?
The ones defined in the CF distribution.
136
When using a custom origin and we have 'Match viewer', explain?
This means the origin fetch protocol will be using the same protocol as the request?
137
When it comes to security what advantages have CF got?
CF is filtering malformed HTTP requests at the edge.
138
I wnat to add an ACL to my CF distribution, how cna I do this?
Add a WAF to CF and add an ACL.
139
Can you use self-signed certificates with CF?
No, you have to use a valid public signed cert.
140
I have an on-prem origin and I wnat to add a cert, what do I need to ensure
You need to ensure the origin domain name matches the on-prem origin cert
141
I wnat to restrict people using my S3 direct without going through CF, how cna I do this?
Configure 'Origin identity'
142
Explain how Origin Identity works?
It creates an identity in CF they are sent in S3 request, S3 uses the policy to check, this way a user is unable to send a request with the origin identity and will be rejected.
143
How can I give a user a way to download or upload from a bucket for a time-limited period?
Use a pre-signed URL, you can generate a pre-signed URL.
144
What is a pre-signed URL?
This is a URL you generate that has a time limit and alos enables the user of the URL to upload or download.
145
What permissions do you have when using a pre-signed URL?
you have the permission of the user thet generated the URL
146
What is a CF trusted signer?
It means the CF behaviour is private and the origin cna only be accessed with signed URL's, It means that the only way to get access to the content vis CF and a signed URL or cookie.
147
I wnat to enable a user to access RTMP for a time period, how do I set up signed cookies?
Signed cookies can not be used with RTMP so you have to use signed URL's
148
Can you access whole areas in the distribution with a signed URL?
No, signed URLs are good for a single object, signed cookies can be used for whole areas.
149
I wnat to restrict a geo country, what options do I have?
You have the ability to use the build-in geo-restriction on the behaviour and white or black like based on the country.
150
I have a web app, I own the code, how can I ensure my app only works while the user is in one of the US cities I have licence into download content from CF?
You cna have you app take it geo form the mobile phone and send it as part of a request to a server-side app thet will generate not a signed URL.
151
How does field-level encryption work?
- You generate a public and private key and give CF the private key, CF pushes the private key out to edge nodes. Edge nodes use signed key to encrypt up to 10 fields and then send the HTTP request through the system to the application, the application used the private key to unencrypt the data.
152
Where cna I see the cache hits?
In the CloudFront stats.
153
What is the Default TTL used for?
This is the TTL value given if the origin has not given a TTL.
154
What happen in CF if the TTL is shot say 60sec?
A client makes a request, the edge does not have the object and reached out to the regional location and the region location reaches out to the origin and the origin responds with no TTL and the CF puts in the default and the region saves the object with the default TTL and the edge saves the object using the TTL and after 60sec the TT expires and all objects are removed from both the edge and region locations.
155
How cna you override the TTL sent from an origin?
Use the Min and Max, they override the origin TTL.
156
What is the default behaviour of the CF with query strings?
Not to pass the query strings on to the origin, you can change this and have query strings passed to the origin. You can also create a white list so we cache on the day the language in the query string.
157
What are the way you can influence how CF caches?
- Cookies
- Query strings
- Headers
158
Are lambda functions at the edge based on distribution?
No, thye are based on behaviour
159
Where is the lambda function executedCF/ in reference to
The lambda function is pushed out to the edge.
