Distribution settings reference

When you use the CloudFront console to create a new distribution or update an existing distribution, you specify the following values.

For more information about creating or updating a distribution by using the CloudFront console, see Create a distribution or Update a distribution.

Origin settings

When you use the CloudFront console to create or update a distribution, you provide information about one or more locations, known as origins, where you store the original versions of your web content. CloudFront gets your web content from your origins and serves it to viewers via a worldwide network of edge servers.

For the current maximum number of origins that you can create for a distribution, or to request a higher quota, see General quotas on distributions.

If you want to delete an origin, you must first edit or delete the cache behaviors that are associated with that origin.

Important

If you delete an origin, confirm that files that were previously served by that origin are available in another origin and that your cache behaviors are now routing requests for those files to the new origin.

When you create or update a distribution, you specify the following values for each origin.

Topics

• Origin domain
• Protocol (custom origins only)
• Origin path
• Name
• Origin access (Amazon S3 origins only)
• Add custom header
• Enable Origin Shield
• Connection attempts
• Connection timeout
• Response timeout (custom origins only)
• Keep-alive timeout (custom origins only)
• Response and keep-alive timeout quotas

Origin domain

The origin domain is the DNS domain name of the resource where CloudFront will get objects for your origin, such as an Amazon S3 bucket or HTTP server. For example:

• Amazon S3 bucket – amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com

  Note

  If you recently created the S3 bucket, the CloudFront distribution might return HTTP 307 Temporary Redirect responses for up to 24 hours. It can take up to 24 hours for the S3 bucket name to propagate to all AWS Regions. When the propagation is complete, the distribution automatically stops sending these redirect responses; you don't need to take any action. For more information, see Why am I getting an HTTP 307 Temporary Redirect response from Amazon S3? and Temporary Request Redirection.

• Amazon S3 bucket configured as a website – amzn-s3-demo-bucket.s3-website.us-west-2.amazonaws.com

• MediaStore container – examplemediastore.data.mediastore.us-west-1.amazonaws.com

• MediaPackage endpoint – examplemediapackage.mediapackage.us-west-1.amazonaws.com

• Amazon EC2 instance – ec2-203-0-113-25.compute-1.amazonaws.com

• Elastic Load Balancing load balancer – example-load-balancer-1234567890.us-west-2.elb.amazonaws.com

• Your own web server – www.example.com

Choose the domain name in the Origin domain field, or type the name. Resources from opt-in Regions must be entered manually. The domain name is not case-sensitive. Your origin domain must have a publicly resolvable DNS name that routes requests from clients to targets over the internet.

If you configure CloudFront to connect to your origin over HTTPS, one of the domain names in the certificate must match the domain name that you specify for Origin Domain Name. If no domain name matches, CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer. For more information, see Domain names in the CloudFront distribution and in the certificate and SSL/TLS negotiation failure between CloudFront and a custom origin server.

Note

If you are using an origin request policy that forwards the viewer host header to the origin, the origin must respond with a certificate that matches the viewer host header. For more information, see Add CloudFront request headers.

If your origin is an Amazon S3 bucket, note the following:

• If the bucket is configured as a website, enter the Amazon S3 static website hosting endpoint for your bucket; don’t select the bucket name from the list in the Origin domain field. The static website hosting endpoint appears in the Amazon S3 console, on the Properties page under Static website hosting. For more information, see Use an Amazon S3 bucket that's configured as a website endpoint.

• If you configured Amazon S3 Transfer Acceleration for your bucket, do not specify the s3-accelerate endpoint for Origin domain.

• If you're using a bucket from a different AWS account and if the bucket is not configured as a website, enter the name, using the following format:

  bucket-name.s3.region.amazonaws.com

  If your bucket reside in a US Region, and you want Amazon S3 to route requests to a facility in northern Virginia, use the following format:

  bucket-name.s3.us-east-1.amazonaws.com

• The files must be publicly readable unless you secure your content in Amazon S3 by using a CloudFront origin access control. For more information about access control, see Restrict access to an Amazon Simple Storage Service origin.

Important

If the origin is an Amazon S3 bucket, the bucket name must conform to DNS naming requirements. For more information, go to Bucket restrictions and limitations in the Amazon Simple Storage Service User Guide.

When you change the value of Origin domain for an origin, CloudFront immediately begins replicating the change to CloudFront edge locations. Until the distribution configuration is updated in a given edge location, CloudFront continues to forward requests to the previous origin. As soon as the distribution configuration is updated in that edge location, CloudFront begins to forward requests to the new origin.

Changing the origin does not require CloudFront to repopulate edge caches with objects from the new origin. As long as the viewer requests in your application have not changed, CloudFront continues to serve objects that are already in an edge cache until the TTL on each object expires or until seldom-requested objects are evicted.

Protocol (custom origins only)

Note

This applies only to custom origins.

The protocol policy that you want CloudFront to use when fetching objects from your origin.

Choose one of the following values:

• HTTP only: CloudFront uses only HTTP to access the origin.

  Important

  HTTP only is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 doesn’t support HTTPS connections for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.

• HTTPS only: CloudFront uses only HTTPS to access the origin.

• Match viewer: CloudFront communicates with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.

  Important

  For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL/TLS certificate on your origin server must match the domain name that you specify for Origin domain. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see Requirements for using SSL/TLS certificates with CloudFront.

Topics

• HTTP port
• HTTPS port
• Minimum origin SSL protocol

HTTP port

Note

This applies only to custom origins.

(Optional) You can specify the HTTP port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 80.

Important

Port 80 is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 only supports port 80 for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.

HTTPS port

Note

This applies only to custom origins.

(Optional) You can specify the HTTPS port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 443. When Protocol is set to HTTP only, you cannot specify a value for HTTPS port.

Minimum origin SSL protocol

Note

This applies only to custom origins.

Choose the minimum TLS/SSL protocol that CloudFront can use when it establishes an HTTPS connection to your origin. Lower TLS protocols are less secure, so we recommend that you choose the latest TLS protocol that your origin supports. When Protocol is set to HTTP only, you cannot specify a value for Minimum origin SSL protocol.

If you use the CloudFront API to set the TLS/SSL protocol for CloudFront to use, you cannot set a minimum protocol. Instead, you specify all of the TLS/SSL protocols that CloudFront can use with your origin. For more information, see OriginSslProtocols in the Amazon CloudFront API Reference.

Origin path

If you want CloudFront to request your content from a directory in your origin, enter the directory path, beginning with a slash (/). CloudFront appends the directory path to the value of Origin domain, for example, cf-origin.example.com/production/images. Do not add a slash (/) at the end of the path.

For example, suppose you’ve specified the following values for your distribution:

• Origin domain – An Amazon S3 bucket named amzn-s3-demo-bucket

• Origin path – /production

• Alternate domain names (CNAME) – example.com

When a user enters example.com/index.html in a browser, CloudFront sends a request to Amazon S3 for amzn-s3-demo-bucket/production/index.html.

When a user enters example.com/acme/index.html in a browser, CloudFront sends a request to Amazon S3 for amzn-s3-demo-bucket/production/acme/index.html.

Name

A name is a string that uniquely identifies this origin in this distribution. If you create cache behaviors in addition to the default cache behavior, you use the name that you specify here to identify the origin that you want CloudFront to route a request to when the request matches the path pattern for that cache behavior.

Origin access (Amazon S3 origins only)

Note

This applies only to Amazon S3 bucket origins (those that are not using the S3 static website endpoint).

Choose Origin access control settings (recommended) if you want to make it possible to restrict access to an Amazon S3 bucket origin to only specific CloudFront distributions.

Choose Public if the Amazon S3 bucket origin is publicly accessible.

For more information, see Restrict access to an Amazon Simple Storage Service origin.

For information about how to require users to access objects on a custom origin by using only CloudFront URLs, see Restrict access to files on custom origins.

Add custom header

If you want CloudFront to add custom headers whenever it sends a request to your origin, specify the header name and its value. For more information, see Add custom headers to origin requests.

For the current maximum number of custom headers that you can add, the maximum length of a custom header name and value, and the maximum total length of all header names and values, see Quotas.

Enable Origin Shield

Choose Yes to enable CloudFront Origin Shield. For more information about Origin Shield, see Using Amazon CloudFront Origin Shield.

Connection attempts

You can set the number of times that CloudFront attempts to connect to the origin. You can specify 1, 2, or 3 as the number of attempts. The default number (if you don’t specify otherwise) is 3.

Use this setting together with Connection timeout to specify how long CloudFront waits before attempting to connect to the secondary origin or returning an error response to the viewer. By default, CloudFront waits as long as 30 seconds (3 attempts of 10 seconds each) before attempting to connect to the secondary origin or returning an error response. You can reduce this time by specifying fewer attempts, a shorter connection timeout, or both.

If the specified number of connection attempts fail, CloudFront does one of the following:

• If the origin is part of an origin group, CloudFront attempts to connect to the secondary origin. If the specified number of connection attempts to the secondary origin fail, then CloudFront returns an error response to the viewer.

• If the origin is not part of an origin group, CloudFront returns an error response to the viewer.

For a custom origin (including an Amazon S3 bucket that’s configured with static website hosting), this setting also specifies the number of times that CloudFront attempts to get a response from the origin. For more information, see Response timeout (custom origins only).

Connection timeout

The connection timeout is the number of seconds that CloudFront waits when trying to establish a connection to the origin. You can specify a number of seconds between 1 and 10 (inclusive). The default timeout (if you don’t specify otherwise) is 10 seconds.

Use this setting together with Connection attempts to specify how long CloudFront waits before attempting to connect to the secondary origin or before returning an error response to the viewer. By default, CloudFront waits as long as 30 seconds (3 attempts of 10 seconds each) before attempting to connect to the secondary origin or returning an error response. You can reduce this time by specifying fewer attempts, a shorter connection timeout, or both.

If CloudFront doesn’t establish a connection to the origin within the specified number of seconds, CloudFront does one of the following:

• If the specified number of Connection attempts is more than 1, CloudFront tries again to establish a connection. CloudFront tries up to 3 times, as determined by the value of Connection attempts.

• If all the connection attempts fail and the origin is part of an origin group, CloudFront attempts to connect to the secondary origin. If the specified number of connection attempts to the secondary origin fail, then CloudFront returns an error response to the viewer.

• If all the connection attempts fail and the origin is not part of an origin group, CloudFront returns an error response to the viewer.

Response timeout (custom origins only)

The origin response timeout, also known as the origin read timeout or origin request timeout, applies to both of the following values:

• How long (in seconds) CloudFront waits for a response after forwarding a request to the origin.

• How long (in seconds) CloudFront waits after receiving a packet of a response from the origin and before receiving the next packet.

Tip

If you want to increase the timeout value because viewers are experiencing HTTP 504 status code errors, consider exploring other ways to eliminate those errors before changing the timeout value. See the troubleshooting suggestions in HTTP 504 status code (Gateway Timeout).

CloudFront behavior depends on the HTTP method in the viewer request:

• GET and HEAD requests – If the origin doesn’t respond or stops responding within the duration of the response timeout, CloudFront drops the connection. CloudFront tries again to connect according to the value of Connection attempts.

• DELETE, OPTIONS, PATCH, PUT, and POST requests – If the origin doesn’t respond for the duration of the read timeout, CloudFront drops the connection and doesn’t try again to contact the origin. The client can resubmit the request if necessary.

Keep-alive timeout (custom origins only)

The keep-alive timeout is how long (in seconds) CloudFront tries to maintain a connection to your custom origin after it gets the last packet of a response. Maintaining a persistent connection saves the time that is required to re-establish the TCP connection and perform another TLS handshake for subsequent requests. Increasing the keep-alive timeout helps improve the request-per-connection metric for distributions.

Note

For the Keep-alive timeout value to have an effect, your origin must be configured to allow persistent connections.

Response and keep-alive timeout quotas

Note

This applies only to custom origins.

• For response timeout, the default is 30 seconds.

• For keep-alive timeout, the default is 5 seconds.

• For either quota, you can specify a value from 1 to 60 seconds. To request an increase, create a case in the AWS Support Center Console/.

After you request a timeout increase for your AWS account, update your distribution origins so that they have the response timeout and keep-alive timeout values that you want. A quota increase for your account doesn't automatically update your origins. For example, if you're using a Lambda@Edge function to set a keep-alive timeout of 90 seconds, your origin must already have a keep-alive timeout of 90 seconds or more. Otherwise, your Lambda@Edge function might fail to execute.

For more information about distribution quotas, see General quotas on distributions.

Cache behavior settings

By setting the cache behavior, you can configure a variety of CloudFront functionality for a given URL path pattern for files on your website. For example, one cache behavior might apply to all .jpg files in the images directory on a web server that you're using as an origin server for CloudFront. The functionality that you can configure for each cache behavior includes:

• The path pattern

• If you have configured multiple origins for your CloudFront distribution, the origin to which you want CloudFront to forward your requests

• Whether to forward query strings to your origin

• Whether accessing the specified files requires signed URLs

• Whether to require users to use HTTPS to access those files

• The minimum amount of time that those files stay in the CloudFront cache regardless of the value of any Cache-Control headers that your origin adds to the files

When you create a new distribution, you specify settings for the default cache behavior, which automatically forwards all requests to the origin that you specify when you create the distribution. After you create a distribution, you can create additional cache behaviors that define how CloudFront responds when it receives a request for objects that match a path pattern, for example, *.jpg. If you create additional cache behaviors, the default cache behavior is always the last to be processed. Other cache behaviors are processed in the order in which they're listed in the CloudFront console or, if you're using the CloudFront API, the order in which they're listed in the DistributionConfig element for the distribution. For more information, see Path pattern.

When you create a cache behavior, you specify the one origin from which you want CloudFront to get objects. As a result, if you want CloudFront to distribute objects from all of your origins, you must have at least as many cache behaviors (including the default cache behavior) as you have origins. For example, if you have two origins and only the default cache behavior, the default cache behavior causes CloudFront to get objects from one of the origins, but the other origin is never used.

For the current maximum number of cache behaviors that you can add to a distribution, or to request a higher quota (formerly known as limit), see General quotas on distributions.

Topics

• Path pattern
• Origin or origin group
• Viewer protocol policy
• Allowed HTTP methods
• Field-level encryption config
• Cached HTTP methods
• Cache based on selected request headers
• Allowlist headers
• Object caching
• Minimum TTL
• Maximum TTL
• Default TTL
• Forward cookies
• Allowlist cookies
• Query string forwarding and caching
• Query string allowlist
• Smooth Streaming
• Restrict viewer access (use signed URLs or signed cookies)
• Trusted signers
• AWS account numbers
• Compress objects automatically
• CloudFront event
• Lambda function ARN
• Include body

Path pattern

A path pattern (for example, images/*.jpg) specifies to which requests you want this cache behavior to apply. When CloudFront receives an end-user request, the requested path is compared with path patterns in the order in which cache behaviors are listed in the distribution. The first match determines which cache behavior is applied to that request. For example, suppose you have three cache behaviors with the following three path patterns, in this order:

• images/*.jpg

• images/*

• *.gif

Note

You can optionally include a slash (/) at the beginning of the path pattern, for example, /images/*.jpg. CloudFront behavior is the same with or without the leading /. If you don't specify the / at the beginning of the path, this character is automatically implied; CloudFront treats the path the same with or without the leading /. For example, CloudFront treats /*product.jpg the same as *product.jpg

A request for the file images/sample.gif doesn't satisfy the first path pattern, so the associated cache behaviors are not applied to the request. The file does satisfy the second path pattern, so the cache behaviors associated with the second path pattern are applied even though the request also matches the third path pattern.

Note

When you create a new distribution, the value of Path Pattern for the default cache behavior is set to * (all files) and cannot be changed. This value causes CloudFront to forward all requests for your objects to the origin that you specified in the Origin domain field. If the request for an object does not match the path pattern for any of the other cache behaviors, CloudFront applies the behavior that you specify in the default cache behavior.

Important

Define path patterns and their sequence carefully or you may give users undesired access to your content. For example, suppose a request matches the path pattern for two cache behaviors. The first cache behavior does not require signed URLs and the second cache behavior does require signed URLs. Users are able to access the objects without using a signed URL because CloudFront processes the cache behavior associated with the first match.

If you're working with a MediaPackage channel, you must include specific path patterns for the cache behavior that you define for the endpoint type for your origin. For example, for a DASH endpoint, you type *.mpd for Path Pattern. For more information and specific instructions, see Serve live video formatted with AWS Elemental MediaPackage.

The path you specify applies to requests for all files in the specified directory and in subdirectories below the specified directory. CloudFront does not consider query strings or cookies when evaluating the path pattern. For example, if an images directory contains product1 and product2 subdirectories, the path pattern images/*.jpg applies to requests for any .jpg file in the images, images/product1, and images/product2 directories. If you want to apply a different cache behavior to the files in the images/product1 directory than the files in the images and images/product2 directories, create a separate cache behavior for images/product1 and move that cache behavior to a position above (before) the cache behavior for the images directory.

You can use the following wildcard characters in your path pattern:

• * matches 0 or more characters.

• ? matches exactly 1 character.

The following examples show how the wildcard characters work:

Path pattern	Files that match the path pattern
*.jpg	All .jpg files.
images/*.jpg	All .jpg files in the images directory and in subdirectories under the images directory.
a*.jpg	All .jpg files for which the file name begins with a, for example, apple.jpg and appalachian_trail_2012_05_21.jpg. All .jpg files for which the file path begins with a, for example, abra/cadabra/magic.jpg.
a??.jpg	All .jpg files for which the file name begins with a and is followed by exactly two other characters, for example, ant.jpg and abe.jpg.
*.doc*	All files for which the file name extension begins with .doc, for example, .doc, .docx, and .docm files. You can't use the path pattern *.doc? in this case, because that path pattern wouldn't apply to requests for .doc files; the ? wildcard character replaces exactly one character.

The maximum length of a path pattern is 255 characters. The value can contain any of the following characters:

• A-Z, a-z

  Path patterns are case-sensitive, so the path pattern *.jpg doesn't apply to the file LOGO.JPG

• 0-9

• _ - . * $ / ~ " ' @ : +

• &, passed and returned as &

Path normalization

CloudFront normalizes URI paths consistent with RFC 3986 and then matches the path with the correct cache behavior. Once the cache behavior is matched, CloudFront sends the raw URI path to the origin. If they don't match, requests are instead matched to your default cache behavior.

Some characters are normalized and removed from the path, such as multiple slashes (//) or periods (..). This can alter the URL that CloudFront uses to match the intended cache behavior.

Example

You specify the /a/b* and /a* paths for your cache behavior.

• A viewer sending the /a/b?c=1 path will match the /a/b* cache behavior.

• A viewer sending the /a/b/..?c=1 path will match the /a* cache behavior.

To work around the paths being normalized, you can update your request paths or the path pattern for the cache behavior.

Origin or origin group

This setting applies only when you create or update a cache behavior for an existing distribution.

Enter the value of an existing origin or origin group. This identifies the origin or origin group to which you want CloudFront to route requests when a request (such as https://example.com/logo.jpg) matches the path pattern for a cache behavior (such as *.jpg) or for the default cache behavior (*).

Viewer protocol policy

Choose the protocol policy that you want viewers to use to access your content in CloudFront edge locations:

• HTTP and HTTPS: Viewers can use both protocols.

• Redirect HTTP to HTTPS: Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests.

• HTTPS Only: Viewers can only access your content if they're using HTTPS.

For more information, see Require HTTPS for communication between viewers and CloudFront.

Allowed HTTP methods

Specify the HTTP methods that you want CloudFront to process and forward to your origin:

• GET, HEAD: You can use CloudFront only to get objects from your origin or to get object headers.

• GET, HEAD, OPTIONS: You can use CloudFront only to get objects from your origin, get object headers, or retrieve a list of the options that your origin server supports.

• GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE: You can use CloudFront to get, add, update, and delete objects, and to get object headers. In addition, you can perform other POST operations such as submitting data from a web form.

  Note

  CloudFront caches responses to GET and HEAD requests and, optionally, OPTIONS requests. Responses to OPTIONS requests are cached separately from responses to GET and HEAD requests (the OPTIONS method is included in the cache key for OPTIONS requests). CloudFront does not cache responses to requests that use other methods.

Important

If you choose GET, HEAD, OPTIONS or GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE, you might need to restrict access to your Amazon S3 bucket or to your custom origin to prevent users from performing operations that you don't want them to perform. The following examples explain how to restrict access:

• If you're using Amazon S3 as an origin for your distribution: Create a CloudFront origin access control to restrict access to your Amazon S3 content, and give permissions to the origin access control. For example, if you configure CloudFront to accept and forward these methods only because you want to use PUT, you must still configure Amazon S3 bucket policies to handle DELETE requests appropriately. For more information, see Restrict access to an Amazon Simple Storage Service origin.

• If you're using a custom origin: Configure your origin server to handle all methods. For example, if you configure CloudFront to accept and forward these methods only because you want to use POST, you must still configure your origin server to handle DELETE requests appropriately.

Field-level encryption config

If you want to enforce field-level encryption on specific data fields, in the dropdown list, choose a field-level encryption configuration.

For more information, see Use field-level encryption to help protect sensitive data.

Cached HTTP methods

Specify whether you want CloudFront to cache the response from your origin when a viewer submits an OPTIONS request. CloudFront always caches the response to GET and HEAD requests.

Cache based on selected request headers

Specify whether you want CloudFront to cache objects based on the values of specified headers:

• None (improves caching) – CloudFront doesn't cache your objects based on header values.

• Allowlist – CloudFront caches your objects based only on the values of the specified headers. Use Allowlist Headers to choose the headers that you want CloudFront to base caching on.

• All – CloudFront doesn't cache the objects that are associated with this cache behavior. Instead, CloudFront sends every request to the origin. (Not recommended for Amazon S3 origins.)

Regardless of the option that you choose, CloudFront forwards certain headers to your origin and takes specific actions based on the headers that you forward. For more information about how CloudFront handles header forwarding, see HTTP request headers and CloudFront behavior (custom and Amazon S3 origins).

For more information about how to configure caching in CloudFront by using request headers, see Cache content based on request headers.

Allowlist headers

These settings apply only when you choose Allowlist for Cache Based on Selected Request Headers.

Specify the headers that you want CloudFront to consider when caching your objects. Select headers from the list of available headers and choose Add. To forward a custom header, enter the name of the header in the field, and choose Add Custom.

For the current maximum number of headers that you can allowlist for each cache behavior, or to request a higher quota (formerly known as limit), see Quotas on headers.

Object caching

If your origin server is adding a Cache-Control header to your objects to control how long the objects stay in the CloudFront cache and if you don't want to change the Cache-Control value, choose Use Origin Cache Headers.

To specify a minimum and maximum time that your objects stay in the CloudFront cache regardless of Cache-Control headers, and a default time that your objects stay in the CloudFront cache when the Cache-Control header is missing from an object, choose Customize. Then specify values in the Minimum TTL, Default TTL, and Maximum TTL fields.

For more information, see Manage how long content stays in the cache (expiration).

Minimum TTL

Specify the minimum amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to determine whether the object has been updated.

For more information, see Manage how long content stays in the cache (expiration).

Maximum TTL

Specify the maximum amount of time, in seconds, that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. The value that you specify for Maximum TTL applies only when your origin adds HTTP headers such as Cache-Control max-age, Cache-Control s-maxage, or Expires to objects. For more information, see Manage how long content stays in the cache (expiration).

To specify a value for Maximum TTL, you must choose the Customize option for the Object Caching setting.

The default value for Maximum TTL is 31536000 seconds (one year). If you change the value of Minimum TTL or Default TTL to more than 31536000 seconds, then the default value of Maximum TTL changes to the value of Default TTL.

Default TTL

Specify the default amount of time, in seconds, that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated. The value that you specify for Default TTL applies only when your origin does not add HTTP headers such as Cache-Control max-age, Cache-Control s-maxage, or Expires to objects. For more information, see Manage how long content stays in the cache (expiration).

To specify a value for Default TTL, you must choose the Customize option for the Object Caching setting.

The default value for Default TTL is 86400 seconds (one day). If you change the value of Minimum TTL to more than 86400 seconds, then the default value of Default TTL changes to the value of Minimum TTL.

Forward cookies

Note

For Amazon S3 origins, this option applies to only buckets that are configured as a website endpoint.

Specify whether you want CloudFront to forward cookies to your origin server and, if so, which ones. If you choose to forward only selected cookies (an allowlist of cookies), enter the cookie names in the Allowlist Cookies field. If you choose All, CloudFront forwards all cookies regardless of how many your application uses.

Amazon S3 doesn't process cookies, and forwarding cookies to the origin reduces cache ability. For cache behaviors that are forwarding requests to an Amazon S3 origin, choose None for Forward Cookies.

For more information about forwarding cookies to the origin, go to Cache content based on cookies.

Allowlist cookies

Note

For Amazon S3 origins, this option applies to only buckets that are configured as a website endpoint.

If you chose Allowlist in the Forward Cookies list, then in the Allowlist Cookies field, enter the names of cookies that you want CloudFront to forward to your origin server for this cache behavior. Enter each cookie name on a new line.

You can specify the following wildcards to specify cookie names:

• * matches 0 or more characters in the cookie name

• ? matches exactly one character in the cookie name

For example, suppose viewer requests for an object include a cookie named:

userid_member-number

Where each of your users has a unique value for member-number. You want CloudFront to cache a separate version of the object for each member. You could accomplish this by forwarding all cookies to your origin, but viewer requests include some cookies that you don't want CloudFront to cache. Alternatively, you could specify the following value as a cookie name, which causes CloudFront to forward to the origin all of the cookies that begin with userid_:

userid_*

For the current maximum number of cookie names that you can allowlist for each cache behavior, or to request a higher quota (formerly known as limit), see Quotas on cookies (legacy cache settings).

Query string forwarding and caching

CloudFront can cache different versions of your content based on the values of query string parameters. Choose one of the following options:

None (Improves Caching)

Choose this option if your origin returns the same version of an object regardless of the values of query string parameters. This increases the likelihood that CloudFront can serve a request from the cache, which improves performance and reduces the load on your origin.

Forward all, cache based on allowlist

Choose this option if your origin server returns different versions of your objects based on one or more query string parameters. Then specify the parameters that you want CloudFront to use as a basis for caching in the Query string allowlist field.

Forward all, cache based on all

Choose this option if your origin server returns different versions of your objects for all query string parameters.

For more information about caching based on query string parameters, including how to improve performance, see Cache content based on query string parameters.

Query string allowlist

This setting applies only when you choose Forward all, cache based on allowlist for Query string forwarding and caching. You can specify the query string parameters that you want CloudFront to use as a basis for caching.

Smooth Streaming

Choose Yes if you want to distribute media files in the Microsoft Smooth Streaming format and you do not have an IIS server.

Choose No if you have a Microsoft IIS server that you want to use as an origin to distribute media files in the Microsoft Smooth Streaming format, or if you are not distributing Smooth Streaming media files.

Note

If you specify Yes, you can still distribute other content using this cache behavior if that content matches the value of Path Pattern.

For more information, see Configure video on demand for Microsoft Smooth Streaming.

Restrict viewer access (use signed URLs or signed cookies)

If you want requests for objects that match the PathPattern for this cache behavior to use public URLs, choose No.

If you want requests for objects that match the PathPattern for this cache behavior to use signed URLs, choose Yes. Then specify the AWS accounts that you want to use to create signed URLs; these accounts are known as trusted signers.

For more information about trusted signers, see Specify signers that can create signed URLs and signed cookies.

Trusted signers

This setting applies only when you choose Yes for Restrict Viewer Access (Use Signed URLs or Signed Cookies.

Choose which AWS accounts you want to use as trusted signers for this cache behavior:

• Self: Use the account with which you're currently signed into the AWS Management Console as a trusted signer. If you're currently signed in as an IAM user, the associated AWS account is added as a trusted signer.

• Specify Accounts: Enter account numbers for trusted signers in the AWS Account Numbers field.

To create signed URLs, an AWS account must have at least one active CloudFront key pair.

Important

If you're updating a distribution that you're already using to distribute content, add trusted signers only when you're ready to start generating signed URLs for your objects. After you add trusted signers to a distribution, users must use signed URLs to access the objects that match the PathPattern for this cache behavior.

AWS account numbers

This setting applies only when you choose Specify Accounts for Trusted Signers.

If you want to create signed URLs using AWS accounts in addition to or instead of the current account, enter one AWS account number per line in this field. Note the following:

• The accounts that you specify must have at least one active CloudFront key pair. For more information, see Create key pairs for your signers.

• You can't create CloudFront key pairs for IAM users, so you can't use IAM users as trusted signers.

• For information about how to get the AWS account number for an account, see View AWS account identifiers in the AWS account Management Reference Guide.

• If you enter the account number for the current account, CloudFront automatically checks the Self check box and removes the account number from the AWS Account Numbers list.

Compress objects automatically

If you want CloudFront to automatically compress files of certain types when viewers support compressed content, choose Yes. When CloudFront compresses your content, downloads are faster because the files are smaller, and your web pages render faster for your users. For more information, see Serve compressed files.

CloudFront event

This setting applies to Lambda Function Associations.

You can choose to run a Lambda function when one or more of the following CloudFront events occur:

• When CloudFront receives a request from a viewer (viewer request)

• Before CloudFront forwards a request to the origin (origin request)

• When CloudFront receives a response from the origin (origin response)

• Before CloudFront returns the response to the viewer (viewer response)

For more information, see Choose the event to trigger the function.

Lambda function ARN

This setting applies to Lambda Function Associations.

Specify the Amazon Resource Name (ARN) of the Lambda function that you want to add a trigger for. To learn how to get the ARN for a function, see step 1 of the procedure Adding Triggers by Using the CloudFront Console.

Include body

This setting applies to Lambda Function Associations.

For more information, see Include body.

Distribution settings

The following values apply to the entire distribution.

Topics

• Price class
• AWS WAF web ACL
• Alternate domain names (CNAMEs)
• SSL certificate
• Custom SSL client support
• Security policy (minimum SSL/TLS version)
• Supported HTTP versions
• Default root object
• Logging
• Bucket for logs
• Log prefix
• Cookie logging
• Enable IPv6
• Comment
• Distribution state

Price class

Choose the price class that corresponds with the maximum price that you want to pay for CloudFront service. By default, CloudFront serves your objects from edge locations in all CloudFront Regions.

For more information about price classes and about how your choice of price class affects CloudFront performance for your distribution, see CloudFront pricing.

AWS WAF web ACL

You can protect your CloudFront distribution with AWS WAF, a web application firewall that allows you to secure your web applications and APIs to block requests before they reach your servers. You can Enable AWS WAF for distributions when creating or editing a CloudFront distribution.

Optionally, you can later configure additional security protections for other threats specific to your application in the AWS WAF console at https://console.aws.amazon.com/wafv2/.

For more information about AWS WAF, see the AWS WAF Developer Guide.

Alternate domain names (CNAMEs)

Optional. Specify one or more domain names that you want to use for URLs for your objects instead of the domain name that CloudFront assigns when you create your distribution. You must own the domain name, or have authorization to use it, which you verify by adding an SSL/TLS certificate.

For example, if you want the URL for the object:

/images/image.jpg

To look like this:

https://www.example.com/images/image.jpg

Instead of like this:

https://d111111abcdef8.cloudfront.net/images/image.jpg

Add a CNAME for www.example.com.

Important

If you add a CNAME for www.example.com to your distribution, you also must do the following:

• Create (or update) a CNAME record with your DNS service to route queries for www.example.com to d111111abcdef8.cloudfront.net.

• Add a certificate to CloudFront from a trusted certificate authority (CA) that covers the domain name (CNAME) that you add to your distribution, to validate your authorization to use the domain name.

You must have permission to create a CNAME record with the DNS service provider for the domain. Typically, this means that you own the domain, or that you're developing an application for the domain owner.

For the current maximum number of alternate domain names that you can add to a distribution, or to request a higher quota (formerly known as limit), see General quotas on distributions.

For more information about alternate domain names, see Use custom URLs by adding alternate domain names (CNAMEs). For more information about CloudFront URLs, see Customize the URL format for files in CloudFront.

SSL certificate

If you specified an alternate domain name to use with your distribution, choose Custom SSL Certificate, and then, to validate your authorization to use the alternate domain name, choose a certificate that covers it. If you want viewers to use HTTPS to access your objects, choose the settings that support that.

Note

Before you can specify a custom SSL certificate, you must specify a valid alternate domain name. For more information, see Requirements for using alternate domain names and Use alternate domain names and HTTPS.

• Default CloudFront Certificate (*.cloudfront.net) – Choose this option if you want to use the CloudFront domain name in the URLs for your objects, such as https://d111111abcdef8.cloudfront.net/image1.jpg.

• Custom SSL Certificate – Choose this option if you want to use your own domain name in the URLs for your objects as an alternate domain name, such as https://example.com/image1.jpg. Then choose a certificate to use that covers the alternate domain name. The list of certificates can include any of the following:

  • Certificates provided by AWS Certificate Manager

  • Certificates that you purchased from a third-party certificate authority and uploaded to ACM

  • Certificates that you purchased from a third-party certificate authority and uploaded to the IAM certificate store

  If you choose this setting, we recommend that you use only an alternate domain name in your object URLs (https://example.com/logo.jpg). If you use your CloudFront distribution domain name (https://d111111abcdef8.cloudfront.net/logo.jpg) and a client uses an older viewer that doesn't support SNI, how the viewer responds depends on the value that you choose for Clients Supported:

  • All Clients: The viewer displays a warning because the CloudFront domain name doesn't match the domain name in your SSL/TLS certificate.

  • Only Clients that Support Server Name Indication (SNI): CloudFront drops the connection with the viewer without returning the object.

Custom SSL client support

Applies only when you choose Custom SSL Certificate (example.com) for SSL Certificate. If you specified one or more alternate domain names and a custom SSL certificate for the distribution, choose how you want CloudFront to serve HTTPS requests:

• Clients that Support Server Name Indication (SNI) - (Recommended) – With this setting, virtually all modern web browsers and clients can connect to the distribution, because they support SNI. However, some viewers might use older web browsers or clients that don’t support SNI, which means they can’t connect to the distribution.

  To apply this setting using the CloudFront API, specify sni-only in the SSLSupportMethod field. In AWS CloudFormation, the field is named SslSupportMethod (note the different capitalization).

• Legacy Clients Support – With this setting, older web browsers and clients that don’t support SNI can connect to the distribution. However, this setting incurs additional monthly charges. For the exact price, go to the Amazon CloudFront Pricing page, and search the page for Dedicated IP custom SSL.

  To apply this setting using the CloudFront API, specify vip in the SSLSupportMethod field. In AWS CloudFormation, the field is named SslSupportMethod (note the different capitalization).

For more information, see Choose how CloudFront serves HTTPS requests.

Security policy (minimum SSL/TLS version)

Specify the security policy that you want CloudFront to use for HTTPS connections with viewers (clients). A security policy determines two settings:

• The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.

• The ciphers that CloudFront can use to encrypt the content that it returns to viewers.

For more information about the security policies, including the protocols and ciphers that each one includes, see Supported protocols and ciphers between viewers and CloudFront.

The security policies that are available depend on the values that you specify for SSL Certificate and Custom SSL Client Support (known as CloudFrontDefaultCertificate and SSLSupportMethod in the CloudFront API):

• When SSL Certificate is Default CloudFront Certificate (*.cloudfront.net) (when CloudFrontDefaultCertificate is true in the API), CloudFront automatically sets the security policy to TLSv1.

• When SSL Certificate is Custom SSL Certificate (example.com) and Custom SSL Client Support is Clients that Support Server Name Indication (SNI) - (Recommended) (when CloudFrontDefaultCertificate is false and SSLSupportMethod is sni-only in the API), you can choose from the following security policies:

  • TLSv1.2_2021

  • TLSv1.2_2019

  • TLSv1.2_2018

  • TLSv1.1_2016

  • TLSv1_2016

  • TLSv1

• When SSL Certificate is Custom SSL Certificate (example.com) and Custom SSL Client Support is Legacy Clients Support (when CloudFrontDefaultCertificate is false and SSLSupportMethod is vip in the API), you can choose from the following security policies:

  • TLSv1

  • SSLv3

  In this configuration, the TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, and TLSv1_2016 security policies aren’t available in the CloudFront console or API. If you want to use one of these security policies, you have the following options:

  • Evaluate whether your distribution needs Legacy Clients Support with dedicated IP addresses. If your viewers support server name indication (SNI), we recommend that you update your distribution’s Custom SSL Client Support setting to Clients that Support Server Name Indication (SNI) (set SSLSupportMethod to sni-only in the API). This enables you to use any of the available TLS security policies, and it can also reduce your CloudFront charges.

  • If you must keep Legacy Clients Support with dedicated IP addresses, you can request one of the other TLS security policies (TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) by creating a case in the AWS Support Center.

    Note

    Before you contact AWS Support to request this change, consider the following:

    • When you add one of these security policies (TLSv1.2_2021, TLSv1.2_2019, TLSv1.2_2018, TLSv1.1_2016, or TLSv1_2016) to a Legacy Clients Support distribution, the security policy is applied to all non-SNI viewer requests for all Legacy Clients Support distributions in your AWS account. However, when viewers send SNI requests to a distribution with Legacy Clients Support, the security policy of that distribution applies. To make sure that your desired security policy is applied to all viewer requests sent to all Legacy Clients Support distributions in your AWS account, add the desired security policy to each distribution individually.

    • By definition, the new security policy doesn’t support the same ciphers and protocols as the old one. For example, if you chose to upgrade a distribution’s security policy from TLSv1 to TLSv1.1_2016, that distribution will no longer support the DES-CBC3-SHA cipher. For more information about the ciphers and protocols that each security policy supports, see Supported protocols and ciphers between viewers and CloudFront.

Supported HTTP versions

Choose the HTTP versions that you want your distribution to support when viewers communicate with CloudFront.

For viewers and CloudFront to use HTTP/2, viewers must support TLSv1.2 or later, and Server Name Indication (SNI). CloudFront does not offer native support for gRPC over HTTP/2.

For viewers and CloudFront to use HTTP/3, viewers must support TLSv1.3 and Server Name Indication (SNI). CloudFront supports HTTP/3 connection migration to allow the viewer to switch networks without losing connection. For more information about connection migration, see Connection Migration at RFC 9000.

Note

For more information about supported TLSv1.3 ciphers, see Supported protocols and ciphers between viewers and CloudFront.

Default root object

Optional. The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL of your distribution (https://www.example.com/) instead of an object in your distribution (https://www.example.com/product-description.html). Specifying a default root object avoids exposing the contents of your distribution.

The maximum length of the name is 255 characters. The name can contain any of the following characters:

• A-Z, a-z

• 0-9

• _ - . * $ / ~ " '

• &, passed and returned as &

When you specify the default root object, enter only the object name, for example, index.html. Do not add a / before the object name.

For more information, see Specify a default root object.

Logging

Whether you want CloudFront to log information about each request for an object and store the log files in an Amazon S3 bucket. You can enable or disable logging at any time. There is no extra charge if you enable logging, but you accrue the usual Amazon S3 charges for storing and accessing the files in an Amazon S3 bucket. You can delete the logs at any time. For more information about CloudFront access logs, see Configure and use standard logs (access logs).

Bucket for logs

If you chose On for Logging, the Amazon S3 bucket that you want CloudFront to store access logs in, for example, myLogs-amzn-s3-demo-bucket.s3.amazonaws.com.

Important

Don't choose an Amazon S3 bucket in the following AWS Regions. CloudFront doesn't deliver standard logs to buckets in these Regions:

• Africa (Cape Town)

• Asia Pacific (Hong Kong)

• Asia Pacific (Hyderabad)

• Asia Pacific (Jakarta)

• Asia Pacific (Melbourne)

• Canada West (Calgary)

• Europe (Milan)

• Europe (Spain)

• Europe (Zurich)

• Israel (Tel Aviv)

• Middle East (Bahrain)

• Middle East (UAE)

If you enable logging, CloudFront records information about each end-user request for an object and stores the files in the specified Amazon S3 bucket. You can enable or disable logging at any time. For more information about CloudFront access logs, see Configure and use standard logs (access logs).

Note

You must have the permissions required to get and update Amazon S3 bucket ACLs, and the S3 ACL for the bucket must grant you FULL_CONTROL. This allows CloudFront to give the awslogsdelivery account permission to save log files in the bucket. For more information, see Permissions required to configure standard logging and to access log files.

Log prefix

Optional. If you chose On for Logging, specify the string, if any, that you want CloudFront to prefix to the access log file names for this distribution, for example, exampleprefix/. The trailing slash ( / ) is optional but recommended to simplify browsing your log files. For more information about CloudFront access logs, see Configure and use standard logs (access logs).

Cookie logging

If you want CloudFront to include cookies in access logs, choose On. If you choose to include cookies in logs, CloudFront logs all cookies regardless of how you configure the cache behaviors for this distribution: forward all cookies, forward no cookies, or forward a specified list of cookies to the origin.

Amazon S3 doesn't process cookies, so unless your distribution also includes an Amazon EC2 or other custom origin, we recommend that you choose Off for the value of Cookie Logging.

For more information about cookies, go to Cache content based on cookies.

Enable IPv6

IPv6 is a new version of the IP protocol. It's the eventual replacement for IPv4 and uses a larger address space. CloudFront always responds to IPv4 requests. If you want CloudFront to respond to requests from IPv4 IP addresses (such as 192.0.2.44) and requests from IPv6 addresses (such as 2001:0db8:85a3::8a2e:0370:7334), select Enable IPv6.

In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the IpAddress parameter to restrict the IP addresses that can access your content, do not enable IPv6. If you want to restrict access to some content by IP address and not restrict access to other content (or restrict access but not by IP address), you can create two distributions. For information about creating signed URLs by using a custom policy, see Create a signed URL using a custom policy. For information about creating signed cookies by using a custom policy, see Set signed cookies using a custom policy.

If you're using a Route 53 alias resource record set to route traffic to your CloudFront distribution, you need to create a second alias resource record set when both of the following are true:

• You enable IPv6 for the distribution

• You're using alternate domain names in the URLs for your objects

For more information, see Routing traffic to an Amazon CloudFront distribution by using your domain name in the Amazon Route 53 Developer Guide.

If you created a CNAME resource record set, either with Route 53 or with another DNS service, you don't need to make any changes. A CNAME record routes traffic to your distribution regardless of the IP address format of the viewer request.

If you enable IPv6 and CloudFront access logs, the c-ip column includes values in IPv4 and IPv6 format. For more information, see Configure and use standard logs (access logs).

Note

To maintain high customer availability, CloudFront responds to viewer requests by using IPv4 if our data suggests that IPv4 will provide a better user experience. To find out what percentage of requests CloudFront is serving over IPv6, enable CloudFront logging for your distribution and parse the c-ip column, which contains the IP address of the viewer that made the request. This percentage should grow over time, but it will remain a minority of traffic as IPv6 is not yet supported by all viewer networks globally. Some viewer networks have excellent IPv6 support, but others don't support IPv6 at all. (A viewer network is analogous to your home internet or wireless carrier.)

For more information about our support for IPv6, see the CloudFront FAQ. For information about enabling access logs, see the fields Logging, Bucket for logs, and Log prefix.

Comment

Optional. When you create a distribution, you can include a comment of up to 128 characters. You can update the comment at any time.

Distribution state

Indicates whether you want the distribution to be enabled or disabled once it's deployed:

• Enabled means that as soon as the distribution is fully deployed you can deploy links that use the distribution's domain name and users can retrieve content. Whenever a distribution is enabled, CloudFront accepts and handles any end-user requests for content that use the domain name associated with that distribution.

  When you create, modify, or delete a CloudFront distribution, it takes time for your changes to propagate to the CloudFront database. An immediate request for information about a distribution might not show the change. Propagation usually completes within minutes, but a high system load or network partition might increase this time.

• Disabled means that even though the distribution might be deployed and ready to use, users can't use it. Whenever a distribution is disabled, CloudFront doesn't accept any end-user requests that use the domain name associated with that distribution. Until you switch the distribution from disabled to enabled (by updating the distribution's configuration), no one can use it.

You can toggle a distribution between disabled and enabled as often as you want. Follow the process for updating a distribution's configuration. For more information, see Update a distribution.

Custom error pages and error caching

You can have CloudFront return an object to the viewer (for example, an HTML file) when your Amazon S3 or custom origin returns an HTTP 4xx or 5xx status code to CloudFront. You can also specify how long an error response from your origin or a custom error page is cached in CloudFront edge caches. For more information, see Create a custom error page for specific HTTP status codes.

Note

The following values aren't included in the Create Distribution wizard, so you can configure custom error pages only when you update a distribution.

Topics

• HTTP error code
• Response page path
• HTTP response code
• Error caching minimum TTL (seconds)

HTTP error code

The HTTP status code for which you want CloudFront to return a custom error page. You can configure CloudFront to return custom error pages for none, some, or all of the HTTP status codes that CloudFront caches.

Response page path

The path to the custom error page (for example, /4xx-errors/403-forbidden.html) that you want CloudFront to return to a viewer when your origin returns the HTTP status code that you specified for Error Code (for example, 403). If you want to store your objects and your custom error pages in different locations, your distribution must include a cache behavior for which the following is true:

• The value of Path Pattern matches the path to your custom error messages. For example, suppose you saved custom error pages for 4xx errors in an Amazon S3 bucket in a directory named /4xx-errors. Your distribution must include a cache behavior for which the path pattern routes requests for your custom error pages to that location, for example, /4xx-errors/*.

• The value of Origin specifies the value of Origin ID for the origin that contains your custom error pages.

HTTP response code

The HTTP status code that you want CloudFront to return to the viewer along with the custom error page.

Error caching minimum TTL (seconds)

The minimum amount of time that you want CloudFront to cache error responses from your origin server.

Geographic restrictions

If you need to prevent users in selected countries from accessing your content, you can configure your CloudFront distribution with an Allowlist or a Block list. There is no additional charge for configuring geographic restrictions. For more information, see Restrict the geographic distribution of your content.