CACHING, DELIVERY AND EDGE Flashcards

1
Q

What is the best practice in the context of Amazon CloudFront to ensure that users always receive the latest version of a file, instead of a cached one?

A

Using versioned file names, e.g. “foo_v1.jpg” rather than “foo.jpg”

2
Q

How do you set the TTL or “expiry date & time” for an object in the context of Amazon CloudFront? (for Custom Origins and S3)

A

Custom Origin: via headers

S3: via object metadata

3
Q

What are the Minimum TTL and Maximum TTL that are set on a behavior of a CloudFront distribution used for?

A

They define the lower and upper limits for TTL values. For instance, if a TTL defined for an object is higher than the Maximum TTL, CloudFront will use the Maximum TTL value rather than the TTL defined for the object.

4
Q

What’s the “Expires” header used for in the context of Amazon CloudFront?

A

Defines the expiry date & time for an individual object distributed by CloudFront

5
Q

What are the “Cache-Control max-age” and “Cache-Control s-maxage” headers used for in the context of Amazon CloudFront?

A

Define the TTL for an individual object distributed by CloudFront (in seconds)

6
Q

What’s the default TTL used by Amazon CloudFront?

A

24 hours (defined at behavior level)

7
Q

What is a “Trusted Signer” in the context of Amazon CloudFront?

A

A party that is allowed to generate signed URLs for a given CloudFront distribution.

8
Q

Does CloudFront support read, write, or both for its caching?

A

Only read

9
Q

Between which parties does CloudFront establish its two SSL connections when serving a request?

A

1: Viewer -> CloudFront
2: CloudFront -> Origin
(Both need valid public certificates!)

10
Q

What’s SNI (in the context of CloudFront)?

A

Server Name Indication: a TLS extension allowing a client to tell the server the desired hostname as part of the TLS handshake. This allows more than one SSL certificate to be served via the same IP address.

11
Q

When providing CloudFront content from an EC2 instance or On-Prem location (Custom Origin), can you use certificates generated by ACM, by a 3rd party, or both?

A

Only those of a 3rd party

12
Q

What are the two high-level origin types that exist with CloudFront?

A
  • S3 Origins
  • Custom Origins

13
Q

Which origin type of CloudFront do you need to use when a specific SSL Protocol (TLSv1, TLS1.2, etc.), Protocol Policy (HTTP Only, HTTPS Only, etc.) or HTTP/HTTPS Port shall be used for the Origin?

A

Custom Origin (and not S3 or any of the “Media” ones)

14
Q

If an application requires query-string parameters in a URL, what needs to be considered when setting up CloudFront?

A

Query-string parameters aren’t forwarded to the application by default, so this needs to be activated.

Also, CloudFront should be configured with an allow-list of parameters where the parameter influences what’s being returned to the viewer (for instance “color” when viewing fashion photos).

15
Q

Which Origin Type do you need to select when using Origin Access Identities (OAI) with CloudFront?

A

S3 Origin

16
Q

What are the two options you have to secure a Custom Origin in CloudFront from being accessed directly (i.e. to ensure it can only be accessed via CloudFront)?

A

1: Via a custom header that is set by the CloudFront Edge node. The Custom Origin will serve the request only if that header is present.
2: Via an IP address restriction. The Custom Origin will serve the request only if it comes from an IP address that matches CloudFront’s edge network.

Note: these two options can also be combined.

17
Q

When you need to provide private access to multiple S3 files via CloudFront, what’s the right thing to do?

A

Use signed cookies

18
Q

For Legacy RTMP distributions, do you have to use signed cookies or signed URLs with CloudFront?

A

Signed URLs, as signed cookies aren’t supported by Legacy RTMP distributions.

19
Q

What’s the advantage of 3rd party Geolocation vs using CloudFront Geo Restrictions?

A

CloudFront Geo Restrictions work on the country level only, while 3rd party Geolocation is completely customizable and therefore can also use any other kind of attribute.

20
Q

What’s the purpose of field-level encryption provided by CloudFront?

A

It can be used as an additional layer of security, encrypting individual sensitive data fields (such as credit card information) at the CloudFront Edge using a public key. This effectively enforces end-to-end encryption for these fields: even when the HTTPS connection is terminated at the origin and the traffic becomes plain-text HTTP, the fields encrypted at the Edge remain encrypted and can only be decrypted by the party holding the private key.

21
Q

What are the five different types available within a CloudFront Custom Origin?

A
  • S3 Bucket with Static Website Hosting enabled
  • Any HTTP server (incl. EC2 and on-prem)
  • Elastic Load Balancer
  • AWS Elemental MediaPackage endpoint
  • AWS Elemental MediaStore container
22
Q

Which part of a CloudFront distribution is used to set things like the path pattern, origin, allowed HTTP methods, TTL values, … ?

A

Behavior

23
Q

Can you use API Gateway along with CloudFront?

A

Yes! Edge-optimized API Gateways actually use CloudFront behind the scenes. But you can also create a CloudFront distribution manually and set the API Gateway URL as Origin.