AWS Mobile
Developer Guide

Amazon CloudFront Security Considerations for Mobile Hub Users

When you enable the AWS Mobile Hub Hosting and Streaming feature, an Amazon CloudFront distribution is created in your account. The distribution caches the web assets you store within an associated Amazon S3 bucket throughout a global network of Amazon edge servers. This provides your customers with fast local access to the web assets.

This topic describes the key CloudFront security-related features that you might want to use for your distribution. For the same type of information regarding the source bucket, see s3-security.

Access management

Hosting and Streaming makes assets in a distribution publically available. While this is the normal security policy for Internet based resources, you should consider restricting access to the assets if this is not the case. The best practice for security is to follow a ?minimal permissions? model and restrict access to resources as much as possible. You may want to modify resource-based policies, such as the distribution policy or access control lists (ACLs), to grant access only to some users or groups of users.

To protect access to any AWS resources associated with a Hosting and Streaming web app, such as buckets and database tables, we recommend restricting access to only authenticated users. You can add this restriction to your Mobile Hub project by enabling the User Sign-in feature, with the sign-in required option.

For more information, see Authentication and Access Control for CloudFront in the Amazon CloudFront Developer Guide.

Requiring the HTTPS Protocol

CloudFront supports use of the HTTPS protocol to encrypt communications to and from a distribution. This highly recommended practice protects both the user and the service. CloudFront enables you to require HTTPS both between customers and your distribution endpoints, and CloudFront between your distribution's caches and the source bucket where your assets originate. Global redirection of HTTP traffic to HTTPS, use of HTTPS for custom domains and other options are also supported.

For more information, see Using HTTPS with CloudFront in the Amazon CloudFront Developer Guide.

Securing Private Content

CloudFront supports a range of methods for protecting private content in a distribution cache. These include the use of signed cookies and signed URLs to restrict access to authenticated, authorized users.

A best practice is to use techniques like these on both the connection between the user and the distribution endpoint and between the distribution and the content Amazon S3 source bucket.

For more information, see the Serving Private Content through CloudFront section in the Amazon CloudFront Developer Guide.

Distribution Access Logging

Distribution logging helps you learn more about your app users, helps you meet your organization's audit requirements, and helps you understand your CloudFront costs. Each access log record provides details about a single access request, such as the requester, distribution name, request time, request action, response status, and error code, if any. You can store logs in an Amazon S3 bucket. To help manage your costs, you can delete logs that you no longer need, or you can suspend logging.

For more information, see Access Logs for CloudFront in the Amazon CloudFront Developer Guide.