CloudFront Flashcards

This deck aims to help you retain concepts related to the CloudFront service.

1
Q

Which AWS service functions as a content delivery network (CDN) designed for high performance, security, and developer convenience?

A

Amazon CloudFront

2
Q

What is the primary purpose of Amazon CloudFront?

A

To reduce the load on origin servers and improve performance for globally distributed users

3
Q

Which AWS service integrates with CloudFront to provide SSL/TLS certificates for custom domain names?

A

AWS Certificate Manager (ACM)

4
Q

Does Amazon CloudFront support write caching?

A

No, CloudFront caches only downloads; uploads are always sent directly to the origin for processing

5
Q

What CloudFront component serves as the source of content and requires a publicly routable IPv4 address?

A

Origin (S3 Origin, Custom Origin)

6
Q

Which AWS CloudFront component serves as a unit of configuration deployed to the CloudFront network and pushed to edge locations?
Hint: Must be disabled before deletion

A

Distribution, as most settings are configured within it

7
Q

What is the CloudFront component within a Distribution that specifies how requests should be processed?

A

Behaviors

8
Q

What is the maximum number of behaviors allowed within a CloudFront distribution?

A

25 Behaviors, though higher limits can be requested

9
Q

Which Behavior in a CloudFront Distribution applies to all requests by default?

A

Default Behavior, the wildcard pattern: Default (*)

10
Q

Which Behaviors take priority over the Default Behavior in a CloudFront Distribution?

A

Any specific Behavior defined within the Distribution takes priority over the default one

11
Q

Which CloudFront component enables a distribution to have multiple origins configured?

A

Behaviors, as they map request patterns to specific origins

12
Q

In which part of AWS’s global infrastructure is content cached locally for end users?

A

Edge Locations

13
Q

What AWS global infrastructure component acts as a larger version of an edge location, providing an additional caching layer?

A

Regional Edge Cache

14
Q

List all caching layers in CloudFront from the client to the origin.

A

Client → Local Edge Location → Regional Edge Cache → Origin (origin fetch)

15
Q

What price classes does AWS CloudFront support for Distributions?

A
  • All Edge Locations (best performance, higher cost)
  • North America and Europe (lower cost, limited coverage)
  • North America, Europe, Asia, Middle East, and Africa (balanced option)
16
Q

What general configuration options does an AWS CloudFront Distribution support?

A
  • Price class
  • Supported HTTP versions
  • Alternative domain names
  • Custom SSL certificate
  • Default root object
  • Logging (enabled/disabled)
  • IPv6 support (enabled/disabled)
17
Q

What type of security configuration can be applied to an AWS CloudFront Distribution?

A

Integration with AWS Web Application Firewall (WAF)

18
Q

What additional configuration options are available for an AWS CloudFront Distribution?

A
  • Origins
  • Behaviors
  • Custom error pages
  • Cache invalidations
19
Q

What configuration settings are supported within a CloudFront Behavior?

A
  • Automatic compression of objects
  • Viewer protocol policy
  • Allowed HTTP methods
  • Viewer access restrictions (trusted key groups, trusted signers)
  • Cache key and origin request policies (cache policy, origin request policy, response header policy)
  • Function associations (Edge Functions)
20
Q

Which AWS CloudFront setting determines how long objects are cached at Edge Locations and when they should be invalidated?

A

Time To Live (TTL), configured within CloudFront Distribution Behaviors

21
Q

What are the custom TTL settings available in CloudFront Distribution Behaviors?

A
  • Minimum TTL: specifies the lowest allowable TTL for an object
  • Maximum TTL: specifies the highest allowable TTL for an object
  • Default TTL: specifies the default TTL used if no TTL is specified for the object
22
Q

When is the Minimum TTL setting applied in CloudFront Distribution Behavior?

A

When an object’s defined TTL is shorter than the Minimum TTL value

23
Q

When is the Maximum TTL setting applied in CloudFront Distribution Behavior?

A

When an object’s defined TTL exceeds the Maximum TTL value

24
Q

When is the Default TTL setting applied in CloudFront Distribution Behavior?

A

When an object has no TTL explicitly defined

25
Q

How can an origin (S3 or Custom) direct CloudFront to use object-specific TTL values?

A

Using headers:
- Cache-Control: e.g., Cache-Control: max-age=604800 (TTL in seconds)
- Expires: e.g., Expires: <specific-date>

For S3 Origins, object metadata can also define caching behavior

26
Q

Why is TTL configuration within CloudFront Distribution Behavior important?

A

It optimizes cache hits, which reduces the load on the origin and improves performance

27
Q

Which AWS CloudFront configuration expires cached objects immediately regardless of their TTL and applies across all Edge Locations?

A

Cache Invalidation
aws cloudfront create-invalidation --distribution-id <dist_id> --paths "/*"

28
Q

Is AWS CloudFront Distribution Cache Invalidation free of charge?

A

No, invalidation costs $0.005 per invalidated path

29
Q

What is a best practice for managing cached content in CloudFront to minimize invalidation requests?

A

Use versioned object names (e.g., object_v1.jpg, object_v2.jpg) instead of relying on invalidation to refresh cached content

30
Q

What is the default method of accessing a CloudFront Distribution?

A
  • Via the CloudFront Distribution domain name automatically assigned after creation, such as d3xb1d3w4zy6mn.cloudfront.net
  • Optionally, a custom domain can be configured for user-friendly access
31
Q

Does the default domain name provided by CloudFront Distribution support SSL?

A

Yes, it is automatically secured using a *.cloudfront.net SSL certificate

32
Q

Can a custom domain name be configured for a CloudFront Distribution?

A

Yes, custom domain names can be added via the Alternate Domain Names setting, but the domain must be validated using a corresponding SSL/TLS certificate

33
Q

What Viewer Protocol Policies are supported by CloudFront Distribution Behaviors?

A
  • HTTP and HTTPS
  • Redirect HTTP to HTTPS
  • HTTPS only
34
Q

What extension to the TLS protocol allows a client to indicate the hostname it is trying to reach during the handshake, enabling multiple SSL certificates per host on a shared IP address?

A

Server Name Indication (SNI)

35
Q

When using CloudFront, how many SSL connections are involved in the process?

A

Two SSL connections:
- Client to Edge Location (viewer protocol)
- Edge Location to the Origin (origin protocol)

36
Q

What considerations should be taken when configuring CloudFront Client to Edge Location SSL connection (viewer protocol)?

A
  • Only CA-signed (public) certificates are supported
  • If using ACM, the certificate must be created in the us-east-1 region
  • The certificate is applied to CloudFront
  • Support for older browsers lacking SNI can be enabled for an additional $600/month
37
Q

What considerations should be taken when configuring CloudFront Edge Location to Origin SSL connection (origin protocol)?

A
  • Only CA-signed (public) certificates are supported
  • S3 natively handles certificates
  • ALB can use ACM or external CA-signed (public) certificates
  • On-prem and EC2 instances are not integrated with ACM and require an external CA-signed (public) certificate
  • The certificate is applied directly to the origin
38
Q

Will a self-signed certificate work for establishing an SSL connection, either Client to Edge Location or Edge Location to the Origin?

A

No, both connections require a valid public (CA-signed) certificate

39
Q

How much does CloudFront charge for a dedicated IP address to support older browsers that do not support SNI?

A

An additional $600/month per IP

39
Q

What is the difference between a self-signed certificate and a CA-signed certificate?

A
  • Self-signed certificate is created, signed, and issued by the entity it represents (the subject)
  • CA-signed certificate is issued by a trusted Certificate Authority (CA), which validates the identity of the applicant before signing the certificate
40
Q

Which AWS CloudFront feature can be used to enhance origin resiliency?

A

Origin groups, which allow combining two or more origins into a group to provide failover support

40
Q

If you use an S3 bucket regional domain name (e.g., example.com.s3.us-east-1.amazonaws.com) as the CloudFront Distribution origin domain, how will CloudFront interpret this origin?

A

CloudFront will interpret it as an S3 Origin and apply all the supported S3 origin configurations

41
Q

If you use an S3 bucket static website DNS name (e.g., http://example.com.s3-website-us-east-1.amazonaws.com) as the CloudFront Distribution origin domain, how will CloudFront interpret this origin?

A

CloudFront will interpret it as a Custom Origin, and features like OAC and OAI will not be available

42
Q

What types of origins are supported by AWS CloudFront?

A
  • S3 Origin
  • MediaStore container endpoint (for serving video content)
  • MediaPackage channel endpoint (for serving live video)
  • Elastic Load Balancer (ELB)
  • API Gateway (including Lambda integration)
  • Custom Origin
43
Q

What configurations are required when setting up a CloudFront Distribution with an S3 Origin?

A
  • Origin domain: The S3 bucket’s domain name
  • Origin path: Optional path to append to the origin domain name
  • Origin access configurations: Public, Origin Access Control (OAC), or legacy Origin Access Identity (OAI)
  • Custom headers: Headers included in all requests sent to the origin
  • Origin Shield: Enable/disable for an additional caching layer
44
Q

What configurations are required when setting up a CloudFront Distribution with a Custom Origin?

A
  • Origin domain: The origin’s domain name (e.g., EC2, on-prem, or custom server)
  • Origin path: Optional path to append to the origin domain name
  • Protocol: HTTP/HTTPS, including custom ports and minimum SSL protocol versions
  • Custom headers: Headers included in all requests sent to the origin
  • Origin Shield: Enable/disable for an additional caching layer
45
Q

Do CloudFront Distributions with a Custom Origin support Origin Access Control (OAC) or Origin Access Identity (OAI)?

A

No, OAC and OAI are not available for Custom Origins

To secure a Custom Origin:
- Use Custom Headers
- Configure a traditional firewall to whitelist CloudFront’s IP ranges

46
Q

Which security component is used by CloudFront Distribution to securely access S3 buckets?

A

Origin Access Control (OAC) or legacy Origin Access Identity (OAI)

47
Q

When configuring a Behavior within CloudFront Distribution, which setting restricts access to objects?

A

“Restrict Viewer Access” option allows Behaviors to control object access:
- No: Open access to objects (default)
- Yes: Requires requests to use Signed URLs or Signed Cookies

48
Q

What additional configuration is required when “Restrict Viewer Access” is enabled in a CloudFront Distribution Behavior?

A

Trusted Authorization Type, which determines how access is managed:
- Trusted Key Groups: Defines which keys are used for generating Signed URLs or Signed Cookies
- Trusted Signers: Specifies entities authorized to create Signed URLs or Signed Cookies

49
Q

What security measure provides access to a single object when “Restrict Viewer Access” option is enabled on AWS CloudFront Distribution Behavior?

A

Signed URLs

50
Q

What security measure provides access to a group of objects when “Restrict Viewer Access” option is enabled on AWS CloudFront Distribution Behavior?

A

Signed Cookies

51
Q

What is a good use case for the Signed URLs security measure within CloudFront Distribution Behaviors?

A
  • Restricted access to individual files is required, such as application downloads
  • Clients do not support cookies, for example, Real-time Messaging Protocol (RTMP) applications
52
Q

What is a good use case for the Signed Cookies security measure within CloudFront Distribution Behaviors?

A
  • When restricted access to multiple files is required, such as subscriber-only content
  • When the current URL should not be modified (e.g., application-specific URLs)
53
Q

What AWS CloudFront feature allows you to run code closer to application users, improving performance, reducing latency, and requiring no infrastructure management?

A

AWS Lambda@Edge

54
Q

What are the main use cases for AWS CloudFront Lambda@Edge?

A
  • Control and prioritize traffic between the viewer and origin
  • Perform A/B testing (viewer request)
  • Migrate between S3 origins (origin request)
  • Serve different objects based on the device (origin request)
  • Display content based on the viewer’s country (origin request)
55
Q

What considerations should you take into account for AWS Lambda@Edge?

A

Limited feature set:
- Supports Node.js or Python runtimes only
- No VPC access
- Layers are not supported
- Execution and size limits differ:
  - Viewer-side: 5 seconds runtime, 128 MB memory
  - Origin-side: 30 seconds runtime, 10,240 MB memory (same as AWS Lambda’s standard limits)

56
Q

Which AWS CloudFront Lambda@Edge lifecycle components can run functions?

A
  • Viewer Request: Runs after receiving the request from the client →
  • Origin Request: Runs before forwarding the request to the origin →
  • Origin Response: Runs after receiving a response from the origin ←
  • Viewer Response: Runs before sending the response to the client ←
57
Q

Which AWS CloudFront Lambda@Edge trigger executes a function after receiving a request from the client?

A

Viewer Request

58
Q

Which AWS CloudFront Lambda@Edge trigger executes a function before forwarding the request to the origin?

A

Origin Request

59
Q

Which AWS CloudFront Lambda@Edge trigger executes a function after receiving a response from the origin?

A

Origin Response

60
Q

Which AWS CloudFront Lambda@Edge trigger executes a function before sending a response to the client?

A

Viewer Response

61
Q

Which AWS CloudFront feature restricts access to content based on users’ geographic locations?

A

CloudFront Geo Restrictions (Geo Blocking)

61
Q

What are the two options available for implementing geographic restrictions in AWS CloudFront?

A
  • CloudFront Geo Restriction: built-in feature to allow or block access by country
  • Third-Party Geolocation Services: Lambda@Edge or custom logic to tailor restrictions based on finer geographic details
62
Q

Which AWS CloudFront geographic restriction option applies at the distribution level and allows whitelisting or blacklisting countries for content access?

A

CloudFront Geo Restriction, which relies on the GeoIP database to identify countries

63
Q

Which AWS CloudFront geographic restriction option offers greater customization by integrating with third-party geolocation services to restrict content access based on attributes like country, user, browser, and more?

A

Third-party Geolocation Service

64
Q

What AWS CloudFront feature adds an extra security layer to protect sensitive data, ensuring that only specific applications can access it?

A

Field-level encryption, applied at the edge

65
Q

What is the difference between Pre-signed URLs, Signed URLs, and Signed Cookies?

A
  • Pre-signed URLs: A feature of S3 used to grant time-limited access to specific objects in a bucket for upload or download, using the security credentials of the entity that generates the URL
  • Signed URLs: A feature of CloudFront used to restrict access to private content (individual files)
  • Signed Cookies: A feature of CloudFront used to restrict access to private content (multiple files)