CloudFront 4 Flashcards
Private Distros
What’s a Private Distribution?
Requires signed cookies or signed URLs for all access.
Private Distros
How do you set certain parts of a Distro to be private?
Per Behavior
Private Distros
Old way to sign things for a Private Distribution?
important
Use the account’s single CloudFront Key (one per account) to sign it.
Private Distros
Who creates CloudFront Keys?
important
Only the account root user
Private Distros
What’s a Trusted Signer?
important
The account that owns a CloudFront Key: account can sign URLs and cookies with the key
Private Distros
What’s the new way to sign URLs and cookies?
important
Trusted Key Groups
Private Distros
Why are Trusted Key Groups preferred (2)?
Can have multiple keys (flexibility), don’t need root user to create them
Private Distros
2 reasons to use a signed cookie over a signed URL?
important
Grant bulk access to groups of things, want clean URL space
Private Distros
2 reasons to use a Signed URL over a Signed Cookie?
important
One-off access to a Single Object or if client doesn’t support cookies
Geo Restriction
How does Geo Restriction work?
important
Pick countries to allow-list or deny-list. Works at country-level only.
Geo Restriction
How accurate are Geo Restrictions?
Uses GeoIP database that claims 99.8% accuracy
Geo Restriction
Where do you set Geo Restriction?
On an entire CF Distribution only
Geo Restriction
What’s the sequence for Geo Restriction when an HTTP request comes in?
Edge looks up source IP in AWS GeoIP DB. If allowed, serves the request.
Geo Restriction
What is “3rd party geo location”?
important
Completely customizable way to restrict access based on custom compute you provide
Geo Restriction
What happens if a request comes in that isn’t allowed due to Geo Restriction or 3rd party Geo location?
403 (Forbidden) returned by CF
Geo Restriction
Examples of what a 3rd party geo location can restrict based on?
Username, license agreement, your own geo database, time of day, anything
Geo Restriction
What’s the sequence of requests for 3rd party geo location?
Browser -> your app server, gets signed thing back, browser calls CF with signed thing, CF grants access
Geo Restriction
How does CF know if your 3rd party code approves or denies access to content?
Your 3rd party code gave the browser a signed URL or cookie, CF checks for this
Geo Restriction
What happens if a browser doesn’t supply a valid signed URL/cookie to CF when 3rd party enabled?
Denied: this completely delegates all logic to a server prior to calling CF
Geo Restriction
What’s wrong with the name “3rd party geo location”?
Has nothing to do with GEO. Your code can make decisions on anything it wants
Geo Restriction
Key thing to pay attention to in questions asking about restrictions?
important
If country code, use Geo Restriction. Everything else is 3rd party.
Geo Restriction
What do you call a CF distro that only serves content signed by your app server?
“Private Distribution”: always 403 unless request is signed.
Lambda@Edge
Where do you configure Lambda@Edge functions?
Per-Behavior
Lambda@Edge
Why are Lambda@Edge functions considered “lightweight”?
Only Node & Python, not in VPC, no Layers, smaller limits on sizes
Lambda@Edge
Example use case for Lambda@Edge viewer request function?
Redirect user to login page if certain auth header not present
Lambda@Edge
Example use case for Lambda@Edge origin request function?
React to browser type or screen size
Lambda@Edge
Example use case for Lambda@Edge origin response function?
Send a pretty 200-status page if certain origin errors
Lambda@Edge
How can you use Lambda@Edge for better deployments?
A/B testing via Viewer Request function
Lambda@Edge
How can you use Lambda@Edge to customize content?
Origin Request picks content based on client device