CloudFront 1

Question 1

CloudFront

What is Restrict Viewer Access?

Answer 1

CF requires and validates signed URLs for all requests to the behavior.

Question 2

CloudFront

How does WAF integrate with CloudFront?

Answer 2

Just pick a WAF ACL and associate with a distro, nothing special.

Question 3

CloudFront

Can CloudFront support IPv6?

Answer 3

Easily, just turn it on (off by default)

Question 4

Behaviors

Where can you turn on Restrict Viewer Access

important

Answer 4

Per-Behavior

Question 5

Origins

How do you do security for S3 Origins?

Answer 5

OAI: Origin Access Identity: can list an OAI in a Buckeet Policy to give R/O access.

Question 6

Origins

How do you secure a custom Origin so only CloudFront can call it?

Answer 6

Like OAI: require CF to send a secret token in a custom header.

Question 7

Origins

Two ways to restrict access to a bucket to only the CF distro?

Answer 7

Origin Access Identities (OAI) (legacy), Origin Access Controls (recommended)

Question 8

Origins

How do you config an OAI?

Answer 8

Associate OAI with Origin in CF, S3 bucket policy allows OAI

Question 9

Origins

How can you restrict a custom Origin so it only serves content from CF?

Answer 9

Restrict to CF CIDRs and/or CF sends a secret header to Origin