CloudFront Flashcards
This deck aims to help retain concepts related to the CloudFront service.
Which AWS service functions as a content delivery network (CDN) designed for high performance, security, and developer convenience?
Amazon CloudFront
What is the primary purpose of Amazon CloudFront?
To reduce the load on origin servers and improve performance for globally distributed users
Which AWS service integrates with CloudFront to provide SSL/TLS certificates for custom domain names?
AWS Certificate Manager (ACM)
Does Amazon CloudFront support write caching?
No, CloudFront caches only downloads; uploads are always sent directly to the origin for processing
What CloudFront component serves as the source of content and requires a publicly routable IPv4 address?
Origin (S3 Origin, Custom Origin)
Which AWS CloudFront component serves as a unit of configuration deployed to the CloudFront network and pushed to edge locations?
Hint: Must be disabled before deletion
Distribution, as most settings are configured within it
What is the CloudFront component within a Distribution that specifies how requests should be processed?
Behaviors
What is the maximum number of behaviors allowed within a CloudFront distribution?
25 Behaviors, though higher limits can be requested
Which Behavior in a CloudFront Distribution applies to all requests by default?
Default Behavior, whose path pattern is the wildcard Default (*)
Which Behaviors take priority over the Default Behavior in a CloudFront Distribution?
Any specific Behavior defined within the Distribution takes priority over the default one
Which CloudFront component enables a distribution to have multiple origins configured?
Behaviors, as they map request patterns to specific origins
In which part of AWS’s global infrastructure is content cached locally for end users?
Edge Locations
What AWS global infrastructure component acts as a larger version of an edge location, providing an additional caching layer?
Regional Edge Cache
List all caching layers in CloudFront from the client to the origin.
Client → Local Edge Location → Regional Edge Cache → Origin (origin fetch)
What price classes does AWS CloudFront support for Distributions?
- All Edge Locations (best performance, higher cost)
- North America and Europe (lower cost, limited coverage)
- North America, Europe, Asia, Middle East, and Africa (balanced option)
What general configuration options does an AWS CloudFront Distribution support?
- Price class
- Supported HTTP versions
- Alternative domain names
- Custom SSL certificate
- Default root object
- Logging (enabled/disabled)
- IPv6 support (enabled/disabled)
What type of security configuration can be applied to an AWS CloudFront Distribution?
Integration with AWS Web Application Firewall (WAF)
What additional configuration options are available for an AWS CloudFront Distribution?
- Origins
- Behaviors
- Custom error pages
- Cache invalidations
What configuration settings are supported within a CloudFront Behavior?
- Automatic compression of objects
- Viewer protocol policy
- Allowed HTTP methods
- Viewer access restrictions (trusted key groups, trusted signers)
- Cache key and origin request policies (cache policy, origin request policy, response header policy)
- Function associations (Edge Functions)
Which AWS CloudFront setting determines how long objects are cached at Edge Locations and when they should be invalidated?
Time To Live (TTL), configured within CloudFront Distribution Behaviors
What are the custom TTL settings available in CloudFront Distribution Behaviors?
- Minimum TTL: specifies the lowest allowable TTL for an object
- Maximum TTL: specifies the highest allowable TTL for an object
- Default TTL: specifies the default TTL used if no TTL is specified for the object
When is the Minimum TTL setting applied in a CloudFront Distribution Behavior?
When an object’s defined TTL is shorter than the Minimum TTL value
When is the Maximum TTL setting applied in a CloudFront Distribution Behavior?
When an object’s defined TTL exceeds the Maximum TTL value
When is the Default TTL setting applied in a CloudFront Distribution Behavior?
When an object has no TTL explicitly defined
How can an origin (S3 or Custom) direct CloudFront to use object-specific TTL values?
Using HTTP headers set by the origin:
- Cache-Control: e.g., Cache-Control: max-age=604800 (TTL in seconds)
- Expires: e.g., Expires: <specific-date>
For S3 Origins, object metadata can also define caching behavior
Why is TTL configuration within a CloudFront Distribution Behavior important?
It optimizes cache hits, which reduces the load on the origin and improves performance
Which AWS CloudFront configuration expires cached objects immediately regardless of their TTL and applies across all Edge Locations?
Cache Invalidation, e.g., via the CLI:
aws cloudfront create-invalidation --distribution-id <dist_id> --paths "/*"
Is AWS CloudFront Distribution Cache Invalidation free of charge?
No, invalidation costs $0.005 per invalidated path
What is a best practice for managing cached content in CloudFront to minimize invalidation requests?
Use versioned object names (e.g., object_v1.jpg, object_v2.jpg) instead of relying on invalidation to refresh cached content
What is the default method of accessing a CloudFront Distribution?
- Via the CloudFront Distribution domain name automatically assigned after creation, such as d3xb1d3w4zy6mn.cloudfront.net
- Optionally, a custom domain can be configured for user-friendly access
Does the default domain name provided by CloudFront Distribution support SSL?
Yes, it is automatically secured using a *.cloudfront.net SSL certificate
Can a custom domain name be configured for a CloudFront Distribution?
Yes, custom domain names can be added via the Alternate Domain Names setting, but the domain must be validated using a corresponding SSL/TLS certificate
What Viewer Protocol Policies are supported by CloudFront Distribution Behaviors?
- HTTP and HTTPS
- Redirect HTTP to HTTPS
- HTTPS only
What extension to the TLS protocol allows a client to indicate the hostname it is trying to reach during the handshake, enabling multiple SSL certificates per host on a shared IP address?
Server Name Indication (SNI)
When using CloudFront, how many SSL connections are involved in the process?
Two SSL connections:
- Client to Edge Location (viewer protocol)
- Edge Location to the Origin (origin protocol)
What considerations should be taken when configuring the CloudFront Client to Edge Location SSL connection (viewer protocol)?
- Only CA-signed (public) certificates are supported
- If using ACM, the certificate must be created in the us-east-1 region
- The certificate is applied to CloudFront
- Support for older browsers lacking SNI can be enabled for an additional $600/month
What considerations should be taken when configuring the CloudFront Edge Location to Origin SSL connection (origin protocol)?
- Only CA-signed (public) certificates are supported
- S3 natively handles certificates
- ALB can use ACM or external CA-signed (public) certificates
- On-prem and EC2 instances are not integrated with ACM and require an external CA-signed (public) certificate
- The certificate is applied directly to the origin
Will a self-signed certificate work for establishing an SSL connection, either Client to Edge Location or Edge Location to the Origin?
No, both connections require a valid public (CA-signed) certificate
How much does CloudFront charge for a dedicated IP address to support older browsers that do not support SNI?
An additional $600/month per IP
What is the difference between a self-signed certificate and a CA-signed certificate?
- A self-signed certificate is created, signed, and issued by the entity it represents (the subject)
- A CA-signed certificate is issued by a trusted Certificate Authority (CA), which validates the identity of the applicant before signing the certificate
Which AWS CloudFront feature can be used to enhance origin resiliency?
Origin groups, which allow combining two or more origins into a group to provide failover support
If you use an S3 bucket regional domain name (e.g., example.com.s3.us-east-1.amazonaws.com) as the CloudFront Distribution origin domain, how will CloudFront interpret this origin?
CloudFront will interpret it as an S3 Origin and apply all the supported S3 origin configurations
If you use an S3 bucket static website DNS name (e.g., http://example.com.s3-website-us-east-1.amazonaws.com) as the CloudFront Distribution origin domain, how will CloudFront interpret this origin?
CloudFront will interpret it as a Custom Origin, and features like OAC and OAI will not be available
What types of origins are supported by AWS CloudFront?
- S3 Origin
- MediaStore container endpoint (for serving video content)
- MediaPackage channel endpoint (for serving live video)
- Elastic Load Balancer (ELB)
- API Gateway (including Lambda integration)
- Custom Origin
What configurations are required when setting up a CloudFront Distribution with an S3 Origin?
- Origin domain: The S3 bucket’s domain name
- Origin path: Optional path to append to the origin domain name
- Origin access configurations: Public, Origin Access Control (OAC), or legacy Origin Access Identity (OAI)
- Custom headers: Headers included in all requests sent to the origin
- Origin Shield: Enable/disable for an additional caching layer
What configurations are required when setting up a CloudFront Distribution with a Custom Origin?
- Origin domain: The origin’s domain name (e.g., EC2, on-prem, or custom server)
- Origin path: Optional path to append to the origin domain name
- Protocol: HTTP/HTTPS, including custom ports and minimum SSL protocol versions
- Custom headers: Headers included in all requests sent to the origin
- Origin Shield: Enable/disable for an additional caching layer
Do CloudFront Distributions with a Custom Origin support Origin Access Control (OAC) or Origin Access Identity (OAI)?
No, OAC and OAI are not available for Custom Origins
To secure a Custom Origin:
- Use Custom Headers
- Configure a traditional firewall to whitelist CloudFront’s IP ranges
Which security component is used by CloudFront Distribution to securely access S3 buckets?
Origin Access Control (OAC) or legacy Origin Access Identity (OAI)
When configuring a Behavior within a CloudFront Distribution, which setting restricts access to objects?
The “Restrict Viewer Access” option allows Behaviors to control object access:
- No: Open access to objects (default)
- Yes: Requires requests to use Signed URLs or Signed Cookies
What additional configuration is required when “Restrict Viewer Access” is enabled in a CloudFront Distribution Behavior?
Trusted Authorization Type, which determines how access is managed:
- Trusted Key Groups: Defines which keys are used for generating Signed URLs or Signed Cookies
- Trusted Signers: Specifies entities authorized to create Signed URLs or Signed Cookies
What security measure provides access to a single object when the “Restrict Viewer Access” option is enabled on an AWS CloudFront Distribution Behavior?
Signed URLs
What security measure provides access to a group of objects when the “Restrict Viewer Access” option is enabled on an AWS CloudFront Distribution Behavior?
Signed Cookies
What is a good use case for the Signed URLs security measure within CloudFront Distribution Behaviors?
- Restricted access to individual files is required, such as application downloads
- Clients do not support cookies, for example, Real-time Messaging Protocol (RTMP) applications
What is a good use case for the Signed Cookies security measure within CloudFront Distribution Behaviors?
- When restricted access to multiple files is required, such as subscriber-only content
- When the current URL should not be modified (e.g., application-specific URLs)
What AWS CloudFront feature allows you to run code closer to application users, improving performance, reducing latency, and requiring no infrastructure management?
AWS Lambda@Edge
What are the main use cases for AWS CloudFront Lambda@Edge?
- Control and prioritize traffic between the viewer and origin
- Perform A/B testing (viewer request)
- Migrate between S3 origins (origin request)
- Serve different objects based on the device (origin request)
- Display content based on the viewer’s country (origin request)
What considerations should you take into account for AWS Lambda@Edge?
Limited feature set:
- Supports Node.js or Python runtimes only
- No VPC access
- Layers are not supported
- Execution and size limits differ:
  - Viewer-side: 5 seconds runtime, 128 MB memory
  - Origin-side: 30 seconds runtime, 10,240 MB memory (same as AWS Lambda’s standard limits)
Which AWS CloudFront Lambda@Edge lifecycle components can run functions?
- Viewer Request: Runs after receiving the request from the client →
- Origin Request: Runs before forwarding the request to the origin →
- Origin Response: Runs after receiving a response from the origin ←
- Viewer Response: Runs before sending the response to the client ←
Which AWS CloudFront Lambda@Edge trigger executes a function after receiving a request from the client?
Viewer Request
Which AWS CloudFront Lambda@Edge trigger executes a function before forwarding the request to the origin?
Origin Request
Which AWS CloudFront Lambda@Edge trigger executes a function after receiving a response from the origin?
Origin Response
Which AWS CloudFront Lambda@Edge trigger executes a function before sending a response to the client?
Viewer Response
Which AWS CloudFront feature restricts access to content based on users’ geographic locations?
CloudFront Geo Restrictions (Geo Blocking)
What are the two options available for implementing geographic restrictions in AWS CloudFront?
- CloudFront Geo Restriction: built-in feature to allow or block access by country
- Third-Party Geolocation Services: Lambda@Edge or custom logic to tailor restrictions based on finer geographic details
Which AWS CloudFront geographic restriction option applies at the distribution level and allows whitelisting or blacklisting countries for content access?
CloudFront Geo Restriction, which relies on the GeoIP database to identify countries
Which AWS CloudFront geographic restriction option offers greater customization by integrating with third-party geolocation services to restrict content access based on attributes like country, user, browser, and more?
Third-party Geolocation Service
What AWS CloudFront feature adds an extra security layer to protect sensitive data, ensuring that only specific applications can access it?
Field-level encryption, applied at the edge
What is the difference between Pre-signed URLs, Signed URLs, and Signed Cookies?
- Pre-signed URLs: A feature of S3 used to grant time-limited access to specific objects in a bucket for upload or download, using the security credentials of the entity that generates the URL
- Signed URLs: A feature of CloudFront used to restrict access to private content (individual files)
- Signed Cookies: A feature of CloudFront used to restrict access to private content (multiple files)
What type of AWS CloudFront signer credentials can only be created by the AWS Account root user?
CloudFront Key Pair
What is the maximum number of active AWS CloudFront key pairs allowed per AWS account?
Up to two active key pairs