Amazon CloudFront
Developer Guide (API Version 2016-09-29)

CloudFront Compliance

CloudFront is compliant with the PCI DSS and HIPAA standards.
CloudFront supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.

As a security best practice, we recommend that you don't cache credit card information in CloudFront edge caches. For example, you can configure your origin to include a Cache-Control: no-cache="field-name" header in responses that contain credit card information, such as the last four digits of a credit card number and the card owner's contact information.
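
The following is an added example, not code from this guide or from AWS: it builds the field-name form of the Cache-Control header recommended above for an origin response, and then parses that header the way a simplified RFC 7234 shared cache would, dropping the named fields before the response is stored. The header names X-Card-Last4 and X-Card-Holder are hypothetical, and the cache model is a generic one, not a description of CloudFront's own caching logic.

```python
import re
from typing import Dict, List, Optional

# Hypothetical response headers that carry card data and must never be cached.
CARD_FIELDS = ["X-Card-Last4", "X-Card-Holder"]


def no_cache_header(field_names: List[str]) -> str:
    """Build the origin's Cache-Control value: no-cache="f1,f2" names the
    header fields a shared cache must strip before storing the response."""
    return 'no-cache="%s"' % ",".join(field_names)


# One directive: a token, optionally "=" followed by a quoted string or a bare value.
_DIRECTIVE = re.compile(r'([A-Za-z0-9-]+)(?:=("(?:[^"\\]|\\.)*"|[^,]*))?')


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Return {directive: argument or None}; quoted field-name lists are unquoted."""
    out: Dict[str, Optional[str]] = {}
    for m in _DIRECTIVE.finditer(value):
        name, arg = m.group(1).lower(), m.group(2)
        if arg is not None and arg.startswith('"'):
            arg = arg[1:-1]
        out[name] = arg
    return out


def storable_response(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the subset of response headers a simplified shared cache may store,
    or None when the response must not be stored at all."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or ("private" in cc and cc["private"] is None):
        return None
    if "no-cache" in cc:
        if cc["no-cache"] is None:
            # Bare no-cache: RFC 7234 requires revalidation before every reuse;
            # this toy cache simply does not store such responses.
            return None
        # Field-name form: the rest of the response is cacheable, but the
        # listed headers (here, the card data) are removed before storage.
        excluded = {f.strip().lower() for f in cc["no-cache"].split(",") if f.strip()}
        return {k: v for k, v in headers.items() if k.lower() not in excluded}
    return dict(headers)
```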
AWS has expanded its HIPAA compliance program to include CloudFront as a HIPAA Eligible Service. If you have an executed Business Associate Agreement (BAA) with AWS, you can use CloudFront to deliver content containing protected health information (PHI). For more information, see HIPAA Compliance.

Logging CloudFront Usage Data for Auditing

If you run PCI or HIPAA-compliant workloads, we recommend, in line with the AWS Shared Responsibility Model, that you log your CloudFront usage data for the last 365 days for future auditing purposes. To log usage data, you can do the following: