AWS GovCloud (US)
User Guide

Setting Up Amazon CloudFront with Your AWS GovCloud (US) Resources

Amazon CloudFront is a web service that uses a global network of edge locations to deliver content to end users with low latency and high data transfer speeds. CloudFront is an AWS global service that you can leverage with your AWS GovCloud (US) resources. Requests for your content are routed to the nearest edge location, so content is delivered with the best possible performance. CloudFront is optimized to work with other Amazon Web Services, like Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon Route 53.

CloudFront also works seamlessly with any non-AWS origin server, which stores the original, definitive versions of your files. Due to the isolation of the AWS GovCloud (US) Region, using CloudFront with your AWS GovCloud (US) resources is analogous to using CloudFront with a non-AWS origin server.


If you use CloudFront with AWS GovCloud (US), be sure that you use the correct credentials:

  • To use CloudFront with your AWS GovCloud (US) resources, you must have an AWS GovCloud (US) account. If you don't have an account, see Signing Up for AWS GovCloud (US) for more information.

  • To set up CloudFront, sign in to the CloudFront console by using your standard AWS credentials. You cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management Console.

Tips for Setting Up CloudFront

As you set up CloudFront to serve your AWS GovCloud (US) content, keep the following in mind:

  • You will be setting up CloudFront to distribute content from a custom origin server.

  • Because you will be using a custom origin server, you do not have the option to restrict bucket access using a CloudFront Origin Access Identity.

  • If you want to restrict viewer access and use signed URLs, you must:

    • Use your standard AWS account and one of its CloudFront key pairs to create the signed URLs. As with other AWS regions, you use the CloudFront key pair with your code or third-party console to create the signed URLs.

    • You can further restrict access to your content by blocking requests that do not originate from CloudFront IP addresses. For original content stored in Amazon S3 buckets in AWS GovCloud (US), you can use bucket policies to accomplish this. The list of CloudFront IP addresses is maintained on a best-effort basis. For more information, see AWS IP Address Ranges.

  • If you want CloudFront to log all viewer requests for files in your distribution, select an Amazon S3 bucket in an AWS standard region as a destination for the log files.

  • Since CloudFront is not within the AWS GovCloud (US) Region, CloudFront is not within the ITAR boundary. If you want to use CloudFront to distribute your ITAR-regulated content, encrypt your content in transit.

  • Integrated support for CloudFront Live Streaming is not available for origins located in the AWS GovCloud (US) Region.

  • Streaming prerecorded media using Adobe’s Real-Time Messaging Protocol (RTMP) is not supported with CloudFront for custom origins.

  • For detailed information about CloudFront, see the CloudFront documentation.
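The signed-URL tip above says only the standard AWS account's CloudFront key pair can sign. The following is an added example, not code from the AWS GovCloud (US) User Guide, showing what such a signed URL is made of: the canned policy document, CloudFront's URL-safe base64 form of the RSA-SHA1 signature, and the `Expires`, `Signature` and `Key-Pair-Id` query parameters. The key-pair ID `APKAEXAMPLE`, the URL and the expiry time are constructed placeholders, and `rsa_sha1_signer` assumes the `cryptography` package is installed.

```python
"""Assemble a CloudFront signed URL with a canned policy.

Added example; not code from the AWS GovCloud (US) User Guide. The key-pair
ID, URL and expiry below are constructed placeholders. As the guide notes,
only the standard AWS account's CloudFront key pair can produce the signature.
"""
import base64
import json
from typing import Callable

# Placeholder key-pair ID; real IDs are issued in the standard AWS account.
KEY_PAIR_ID = "APKAEXAMPLE"


def canned_policy(url: str, expires_epoch: int) -> str:
    """Return the canned policy JSON exactly as it must be signed (no whitespace)."""
    policy = {
        "Statement": [
            {
                "Resource": url,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
            }
        ]
    }
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: + -> -, = -> _, / -> ~."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def signed_url(url: str, expires_epoch: int, key_pair_id: str,
               sign: Callable[[bytes], bytes]) -> str:
    """Append Expires, Signature and Key-Pair-Id to the URL.

    With a canned policy the policy document itself is not sent; CloudFront
    rebuilds it from the URL and Expires and checks the signature against the
    public key registered for key_pair_id.
    """
    signature = cloudfront_b64(sign(canned_policy(url, expires_epoch).encode("utf-8")))
    separator = "&" if "?" in url else "?"
    return (f"{url}{separator}Expires={expires_epoch}"
            f"&Signature={signature}&Key-Pair-Id={key_pair_id}")


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Build the real signer: RSA-SHA1 with PKCS#1 v1.5 padding over the policy.

    Assumes the `cryptography` package is installed; it is imported lazily so
    the rest of the module works without it.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    # Stand-in signer so the example runs without a key file; for real use pass
    # rsa_sha1_signer(open("pk-APKAEXAMPLE.pem", "rb").read()) instead.
    fake_sign = lambda message: b"\xfb\xff\xfe"
    print(signed_url("https://d111.example.net/a.mp4", 1700000000, KEY_PAIR_ID, fake_sign))
```

Because the policy is not transmitted with a canned policy, any difference between the URL CloudFront receives and the `Resource` that was signed (scheme, host, path or query string) makes the signature fail; keep the expiry short, since an `Expires` value far in the future turns a leaked URL into a long-lived credential.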
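As an added illustration of the bucket-policy approach mentioned in the tips (not code from the guide), the script below takes the entries tagged `CLOUDFRONT` from an ip-ranges.json document and emits an S3 bucket policy that allows object reads only when the request's source IP falls inside one of those ranges. The bucket name and the ip-ranges snippet are constructed stand-ins; in practice, feed it the real file the AWS IP Address Ranges page points to and regenerate the policy whenever that list changes.

```python
"""Build an S3 bucket policy limited to CloudFront source IP ranges.

Added example; not code from the AWS GovCloud (US) User Guide. The bucket
name and the ip-ranges snippet are constructed stand-ins. The real list is
published at https://ip-ranges.amazonaws.com/ip-ranges.json and changes
over time, so the policy must be regenerated when it does.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of ip-ranges.json; the real file has hundreds
# of entries across many services. Only documentation ranges are used here.
SAMPLE_IP_RANGES: Dict = {
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-gov-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cf::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
}


def cloudfront_prefixes(ip_ranges: Dict) -> List[str]:
    """Collect the unique IPv4 and IPv6 prefixes whose service is CLOUDFRONT."""
    v4 = {p["ip_prefix"] for p in ip_ranges.get("prefixes", [])
          if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in ip_ranges.get("ipv6_prefixes", [])
          if p["service"] == "CLOUDFRONT"}
    return sorted(v4) + sorted(v6)


def bucket_policy(bucket: str, prefixes: List[str]) -> Dict:
    """Allow s3:GetObject only when aws:SourceIp is inside a CloudFront prefix.

    An Allow with an IpAddress condition is used instead of a blanket Deny with
    NotIpAddress: a Deny on Principal "*" would also lock out the account's own
    administrators connecting from outside those ranges. Objects otherwise stay
    private, so this statement is the only path to anonymous reads.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadsFromCloudFrontOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                # AWS GovCloud (US) ARNs use the aws-us-gov partition.
                "Resource": f"arn:aws-us-gov:s3:::{bucket}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": prefixes}},
            }
        ],
    }


def request_allowed(source_ip: str, prefixes: List[str]) -> bool:
    """Local check of what the IpAddress condition would decide for one source IP."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in prefixes)


if __name__ == "__main__":
    ranges = cloudfront_prefixes(SAMPLE_IP_RANGES)
    print(json.dumps(bucket_policy("my-govcloud-origin-bucket", ranges), indent=2))
```

Two practical limits apply: an S3 bucket policy may be at most 20 KB, and the full CloudFront list is long, so check the generated document's size before applying it; and because anyone can send requests through CloudFront, this policy only proves the request came via an edge location, not via your distribution, which is why it complements rather than replaces signed URLs.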


To help protect your websites and web applications from attacks, you can integrate CloudFront with AWS WAF, a web application firewall. With AWS WAF, you can filter traffic based on conditions you specify, such as the IP addresses from which requests originate or values that appear in headers or query strings. CloudFront responds to HTTP and HTTPS requests with either the requested content or an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.

For more information about AWS WAF, see the AWS WAF Developer Guide. For information about how to add the ID for an AWS WAF web access control list (web ACL) to a CloudFront distribution, see the Values that You Specify When You Create or Update a Web Distribution topic in the Amazon CloudFront Developer Guide.