- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
- Path
Pattern – what files to get from what
origin
- Viewer Protocol Policy - connection b/w User and CloudFront:
parameter on CloudFront Cache setting
§ HTTP
§ HTTPS
§ Redirect HTTP->HTTPS
- Origin Protocol Policy - connection b/w CouldFront and origin:
§ HTTPS Only
§ MatchViewer derive the protocol setting from Viewer Protocol Policy
§ Exception: CloudFront to S3 website – only HTTP, no S
- Use signed URLs for the following cases:- Viewer Protocol Policy - connection b/w User and CloudFront:
parameter on CloudFront Cache setting
§ HTTP
§ HTTPS
§ Redirect HTTP->HTTPS
- Origin Protocol Policy - connection b/w CouldFront and origin:
§ HTTPS Only
§ MatchViewer derive the protocol setting from Viewer Protocol Policy
§ Exception: CloudFront to S3 website – only HTTP, no S
- Allowed HTTP Methods:
-
Forward
Cookies - Select whether you want
CloudFront to include all user cookies in the request URLs that it forwards to
your origin (All), only selected cookies (Whitelist), or no cookies (None). If
you select Whitelist, add the names of the cookies to the Whitelist Cookies
field. Note that Amazon S3 and some HTTP servers do not process cookies.
- TTL - The min/max/default amount of time, in seconds, that you want objects to stay in CloudFront before CloudFront forwards another request to your origin to determine whether the object has been updated.
- Lambda Function Associations - Specify Lambda function ARNs to associate with specific event types, up to one ARN per event type. By selecting Include Body, you can also choose to read the request body for viewer request and origin request events.
- Field-level Encryption Config – ensuring that content is encrypted all the way to the actual application running @ origin (ex: credit card info) – and not decrypted at origin entry, past firewall etc.
- WAF – AWS Web Access Firewall, restricting access to CloudFront
Serving private content
Restrict user access to objects in CloudFront locations and S3 buckets:
- Signed URL – A signed URL is a URL that provides limited permission and time to make a request. Signed URLs contain authentication information in their query string, allowing users without credentials to perform specific actions on a resource. Ex: user authenticates; user is provided a temp URL for access of an object that can expire soon.
- Signed cookies – similar to the above. Use if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website. Or if you don't want to change your current URLs - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html
| § GET, HEAD – response to these is cached
by default § GET, HEAD, OPTIONS § GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE |
- TTL - The min/max/default amount of time, in seconds, that you want objects to stay in CloudFront before CloudFront forwards another request to your origin to determine whether the object has been updated.
- Lambda Function Associations - Specify Lambda function ARNs to associate with specific event types, up to one ARN per event type. By selecting Include Body, you can also choose to read the request body for viewer request and origin request events.
- Field-level Encryption Config – ensuring that content is encrypted all the way to the actual application running @ origin (ex: credit card info) – and not decrypted at origin entry, past firewall etc.
- WAF – AWS Web Access Firewall, restricting access to CloudFront
Serving private content
Restrict user access to objects in CloudFront locations and S3 buckets:
- Signed URL – A signed URL is a URL that provides limited permission and time to make a request. Signed URLs contain authentication information in their query string, allowing users without credentials to perform specific actions on a resource. Ex: user authenticates; user is provided a temp URL for access of an object that can expire soon.
- Signed cookies – similar to the above. Use if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website. Or if you don't want to change your current URLs - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html
§ You want to use an RTMP distribution. Signed cookies aren't supported for RTMP distributions.
§ You want to restrict access to individual files, for example, an installation download for your application.
§ Your users are using a client (for example, a custom HTTP client) that doesn't support cookies
- Use signed cookies for the following cases:
§ You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.
§ You don't want to change your
current URLs
Object Invalidation
- If you want to force CF to re-request object copy from the origin. Chargeable – if need to invalidate too many objects, create a new distribution altogether, let the older ones expire
- Can not cancel an invalidation request once submitted
Logging
- CF can enable Logging to detail all user requests (when, IP, etc.). Logs are delivered on best-effort basis – not reliable enough to be used for billing. Can redirect logs to S3
- Access logs – detail of request origins and content (who, what when, where)
- CloudTrail – captures info on all requests via API, CL, SDK. Send to S3
Billing
- S3 storage
- Data Transfer IN/OUT: to clients and for uploading objects to origin through CF
- HTTPS requests
- Object Invalidation
- Requests w Field-level encryption
- No charge for transfer from AWS origin to CF
- Yes charge for transfer form custom (incl S3-hosted website) to CF
Benefits of using CloudFront
- Additional security features
- Even if your content is dynamic – Origin-to-CloudFront is free and overall cost might end up being cheaper than service directly from EC2 or S3
- OAI – Origin Access Identity - a special CloudFront user
associated with your CloudFront distribution. Configure permissions so that
CloudFront can use the OAI to access and serve files to your users, but users
can't use a direct URL to the S3 bucket to access a file there
- S3 as origin - need to manually change access levels on S3 bucket to restrict non-CloudFront access
- IMPORTANT: when using custom origin and Signed URL or Signed cookies – need to make sure objects at the origin are protected to prevent outside users from coming around CloudFront directly into the origin
- S3 as origin - need to manually change access levels on S3 bucket to restrict non-CloudFront access
- IMPORTANT: when using custom origin and Signed URL or Signed cookies – need to make sure objects at the origin are protected to prevent outside users from coming around CloudFront directly into the origin
- If you want to force CF to re-request object copy from the origin. Chargeable – if need to invalidate too many objects, create a new distribution altogether, let the older ones expire
- Can not cancel an invalidation request once submitted
SNI Custom SSL
- Server Name Indication (SNI) Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address. Amazon CloudFront delivers your content from each edge location and offers the same security as the Dedicated IP Custom SSL feature
- CF can enable Logging to detail all user requests (when, IP, etc.). Logs are delivered on best-effort basis – not reliable enough to be used for billing. Can redirect logs to S3
- Access logs – detail of request origins and content (who, what when, where)
- CloudTrail – captures info on all requests via API, CL, SDK. Send to S3
- S3 storage
- Data Transfer IN/OUT: to clients and for uploading objects to origin through CF
- HTTPS requests
- Object Invalidation
- Requests w Field-level encryption
- No charge for transfer from AWS origin to CF
- Yes charge for transfer form custom (incl S3-hosted website) to CF
- Additional security features
- Even if your content is dynamic – Origin-to-CloudFront is free and overall cost might end up being cheaper than service directly from EC2 or S3
-
If content is cache-able –
delivery is improved
No comments:
Post a Comment