Custom origin with CloudFront
Unlike Amazon S3, which is a static object storage system, custom origins such as web servers can inspect incoming HTTP requests and decide to reject a request. You can allow only trusted CloudFront distributions to reach your origin by adding a custom header with a secret value to the origin request in CloudFront, and then inspecting that header on the origin side. If the origin web server is on AWS, an Application Load Balancer (ALB) listener rule can perform this header inspection for you.
Figure 2 — Adding a secret header from the CloudFront console
CloudFront publishes its IP address ranges
To find the IP address ranges that are associated with CloudFront edge servers, search ip-ranges.json for the following string: "service": "CLOUDFRONT". Or, directly, you can view only the CloudFront IP ranges.
Alternatively, when your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list that contains the IP address ranges of all of CloudFront's globally distributed origin-facing servers. With the prefix list, you don't need to read or maintain a list of IP address ranges yourself. The CloudFront managed prefix list is named com.amazonaws.global.cloudfront.origin-facing.
By using an IP allow list and header inspection together, your custom origin accepts traffic only from the CloudFront distributions you choose, and your private content stays unreachable to anyone who bypasses CloudFront.
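The following added example (not code from the original article or from AWS) shows both checks described above implemented on the origin side in one place: it filters an ip-ranges.json document for the "service": "CLOUDFRONT" prefixes, tests whether the connecting peer falls inside one of them, and compares the secret header value in constant time. The header name X-Origin-Verify, the secret value, and the ip-ranges.json content are constructed for the example; the prefixes use documentation address blocks and are not real CloudFront ranges.

```python
import hmac
import ipaddress
import json

# Constructed sample in the shape of AWS ip-ranges.json (documentation ranges, not real CloudFront prefixes).
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

# Assumed header name; in practice it is whatever custom origin header you configured in CloudFront.
SECRET_HEADER = "X-Origin-Verify"


def load_cloudfront_networks(ip_ranges_json: str):
    """Return the IPv4 and IPv6 prefixes tagged with service CLOUDFRONT in an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in doc.get("prefixes", []) if p.get("service") == "CLOUDFRONT"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in doc.get("ipv6_prefixes", []) if p.get("service") == "CLOUDFRONT"]
    return nets


def is_cloudfront_ip(addr: str, networks) -> bool:
    """True if addr lies in one of the CloudFront prefixes.

    addr must be the TCP peer address of the connection, not X-Forwarded-For:
    CloudFront puts the viewer's IP in X-Forwarded-For, so that header would
    never match the origin-facing server ranges.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed input is treated as not-CloudFront
    return any(ip in net for net in networks)


def header_matches(headers: dict, expected_secret: str) -> bool:
    """Constant-time comparison of the secret header; header names are case-insensitive."""
    supplied = None
    for name, value in headers.items():
        if name.lower() == SECRET_HEADER.lower():
            supplied = value
            break
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected_secret.encode())


def allow_request(peer_ip: str, headers: dict, networks, expected_secret: str) -> bool:
    """Accept the request only when both the IP allow list and the header check pass."""
    return is_cloudfront_ip(peer_ip, networks) and header_matches(headers, expected_secret)


if __name__ == "__main__":
    nets = load_cloudfront_networks(SAMPLE_IP_RANGES_JSON)
    secret = "constructed-secret-value"
    print(allow_request("198.51.100.7", {"X-Origin-Verify": secret}, nets, secret))   # True
    print(allow_request("203.0.113.7", {"X-Origin-Verify": secret}, nets, secret))    # False: not a CloudFront range
    print(allow_request("198.51.100.7", {"X-Origin-Verify": "wrong"}, nets, secret))  # False: bad secret
```

The two checks cover different failure modes: the IP allow list stops direct connections from arbitrary hosts, and the secret header stops requests that arrive through someone else's CloudFront distribution pointed at your origin. When the origin sits behind an ALB, the IP portion is better expressed as a security group rule referencing the managed prefix list and the header portion as a listener rule, but the logic is the same as above.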