Cloudfront Flashcards
AWS Cloudfront
CDN - content delivery network
DDoS protection, WAF, etc.
CF origins
- S3 buckets - distribute files and cache them at the edge
  - enhanced security with origin access identity (OAI)
    - iam role for cloudfront origin
  - cloudfront used as an ingress to upload to S3
- Custom Origin (HTTP)
  - ALB, ec2, s3 website
  - ec2 instances MUST be public (if no ALB)
    - security group must allow public IPs of edge locations
Cloudfront vs cross region replication
- cloudfront good for static content to be displayed around the world
- s3 cross region replication must be set up for each region, near real time updates, read only, good for dynamic content
Cloudfront caching
- cache based on headers, cookies, query string parameters
- cache lives at each edge location
- invalidate part of the cache using the api
- good to use separate cache for dynamic and static content
Cloudfront Security
- http to https redirect, or https only - viewer protocol policy
- origin protocol policy
  - https only or match viewer (http → http / https → https)
  - s3 bucket websites only support http
Cloudfront signed urls / cookies
- signed url - access to individual files (think PAID content)
  - signers
    - trusted key group (recommended)
      - create private/public RSA key, public is uploaded to CF, private is used by app
    - an aws account that contains a cloudfront key pair
      - requires root account credentials (not recommended)
- cookies - reusable, many files
cloudfront signed url vs s3 pre-signed url
- cloudfront - allow access to a path no matter the origin, account wide
- s3 pre-signed - issue a request as the person who pre-signed the url
- limited lifetime
cloudfront key pairs
only root account can create them in the aws console
you can have only up to two active key pairs per account
cloudfront key groups
With CloudFront key groups, you can associate a higher number of public keys with your CloudFront distribution, giving you more flexibility in how you use and manage the public keys. By default, you can associate up to four key groups with a single distribution, and you can have up to five public keys in a key group.
cloudfront parameter types
String – A literal string
Number – An integer or float
List<Number> – An array of integers or floats
CommaDelimitedList – An array of literal strings that are separated by commas
AWS::EC2::KeyPair::KeyName – An Amazon EC2 key pair name
AWS::EC2::SecurityGroup::Id – A security group ID
AWS::EC2::Subnet::Id – A subnet ID
AWS::EC2::VPC::Id – A VPC ID
List<AWS::EC2::VPC::Id> – An array of VPC IDs
List<AWS::EC2::SecurityGroup::Id> – An array of security group IDs
List<AWS::EC2::Subnet::Id> – An array of subnet IDs
Cloudfront origin groups / failover
CloudFront routes all incoming requests to the primary origin, even when a previous request failed over to the secondary origin. CloudFront only sends requests to the secondary origin after a request to the primary origin fails.
only one primary origin
CloudFront fails over to the secondary origin only when the HTTP method of the viewer request is GET, HEAD, or OPTIONS. CloudFront does not fail over when the viewer sends a different HTTP method (for example POST, PUT, and so on).