Amazon.CloudFront.Model

Access denied.

A list of key groups, and the public keys in each key group, that CloudFront can use to verify the signatures of signed URLs and signed cookies.

A list of Amazon Web Services accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.

A complex type that contains information about CNAMEs (alternate domain names), if any, for this distribution.

Amazon Web Services services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions. The status is returned in the CloudFront response; you can't configure it yourself.

For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with Amazon Web Services services in China.

A complex type that controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin. There are three choices:

• CloudFront forwards only GET and HEAD requests.

• CloudFront forwards only GET, HEAD, and OPTIONS requests.

• CloudFront forwards GET, HEAD, OPTIONS, PUT, PATCH, POST, and DELETE requests.

If you pick the third choice, you may need to restrict access to your Amazon S3 bucket or to your custom origin so users can't perform operations that you don't want them to. For example, you might not want users to have permissions to delete objects from your origin.

An Anycast static IP list.

The Anycast static IP list collection.

An abbreviated version of the AnycastIpList structure. Omits the allocated static IP addresses (AnycastIpList$AnycastIps).

Container for the parameters to the AssociateAlias operation. Associates an alias (also known as a CNAME or an alternate domain name) with a CloudFront distribution.

With this operation you can move an alias that's already in use on a CloudFront distribution to a different distribution in one step. This prevents the downtime that could occur if you first remove the alias from one distribution and then separately add the alias to another distribution.

To use this operation to associate an alias with a distribution, you provide the alias and the ID of the target distribution for the alias. For more information, including how to set up the target distribution, prerequisites that you must complete, and other restrictions, see Moving an alternate domain name to a different distribution in the Amazon CloudFront Developer Guide.

This is the response object from the AssociateAlias operation.

Invalidation batch specified is too large.

A complex type that describes how CloudFront processes requests.

You must create at least as many cache behaviors (including the default cache behavior) as you have origins if you want CloudFront to serve objects from all of the origins. Each cache behavior specifies the one origin from which you want CloudFront to get objects. If you have two origins and only the default cache behavior, the default cache behavior will cause CloudFront to get objects from one of the origins, but the other origin is never used.

For the current quota (formerly known as limit) on the number of cache behaviors that you can add to a distribution, see Quotas in the Amazon CloudFront Developer Guide.

If you don't want to specify any cache behaviors, include only an empty CacheBehaviors element. Don't specify an empty individual CacheBehavior element, because this is invalid. For more information, see CacheBehaviors.

To delete all cache behaviors in an existing distribution, update the distribution configuration and include only an empty CacheBehaviors element.

To add, change, or remove one or more cache behaviors, update the distribution configuration and specify all of the cache behaviors that you want to include in the updated distribution.

For more information about cache behaviors, see Cache Behavior Settings in the Amazon CloudFront Developer Guide.

A complex type that contains zero or more CacheBehavior elements.

A complex type that controls whether CloudFront caches the response to requests using the specified HTTP methods. There are two choices:

• CloudFront caches responses to GET and HEAD requests.

• CloudFront caches responses to GET, HEAD, and OPTIONS requests.

If you pick the second choice for your Amazon S3 Origin, you may need to forward Access-Control-Request-Method, Access-Control-Request-Headers, and Origin headers for the responses to be cached correctly.

A cache policy.

When it's attached to a cache behavior, the cache policy determines the following:

• The values that CloudFront includes in the cache key. These values can include HTTP headers, cookies, and URL query strings. CloudFront uses the cache key to find an object in its cache that it can return to the viewer.

• The default, minimum, and maximum time to live (TTL) values that you want objects to stay in the CloudFront cache.

The headers, cookies, and query strings that are included in the cache key are also included in requests that CloudFront sends to the origin. CloudFront sends a request when it can't find a valid object in its cache that matches the request's cache key. If you want to send values to the origin but not include them in the cache key, use OriginRequestPolicy.

A cache policy with this name already exists. You must provide a unique name. To modify an existing cache policy, use UpdateCachePolicy.

A cache policy configuration.

This configuration determines the following:

• The values that CloudFront includes in the cache key. These values can include HTTP headers, cookies, and URL query strings. CloudFront uses the cache key to find an object in its cache that it can return to the viewer.

• The default, minimum, and maximum time to live (TTL) values that you want objects to stay in the CloudFront cache.

The headers, cookies, and query strings that are included in the cache key are also included in requests that CloudFront sends to the origin. CloudFront sends a request when it can't find a valid object in its cache that matches the request's cache key. If you want to send values to the origin but not include them in the cache key, use OriginRequestPolicy.

An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the cache key and in requests that CloudFront sends to the origin.

An object that determines whether any HTTP headers (and if so, which headers) are included in the cache key and in requests that CloudFront sends to the origin.

Cannot delete the cache policy because it is attached to one or more cache behaviors.

A list of cache policies.

An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the cache key and in requests that CloudFront sends to the origin.

Contains a cache policy.

You can't change the value of a public key.

The entity cannot be deleted while it is in use.

The entity cannot be updated while it is in use.

CloudFront origin access identity.

If the CallerReference is a value you already sent in a previous request to create an identity but the content of the CloudFrontOriginAccessIdentityConfig is different from the original request, CloudFront returns a CloudFrontOriginAccessIdentityAlreadyExists error.

Origin access identity configuration. Send a GET request to the /CloudFront API version/CloudFront/identity ID/config resource.

The Origin Access Identity specified is already in use.

Lists the origin access identities for CloudFront.Send a GET request to the /CloudFront API version/origin-access-identity/cloudfront resource. The response includes a CloudFrontOriginAccessIdentityList element with zero or more CloudFrontOriginAccessIdentitySummary child elements. By default, your entire list of origin access identities is returned in one single page. If the list is long, you can paginate it using the MaxItems and Marker parameters.

Summary of the information about a CloudFront origin access identity.

Paginators for the CloudFront service

The CNAME specified is already defined for CloudFront.

An alias (also called a CNAME) and the CloudFront distribution and Amazon Web Services account ID that it's associated with. The distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don't own.

A list of aliases (also called CNAMEs) and the CloudFront distributions and Amazon Web Services accounts that they are associated with. In the list, the distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don't own.

A field-level encryption content type profile.

The configuration for a field-level encryption content type-profile mapping.

Field-level encryption content type-profile.

A continuous deployment policy.

A continuous deployment policy with this configuration already exists.

Contains the configuration for a continuous deployment policy.

You cannot delete a continuous deployment policy that is associated with a primary distribution.

Contains a list of continuous deployment policies.

A summary of the information about your continuous deployment policies.

This configuration determines which HTTP requests are sent to the staging distribution. If the HTTP request contains a header and value that matches what you specify here, the request is sent to the staging distribution. Otherwise the request is sent to the primary distribution.

Contains the percentage of traffic to send to a staging distribution.

Contains a list of cookie names.

This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.

If you want to include cookies in the cache key, use CookiesConfig in a cache policy. See CachePolicy.

If you want to send cookies to the origin but not include them in the cache key, use CookiesConfig in an origin request policy. See OriginRequestPolicy.

A complex type that specifies whether you want CloudFront to forward cookies to the origin and, if so, which ones. For more information about forwarding cookies to the origin, see Caching Content Based on Cookies in the Amazon CloudFront Developer Guide.

Container for the parameters to the CopyDistribution operation. Creates a staging distribution using the configuration of the provided primary distribution. A staging distribution is a copy of an existing distribution (called the primary distribution) that you can use in a continuous deployment workflow.

After you create a staging distribution, you can use UpdateDistribution to modify the staging distribution's configuration. Then you can use CreateContinuousDeploymentPolicy to incrementally move traffic to the staging distribution.

This API operation requires the following IAM permissions:

• GetDistribution

• CreateDistribution

• CopyDistribution

This is the response object from the CopyDistribution operation.

Container for the parameters to the CreateAnycastIpList operation. Creates an Anycast static IP list.

This is the response object from the CreateAnycastIpList operation.

Container for the parameters to the CreateCachePolicy operation. Creates a cache policy.

After you create a cache policy, you can attach it to one or more cache behaviors. When it's attached to a cache behavior, the cache policy determines the following:

• The values that CloudFront includes in the cache key. These values can include HTTP headers, cookies, and URL query strings. CloudFront uses the cache key to find an object in its cache that it can return to the viewer.

• The default, minimum, and maximum time to live (TTL) values that you want objects to stay in the CloudFront cache.

The headers, cookies, and query strings that are included in the cache key are also included in requests that CloudFront sends to the origin. CloudFront sends a request when it can't find an object in its cache that matches the request's cache key. If you want to send values to the origin but not include them in the cache key, use OriginRequestPolicy.

For more information about cache policies, see Controlling the cache key in the Amazon CloudFront Developer Guide.

This is the response object from the CreateCachePolicy operation.

Container for the parameters to the CreateCloudFrontOriginAccessIdentity operation. Creates a new origin access identity. If you're using Amazon S3 for your origin, you can use an origin access identity to require users to access your content using a CloudFront URL instead of the Amazon S3 URL. For more information about how to use origin access identities, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.

The returned result of the corresponding request.

Container for the parameters to the CreateContinuousDeploymentPolicy operation. Creates a continuous deployment policy that distributes traffic for a custom domain name to two different CloudFront distributions.

To use a continuous deployment policy, first use CopyDistribution to create a staging distribution, then use UpdateDistribution to modify the staging distribution's configuration.

After you create and update a staging distribution, you can use a continuous deployment policy to incrementally move traffic to the staging distribution. This workflow enables you to test changes to a distribution's configuration before moving all of your domain's production traffic to the new configuration.

This is the response object from the CreateContinuousDeploymentPolicy operation.

Container for the parameters to the CreateDistribution operation. Creates a CloudFront distribution.

The returned result of the corresponding request.

Container for the parameters to the CreateDistributionWithTags operation. Create a new distribution with tags. This API operation requires the following IAM permissions:

• CreateDistribution

• TagResource

The returned result of the corresponding request.

Container for the parameters to the CreateFieldLevelEncryptionConfig operation. Create a new field-level encryption configuration.

This is the response object from the CreateFieldLevelEncryptionConfig operation.

Container for the parameters to the CreateFieldLevelEncryptionProfile operation. Create a field-level encryption profile.

This is the response object from the CreateFieldLevelEncryptionProfile operation.

Container for the parameters to the CreateFunction operation. Creates a CloudFront function.

To create a function, you provide the function code and some configuration information about the function. The response contains an Amazon Resource Name (ARN) that uniquely identifies the function.

When you create a function, it's in the DEVELOPMENT stage. In this stage, you can test the function with TestFunction, and update it with UpdateFunction.

When you're ready to use your function with a CloudFront distribution, use PublishFunction to copy the function from the DEVELOPMENT stage to LIVE. When it's live, you can attach the function to a distribution's cache behavior, using the function's ARN.

This is the response object from the CreateFunction operation.

Container for the parameters to the CreateInvalidation operation. Create a new invalidation. For more information, see Invalidating files in the Amazon CloudFront Developer Guide.

The returned result of the corresponding request.

Container for the parameters to the CreateKeyGroup operation. Creates a key group that you can use with CloudFront signed URLs and signed cookies.

To create a key group, you must specify at least one public key for the key group. After you create a key group, you can reference it from one or more cache behaviors. When you reference a key group in a cache behavior, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with a private key whose corresponding public key is in the key group. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see Serving private content in the Amazon CloudFront Developer Guide.

This is the response object from the CreateKeyGroup operation.

Container for the parameters to the CreateKeyValueStore operation. Specifies the key value store resource to add to your account. In your account, the key value store names must be unique. You can also import key value store data in JSON format from an S3 bucket by providing a valid ImportSource that you own.

This is the response object from the CreateKeyValueStore operation.

Container for the parameters to the CreateMonitoringSubscription operation. Enables additional CloudWatch metrics for the specified CloudFront distribution. The additional metrics incur an additional cost.

For more information, see Viewing additional CloudFront distribution metrics in the Amazon CloudFront Developer Guide.

This is the response object from the CreateMonitoringSubscription operation.

Container for the parameters to the CreateOriginAccessControl operation. Creates a new origin access control in CloudFront. After you create an origin access control, you can add it to an origin in a CloudFront distribution so that CloudFront sends authenticated (signed) requests to the origin.

This makes it possible to block public access to the origin, allowing viewers (users) to access the origin's content only through CloudFront.

For more information about using a CloudFront origin access control, see Restricting access to an Amazon Web Services origin in the Amazon CloudFront Developer Guide.

This is the response object from the CreateOriginAccessControl operation.

Container for the parameters to the CreateOriginRequestPolicy operation. Creates an origin request policy.

After you create an origin request policy, you can attach it to one or more cache behaviors. When it's attached to a cache behavior, the origin request policy determines the values that CloudFront includes in requests that it sends to the origin. Each request that CloudFront sends to the origin includes the following:

• The request body and the URL path (without the domain name) from the viewer request.

• The headers that CloudFront automatically includes in every origin request, including Host, User-Agent, and X-Amz-Cf-Id.

• All HTTP headers, cookies, and URL query strings that are specified in the cache policy or the origin request policy. These can include items from the viewer request and, in the case of headers, additional ones that are added by CloudFront.

CloudFront sends a request when it can't find a valid object in its cache that matches the request. If you want to send values to the origin and also include them in the cache key, use CachePolicy.

For more information about origin request policies, see Controlling origin requests in the Amazon CloudFront Developer Guide.

This is the response object from the CreateOriginRequestPolicy operation.

Container for the parameters to the CreatePublicKey operation. Uploads a public key to CloudFront that you can use with signed URLs and signed cookies, or with field-level encryption.

This is the response object from the CreatePublicKey operation.

Container for the parameters to the CreateRealtimeLogConfig operation. Creates a real-time log configuration.

After you create a real-time log configuration, you can attach it to one or more cache behaviors to send real-time log data to the specified Amazon Kinesis data stream.

For more information about real-time log configurations, see Real-time logs in the Amazon CloudFront Developer Guide.

This is the response object from the CreateRealtimeLogConfig operation.

Container for the parameters to the CreateResponseHeadersPolicy operation. Creates a response headers policy.

A response headers policy contains information about a set of HTTP headers. To create a response headers policy, you provide some metadata about the policy and a set of configurations that specify the headers.

After you create a response headers policy, you can use its ID to attach it to one or more cache behaviors in a CloudFront distribution. When it's attached to a cache behavior, the response headers policy affects the HTTP headers that CloudFront includes in HTTP responses to requests that match the cache behavior. CloudFront adds or removes response headers according to the configuration of the response headers policy.

For more information, see Adding or removing HTTP headers in CloudFront responses in the Amazon CloudFront Developer Guide.

This is the response object from the CreateResponseHeadersPolicy operation.

Container for the parameters to the CreateStreamingDistribution operation. This API is deprecated. Amazon CloudFront is deprecating real-time messaging protocol (RTMP) distributions on December 31, 2020. For more information, read the announcement on the Amazon CloudFront discussion forum.

The returned result of the corresponding request.

Container for the parameters to the CreateStreamingDistributionWithTags operation. This API is deprecated. Amazon CloudFront is deprecating real-time messaging protocol (RTMP) distributions on December 31, 2020. For more information, read the announcement on the Amazon CloudFront discussion forum.

The returned result of the corresponding request.

Container for the parameters to the CreateVpcOrigin operation. Create an Amazon CloudFront VPC origin.

This is the response object from the CreateVpcOrigin operation.

A complex type that controls:

• Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages before returning the response to the viewer.

• How long CloudFront caches HTTP status codes in the 4xx and 5xx range.

For more information about custom error pages, see Customizing Error Responses in the Amazon CloudFront Developer Guide.

A complex type that controls:

• Whether CloudFront replaces HTTP status codes in the 4xx and 5xx range with custom error messages before returning the response to the viewer.

• How long CloudFront caches HTTP status codes in the 4xx and 5xx range.

For more information about custom error pages, see Customizing Error Responses in the Amazon CloudFront Developer Guide.

A complex type that contains the list of Custom Headers for each origin.

A custom origin. A custom origin is any origin that is not an Amazon S3 bucket, with one exception. An Amazon S3 bucket that is configured with static website hostingis a custom origin.

A complex type that describes the default cache behavior if you don't specify a CacheBehavior element or if request URLs don't match any of the values of PathPattern in CacheBehavior elements. You must create exactly one default cache behavior.

Container for the parameters to the DeleteAnycastIpList operation. Deletes an Anycast static IP list.

This is the response object from the DeleteAnycastIpList operation.

Container for the parameters to the DeleteCachePolicy operation. Deletes a cache policy.

You cannot delete a cache policy if it's attached to a cache behavior. First update your distributions to remove the cache policy from all cache behaviors, then delete the cache policy.

To delete a cache policy, you must provide the policy's identifier and version. To get these values, you can use ListCachePolicies or GetCachePolicy.

This is the response object from the DeleteCachePolicy operation.

Container for the parameters to the DeleteCloudFrontOriginAccessIdentity operation. Delete an origin access identity.

This is the response object from the DeleteCloudFrontOriginAccessIdentity operation.

Container for the parameters to the DeleteContinuousDeploymentPolicy operation. Deletes a continuous deployment policy.

You cannot delete a continuous deployment policy that's attached to a primary distribution. First update your distribution to remove the continuous deployment policy, then you can delete the policy.

This is the response object from the DeleteContinuousDeploymentPolicy operation.

Container for the parameters to the DeleteDistribution operation. Delete a distribution.

This is the response object from the DeleteDistribution operation.

Container for the parameters to the DeleteFieldLevelEncryptionConfig operation. Remove a field-level encryption configuration.

This is the response object from the DeleteFieldLevelEncryptionConfig operation.

Container for the parameters to the DeleteFieldLevelEncryptionProfile operation. Remove a field-level encryption profile.

This is the response object from the DeleteFieldLevelEncryptionProfile operation.

Container for the parameters to the DeleteFunction operation. Deletes a CloudFront function.

You cannot delete a function if it's associated with a cache behavior. First, update your distributions to remove the function association from all cache behaviors, then delete the function.

To delete a function, you must provide the function's name and version (ETag value). To get these values, you can use ListFunctions and DescribeFunction.

This is the response object from the DeleteFunction operation.

Container for the parameters to the DeleteKeyGroup operation. Deletes a key group.

You cannot delete a key group that is referenced in a cache behavior. First update your distributions to remove the key group from all cache behaviors, then delete the key group.

To delete a key group, you must provide the key group's identifier and version. To get these values, use ListKeyGroups followed by GetKeyGroup or GetKeyGroupConfig.

This is the response object from the DeleteKeyGroup operation.

Container for the parameters to the DeleteKeyValueStore operation. Specifies the key value store to delete.

This is the response object from the DeleteKeyValueStore operation.

Container for the parameters to the DeleteMonitoringSubscription operation. Disables additional CloudWatch metrics for the specified CloudFront distribution.

This is the response object from the DeleteMonitoringSubscription operation.

Container for the parameters to the DeleteOriginAccessControl operation. Deletes a CloudFront origin access control.

You cannot delete an origin access control if it's in use. First, update all distributions to remove the origin access control from all origins, then delete the origin access control.

This is the response object from the DeleteOriginAccessControl operation.

Container for the parameters to the DeleteOriginRequestPolicy operation. Deletes an origin request policy.

You cannot delete an origin request policy if it's attached to any cache behaviors. First update your distributions to remove the origin request policy from all cache behaviors, then delete the origin request policy.

To delete an origin request policy, you must provide the policy's identifier and version. To get the identifier, you can use ListOriginRequestPolicies or GetOriginRequestPolicy.

This is the response object from the DeleteOriginRequestPolicy operation.

Container for the parameters to the DeletePublicKey operation. Remove a public key you previously added to CloudFront.

This is the response object from the DeletePublicKey operation.

Container for the parameters to the DeleteRealtimeLogConfig operation. Deletes a real-time log configuration.

You cannot delete a real-time log configuration if it's attached to a cache behavior. First update your distributions to remove the real-time log configuration from all cache behaviors, then delete the real-time log configuration.

To delete a real-time log configuration, you can provide the configuration's name or its Amazon Resource Name (ARN). You must provide at least one. If you provide both, CloudFront uses the name to identify the real-time log configuration to delete.

This is the response object from the DeleteRealtimeLogConfig operation.

Container for the parameters to the DeleteResponseHeadersPolicy operation. Deletes a response headers policy.

You cannot delete a response headers policy if it's attached to a cache behavior. First update your distributions to remove the response headers policy from all cache behaviors, then delete the response headers policy.

To delete a response headers policy, you must provide the policy's identifier and version. To get these values, you can use ListResponseHeadersPolicies or GetResponseHeadersPolicy.

This is the response object from the DeleteResponseHeadersPolicy operation.

Container for the parameters to the DeleteStreamingDistribution operation. Delete a streaming distribution. To delete an RTMP distribution using the CloudFront API, perform the following steps.

To delete an RTMP distribution using the CloudFront API:

1. Disable the RTMP distribution.

2. Submit a GET Streaming Distribution Config request to get the current configuration and the Etag header for the distribution.

3. Update the XML document that was returned in the response to your GET Streaming Distribution Config request to change the value of Enabled to false.

4. Submit a PUT Streaming Distribution Config request to update the configuration for your distribution. In the request body, include the XML document that you updated in Step 3. Then set the value of the HTTP If-Match header to the value of the ETag header that CloudFront returned when you submitted the GET Streaming Distribution Config request in Step 2.

5. Review the response to the PUT Streaming Distribution Config request to confirm that the distribution was successfully disabled.

6. Submit a GET Streaming Distribution Config request to confirm that your changes have propagated. When propagation is complete, the value of Status is Deployed.

7. Submit a DELETE Streaming Distribution request. Set the value of the HTTP If-Match header to the value of the ETag header that CloudFront returned when you submitted the GET Streaming Distribution Config request in Step 2.

8. Review the response to your DELETE Streaming Distribution request to confirm that the distribution was successfully deleted.

For information about deleting a distribution using the CloudFront console, see Deleting a Distribution in the Amazon CloudFront Developer Guide.

This is the response object from the DeleteStreamingDistribution operation.

Container for the parameters to the DeleteVpcOrigin operation. Delete an Amazon CloudFront VPC origin.

This is the response object from the DeleteVpcOrigin operation.

Container for the parameters to the DescribeFunction operation. Gets configuration information and metadata about a CloudFront function, but not the function's code. To get a function's code, use GetFunction.

To get configuration information and metadata about a function, you must provide the function's name and stage. To get these values, you can use ListFunctions.

This is the response object from the DescribeFunction operation.

Container for the parameters to the DescribeKeyValueStore operation. Specifies the key value store and its configuration.

This is the response object from the DescribeKeyValueStore operation.

A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

The caller reference you attempted to create the distribution with is associated with another distribution.

A distribution configuration.

A distribution Configuration and a list of tags to be associated with the distribution.

A list of distribution IDs.

A distribution list.

The specified CloudFront distribution is not disabled. You must disable the distribution before you can delete it.

A summary of the information about a CloudFront distribution.

Complex data type for field-level encryption profiles that includes all of the encryption entities.

Complex data type for field-level encryption profiles that includes the encryption key and field pattern specifications.

Contains information about the Amazon Kinesis data stream where you are sending real-time log data in a real-time log configuration.

The entity already exists. You must provide a unique entity.

The entity limit has been exceeded.

The entity was not found.

The entity size limit was exceeded.

A complex data type that includes the profile configurations and other options specified for field-level encryption.

A complex data type that includes the profile configurations specified for field-level encryption.

The specified configuration for field-level encryption already exists.

The specified configuration for field-level encryption is in use.

List of field-level encryption configurations.

A complex data type for field-level encryption profiles.

The specified profile for field-level encryption already exists.

A complex data type of profiles for the field-level encryption.

The specified profile for field-level encryption is in use.

List of field-level encryption profiles.

The maximum size of a profile for field-level encryption was exceeded.

The field-level encryption profile summary.

A summary of a field-level encryption item.

A complex data type that includes the field patterns to match for field-level encryption.

This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.

If you want to include values in the cache key, use a cache policy. For more information, see Creating cache policies in the Amazon CloudFront Developer Guide.

If you want to send values to the origin but not include them in the cache key, use an origin request policy. For more information, see Creating origin request policies in the Amazon CloudFront Developer Guide.

A complex type that specifies how CloudFront handles query strings, cookies, and HTTP headers.

A function with the same name already exists in this Amazon Web Services account. To create a function, you must provide a unique name. To update an existing function, use UpdateFunction.

A CloudFront function that is associated with a cache behavior in a CloudFront distribution.

A list of CloudFront functions that are associated with a cache behavior in a CloudFront distribution. Your functions must be published to the LIVE stage to associate them with a cache behavior.

Contains configuration information about a CloudFront function.

Cannot delete the function because it's attached to one or more cache behaviors.

A list of CloudFront functions.

Contains metadata about a CloudFront function.

The function is too large. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Contains configuration information and metadata about a CloudFront function.

A complex type that controls the countries in which your content is distributed. CloudFront determines the location of your users using MaxMind GeoIP databases.

Container for the parameters to the GetAnycastIpList operation. Gets an Anycast static IP list.

This is the response object from the GetAnycastIpList operation.

Container for the parameters to the GetCachePolicyConfig operation. Gets a cache policy configuration.

To get a cache policy configuration, you must provide the policy's identifier. If the cache policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the cache policy is not attached to a cache behavior, you can get the identifier using ListCachePolicies.

This is the response object from the GetCachePolicyConfig operation.

Container for the parameters to the GetCachePolicy operation. Gets a cache policy, including the following metadata:

• The policy's identifier.

• The date and time when the policy was last modified.

To get a cache policy, you must provide the policy's identifier. If the cache policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the cache policy is not attached to a cache behavior, you can get the identifier using ListCachePolicies.

This is the response object from the GetCachePolicy operation.

Container for the parameters to the GetCloudFrontOriginAccessIdentityConfig operation. Get the configuration information about an origin access identity.

The returned result of the corresponding request.

Container for the parameters to the GetCloudFrontOriginAccessIdentity operation. Get the information about an origin access identity.

The returned result of the corresponding request.

Container for the parameters to the GetContinuousDeploymentPolicyConfig operation. Gets configuration information about a continuous deployment policy.

This is the response object from the GetContinuousDeploymentPolicyConfig operation.

Container for the parameters to the GetContinuousDeploymentPolicy operation. Gets a continuous deployment policy, including metadata (the policy's identifier and the date and time when the policy was last modified).

This is the response object from the GetContinuousDeploymentPolicy operation.

Container for the parameters to the GetDistributionConfig operation. Get the configuration information about a distribution.

The returned result of the corresponding request.

Container for the parameters to the GetDistribution operation. Get the information about a distribution.

The returned result of the corresponding request.

Container for the parameters to the GetFieldLevelEncryptionConfig operation. Get the field-level encryption configuration information.

This is the response object from the GetFieldLevelEncryptionConfig operation.

Container for the parameters to the GetFieldLevelEncryptionProfileConfig operation. Get the field-level encryption profile configuration information.

This is the response object from the GetFieldLevelEncryptionProfileConfig operation.

Container for the parameters to the GetFieldLevelEncryptionProfile operation. Get the field-level encryption profile information.

This is the response object from the GetFieldLevelEncryptionProfile operation.

Container for the parameters to the GetFieldLevelEncryption operation. Get the field-level encryption configuration information.

This is the response object from the GetFieldLevelEncryption operation.

Container for the parameters to the GetFunction operation. Gets the code of a CloudFront function. To get configuration information and metadata about a function, use DescribeFunction.

To get a function's code, you must provide the function's name and stage. To get these values, you can use ListFunctions.

This is the response object from the GetFunction operation.

Container for the parameters to the GetInvalidation operation. Get the information about an invalidation.

The returned result of the corresponding request.

Container for the parameters to the GetKeyGroupConfig operation. Gets a key group configuration.

To get a key group configuration, you must provide the key group's identifier. If the key group is referenced in a distribution's cache behavior, you can get the key group's identifier using ListDistributions or GetDistribution. If the key group is not referenced in a cache behavior, you can get the identifier using ListKeyGroups.

This is the response object from the GetKeyGroupConfig operation.

Container for the parameters to the GetKeyGroup operation. Gets a key group, including the date and time when the key group was last modified.

To get a key group, you must provide the key group's identifier. If the key group is referenced in a distribution's cache behavior, you can get the key group's identifier using ListDistributions or GetDistribution. If the key group is not referenced in a cache behavior, you can get the identifier using ListKeyGroups.

This is the response object from the GetKeyGroup operation.

Container for the parameters to the GetMonitoringSubscription operation. Gets information about whether additional CloudWatch metrics are enabled for the specified CloudFront distribution.

This is the response object from the GetMonitoringSubscription operation.

Container for the parameters to the GetOriginAccessControlConfig operation. Gets a CloudFront origin access control configuration.

This is the response object from the GetOriginAccessControlConfig operation.

Container for the parameters to the GetOriginAccessControl operation. Gets a CloudFront origin access control, including its unique identifier.

This is the response object from the GetOriginAccessControl operation.

Container for the parameters to the GetOriginRequestPolicyConfig operation. Gets an origin request policy configuration.

To get an origin request policy configuration, you must provide the policy's identifier. If the origin request policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the origin request policy is not attached to a cache behavior, you can get the identifier using ListOriginRequestPolicies.

This is the response object from the GetOriginRequestPolicyConfig operation.

Container for the parameters to the GetOriginRequestPolicy operation. Gets an origin request policy, including the following metadata:

• The policy's identifier.

• The date and time when the policy was last modified.

To get an origin request policy, you must provide the policy's identifier. If the origin request policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the origin request policy is not attached to a cache behavior, you can get the identifier using ListOriginRequestPolicies.

This is the response object from the GetOriginRequestPolicy operation.

Container for the parameters to the GetPublicKeyConfig operation. Gets a public key configuration.

This is the response object from the GetPublicKeyConfig operation.

Container for the parameters to the GetPublicKey operation. Gets a public key.

This is the response object from the GetPublicKey operation.

Container for the parameters to the GetRealtimeLogConfig operation. Gets a real-time log configuration.

To get a real-time log configuration, you can provide the configuration's name or its Amazon Resource Name (ARN). You must provide at least one. If you provide both, CloudFront uses the name to identify the real-time log configuration to get.

This is the response object from the GetRealtimeLogConfig operation.

Container for the parameters to the GetResponseHeadersPolicyConfig operation. Gets a response headers policy configuration.

To get a response headers policy configuration, you must provide the policy's identifier. If the response headers policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the response headers policy is not attached to a cache behavior, you can get the identifier using ListResponseHeadersPolicies.

This is the response object from the GetResponseHeadersPolicyConfig operation.

Container for the parameters to the GetResponseHeadersPolicy operation. Gets a response headers policy, including metadata (the policy's identifier and the date and time when the policy was last modified).

To get a response headers policy, you must provide the policy's identifier. If the response headers policy is attached to a distribution's cache behavior, you can get the policy's identifier using ListDistributions or GetDistribution. If the response headers policy is not attached to a cache behavior, you can get the identifier using ListResponseHeadersPolicies.

This is the response object from the GetResponseHeadersPolicy operation.

Container for the parameters to the GetStreamingDistributionConfig operation. Get the configuration information about a streaming distribution.

The returned result of the corresponding request.

Container for the parameters to the GetStreamingDistribution operation. Gets information about a specified RTMP distribution, including the distribution configuration.

The returned result of the corresponding request.

Container for the parameters to the GetVpcOrigin operation. Get the details of an Amazon CloudFront VPC origin.

This is the response object from the GetVpcOrigin operation.

Amazon CloudFront supports gRPC, an open-source remote procedure call (RPC) framework built on HTTP/2. gRPC offers bi-directional streaming and binary protocol that buffers payloads, making it suitable for applications that require low latency communications.

To enable your distribution to handle gRPC requests, you must include HTTP/2 as one of the supported HTTP versions and allow HTTP methods, including POST.

For more information, see Using gRPC with CloudFront distributions in the Amazon CloudFront Developer Guide.

Contains a list of HTTP header names.

Deletion is not allowed for this entity.

The specified configuration for field-level encryption can't be associated with the specified cache behavior.

An origin cannot contain both an origin access control (OAC) and an origin access identity (OAI).

The update contains modifications that are not allowed.

The import source for the key value store.

The value of Quantity and the size of Items don't match.

An argument is invalid.

An invalidation.

An invalidation batch.

The InvalidationList complex type describes the list of invalidation objects. For more information about invalidation, see Invalidating Objects (Web Distributions Only) in the Amazon CloudFront Developer Guide.

A summary of an invalidation request.

The default root object file name is too big or contains an invalid character.

An origin access control is associated with an origin whose domain name is not supported.

An invalid error code was specified.

Your request contains forward cookies option which doesn't match with the expectation for the whitelisted list of cookie names. Either list of cookie names has been specified when not allowed or list of cookie names is missing when expected.

A CloudFront function association is invalid.

The specified geo restriction parameter is not valid.

The headers specified are not valid for an Amazon S3 origin.

The If-Match version is missing or not valid.

The specified Lambda@Edge function association is invalid.

The location code specified is not valid.

The minimum protocol version specified is not valid.

The origin access control is not valid.

The origin access identity is not valid or doesn't exist.

The Amazon S3 origin server specified does not refer to a valid Amazon S3 bucket.

The keep alive timeout specified for the origin is not valid.

The read timeout specified for the origin is not valid.

You cannot specify SSLv3 as the minimum protocol version if you only want to support only clients that support Server Name Indication (SNI).

The query string parameters specified are not valid.

The relative path is too big, is not URL-encoded, or does not begin with a slash (/).

This operation requires the HTTPS protocol. Ensure that you specify the HTTPS protocol in your request, or omit the RequiredProtocols element from your distribution configuration.

A response code is not valid.

The tagging specified is not valid.

The TTL order specified is not valid.

A viewer certificate specified is not valid.

A web ACL ID specified is not valid. To specify a web ACL created using the latest version of WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.

A key group.

A key group contains a list of public keys that you can use with CloudFront signed URLs and signed cookies.

A key group with this name already exists. You must provide a unique name. To modify an existing key group, use UpdateKeyGroup.

A key group configuration.

A key group contains a list of public keys that you can use with CloudFront signed URLs and signed cookies.

A list of key groups.

Contains information about a key group.

A list of CloudFront key pair identifiers.

The key value store. Use this to separate data from function code, allowing you to update data without having to publish a new version of a function. The key value store holds keys and their corresponding values.

The key value store association.

The key value store associations.

The key value store list.

A list of identifiers for the public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies.

Contains information about the Amazon Kinesis data stream where you are sending real-time log data.

A complex type that contains a Lambda@Edge function association.

A complex type that specifies a list of Lambda@Edge functions associations for a cache behavior.

If you want to invoke one or more Lambda@Edge functions triggered by requests that match the PathPattern of the cache behavior, specify the applicable values for Quantity and Items. Note that there can be up to 4 LambdaFunctionAssociation items in this list (one for each possible value of EventType) and each EventType can be associated with only one function.

If you don't want to invoke any Lambda@Edge functions for the requests that match PathPattern, specify 0 for Quantity and omit Items.

Container for the parameters to the ListAnycastIpLists operation. Lists your Anycast static IP lists.

This is the response object from the ListAnycastIpLists operation.

Container for the parameters to the ListCachePolicies operation. Gets a list of cache policies.

You can optionally apply a filter to return only the managed policies created by Amazon Web Services, or only the custom policies created in your Amazon Web Services account.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListCachePolicies operation.

Container for the parameters to the ListCloudFrontOriginAccessIdentities operation. Lists origin access identities.

The returned result of the corresponding request.

Container for the parameters to the ListConflictingAliases operation. Gets a list of aliases (also called CNAMEs or alternate domain names) that conflict or overlap with the provided alias, and the associated CloudFront distributions and Amazon Web Services accounts for each conflicting alias. In the returned list, the distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don't own.

Use this operation to find aliases that are in use in CloudFront that conflict or overlap with the provided alias. For example, if you provide www.example.com as input, the returned list can include www.example.com and the overlapping wildcard alternate domain name (*.example.com), if they exist. If you provide *.example.com as input, the returned list can include *.example.com and any alternate domain names covered by that wildcard (for example, www.example.com, test.example.com, dev.example.com, and so on), if they exist.

To list conflicting aliases, you provide the alias to search and the ID of a distribution in your account that has an attached SSL/TLS certificate that includes the provided alias. For more information, including how to set up the distribution and certificate, see Moving an alternate domain name to a different distribution in the Amazon CloudFront Developer Guide.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListConflictingAliases operation.

Container for the parameters to the ListContinuousDeploymentPolicies operation. Gets a list of the continuous deployment policies in your Amazon Web Services account.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListContinuousDeploymentPolicies operation.

Container for the parameters to the ListDistributionsByAnycastIpListId operation. Lists the distributions in your account that are associated with the specified AnycastIpListId.

This is the response object from the ListDistributionsByAnycastIpListId operation.

Container for the parameters to the ListDistributionsByCachePolicyId operation. Gets a list of distribution IDs for distributions that have a cache behavior that's associated with the specified cache policy.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListDistributionsByCachePolicyId operation.

Container for the parameters to the ListDistributionsByKeyGroup operation. Gets a list of distribution IDs for distributions that have a cache behavior that references the specified key group.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListDistributionsByKeyGroup operation.

Container for the parameters to the ListDistributionsByOriginRequestPolicyId operation. Gets a list of distribution IDs for distributions that have a cache behavior that's associated with the specified origin request policy.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListDistributionsByOriginRequestPolicyId operation.

Container for the parameters to the ListDistributionsByRealtimeLogConfig operation. Gets a list of distributions that have a cache behavior that's associated with the specified real-time log configuration.

You can specify the real-time log configuration by its name or its Amazon Resource Name (ARN). You must provide at least one. If you provide both, CloudFront uses the name to identify the real-time log configuration to list distributions for.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListDistributionsByRealtimeLogConfig operation.

Container for the parameters to the ListDistributionsByResponseHeadersPolicyId operation. Gets a list of distribution IDs for distributions that have a cache behavior that's associated with the specified response headers policy.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListDistributionsByResponseHeadersPolicyId operation.

Container for the parameters to the ListDistributionsByVpcOriginId operation. List CloudFront distributions by their VPC origin ID.

This is the response object from the ListDistributionsByVpcOriginId operation.

Container for the parameters to the ListDistributionsByWebACLId operation. List the distributions that are associated with a specified WAF web ACL.

The response to a request to list the distributions that are associated with a specified WAF web ACL.

Container for the parameters to the ListDistributions operation. List CloudFront distributions.

The returned result of the corresponding request.

Container for the parameters to the ListFieldLevelEncryptionConfigs operation. List all field-level encryption configurations that have been created in CloudFront for this account.

This is the response object from the ListFieldLevelEncryptionConfigs operation.

Container for the parameters to the ListFieldLevelEncryptionProfiles operation. Request a list of field-level encryption profiles that have been created in CloudFront for this account.

This is the response object from the ListFieldLevelEncryptionProfiles operation.

Container for the parameters to the ListFunctions operation. Gets a list of all CloudFront functions in your Amazon Web Services account.

You can optionally apply a filter to return only the functions that are in the specified stage, either DEVELOPMENT or LIVE.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListFunctions operation.

Container for the parameters to the ListInvalidations operation. Lists invalidation batches.

The returned result of the corresponding request.

Container for the parameters to the ListKeyGroups operation. Gets a list of key groups.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListKeyGroups operation.

Container for the parameters to the ListKeyValueStores operation. Specifies the key value stores to list.

This is the response object from the ListKeyValueStores operation.

Container for the parameters to the ListOriginAccessControls operation. Gets the list of CloudFront origin access controls (OACs) in this Amazon Web Services account.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send another request that specifies the NextMarker value from the current response as the Marker value in the next request.

This is the response object from the ListOriginAccessControls operation.

Container for the parameters to the ListOriginRequestPolicies operation. Gets a list of origin request policies.

You can optionally apply a filter to return only the managed policies created by Amazon Web Services, or only the custom policies created in your Amazon Web Services account.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListOriginRequestPolicies operation.

Container for the parameters to the ListPublicKeys operation. List all public keys that have been added to CloudFront for this account.

This is the response object from the ListPublicKeys operation.

Container for the parameters to the ListRealtimeLogConfigs operation. Gets a list of real-time log configurations.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListRealtimeLogConfigs operation.

Container for the parameters to the ListResponseHeadersPolicies operation. Gets a list of response headers policies.

You can optionally apply a filter to get only the managed policies created by Amazon Web Services, or only the custom policies created in your Amazon Web Services account.

You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.

This is the response object from the ListResponseHeadersPolicies operation.

Container for the parameters to the ListStreamingDistributions operation. List streaming distributions.

The returned result of the corresponding request.

Container for the parameters to the ListTagsForResource operation. List tags for a CloudFront resource. For more information, see Tagging a distribution in the Amazon CloudFront Developer Guide.

The returned result of the corresponding request.

Container for the parameters to the ListVpcOrigins operation. List the CloudFront VPC origins in your account.

This is the response object from the ListVpcOrigins operation.

A complex type that specifies whether access logs are written for the distribution.

If you already enabled standard logging (legacy) and you want to enable standard logging (v2) to send your access logs to Amazon S3, we recommend that you specify a different Amazon S3 bucket or use a separate path in the same bucket (for example, use a log prefix or partitioning). This helps you keep track of which log files are associated with which logging subscription and prevents log files from overwriting each other. For more information, see Standard logging (access logs) in the Amazon CloudFront Developer Guide.

This operation requires a body. Ensure that the body is present and the Content-Type header is set.

A monitoring subscription. This structure contains information about whether additional CloudWatch metrics are enabled for a given CloudFront distribution.

A monitoring subscription already exists for the specified distribution.

The cache policy does not exist.

The specified origin access identity does not exist.

The continuous deployment policy doesn't exist.

The specified distribution does not exist.

The specified configuration for field-level encryption doesn't exist.

The specified profile for field-level encryption doesn't exist.

The function does not exist.

The specified invalidation does not exist.

A monitoring subscription does not exist for the specified distribution.

The origin access control does not exist.

No origin exists with the specified Origin Id.

The origin request policy does not exist.

The specified public key doesn't exist.

The real-time log configuration does not exist.

A resource that was specified is not valid.

The response headers policy does not exist.

The specified streaming distribution does not exist.

An origin.

An origin is the location where content is stored, and from which CloudFront gets content to serve to viewers. To specify an origin:

• Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting.

• Use CustomOriginConfig to specify all other kinds of origins, including:

  • An Amazon S3 bucket that is configured with static website hosting

  • An Elastic Load Balancing load balancer

  • An Elemental MediaPackage endpoint

  • An Elemental MediaStore container

  • Any other HTTP server, running on an Amazon EC2 instance or any other kind of host

For the current maximum number of origins that you can specify per distribution, see General Quotas on Web Distributions in the Amazon CloudFront Developer Guide (quotas were formerly referred to as limits).

A CloudFront origin access control, including its unique identifier.

An origin access control with the specified parameters already exists.

A CloudFront origin access control configuration.

Cannot delete the origin access control because it's in use by one or more distributions.

A list of CloudFront origin access controls.

A CloudFront origin access control.

A complex type that contains HeaderName and HeaderValue elements, if any, for this distribution.

An origin group includes two origins (a primary origin and a secondary origin to failover to) and a failover criteria that you specify. You create an origin group to support origin failover in CloudFront. When you create or update a distribution, you can specify the origin group instead of a single origin, and CloudFront will failover from the primary origin to the secondary origin under the failover conditions that you've chosen.

Optionally, you can choose selection criteria for your origin group to specify how your origins are selected when your distribution routes viewer requests.

A complex data type that includes information about the failover criteria for an origin group, including the status codes for which CloudFront will failover from the primary origin to the second origin.

An origin in an origin group.

A complex data type for the origins included in an origin group.

A complex data type for the origin groups specified for a distribution.

An origin request policy.

When it's attached to a cache behavior, the origin request policy determines the values that CloudFront includes in requests that it sends to the origin. Each request that CloudFront sends to the origin includes the following:

• The request body and the URL path (without the domain name) from the viewer request.

• The headers that CloudFront automatically includes in every origin request, including Host, User-Agent, and X-Amz-Cf-Id.

• All HTTP headers, cookies, and URL query strings that are specified in the cache policy or the origin request policy. These can include items from the viewer request and, in the case of headers, additional ones that are added by CloudFront.

CloudFront sends a request when it can't find an object in its cache that matches the request. If you want to send values to the origin and also include them in the cache key, use CachePolicy.

An origin request policy with this name already exists. You must provide a unique name. To modify an existing origin request policy, use UpdateOriginRequestPolicy.

An origin request policy configuration.

This configuration determines the values that CloudFront includes in requests that it sends to the origin. Each request that CloudFront sends to the origin includes the following:

• The request body and the URL path (without the domain name) from the viewer request.

• The headers that CloudFront automatically includes in every origin request, including Host, User-Agent, and X-Amz-Cf-Id.

• All HTTP headers, cookies, and URL query strings that are specified in the cache policy or the origin request policy. These can include items from the viewer request and, in the case of headers, additional ones that are added by CloudFront.

CloudFront sends a request when it can't find an object in its cache that matches the request. If you want to send values to the origin and also include them in the cache key, use CachePolicy.

An object that determines whether any cookies in viewer requests (and if so, which cookies) are included in requests that CloudFront sends to the origin.

An object that determines whether any HTTP headers (and if so, which headers) are included in requests that CloudFront sends to the origin.

Cannot delete the origin request policy because it is attached to one or more cache behaviors.

A list of origin request policies.

An object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in requests that CloudFront sends to the origin.

Contains an origin request policy.

Contains information about the origins for this distribution.

CloudFront Origin Shield.

Using Origin Shield can help reduce the load on your origin. For more information, see Using Origin Shield in the Amazon CloudFront Developer Guide.

A complex type that contains information about the SSL/TLS protocols that CloudFront can use when establishing an HTTPS connection with your origin.

This object determines the values that CloudFront includes in the cache key. These values can include HTTP headers, cookies, and URL query strings. CloudFront uses the cache key to find an object in its cache that it can return to the viewer.

The headers, cookies, and query strings that are included in the cache key are also included in requests that CloudFront sends to the origin. CloudFront sends a request when it can't find an object in its cache that matches the request's cache key. If you want to send values to the origin but not include them in the cache key, use OriginRequestPolicy.

A complex type that contains information about the objects that you want to invalidate. For more information, see Specifying the Objects to Invalidate in the Amazon CloudFront Developer Guide.

The precondition in one or more of the request fields evaluated to false.

A public key that you can use with signed URLs and signed cookies, or with field-level encryption.

The specified public key already exists.

Configuration information about a public key that you can use with signed URLs and signed cookies, or with field-level encryption.

The specified public key is in use.

A list of public keys that you can use with signed URLs and signed cookies, or with field-level encryption.

Contains information about a public key.

Container for the parameters to the PublishFunction operation. Publishes a CloudFront function by copying the function code from the DEVELOPMENT stage to LIVE. This automatically updates all cache behaviors that are using this function to use the newly published copy in the LIVE stage.

When a function is published to the LIVE stage, you can attach the function to a distribution's cache behavior, using the function's Amazon Resource Name (ARN).

To publish a function, you must provide the function's name and version (ETag value). To get these values, you can use ListFunctions and DescribeFunction.

This is the response object from the PublishFunction operation.

Query argument-profile mapping for field-level encryption.

Configuration for query argument-profile mapping for field-level encryption.

No profile specified for the field-level encryption query argument.

Query argument-profile mapping for field-level encryption.

This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.

If you want to include query strings in the cache key, use QueryStringsConfig in a cache policy. See CachePolicy.

If you want to send query strings to the origin but not include them in the cache key, use QueryStringsConfig in an origin request policy. See OriginRequestPolicy.

A complex type that contains information about the query string parameters that you want CloudFront to use for caching for a cache behavior.

Contains a list of query string names.

A real-time log configuration.

A real-time log configuration with this name already exists. You must provide a unique name. To modify an existing real-time log configuration, use UpdateRealtimeLogConfig.

Cannot delete the real-time log configuration because it is attached to one or more cache behaviors.

The specified real-time log configuration belongs to a different Amazon Web Services account.

A list of real-time log configurations.

A subscription configuration for additional CloudWatch metrics.

Cannot delete this resource because it is in use.

A response headers policy.

A response headers policy contains information about a set of HTTP response headers.

After you create a response headers policy, you can use its ID to attach it to one or more cache behaviors in a CloudFront distribution. When it's attached to a cache behavior, the response headers policy affects the HTTP headers that CloudFront includes in HTTP responses to requests that match the cache behavior. CloudFront adds or removes response headers according to the configuration of the response headers policy.

For more information, see Adding or removing HTTP headers in CloudFront responses in the Amazon CloudFront Developer Guide.

A list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header.

For more information about the Access-Control-Allow-Headers HTTP response header, see Access-Control-Allow-Headers in the MDN Web Docs.

A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.

For more information about the Access-Control-Allow-Methods HTTP response header, see Access-Control-Allow-Methods in the MDN Web Docs.

A list of origins (domain names) that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header.

For more information about the Access-Control-Allow-Origin HTTP response header, see Access-Control-Allow-Origin in the MDN Web Docs.

A list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header.

For more information about the Access-Control-Expose-Headers HTTP response header, see Access-Control-Expose-Headers in the MDN Web Docs.

A response headers policy with this name already exists. You must provide a unique name. To modify an existing response headers policy, use UpdateResponseHeadersPolicy.

A response headers policy configuration.

A response headers policy configuration contains metadata about the response headers policy, and configurations for sets of HTTP response headers.

The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header.

For more information about the Content-Security-Policy HTTP response header, see Content-Security-Policy in the MDN Web Docs.

Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff.

For more information about the X-Content-Type-Options HTTP response header, see X-Content-Type-Options in the MDN Web Docs.

A configuration for a set of HTTP response headers that are used for cross-origin resource sharing (CORS). CloudFront adds these headers to HTTP responses that it sends for CORS requests that match a cache behavior associated with this response headers policy.

For more information about CORS, see Cross-Origin Resource Sharing (CORS) in the MDN Web Docs.

An HTTP response header name and its value. CloudFront includes this header in HTTP responses that it sends for requests that match a cache behavior that's associated with this response headers policy.

A list of HTTP response header names and their values. CloudFront includes these headers in HTTP responses that it sends for requests that match a cache behavior that's associated with this response headers policy.

Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header's value.

For more information about the X-Frame-Options HTTP response header, see X-Frame-Options in the MDN Web Docs.

Cannot delete the response headers policy because it is attached to one or more cache behaviors in a CloudFront distribution.

A list of response headers policies.

Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header's value.

For more information about the Referrer-Policy HTTP response header, see Referrer-Policy in the MDN Web Docs.

The name of an HTTP header that CloudFront removes from HTTP responses to requests that match the cache behavior that this response headers policy is attached to.

A list of HTTP header names that CloudFront removes from HTTP responses to requests that match the cache behavior that this response headers policy is attached to.

A configuration for a set of security-related HTTP response headers. CloudFront adds these headers to HTTP responses that it sends for requests that match a cache behavior associated with this response headers policy.

A configuration for enabling the Server-Timing header in HTTP responses sent from CloudFront. CloudFront adds this header to HTTP responses that it sends in response to requests that match a cache behavior that's associated with this response headers policy.

You can use the Server-Timing header to view metrics that can help you gain insights about the behavior and performance of CloudFront. For example, you can see which cache layer served a cache hit, or the first byte latency from the origin when there was a cache miss. You can use the metrics in the Server-Timing header to troubleshoot issues or test the efficiency of your CloudFront configuration. For more information, see Server-Timing header in the Amazon CloudFront Developer Guide.

Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header's value.

For more information about the Strict-Transport-Security HTTP response header, see Strict-Transport-Security in the MDN Web Docs.

Contains a response headers policy.

Determines whether CloudFront includes the X-XSS-Protection HTTP response header and the header's value.

For more information about the X-XSS-Protection HTTP response header, see X-XSS-Protection in the MDN Web Docs.

A complex type that identifies ways in which you want to restrict distribution of your content.

A complex type that contains information about the Amazon S3 bucket from which you want CloudFront to get your media files for distribution.

A complex type that contains information about the Amazon S3 origin. If the origin is a custom origin or an S3 bucket that is configured as a website endpoint, use the CustomOriginConfig element instead.

Session stickiness provides the ability to define multiple requests from a single viewer as a single session. This prevents the potentially inconsistent experience of sending some of a given user's requests to your staging distribution, while others are sent to your primary distribution. Define the session duration using TTL values.

A list of Amazon Web Services accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.

The CloudFront domain name of the staging distribution.

A continuous deployment policy for this staging distribution already exists.

A complex data type for the status codes that you specify that, when returned by a primary origin, trigger CloudFront to failover to a second origin.

A streaming distribution tells CloudFront where you want RTMP content to be delivered from, and the details about how to track and manage content delivery.

The caller reference you attempted to create the streaming distribution with is associated with another distribution

The RTMP distribution's configuration information.

A streaming distribution Configuration and a list of tags to be associated with the streaming distribution.

A streaming distribution list.

The specified CloudFront distribution is not disabled. You must disable the distribution before you can delete it.

A summary of the information for a CloudFront streaming distribution.

A complex type that controls whether access logs are written for this streaming distribution.

A complex type that contains Tag key and Tag value.

A complex type that contains zero or more Tag elements.

Container for the parameters to the TagResource operation. Add tags to a CloudFront resource. For more information, see Tagging a distribution in the Amazon CloudFront Developer Guide.

This is the response object from the TagResource operation.

A complex type that contains zero or more Tag elements.

The CloudFront function failed.

Container for the parameters to the TestFunction operation. Tests a CloudFront function.

To test a function, you provide an event object that represents an HTTP request or response that your CloudFront distribution could receive in production. CloudFront runs the function, passing it the event object that you provided, and returns the function's result (the modified event object) in the response. The response also contains function logs and error messages, if any exist. For more information about testing functions, see Testing functions in the Amazon CloudFront Developer Guide.

To test a function, you provide the function's name and version (ETag value) along with the event object. To get the function's name and version, you can use ListFunctions and DescribeFunction.

This is the response object from the TestFunction operation.

Contains the result of testing a CloudFront function with TestFunction.

The length of the Content-Security-Policy header value in the response headers policy exceeds the maximum.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You cannot create more cache behaviors for the distribution.

You have reached the maximum number of cache policies for this Amazon Web Services account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You cannot create anymore custom SSL/TLS certificates.

Processing your request would cause you to exceed the maximum number of origin access identities allowed.

You have reached the maximum number of continuous deployment policies for this Amazon Web Services account.

Your request contains more cookie names in the whitelist than are allowed per cache behavior.

The number of cookies in the cache policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The number of cookies in the origin request policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The number of custom headers in the response headers policy exceeds the maximum.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains more CNAMEs than are allowed per distribution.

The maximum number of distributions have been associated with the specified cache policy. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The maximum number of distributions have been associated with the specified configuration for field-level encryption.

The number of distributions that reference this key group is more than the maximum allowed. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The maximum number of distributions have been associated with the specified origin access control.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The maximum number of distributions have been associated with the specified origin request policy. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The maximum number of distributions have been associated with the specified response headers policy.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Processing your request would cause you to exceed the maximum number of distributions allowed.

You have reached the maximum number of distributions that are associated with a CloudFront function. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Processing your request would cause the maximum number of distributions with Lambda@Edge function associations per owner to be exceeded.

The maximum number of distributions have been associated with the specified Lambda@Edge function.

The maximum number of configurations for field-level encryption have been created.

The maximum number of content type profiles for field-level encryption have been created.

The maximum number of encryption entities for field-level encryption have been created.

The maximum number of field patterns for field-level encryption have been created.

The maximum number of profiles for field-level encryption have been created.

The maximum number of query arg profiles for field-level encryption have been created.

You have reached the maximum number of CloudFront function associations for this distribution. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You have reached the maximum number of CloudFront functions for this Amazon Web Services account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The number of headers in the cache policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains too many headers in forwarded values.

The number of headers in the origin request policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You have exceeded the maximum number of allowable InProgress invalidation batch requests, or invalidation objects.

The number of key groups referenced by this distribution is more than the maximum allowed. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You have reached the maximum number of key groups for this Amazon Web Services account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains more Lambda@Edge function associations than are allowed per distribution.

The number of origin access controls in your Amazon Web Services account exceeds the maximum allowed.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains too many origin custom headers.

Processing your request would cause you to exceed the maximum number of origin groups allowed.

You have reached the maximum number of origin request policies for this Amazon Web Services account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You cannot create more origins for the distribution.

The maximum number of public keys for field-level encryption have been created. To create a new public key, delete one of the existing keys.

The number of public keys in this key group is more than the maximum allowed. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains too many query string parameters.

The number of query strings in the cache policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The number of query strings in the origin request policy exceeds the maximum. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You have reached the maximum number of real-time log configurations for this Amazon Web Services account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

The number of headers in RemoveHeadersConfig in the response headers policy exceeds the maximum.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

You have reached the maximum number of response headers policies for this Amazon Web Services account.

For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.

Your request contains more CNAMEs than are allowed per distribution.

Processing your request would cause you to exceed the maximum number of streaming distributions allowed.

Your request contains more trusted signers than are allowed per distribution.

The traffic configuration of your continuous deployment.

The specified key group does not exist.

A list of key groups whose public keys CloudFront can use to verify the signatures of signed URLs and signed cookies.

One or more of your trusted signers don't exist.

A list of Amazon Web Services accounts whose public keys CloudFront can use to verify the signatures of signed URLs and signed cookies.

This operation is not supported in this region.

Container for the parameters to the UntagResource operation. Remove tags from a CloudFront resource. For more information, see Tagging a distribution in the Amazon CloudFront Developer Guide.

This is the response object from the UntagResource operation.

Container for the parameters to the UpdateCachePolicy operation. Updates a cache policy configuration.

When you update a cache policy configuration, all the fields are updated with the values provided in the request. You cannot update some fields independent of others. To update a cache policy configuration:

1. Use GetCachePolicyConfig to get the current configuration.

2. Locally modify the fields in the cache policy configuration that you want to update.

3. Call UpdateCachePolicy by providing the entire cache policy configuration, including the fields that you modified and those that you didn't.

This is the response object from the UpdateCachePolicy operation.

Container for the parameters to the UpdateCloudFrontOriginAccessIdentity operation. Update an origin access identity.

The returned result of the corresponding request.

Container for the parameters to the UpdateContinuousDeploymentPolicy operation. Updates a continuous deployment policy. You can update a continuous deployment policy to enable or disable it, to change the percentage of traffic that it sends to the staging distribution, or to change the staging distribution that it sends traffic to.

When you update a continuous deployment policy configuration, all the fields are updated with the values that are provided in the request. You cannot update some fields independent of others. To update a continuous deployment policy configuration:

1. Use GetContinuousDeploymentPolicyConfig to get the current configuration.

2. Locally modify the fields in the continuous deployment policy configuration that you want to update.

3. Use UpdateContinuousDeploymentPolicy, providing the entire continuous deployment policy configuration, including the fields that you modified and those that you didn't.

This is the response object from the UpdateContinuousDeploymentPolicy operation.

Container for the parameters to the UpdateDistribution operation. Updates the configuration for a CloudFront distribution.

The update process includes getting the current distribution configuration, updating it to make your changes, and then submitting an UpdateDistribution request to make the updates.

To update a web distribution using the CloudFront API

1. Use GetDistributionConfig to get the current configuration, including the version identifier (ETag).

2. Update the distribution configuration that was returned in the response. Note the following important requirements and restrictions:

   • You must copy the ETag field value from the response. (You'll use it for the IfMatch parameter in your request.) Then, remove the ETag field from the distribution configuration.

   • You can't change the value of CallerReference.

3. Submit an UpdateDistribution request, providing the updated distribution configuration. The new configuration replaces the existing configuration. The values that you specify in an UpdateDistribution request are not merged into your existing configuration. Make sure to include all fields: the ones that you modified and also the ones that you didn't.

The returned result of the corresponding request.

Container for the parameters to the UpdateDistributionWithStagingConfig operation. Copies the staging distribution's configuration to its corresponding primary distribution. The primary distribution retains its Aliases (also known as alternate domain names or CNAMEs) and ContinuousDeploymentPolicyId value, but otherwise its configuration is overwritten to match the staging distribution.

You can use this operation in a continuous deployment workflow after you have tested configuration changes on the staging distribution. After using a continuous deployment policy to move a portion of your domain name's traffic to the staging distribution and verifying that it works as intended, you can use this operation to copy the staging distribution's configuration to the primary distribution. This action will disable the continuous deployment policy and move your domain's traffic back to the primary distribution.

This API operation requires the following IAM permissions:

• GetDistribution

• UpdateDistribution

This is the response object from the UpdateDistributionWithStagingConfig operation.

Container for the parameters to the UpdateFieldLevelEncryptionConfig operation. Update a field-level encryption configuration.

This is the response object from the UpdateFieldLevelEncryptionConfig operation.

Container for the parameters to the UpdateFieldLevelEncryptionProfile operation. Update a field-level encryption profile.

This is the response object from the UpdateFieldLevelEncryptionProfile operation.

Container for the parameters to the UpdateFunction operation. Updates a CloudFront function.

You can update a function's code or the comment that describes the function. You cannot update a function's name.

To update a function, you provide the function's name and version (ETag value) along with the updated function code. To get the name and version, you can use ListFunctions and DescribeFunction.

This is the response object from the UpdateFunction operation.

Container for the parameters to the UpdateKeyGroup operation. Updates a key group.

When you update a key group, all the fields are updated with the values provided in the request. You cannot update some fields independent of others. To update a key group:

1. Get the current key group with GetKeyGroup or GetKeyGroupConfig.

2. Locally modify the fields in the key group that you want to update. For example, add or remove public key IDs.

3. Call UpdateKeyGroup with the entire key group object, including the fields that you modified and those that you didn't.

This is the response object from the UpdateKeyGroup operation.

Container for the parameters to the UpdateKeyValueStore operation. Specifies the key value store to update.

This is the response object from the UpdateKeyValueStore operation.

Container for the parameters to the UpdateOriginAccessControl operation. Updates a CloudFront origin access control.

This is the response object from the UpdateOriginAccessControl operation.

Container for the parameters to the UpdateOriginRequestPolicy operation. Updates an origin request policy configuration.

When you update an origin request policy configuration, all the fields are updated with the values provided in the request. You cannot update some fields independent of others. To update an origin request policy configuration:

1. Use GetOriginRequestPolicyConfig to get the current configuration.

2. Locally modify the fields in the origin request policy configuration that you want to update.

3. Call UpdateOriginRequestPolicy by providing the entire origin request policy configuration, including the fields that you modified and those that you didn't.

This is the response object from the UpdateOriginRequestPolicy operation.

Container for the parameters to the UpdatePublicKey operation. Update public key information. Note that the only value you can change is the comment.

This is the response object from the UpdatePublicKey operation.

Container for the parameters to the UpdateRealtimeLogConfig operation. Updates a real-time log configuration.

When you update a real-time log configuration, all the parameters are updated with the values provided in the request. You cannot update some parameters independent of others. To update a real-time log configuration:

1. Call GetRealtimeLogConfig to get the current real-time log configuration.

2. Locally modify the parameters in the real-time log configuration that you want to update.

3. Call this API (UpdateRealtimeLogConfig) by providing the entire real-time log configuration, including the parameters that you modified and those that you didn't.

You cannot update a real-time log configuration's Name or ARN.

This is the response object from the UpdateRealtimeLogConfig operation.

Container for the parameters to the UpdateResponseHeadersPolicy operation. Updates a response headers policy.

When you update a response headers policy, the entire policy is replaced. You cannot update some policy fields independent of others. To update a response headers policy configuration:

1. Use GetResponseHeadersPolicyConfig to get the current policy's configuration.

2. Modify the fields in the response headers policy configuration that you want to update.

3. Call UpdateResponseHeadersPolicy, providing the entire response headers policy configuration, including the fields that you modified and those that you didn't.

This is the response object from the UpdateResponseHeadersPolicy operation.

Container for the parameters to the UpdateStreamingDistribution operation. Update a streaming distribution.

The returned result of the corresponding request.

Container for the parameters to the UpdateVpcOrigin operation. Update an Amazon CloudFront VPC origin in your account.

This is the response object from the UpdateVpcOrigin operation.

A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers.

If the distribution doesn't use Aliases (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net—set CloudFrontDefaultCertificate to true and leave all other fields empty.

If the distribution uses Aliases (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:

• Which viewers the distribution accepts HTTPS connections from: only viewers that support server name indication (SNI) (recommended), or all viewers including those that don't support SNI.

  • To accept HTTPS connections from only viewers that support SNI, set SSLSupportMethod to sni-only. This is recommended. Most browsers and clients support SNI.

  • To accept HTTPS connections from all viewers, including those that don't support SNI, set SSLSupportMethod to vip. This is not recommended, and results in additional monthly charges from CloudFront.

• The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for MinimumProtocolVersion. For more information, see Security Policy in the Amazon CloudFront Developer Guide.

• The location of the SSL/TLS certificate, Certificate Manager (ACM) (recommended) or Identity and Access Management (IAM). You specify the location by setting a value in one of the following fields (not both):

  • ACMCertificateArn

  • IAMCertificateId

All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use ViewerProtocolPolicy in the CacheBehavior or DefaultCacheBehavior. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use CustomOriginConfig.

For more information, see Using HTTPS with CloudFront and Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.

An Amazon CloudFront VPC origin.

An Amazon CloudFront VPC origin configuration.

An Amazon CloudFront VPC origin endpoint configuration.

A list of CloudFront VPC origins.

A summary of the CloudFront VPC origin.

Paginators for the CloudFront service

Paginator for the ListCloudFrontOriginAccessIdentities operation

Paginator for the ListDistributions operation

Paginator for the ListInvalidations operation

Paginator for the ListKeyValueStores operation

Paginator for the ListPublicKeys operation

Paginator for the ListStreamingDistributions operation