Amazon CloudFront Construct Library

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so that content is delivered with the best possible performance.

Distribution API

The Distribution API replaces the CloudFrontWebDistribution API which is now deprecated. The Distribution API is optimized for the most common use cases of CloudFront distributions (e.g., single origin and behavior, few customizations) while still providing the ability for more advanced use cases. The API focuses on simplicity for the common use cases, and convenience methods for creating the behaviors and origins necessary for more complex use cases.

Creating a distribution

CloudFront distributions deliver your content from one or more origins; an origin is the location where you store the original version of your content. Origins can be created from S3 buckets or a custom origin (HTTP server). Constructs to define origins are in the aws-cdk-lib/aws-cloudfront-origins module.

Each distribution has a default behavior which applies to all requests to that distribution, and routes requests to a primary origin. Additional behaviors may be specified for an origin with a given URL path pattern. Behaviors allow routing with multiple origins, controlling which HTTP methods to support, whether to require users to use HTTPS, and what query strings or cookies to forward to your origin, among other settings.

From an S3 Bucket

An S3 bucket can be added as an origin. An S3 bucket origin can either be configured as a standard bucket or as a website endpoint (see AWS docs for Using an S3 Bucket).

# Creates a distribution from an S3 bucket with origin access control
my_bucket = s3.Bucket(self, "myBucket")
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3BucketOrigin.with_origin_access_control(my_bucket)
    )
)

See the README of the aws-cdk-lib/aws-cloudfront-origins module for more information on setting up S3 origins and origin access control (OAC).

ELBv2 Load Balancer

An Elastic Load Balancing (ELB) v2 load balancer may be used as an origin. In order for a load balancer to serve as an origin, it must be publicly accessible (internetFacing is true). Both Application and Network load balancers are supported.

# Creates a distribution from an ELBv2 load balancer
# vpc: ec2.Vpc

# Create an application load balancer in a VPC. 'internetFacing' must be 'true'
# for CloudFront to access the load balancer and use it as an origin.
lb = elbv2.ApplicationLoadBalancer(self, "LB",
    vpc=vpc,
    internet_facing=True
)
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.LoadBalancerV2Origin(lb))
)

From an HTTP endpoint

Origins can also be created from any other HTTP endpoint, given the domain name, and optionally, other origin properties.

# Creates a distribution from an HTTP endpoint
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com"))
)

Domain Names and Certificates

When you create a distribution, CloudFront assigns a domain name for the distribution, for example: d111111abcdef8.cloudfront.net; this value can be retrieved from distribution.distributionDomainName. CloudFront distributions use a default certificate (*.cloudfront.net) to support HTTPS by default. If you want to use your own domain name, such as www.example.com, you must associate a certificate with your distribution that contains your domain name, and provide one (or more) domain names from the certificate for the distribution.

The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections from SNI only and a minimum protocol version of TLSv1.2_2021 if the @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 feature flag is set, and TLSv1.2_2019 otherwise.

# To use your own domain name in a Distribution, you must associate a certificate
import aws_cdk.aws_certificatemanager as acm
import aws_cdk.aws_route53 as route53

# hosted_zone: route53.HostedZone

# my_bucket: s3.Bucket

my_certificate = acm.Certificate(self, "mySiteCert",
    domain_name="www.example.com",
    validation=acm.CertificateValidation.from_dns(hosted_zone)
)
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket)),
    domain_names=["www.example.com"],
    certificate=my_certificate
)

However, you can customize the minimum protocol version for the certificate while creating the distribution using minimumProtocolVersion property.

# Create a Distribution with a custom domain name and a minimum protocol version.
# my_bucket: s3.Bucket

cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.S3Origin(my_bucket)),
    domain_names=["www.example.com"],
    minimum_protocol_version=cloudfront.SecurityPolicyProtocol.TLS_V1_2016,
    ssl_support_method=cloudfront.SSLMethod.SNI
)

Moving an alternate domain name to a different distribution

When you try to add an alternate domain name to a distribution but the alternate domain name is already in use on a different distribution, you get a CNAMEAlreadyExists error (One or more of the CNAMEs you provided are already associated with a different resource).

In that case, you might want to move the existing alternate domain name from one distribution (the source distribution) to another (the target distribution). The following steps are an overview of the process. For more information, see Moving an alternate domain name to a different distribution.

  1. Deploy the stack with the target distribution. The certificate property must be specified but the domainNames should be absent.

  2. Move the alternate domain name by running CloudFront associate-alias command. For the example and preconditions, see the AWS documentation above.

  3. Specify the domainNames property with the alternative domain name, then deploy the stack again to resolve the drift at the alternative domain name.

Cross Region Certificates

This feature is currently experimental

You can enable the Stack property crossRegionReferences in order to access resources in a different stack and region. With this feature flag enabled it is possible to do something like creating a CloudFront distribution in us-east-2 and an ACM certificate in us-east-1.

import aws_cdk.aws_certificatemanager as acm
import aws_cdk.aws_route53 as route53

# app: App


stack1 = Stack(app, "Stack1",
    env=Environment(
        region="us-east-1"
    ),
    cross_region_references=True
)
cert = acm.Certificate(stack1, "Cert",
    domain_name="*.example.com",
    validation=acm.CertificateValidation.from_dns(route53.PublicHostedZone.from_hosted_zone_id(stack1, "Zone", "Z0329774B51CGXTDQV3X"))
)

stack2 = Stack(app, "Stack2",
    env=Environment(
        region="us-east-2"
    ),
    cross_region_references=True
)
cloudfront.Distribution(stack2, "Distribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.HttpOrigin("example.com")
    ),
    domain_names=["dev.example.com"],
    certificate=cert
)

Multiple Behaviors & Origins

Each distribution has a default behavior which applies to all requests to that distribution; additional behaviors may be specified for a given URL path pattern. Behaviors allow routing with multiple origins, controlling which HTTP methods to support, whether to require users to use HTTPS, and what query strings or cookies to forward to your origin, among others.

The properties of the default behavior can be adjusted as part of the distribution creation. The following example shows configuring the HTTP methods and viewer protocol policy of the cache.

# Create a Distribution with configured HTTP methods and viewer protocol policy of the cache.
# my_bucket: s3.Bucket

my_web_distribution = cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(my_bucket),
        allowed_methods=cloudfront.AllowedMethods.ALLOW_ALL,
        viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
    )
)

Additional behaviors can be specified at creation, or added after the initial creation. Each additional behavior is associated with an origin, and enable customization for a specific set of resources based on a URL path pattern. For example, we can add a behavior to myWebDistribution to override the default viewer protocol policy for all of the images.

# Add a behavior to a Distribution after initial creation.
# my_bucket: s3.Bucket
# my_web_distribution: cloudfront.Distribution

my_web_distribution.add_behavior("/images/*.jpg", origins.S3Origin(my_bucket),
    viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
)

These behaviors can also be specified at distribution creation time.

# Create a Distribution with additional behaviors at creation time.
# my_bucket: s3.Bucket

bucket_origin = origins.S3Origin(my_bucket)
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        allowed_methods=cloudfront.AllowedMethods.ALLOW_ALL,
        viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
    ),
    additional_behaviors={
        "/images/*.jpg": cloudfront.BehaviorOptions(
            origin=bucket_origin,
            viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS
        )
    }
)

Customizing Cache Keys and TTLs with Cache Policies

You can use a cache policy to improve your cache hit ratio by controlling the values (URL query strings, HTTP headers, and cookies) that are included in the cache key, and/or adjusting how long items remain in the cache via the time-to-live (TTL) settings. CloudFront provides some predefined cache policies, known as managed policies, for common use cases. You can use these managed policies, or you can create your own cache policy that’s specific to your needs. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-the-cache-key.html for more details.

# Using an existing cache policy for a Distribution
# bucket_origin: origins.S3Origin

cloudfront.Distribution(self, "myDistManagedPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        cache_policy=cloudfront.CachePolicy.CACHING_OPTIMIZED
    )
)
# Creating a custom cache policy for a Distribution -- all parameters optional
# bucket_origin: origins.S3Origin

my_cache_policy = cloudfront.CachePolicy(self, "myCachePolicy",
    cache_policy_name="MyPolicy",
    comment="A default policy",
    default_ttl=Duration.days(2),
    min_ttl=Duration.minutes(1),
    max_ttl=Duration.days(10),
    cookie_behavior=cloudfront.CacheCookieBehavior.all(),
    header_behavior=cloudfront.CacheHeaderBehavior.allow_list("X-CustomHeader"),
    query_string_behavior=cloudfront.CacheQueryStringBehavior.deny_list("username"),
    enable_accept_encoding_gzip=True,
    enable_accept_encoding_brotli=True
)
cloudfront.Distribution(self, "myDistCustomPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        cache_policy=my_cache_policy
    )
)

Customizing Origin Requests with Origin Request Policies

When CloudFront makes a request to an origin, the URL path, request body (if present), and a few standard headers are included. Other information from the viewer request, such as URL query strings, HTTP headers, and cookies, is not included in the origin request by default. You can use an origin request policy to control the information that’s included in an origin request. CloudFront provides some predefined origin request policies, known as managed policies, for common use cases. You can use these managed policies, or you can create your own origin request policy that’s specific to your needs. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/controlling-origin-requests.html for more details.

# Using an existing origin request policy for a Distribution
# bucket_origin: origins.S3Origin

cloudfront.Distribution(self, "myDistManagedPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        origin_request_policy=cloudfront.OriginRequestPolicy.CORS_S3_ORIGIN
    )
)
# Creating a custom origin request policy for a Distribution -- all parameters optional
# bucket_origin: origins.S3Origin

my_origin_request_policy = cloudfront.OriginRequestPolicy(self, "OriginRequestPolicy",
    origin_request_policy_name="MyPolicy",
    comment="A default policy",
    cookie_behavior=cloudfront.OriginRequestCookieBehavior.none(),
    header_behavior=cloudfront.OriginRequestHeaderBehavior.all("CloudFront-Is-Android-Viewer"),
    query_string_behavior=cloudfront.OriginRequestQueryStringBehavior.allow_list("username")
)

cloudfront.Distribution(self, "myDistCustomPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        origin_request_policy=my_origin_request_policy
    )
)

Customizing Response Headers with Response Headers Policies

You can configure CloudFront to add one or more HTTP headers to the responses that it sends to viewers (web browsers or other clients), without making any changes to the origin or writing any code. To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html

[!NOTE] If xssProtection reportUri is specified, then modeBlock cannot be set to true.

# Using an existing managed response headers policy
# bucket_origin: origins.S3Origin

cloudfront.Distribution(self, "myDistManagedPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        response_headers_policy=cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS
    )
)

# Creating a custom response headers policy -- all parameters optional
my_response_headers_policy = cloudfront.ResponseHeadersPolicy(self, "ResponseHeadersPolicy",
    response_headers_policy_name="MyPolicy",
    comment="A default policy",
    cors_behavior=cloudfront.ResponseHeadersCorsBehavior(
        access_control_allow_credentials=False,
        access_control_allow_headers=["X-Custom-Header-1", "X-Custom-Header-2"],
        access_control_allow_methods=["GET", "POST"],
        access_control_allow_origins=["*"],
        access_control_expose_headers=["X-Custom-Header-1", "X-Custom-Header-2"],
        access_control_max_age=Duration.seconds(600),
        origin_override=True
    ),
    custom_headers_behavior=cloudfront.ResponseCustomHeadersBehavior(
        custom_headers=[cloudfront.ResponseCustomHeader(header="X-Amz-Date", value="some-value", override=True), cloudfront.ResponseCustomHeader(header="X-Amz-Security-Token", value="some-value", override=False)
        ]
    ),
    security_headers_behavior=cloudfront.ResponseSecurityHeadersBehavior(
        content_security_policy=cloudfront.ResponseHeadersContentSecurityPolicy(content_security_policy="default-src https:;", override=True),
        content_type_options=cloudfront.ResponseHeadersContentTypeOptions(override=True),
        frame_options=cloudfront.ResponseHeadersFrameOptions(frame_option=cloudfront.HeadersFrameOption.DENY, override=True),
        referrer_policy=cloudfront.ResponseHeadersReferrerPolicy(referrer_policy=cloudfront.HeadersReferrerPolicy.NO_REFERRER, override=True),
        strict_transport_security=cloudfront.ResponseHeadersStrictTransportSecurity(access_control_max_age=Duration.seconds(600), include_subdomains=True, override=True),
        xss_protection=cloudfront.ResponseHeadersXSSProtection(protection=True, mode_block=False, report_uri="https://example.com/csp-report", override=True)
    ),
    remove_headers=["Server"],
    server_timing_sampling_rate=50
)
cloudfront.Distribution(self, "myDistCustomPolicy",
    default_behavior=cloudfront.BehaviorOptions(
        origin=bucket_origin,
        response_headers_policy=my_response_headers_policy
    )
)

Validating signed URLs or signed cookies with Trusted Key Groups

CloudFront Distribution supports validating signed URLs or signed cookies using key groups. When a cache behavior contains trusted key groups, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior.

# Validating signed URLs or signed cookies with Trusted Key Groups

# public key in PEM format
# public_key: str

pub_key = cloudfront.PublicKey(self, "MyPubKey",
    encoded_key=public_key
)

key_group = cloudfront.KeyGroup(self, "MyKeyGroup",
    items=[pub_key
    ]
)

cloudfront.Distribution(self, "Dist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.HttpOrigin("www.example.com"),
        trusted_key_groups=[key_group
        ]
    )
)

Lambda@Edge

Lambda@Edge is an extension of AWS Lambda, a compute service that lets you execute functions that customize the content that CloudFront delivers. You can author Node.js or Python functions in the US East (N. Virginia) region, and then execute them in AWS locations globally that are closer to the viewer, without provisioning or managing servers. Lambda@Edge functions are associated with a specific behavior and event type. Lambda@Edge can be used to rewrite URLs, alter responses based on headers or cookies, or authorize requests based on headers or authorization tokens.

The following shows a Lambda@Edge function added to the default behavior and triggered on every request:

# my_bucket: s3.Bucket
# A Lambda@Edge function added to default behavior of a Distribution
# and triggered on every request
my_func = cloudfront.experimental.EdgeFunction(self, "MyFunction",
    runtime=lambda_.Runtime.NODEJS_LATEST,
    handler="index.handler",
    code=lambda_.Code.from_asset(path.join(__dirname, "lambda-handler"))
)
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(my_bucket),
        edge_lambdas=[cloudfront.EdgeLambda(
            function_version=my_func.current_version,
            event_type=cloudfront.LambdaEdgeEventType.VIEWER_REQUEST
        )
        ]
    )
)

Note: Lambda@Edge functions must be created in the us-east-1 region, regardless of the region of the CloudFront distribution and stack. To make it easier to request functions for Lambda@Edge, the EdgeFunction construct can be used. The EdgeFunction construct will automatically request a function in us-east-1, regardless of the region of the current stack. EdgeFunction has the same interface as Function and can be created and used interchangeably. Please note that using EdgeFunction requires that the us-east-1 region has been bootstrapped. See https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html for more about bootstrapping regions.

If the stack is in us-east-1, a “normal” lambda.Function can be used instead of an EdgeFunction.

# Using a lambda Function instead of an EdgeFunction for stacks in `us-east-`.
my_func = lambda_.Function(self, "MyFunction",
    runtime=lambda_.Runtime.NODEJS_LATEST,
    handler="index.handler",
    code=lambda_.Code.from_asset(path.join(__dirname, "lambda-handler"))
)

If the stack is not in us-east-1, and you need references from different applications on the same account, you can also set a specific stack ID for each Lambda@Edge.

# Setting stackIds for EdgeFunctions that can be referenced from different applications
# on the same account.
my_func1 = cloudfront.experimental.EdgeFunction(self, "MyFunction1",
    runtime=lambda_.Runtime.NODEJS_LATEST,
    handler="index.handler",
    code=lambda_.Code.from_asset(path.join(__dirname, "lambda-handler1")),
    stack_id="edge-lambda-stack-id-1"
)

my_func2 = cloudfront.experimental.EdgeFunction(self, "MyFunction2",
    runtime=lambda_.Runtime.NODEJS_LATEST,
    handler="index.handler",
    code=lambda_.Code.from_asset(path.join(__dirname, "lambda-handler2")),
    stack_id="edge-lambda-stack-id-2"
)

Lambda@Edge functions can also be associated with additional behaviors, either at or after Distribution creation time.

# Associating a Lambda@Edge function with additional behaviors.

# my_func: cloudfront.experimental.EdgeFunction
# assigning at Distribution creation
# my_bucket: s3.Bucket

my_origin = origins.S3Origin(my_bucket)
my_distribution = cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=my_origin),
    additional_behaviors={
        "images/*": cloudfront.BehaviorOptions(
            origin=my_origin,
            edge_lambdas=[cloudfront.EdgeLambda(
                function_version=my_func.current_version,
                event_type=cloudfront.LambdaEdgeEventType.ORIGIN_REQUEST,
                include_body=True
            )
            ]
        )
    }
)

# assigning after creation
my_distribution.add_behavior("images/*", my_origin,
    edge_lambdas=[cloudfront.EdgeLambda(
        function_version=my_func.current_version,
        event_type=cloudfront.LambdaEdgeEventType.VIEWER_RESPONSE
    )
    ]
)

Adding an existing Lambda@Edge function created in a different stack to a CloudFront distribution.

# Adding an existing Lambda@Edge function created in a different stack
# to a CloudFront distribution.
# s3_bucket: s3.Bucket

function_version = lambda_.Version.from_version_arn(self, "Version", "arn:aws:lambda:us-east-1:123456789012:function:functionName:1")

cloudfront.Distribution(self, "distro",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(s3_bucket),
        edge_lambdas=[cloudfront.EdgeLambda(
            function_version=function_version,
            event_type=cloudfront.LambdaEdgeEventType.VIEWER_REQUEST
        )
        ]
    )
)

CloudFront Function

You can also deploy CloudFront functions and add them to a CloudFront distribution.

# s3_bucket: s3.Bucket
# Add a cloudfront Function to a Distribution
cf_function = cloudfront.Function(self, "Function",
    code=cloudfront.FunctionCode.from_inline("function handler(event) { return event.request }"),
    runtime=cloudfront.FunctionRuntime.JS_2_0
)
cloudfront.Distribution(self, "distro",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(s3_bucket),
        function_associations=[cloudfront.FunctionAssociation(
            function=cf_function,
            event_type=cloudfront.FunctionEventType.VIEWER_REQUEST
        )]
    )
)

It will auto-generate the name of the function and deploy it to the live stage.

Additionally, you can load the function’s code from a file using the FunctionCode.fromFile() method.

If you set autoPublish to false, the function will not be automatically published to the LIVE stage when it’s created.

cloudfront.Function(self, "Function",
    code=cloudfront.FunctionCode.from_inline("function handler(event) { return event.request }"),
    runtime=cloudfront.FunctionRuntime.JS_2_0,
    auto_publish=False
)

Key Value Store

A CloudFront Key Value Store can be created and optionally have data imported from a JSON file by default.

To create an empty Key Value Store:

store = cloudfront.KeyValueStore(self, "KeyValueStore")

To also include an initial set of values, the source property can be specified, either from a local file or an inline string. For the structure of this file, see Creating a file of key value pairs.

store_asset = cloudfront.KeyValueStore(self, "KeyValueStoreAsset",
    key_value_store_name="KeyValueStoreAsset",
    source=cloudfront.ImportSource.from_asset("path-to-data.json")
)

store_inline = cloudfront.KeyValueStore(self, "KeyValueStoreInline",
    key_value_store_name="KeyValueStoreInline",
    source=cloudfront.ImportSource.from_inline(JSON.stringify({
        "data": [{
            "key": "key1",
            "value": "value1"
        }, {
            "key": "key2",
            "value": "value2"
        }
        ]
    }))
)

The Key Value Store can then be associated to a function using the cloudfront-js-2.0 runtime or newer:

store = cloudfront.KeyValueStore(self, "KeyValueStore")
cloudfront.Function(self, "Function",
    code=cloudfront.FunctionCode.from_inline("function handler(event) { return event.request }"),
    # Note that JS_2_0 must be used for Key Value Store support
    runtime=cloudfront.FunctionRuntime.JS_2_0,
    key_value_store=store
)

Logging

You can configure CloudFront to create log files that contain detailed information about every user request that CloudFront receives. The logs can go to either an existing bucket, or a bucket will be created for you.

# Configure logging for Distributions

# Simplest form - creates a new bucket and logs to it.
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com")),
    enable_logging=True
)

# You can optionally log to a specific bucket, configure whether cookies are logged, and give the log files a prefix.
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com")),
    enable_logging=True,  # Optional, this is implied if logBucket is specified
    log_bucket=s3.Bucket(self, "LogBucket",
        object_ownership=s3.ObjectOwnership.OBJECT_WRITER
    ),
    log_file_prefix="distribution-access-logs/",
    log_includes_cookies=True
)

CloudFront Distribution Metrics

You can view operational metrics about your CloudFront distributions.

Default CloudFront Distribution Metrics

The following metrics are available by default for all CloudFront distributions:

  • Total requests: The total number of viewer requests received by CloudFront for all HTTP methods and for both HTTP and HTTPS requests.

  • Total bytes uploaded: The total number of bytes that viewers uploaded to your origin with CloudFront, using POST and PUT requests.

  • Total bytes downloaded: The total number of bytes downloaded by viewers for GET, HEAD, and OPTIONS requests.

  • Total error rate: The percentage of all viewer requests for which the response’s HTTP status code was 4xx or 5xx.

  • 4xx error rate: The percentage of all viewer requests for which the response’s HTTP status code was 4xx.

  • 5xx error rate: The percentage of all viewer requests for which the response’s HTTP status code was 5xx.

dist = cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com"))
)

# Retrieving default distribution metrics
requests_metric = dist.metric_requests()
bytes_uploaded_metric = dist.metric_bytes_uploaded()
bytes_downloaded_metric = dist.metric_bytes_downloaded()
total_error_rate_metric = dist.metric_total_error_rate()
http4xx_error_rate_metric = dist.metric4xx_error_rate()
http5xx_error_rate_metric = dist.metric5xx_error_rate()

Additional CloudFront Distribution Metrics

You can enable additional CloudFront distribution metrics, which include the following metrics:

  • 4xx and 5xx error rates: View 4xx and 5xx error rates by the specific HTTP status code, as a percentage of total requests.

  • Origin latency: See the total time spent from when CloudFront receives a request to when it provides a response to the network (not the viewer), for responses that are served from the origin, not the CloudFront cache.

  • Cache hit rate: View cache hits as a percentage of total cacheable requests, excluding errors.

dist = cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com")),
    publish_additional_metrics=True
)

# Retrieving additional distribution metrics
latency_metric = dist.metric_origin_latency()
cache_hit_rate_metric = dist.metric_cache_hit_rate()
http401_error_rate_metric = dist.metric401_error_rate()
http403_error_rate_metric = dist.metric403_error_rate()
http404_error_rate_metric = dist.metric404_error_rate()
http502_error_rate_metric = dist.metric502_error_rate()
http503_error_rate_metric = dist.metric503_error_rate()
http504_error_rate_metric = dist.metric504_error_rate()

HTTP Versions

You can configure CloudFront to use a particular version of the HTTP protocol. By default, newly created distributions use HTTP/2 but can be configured to use both HTTP/2 and HTTP/3 or just HTTP/3. For all supported HTTP versions, see the HttpVerson enum.

# Configure a distribution to use HTTP/2 and HTTP/3
cloudfront.Distribution(self, "myDist",
    default_behavior=cloudfront.BehaviorOptions(origin=origins.HttpOrigin("www.example.com")),
    http_version=cloudfront.HttpVersion.HTTP2_AND_3
)

Importing Distributions

Existing distributions can be imported as well; note that like most imported constructs, an imported distribution cannot be modified. However, it can be used as a reference for other higher-level constructs.

# Using a reference to an imported Distribution
distribution = cloudfront.Distribution.from_distribution_attributes(self, "ImportedDist",
    domain_name="d111111abcdef8.cloudfront.net",
    distribution_id="012345ABCDEF"
)

Permissions

Use the grant() method to allow actions on the distribution. grantCreateInvalidation() is a shorthand to allow CreateInvalidation.

# distribution: cloudfront.Distribution
# lambda_fn: lambda.Function

distribution.grant(lambda_fn, "cloudfront:ListInvalidations", "cloudfront:GetInvalidation")
distribution.grant_create_invalidation(lambda_fn)

Realtime Log Config

CloudFront supports realtime log delivery from your distribution to a Kinesis stream.

See Real-time logs in the CloudFront User Guide.

Example:

# Adding realtime logs config to a Cloudfront Distribution on default behavior.
import aws_cdk.aws_kinesis as kinesis

# stream: kinesis.Stream


real_time_config = cloudfront.RealtimeLogConfig(self, "realtimeLog",
    end_points=[
        cloudfront.Endpoint.from_kinesis_stream(stream)
    ],
    fields=["timestamp", "c-ip", "time-to-first-byte", "sc-status"
    ],
    realtime_log_config_name="my-delivery-stream",
    sampling_rate=100
)

cloudfront.Distribution(self, "myCdn",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.HttpOrigin("www.example.com"),
        realtime_log_config=real_time_config
    )
)

Migrating from the original CloudFrontWebDistribution to the newer Distribution construct

It’s possible to migrate a distribution from the original to the modern API. The changes necessary are the following:

The Distribution

Replace new CloudFrontWebDistribution with new Distribution. Some configuration properties have been changed:

Old API New API
originConfigs defaultBehavior; use additionalBehaviors if necessary
viewerCertificate certificate; use domainNames for aliases
errorConfigurations errorResponses
loggingConfig enableLogging; configure with logBucket logFilePrefix and logIncludesCookies
viewerProtocolPolicy removed; set on each behavior instead. default changed from REDIRECT_TO_HTTPS to ALLOW_ALL

After switching constructs, you need to maintain the same logical ID for the underlying CfnDistribution if you wish to avoid the deletion and recreation of your distribution. To do this, use escape hatches to override the logical ID created by the new Distribution construct with the logical ID created by the old construct.

Example:

# source_bucket: s3.Bucket


my_distribution = cloudfront.Distribution(self, "MyCfWebDistribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(source_bucket)
    )
)
cfn_distribution = my_distribution.node.default_child
cfn_distribution.override_logical_id("MyDistributionCFDistribution3H55TI9Q")

Behaviors

The modern API makes use of the CloudFront Origins module to easily configure your origin. Replace your origin configuration with the relevant CloudFront Origins class. For example, here’s a behavior with an S3 origin:

# source_bucket: s3.Bucket
# oai: cloudfront.OriginAccessIdentity


cloudfront.CloudFrontWebDistribution(self, "MyCfWebDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket,
            origin_access_identity=oai
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    )
    ]
)

Becomes:

# source_bucket: s3.Bucket


distribution = cloudfront.Distribution(self, "MyCfWebDistribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(source_bucket)
    )
)

In the original API all behaviors are defined in the originConfigs property. The new API is optimized for a single origin and behavior, so the default behavior and additional behaviors will be defined separately.

# source_bucket: s3.Bucket
# oai: cloudfront.OriginAccessIdentity


cloudfront.CloudFrontWebDistribution(self, "MyCfWebDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket,
            origin_access_identity=oai
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    ), cloudfront.SourceConfiguration(
        custom_origin_source=cloudfront.CustomOriginConfig(
            domain_name="MYALIAS"
        ),
        behaviors=[cloudfront.Behavior(path_pattern="/somewhere")]
    )
    ]
)

Becomes:

# source_bucket: s3.Bucket


distribution = cloudfront.Distribution(self, "MyCfWebDistribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(source_bucket)
    ),
    additional_behaviors={
        "/somewhere": cloudfront.BehaviorOptions(
            origin=origins.HttpOrigin("MYALIAS")
        )
    }
)

Certificates

If you are using an ACM certificate, you can pass the certificate directly to the certificate prop. Any aliases used before in the ViewerCertificate class should be passed in to the domainNames prop in the modern API.

import aws_cdk.aws_certificatemanager as acm
# certificate: acm.Certificate
# source_bucket: s3.Bucket


viewer_certificate = cloudfront.ViewerCertificate.from_acm_certificate(certificate,
    aliases=["MYALIAS"]
)

cloudfront.CloudFrontWebDistribution(self, "MyCfWebDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    )
    ],
    viewer_certificate=viewer_certificate
)

Becomes:

import aws_cdk.aws_certificatemanager as acm
# certificate: acm.Certificate
# source_bucket: s3.Bucket


distribution = cloudfront.Distribution(self, "MyCfWebDistribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(source_bucket)
    ),
    domain_names=["MYALIAS"],
    certificate=certificate
)

IAM certificates aren’t directly supported by the new API, but can be easily configured through escape hatches

# source_bucket: s3.Bucket

viewer_certificate = cloudfront.ViewerCertificate.from_iam_certificate("MYIAMROLEIDENTIFIER",
    aliases=["MYALIAS"]
)

cloudfront.CloudFrontWebDistribution(self, "MyCfWebDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    )
    ],
    viewer_certificate=viewer_certificate
)

Becomes:

# source_bucket: s3.Bucket

distribution = cloudfront.Distribution(self, "MyCfWebDistribution",
    default_behavior=cloudfront.BehaviorOptions(
        origin=origins.S3Origin(source_bucket)
    ),
    domain_names=["MYALIAS"]
)

cfn_distribution = distribution.node.default_child

cfn_distribution.add_property_override("ViewerCertificate.IamCertificateId", "MYIAMROLEIDENTIFIER")
cfn_distribution.add_property_override("ViewerCertificate.SslSupportMethod", "sni-only")

Other changes

A number of default settings have changed on the new API when creating a new distribution, behavior, and origin. After making the major changes needed for the migration, run cdk diff to see what settings have changed. If no changes are desired during migration, you will at the least be able to use escape hatches to override what the CDK synthesizes, if you can’t change the properties directly.

CloudFrontWebDistribution API

The CloudFrontWebDistribution construct is the original construct written for working with CloudFront distributions and has been marked as deprecated. Users are encouraged to use the newer Distribution instead, as it has a simpler interface and receives new features faster.

Example usage:

# Using a CloudFrontWebDistribution construct.

# source_bucket: s3.Bucket

distribution = cloudfront.CloudFrontWebDistribution(self, "MyDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    )
    ]
)

Viewer certificate

By default, CloudFront Web Distributions will answer HTTPS requests with CloudFront’s default certificate, only containing the distribution domainName (e.g. d111111abcdef8.cloudfront.net). You can customize the viewer certificate property to provide a custom certificate and/or list of domain name aliases to fit your needs.

See Using Alternate Domain Names and HTTPS in the CloudFront User Guide.

Default certificate

You can customize the default certificate aliases. This is intended to be used in combination with CNAME records in your DNS zone.

Example:

s3_bucket_source = s3.Bucket(self, "Bucket")

distribution = cloudfront.CloudFrontWebDistribution(self, "AnAmazingWebsiteProbably",
    origin_configs=[cloudfront.aws_cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.aws_cloudfront.S3OriginConfig(s3_bucket_source=s3_bucket_source),
        behaviors=[cloudfront.aws_cloudfront.Behavior(is_default_behavior=True)]
    )],
    viewer_certificate=cloudfront.ViewerCertificate.from_cloud_front_default_certificate("www.example.com")
)

ACM certificate

You can change the default certificate by one stored AWS Certificate Manager, or ACM. Those certificate can either be generated by AWS, or purchased by another CA imported into ACM.

For more information, see the aws-certificatemanager module documentation or Importing Certificates into AWS Certificate Manager in the AWS Certificate Manager User Guide.

Example:

s3_bucket_source = s3.Bucket(self, "Bucket")

certificate = certificatemanager.Certificate(self, "Certificate",
    domain_name="example.com",
    subject_alternative_names=["*.example.com"]
)

distribution = cloudfront.CloudFrontWebDistribution(self, "AnAmazingWebsiteProbably",
    origin_configs=[cloudfront.aws_cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.aws_cloudfront.S3OriginConfig(s3_bucket_source=s3_bucket_source),
        behaviors=[cloudfront.aws_cloudfront.Behavior(is_default_behavior=True)]
    )],
    viewer_certificate=cloudfront.ViewerCertificate.from_acm_certificate(certificate,
        aliases=["example.com", "www.example.com"],
        security_policy=cloudfront.SecurityPolicyProtocol.TLS_V1,  # default
        ssl_method=cloudfront.SSLMethod.SNI
    )
)

IAM certificate

You can also import a certificate into the IAM certificate store.

See Importing an SSL/TLS Certificate in the CloudFront User Guide.

Example:

s3_bucket_source = s3.Bucket(self, "Bucket")

distribution = cloudfront.CloudFrontWebDistribution(self, "AnAmazingWebsiteProbably",
    origin_configs=[cloudfront.aws_cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.aws_cloudfront.S3OriginConfig(s3_bucket_source=s3_bucket_source),
        behaviors=[cloudfront.aws_cloudfront.Behavior(is_default_behavior=True)]
    )],
    viewer_certificate=cloudfront.ViewerCertificate.from_iam_certificate("certificateId",
        aliases=["example.com"],
        security_policy=cloudfront.SecurityPolicyProtocol.SSL_V3,  # default
        ssl_method=cloudfront.SSLMethod.SNI
    )
)

Trusted Key Groups

CloudFront Web Distributions supports validating signed URLs or signed cookies using key groups. When a cache behavior contains trusted key groups, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior.

Example:

# Using trusted key groups for Cloudfront Web Distributions.
# source_bucket: s3.Bucket
# public_key: str

pub_key = cloudfront.PublicKey(self, "MyPubKey",
    encoded_key=public_key
)

key_group = cloudfront.KeyGroup(self, "MyKeyGroup",
    items=[pub_key
    ]
)

cloudfront.CloudFrontWebDistribution(self, "AnAmazingWebsiteProbably",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket
        ),
        behaviors=[cloudfront.Behavior(
            is_default_behavior=True,
            trusted_key_groups=[key_group
            ]
        )
        ]
    )
    ]
)

Restrictions

CloudFront supports adding restrictions to your distribution.

See Restricting the Geographic Distribution of Your Content in the CloudFront User Guide.

Example:

# Adding restrictions to a Cloudfront Web Distribution.
# source_bucket: s3.Bucket

cloudfront.CloudFrontWebDistribution(self, "MyDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=source_bucket
        ),
        behaviors=[cloudfront.Behavior(is_default_behavior=True)]
    )
    ],
    geo_restriction=cloudfront.GeoRestriction.allowlist("US", "GB")
)

Connection behaviors between CloudFront and your origin

CloudFront provides you even more control over the connection behaviors between CloudFront and your origin. You can now configure the number of connection attempts CloudFront will make to your origin and the origin connection timeout for each attempt.

See Origin Connection Attempts

See Origin Connection Timeout

Example usage:

# Configuring connection behaviors between Cloudfront and your origin
distribution = cloudfront.CloudFrontWebDistribution(self, "MyDistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        connection_attempts=3,
        connection_timeout=Duration.seconds(10),
        behaviors=[cloudfront.Behavior(
            is_default_behavior=True
        )
        ]
    )
    ]
)

Origin Fallback

In case the origin source is not available and answers with one of the specified status codes the failover origin source will be used.

# Configuring origin fallback options for the CloudFrontWebDistribution
cloudfront.CloudFrontWebDistribution(self, "ADistribution",
    origin_configs=[cloudfront.SourceConfiguration(
        s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=s3.Bucket.from_bucket_name(self, "aBucket", "myoriginbucket"),
            origin_path="/",
            origin_headers={
                "myHeader": "42"
            },
            origin_shield_region="us-west-2"
        ),
        failover_s3_origin_source=cloudfront.S3OriginConfig(
            s3_bucket_source=s3.Bucket.from_bucket_name(self, "aBucketFallback", "myoriginbucketfallback"),
            origin_path="/somewhere",
            origin_headers={
                "myHeader2": "21"
            },
            origin_shield_region="us-east-1"
        ),
        failover_criteria_status_codes=[cloudfront.FailoverStatusCode.INTERNAL_SERVER_ERROR],
        behaviors=[cloudfront.Behavior(
            is_default_behavior=True
        )
        ]
    )
    ]
)

KeyGroup & PublicKey API

You can create a key group to use with CloudFront signed URLs and signed cookies You can add public keys to use with CloudFront features such as signed URLs, signed cookies, and field-level encryption.

The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and save to the file named private_key.pem.

openssl genrsa -out private_key.pem 2048

The resulting file contains both the public and the private key. The following example command extracts the public key from the file named private_key.pem and stores it in public_key.pem.

openssl rsa -pubout -in private_key.pem -out public_key.pem

Note: Don’t forget to copy/paste the contents of public_key.pem file including -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines into encodedKey parameter when creating a PublicKey.

Example:

# Create a key group to use with CloudFront signed URLs and signed cookies.
cloudfront.KeyGroup(self, "MyKeyGroup",
    items=[
        cloudfront.PublicKey(self, "MyPublicKey",
            encoded_key="..."
        )
    ]
)

See: