Amazon CloudFront
Developer Guide (API Version 2016-09-29)

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Getting Started with CloudFront

The example in this topic gives you a quick overview of how to use CloudFront to set up a basic configuration that:

  • Stores the original versions of your objects in one Amazon Simple Storage Service (Amazon S3) bucket

  • Distributes content such as text or graphics

  • Makes your objects accessible to everyone

  • Uses the CloudFront domain name in URLs for your objects (for example,

  • Keeps your objects in CloudFront edge locations for the default duration of 24 hours (the minimum duration is 0 seconds)

Most of these options are customizable. For example, you can store your content on your own web server instead of using an S3 bucket, and you can limit who has access to the content by using signed URLs or cookies. For information about how to customize your CloudFront distribution options, see Steps for Creating a Distribution (Overview).

You only have to complete a few basic steps to start delivering your content by using CloudFront. The first step is signing up. After that, you create a CloudFront distribution, and then use the CloudFront domain name in URLs in your web pages or applications to reference the content.


Before you begin, make sure that you've completed the steps in Setting Up Amazon CloudFront.

Step 1: Upload your content to Amazon S3 and grant object permissions

An Amazon S3 bucket is a container that can contain files (objects) or folders. CloudFront can distribute almost any type of file for you using an Amazon S3 bucket as the source, for example, text, images, and videos. You can create multiple buckets, and there is no limit to the amount of data that you can store on Amazon S3.

By default, your Amazon S3 bucket and all of the files in it are private—only the AWS account that created the bucket has permission to read or write the files in it. If you want to allow anyone to access the files in your Amazon S3 bucket using CloudFront URLs, you must grant public read permissions to the objects. (This is one of the most common mistakes when working with CloudFront and Amazon S3. You must explicitly grant privileges to each object in an Amazon S3 bucket.)


If you want to restrict who can download your content, you can use the CloudFront private content feature. For more information about distributing private content, see Serving Private Content with Signed URLs and Signed Cookies.

To upload your content to Amazon S3 and grant read permission to everyone

  1. Sign in to the AWS Management Console and open the Amazon S3 console at

  2. In the Amazon S3 console, choose Create Bucket.

  3. In the Create Bucket dialog, on the Name and region page, do the following:

    1. Enter a bucket name.


      For your bucket to work with CloudFront, the name must conform to DNS naming requirements. For more information, go to Bucket Restrictions and Limitations in the Amazon Simple Storage Service Developer Guide.

    2. Select an AWS Region for your bucket. By default, Amazon S3 creates buckets in the US East (N. Virginia) Region. We recommend that you choose a Region close to you to optimize latency and minimize costs, or you might choose another Region to address regulatory requirements.

  4. Choose Next.

  5. On the Configure options page, choose options for versioning, tagging, and other features.

  6. Choose Next.

  7. On the Set permissions page, clear the following checkbox:

    • Block all public access

    You must allow public read access to the bucket and files so that CloudFront URLs can serve content from the bucket. However, you can restrict access to specific content by using the CloudFront private content feature. For more information, see Serving Private Content with Signed URLs and Signed Cookies.

  8. Choose Next, and then choose Create bucket.

  9. Choose your bucket in the Buckets pane, and then choose Upload.

  10. On the Select files page, drag and drop your files to the bucket, or choose Add files, and choose the files that you want to upload.

  11. Choose Next.

  12. On the Set permissions page, grant public read privileges for each file that you upload to your Amazon S3 bucket.

    1. Choose Next to set permissions.

    2. In the Manage public permissions drop-down list, choose Grant public read access to this object(s).

    3. Choose Next.

  13. Set any properties that you want for the object, such as encryption or tagging, and then choose Next.

  14. Choose Upload.

    After the upload completes, you can navigate to the item by using its URL. In the case of the previous example, the URL would be:

    Use your Amazon S3 URL to verify that your content is publicly accessible, but remember that this is not the URL you'll use when you're ready to distribute your content with CloudFront.

Step 2: Create a CloudFront distribution

To create a CloudFront distribution

  1. Open the CloudFront console at

  2. Choose Create Distribution.

  3. On the Select a delivery method for your content page, in the Web section or the RTMP section, choose Get Started.

    • For most scenarios, you create a web distribution.

    • To create a distribution to stream media files using Adobe Media Server and the Adobe Real-Time Messaging Protocol (RTMP), you create an RTMP distribution. For more information, see Task List for Streaming Media Files Using RTMP.

  4. On the Create Distribution page, under Origin Settings, choose the Amazon S3 bucket that you created earlier. For Origin ID, Origin Path, Restrict Bucket Access, and Origin Custom Headers, accept the default values.

						Specify the Amazon S3 bucket.
  5. Under Default Cache Behavior Settings, accept the default values, and CloudFront will:

    • Forward all requests that use the CloudFront URL for your distribution (for example, to the Amazon S3 bucket that you specified in Step 4.

    • Allow end users to use either HTTP or HTTPS to access your objects.

    • Respond to requests for your objects.

    • Cache your objects at CloudFront edge locations for 24 hours.

    • Forward only the default request headers to your origin and not cache your objects based on the values in the headers.

    • Exclude cookies and query string parameters, if any, when forwarding requests for objects to your origin. (Amazon S3 doesn't process cookies and processes only a limited set of query string parameters.)

    • Not be configured to distribute media files in the Microsoft Smooth Streaming format.

    • Allow everyone to view your content.

    • Not automatically compress your content.

    For more information about cache behavior options, see Cache Behavior Settings.

							Define cache behavior.
  6. Under Distribution Settings, choose the values for your distribution:

    Price Class

    Select the price class that corresponds with the maximum price that you want to pay for CloudFront service. By default, CloudFront serves your objects from edge locations in all CloudFront regions.

    For more information about price classes and about how your choice of price class affects CloudFront performance for your distribution, go to Choosing the Price Class for a CloudFront Distribution. For information about CloudFront pricing, including how price classes map to CloudFront regions, go to Amazon CloudFront Pricing.


    If you want to use AWS WAF to allow or block HTTP and HTTPS requests based on criteria that you specify, choose the web ACL to associate with this distribution. For more information about AWS WAF, see the AWS WAF Developer Guide.

    Alternate Domain Names (CNAMEs) (Optional)

    Specify one or more domain names that you want to use for URLs for your objects instead of the domain name that CloudFront assigns when you create your distribution. For example, if you want the URL for the object:


    to look like this:

    instead of like this:

    you would create a CNAME for


    If you add a CNAME for to your distribution, you also need to create (or update) a CNAME record with your DNS service to route queries for to You must have permission to create a CNAME record with the DNS service provider for the domain. Typically, this means that you own the domain, but you may also be developing an application for the domain owner. For more information about CNAMEs, see Using Custom URLs for Files by Adding Alternate Domain Names (CNAMEs).

    For the current limit on the number of alternate domain names that you can add to a distribution or request a higher limit, see General Limits on Web Distributions.

    SSL Certificate

    Accept the default value, Default CloudFront Certificate.

    Default Root Object (Optional)

    The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL of your distribution ( instead of an object in your distribution ( Specifying a default root object avoids exposing the contents of your distribution.

    Logging (Optional)

    If you want CloudFront to log information about each request for an object and store the log files in an Amazon S3 bucket, select On, and specify the bucket and an optional prefix for the names of the log files. There is no extra charge to enable logging, but you accrue the usual Amazon S3 charges for storing and accessing the files. CloudFront doesn't delete the logs automatically, but you can delete them at any time.

    Cookie Logging

    In this example, we're using Amazon S3 as the origin for your objects, and Amazon S3 doesn't process cookies, so we recommend that you select Off for the value of Cookie Logging.

    Comment (Optional)

    Enter any comments that you want to save with the distribution.

    Distribution State

    Select Enabled if you want CloudFront to begin processing requests as soon as the distribution is created, or select Disabled if you do not want CloudFront to begin processing requests after the distribution is created.

    Distribution settings
  7. Choose Create Distribution.

  8. After CloudFront has created your distribution, the value of the Status column for your distribution will change from InProgress to Deployed. If you chose to enable the distribution, it will then be ready to process requests. This typically takes between 20 and 40 minutes.

    The domain name that CloudFront assigns to your distribution appears in the list of distributions. (It also appears on the General tab for a selected distribution.)

Step 3: Test your links

After you've created your distribution, CloudFront knows where your Amazon S3 origin server is, and you know the domain name associated with the distribution. You can create a link to your Amazon S3 bucket content with that domain name, and have CloudFront serve it.


You must wait until the status of your distribution changes to Deployed before testing your links.

To link to your objects

  1. Copy the following HTML into a new file:

    • Replace <domain name> with the domain name that CloudFront assigned to your distribution.

    • Replace <object name> with the name of a file in your Amazon S3 bucket.

    <html> <head>My CloudFront Test</head> <body> <p>My text content goes here.</p> <p><img src="http://domain name/object name" alt="my test image"/> </body> </html>

    For example, if your domain name was and your object was image.jpg, the URL for the link would be:

    If your object is in a folder within your bucket, include the folder in the URL. For example, if image.jpg is located in an images folder, then the URL would be:

  2. Save the text in a file that has a .html filename extension.

  3. Open your web page in a browser to ensure that you can see your content. If you cannot see the content, confirm that you have performed all of the steps correctly. You can also see the tips in Troubleshooting.

The browser returns your page with the embedded image file, served from the edge location that CloudFront determined was appropriate to serve the object.

For more information on using CloudFront, go to Amazon CloudFront Related Information.