CloudFront 4 Flashcards
Private Distros
What’s a Private Distribution?
Requires signed cookies or signed URLs for all access.
Private Distros
How do you set certain parts of a Distro to be private?
Per Behavior
Private Distros
Old way to sign things for a Private Distribution?
important
Use the account’s single CloudFront Key (one per account) to sign it.
Private Distros
Who creates CloudFront Keys?
important
Only the account root user
Private Distros
What’s a Trusted Signer?
important
The account that owns a CloudFront Key; that account can sign URLs and cookies with the key
Private Distros
What’s the new way to sign URLs and cookies?
important
Trusted Key Groups
Private Distros
Why are Trusted Key Groups preferred (2)?
Can have multiple keys (flexibility); don’t need the root user to create them
Private Distros
2 reasons to use a signed cookie over a signed URL?
important
Grant bulk access to groups of things, want clean URL space
Private Distros
2 reasons to use a Signed URL over a Signed Cookie?
important
One-off access to a Single Object or if client doesn’t support cookies
Geo Restriction
How does Geo Restriction work?
important
Pick countries to allow-list or deny-list. Works at country-level only.
Geo Restriction
How accurate are Geo Restrictions?
Uses a GeoIP database that claims 99.8% accuracy
Geo Restriction
Where do you set Geo Restriction?
On an entire CF Distribution only
Geo Restriction
What’s the sequence for Geo Restriction when an HTTP request comes in?
The edge looks up the source IP in the AWS GeoIP DB. If allowed, it serves the request.
Geo Restriction
What is “3rd party geo location”?
important
Completely customizable way to restrict access based on custom compute you provide
Geo Restriction
What happens if a request comes in that isn’t allowed due to Geo Restriction or 3rd party Geo location?
403 (Forbidden) returned by CF