Amazon CloudFront - Developer Guide


Copyright © 2022 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon CloudFront? ... 1
    How you set up CloudFront to deliver content ... 1
    Use cases ... 3
        Accelerate static website content delivery ... 3
        Serve video on demand or live streaming video ... 3
        Encrypt specific fields throughout system processing ... 4
        Customize at the edge ... 4
        Serve private content by using Lambda@Edge customizations ... 4
    How CloudFront delivers content ... 5
        How CloudFront delivers content to your users ... 5
        How CloudFront works with regional edge caches ... 6
    Locations and IP address ranges of CloudFront edge servers ... 8
        Use the CloudFront managed prefix list ... 8
    Accessing CloudFront ... 8
    How to get started with Amazon CloudFront ... 9
    AWS Identity and Access Management ... 9
    CloudFront pricing ... 9
        Savings bundle ... 11
        Choosing the price class for a CloudFront distribution ... 14

Setting up ... 16
    Sign up for AWS ... 16
    Access your account ... 16
        Access the console ... 17
        Access the API, AWS CLI, AWS Tools for Windows PowerShell, or the AWS SDKs ... 17
    Create an IAM user ... 17
    Set up the AWS Command Line Interface or AWS Tools for Windows PowerShell ... 18
    Download an AWS SDK ... 19

Getting started ... 20
    Getting started with a simple distribution ... 20
        Prerequisites ... 20
        Step 1: Upload your content to Amazon S3 and grant object permissions ... 21
        Step 2: Create a CloudFront distribution ... 22
        Step 3: Access your content through CloudFront ... 22
    Getting started with a secure static website ... 23
        Solution overview ... 24
        Deploying the solution ... 24

Working with distributions ... 28
    Overview of distributions ... 28
        Actions you can use with distributions ... 29
        Required fields for creating and updating distributions ... 29
    Creating, updating, and deleting distributions ... 31
        Steps for creating a distribution ... 31
        Creating a distribution ... 32
        Values that you specify ... 33
        Values that are displayed ... 55
        Testing a distribution ... 56
        Updating a distribution ... 57
        Tagging a distribution ... 58
        Deleting a distribution ... 59
    Using various origins ... 60
        Using an Amazon S3 bucket ... 60
        Using a MediaStore container or a MediaPackage channel ... 63
        Using an Application Load Balancer ... 64
        Using a Lambda function URL ... 64
        Using Amazon EC2 (or another custom origin) ... 65
        Using CloudFront origin groups ... 65
    Using custom URLs ... 66
        Adding an alternate domain name ... 66
        Moving an alternate domain name to a different distribution ... 68
        Removing an alternate domain name ... 72
        Using wildcards in alternate domain names ... 73
        Requirements for using alternate domain names ... 73
        Restrictions on using alternate domain names ... 74
    Using WebSockets ... 75
        How the WebSocket protocol works ... 76
        WebSocket requirements ... 76

Working with policies ... 77
    Controlling the cache key ... 77
        Creating cache policies ... 78
        Understanding cache policies ... 81
        Using the managed cache policies ... 85
        Understanding the cache key ... 87
    Controlling origin requests ... 89
        Creating origin request policies ... 90
        Understanding origin request policies ... 93
        Using the managed origin request policies ... 95
    Adding the CloudFront HTTP headers ... 96
        Headers for determining the viewer's device type ... 97
        Headers for determining the viewer's location ... 97
        Other CloudFront headers ... 98
    Adding response headers ... 98
        Creating response headers policies ... 99
        Using the managed response headers policies ... 103
        Understanding response headers policies ... 107

Adding, removing, or replacing content ... 113
    Adding and accessing content ... 113
    Updating existing content ... 113
        Updating existing files using versioned file names ... 114
        Updating existing content using the same file names ... 114
    Removing content so CloudFront won't distribute it ... 115
    Customizing file URLs ... 115
        Using your own domain name () ... 115
        Using a trailing slash (/) in URLs ... 116
        Creating signed URLs for restricted content ... 116
    Specifying a default root object ... 116
        How to specify a default root object ... 116
        How default root object works ... 117
        How CloudFront works if you don't define a root object ... 118
    Invalidating files ... 118
        Choosing between invalidating files and using versioned file names ... 119
        Determining which files to invalidate ... 120
        Specifying the files to invalidate ... 120
        Invalidating files using the console ... 122
        Invalidating files using the CloudFront API ... 124
        Concurrent invalidation request maximum ... 124
        Paying for file invalidation ... 125
    Serving compressed files ... 125
        Configuring CloudFront to compress objects ... 125
        How CloudFront compression works ... 126
        Notes about CloudFront compression ... 126
        File types that CloudFront compresses ... 127
        ETag header conversion ... 129
    Generating custom error responses ... 129
        Configuring error response behavior ... 130
        Creating a custom error page for specific HTTP status codes ... 131
        Storing objects and custom error pages in different locations ... 132
        Changing response codes returned by CloudFront ... 132
        Controlling how long CloudFront caches errors ... 133

Configuring secure access and restricting access to content ... 134
    Using HTTPS with CloudFront ... 134
        Requiring HTTPS between viewers and CloudFront ... 135
        Requiring HTTPS to a custom origin ... 136
        Requiring HTTPS to an Amazon S3 origin ... 138
        Supported protocols and ciphers between viewers and CloudFront ... 139
        Supported protocols and ciphers between CloudFront and the origin ... 143
        Charges for HTTPS connections ... 144
    Using alternate domain names and HTTPS ... 144
        Choosing how CloudFront serves HTTPS requests ... 145
        Requirements for using SSL/TLS certificates with CloudFront ... 147
        Quotas on using SSL/TLS certificates with CloudFront (HTTPS between viewers and CloudFront only) ... 150
        Configuring alternate domain names and HTTPS ... 151
        Determining the size of the public key in an SSL/TLS RSA certificate ... 154
        Increasing the quotas for SSL/TLS certificates ... 154
        Rotating SSL/TLS certificates ... 155
        Reverting from a custom SSL/TLS certificate to the default CloudFront certificate ... 156
        Switching from a custom SSL/TLS certificate with dedicated IP addresses to SNI ... 157
    Restricting content with signed URLs and signed cookies ... 157
        Overview of serving private content ... 158
        Task list for serving private content ... 159
        Specifying signers ... 160
        Choosing between signed URLs and signed cookies ... 166
        Using signed URLs ... 166
        Using signed cookies ... 180
        Using Linux commands and OpenSSL for base64 encoding and encryption ... 194
        Code examples for signed URLs ... 195
    Restricting access to an Amazon S3 origin ... 213
        Creating a new origin access control ... 214
        Migrating from origin access identity (OAI) to origin access control (OAC) ... 219
        Advanced settings for origin access control ... 220
        Using an origin access identity (legacy, not recommended) ... 221
    Restricting access to Application Load Balancers ... 223
        Configuring CloudFront to add a custom HTTP header to requests ... 224
        Configuring an Application Load Balancer to only forward requests that contain a specific header ... 226
        (Optional) Improve the security of this solution ... 229
    Using AWS WAF to control access to your content ... 230
    Geographically restricting content ... 231
        Using CloudFront geographic restrictions ... 231
        Using a third-party geolocation service ... 232
    Using field-level encryption to help protect sensitive data ... 234
        Overview of field-level encryption ... 236
        Setting up field-level encryption ... 237
        Decrypting data fields at your origin ... 240

Optimizing caching and availability ... 243
    Caching with edge locations ... 243
    Improving your cache hit ratio ... 243
        Specifying how long CloudFront caches your objects ... 244
        Using Origin Shield ... 244
        Caching based on query string parameters ... 244
        Caching based on cookie values ... 245
        Caching based on request headers ... 245
        Remove Accept-Encoding header when compression is not needed ... 246
        Serving media content by using HTTP ... 246
    Using Origin Shield ... 246
        Use cases for Origin Shield ... 247
        Choosing the AWS Region for Origin Shield ... 250
        Enabling Origin Shield ... 251
        Estimating Origin Shield costs ... 253
        Origin Shield high availability ... 253
        How Origin Shield interacts with other CloudFront features ... 253
    Increasing availability with origin failover ... 254
        Creating an origin group ... 255
        Controlling origin timeouts and attempts ... 256
        Use origin failover with Lambda@Edge functions ... 257
        Use custom error pages with origin failover ... 257
    Managing cache expiration ... 258
        Using headers to control cache duration for individual objects ... 259
        Specifying the amount of time that CloudFront caches objects ... 259
        Adding headers to your objects using the Amazon S3 console ... 262
    Caching and query string parameters ... 263
        Console and API settings for query string forwarding and caching ... 264
        Optimizing caching ... 264
        Query string parameters and CloudFront standard logs (access logs) ... 265
    Caching content based on cookies ... 265
    Caching content based on request headers ... 267
        Headers and distributions - overview ... 268
        Selecting the headers to base caching on ... 269
        Configuring CloudFront to respect CORS settings ... 269
        Configuring caching based on the device type ... 270
        Configuring caching based on the language of the viewer ... 270
        Configuring caching based on the location of the viewer ... 270
        Configuring caching based on the protocol of the request ... 270
        Configuring caching for compressed files ... 270
        How caching based on headers affects performance ... 271
        How the case of headers and header values affects caching ... 271
        Headers that CloudFront returns to the viewer ... 271

Troubleshooting ... 272
    Troubleshooting distribution issues ... 272
        CloudFront returns an InvalidViewerCertificate error when I try to add an alternate domain name ... 272
        I can't view the files in my distribution ... 273
        Error message: Certificate: is being used by CloudFront ... 274
    Troubleshooting error responses from your origin ... 275
        HTTP 400 status code (Bad Request) ... 275
        HTTP 500 status code (Lambda execution error) ... 276
        HTTP 502 status code (Bad Gateway) ... 276
        HTTP 502 status code (Lambda validation error) ... 278
        HTTP 502 status code (DNS error) ... 278
        HTTP 503 status code (Lambda limit exceeded) ... 279
        HTTP 503 status code (Service Unavailable) ... 279
        HTTP 504 status code (Gateway Timeout) ... 280
    Load testing CloudFront ... 283

Request and response behavior ... 284
    Request and response behavior for Amazon S3 origins ... 284
        How CloudFront processes HTTP and HTTPS requests ... 284
        How CloudFront processes and forwards requests to your Amazon S3 origin ... 284
        How CloudFront processes responses from your Amazon S3 origin ... 289
    Request and response behavior for custom origins ... 290
        How CloudFront processes and forwards requests to your custom origin ... 291
        How CloudFront processes responses from your custom origin ... 300
    Request and response behavior for origin groups ... 303
    Adding custom headers to origin requests ... 304
        Use cases for origin custom headers ... 304
        Configuring CloudFront to add custom headers to origin requests ... 305
        Custom headers that CloudFront can't add to origin requests ... 305
        Configuring CloudFront to forward the Authorization header ... 306
    How range GETs are processed ... 306
        Use range requests to cache large objects ... 307
    How CloudFront processes HTTP 3xx status codes from your origin ... 307
    How CloudFront processes and caches HTTP 4xx and 5xx status codes from your origin ... 308
        How CloudFront processes errors when you have configured custom error pages ... 309
        How CloudFront processes errors when you have not configured custom error pages ... 310
        HTTP 4xx and 5xx status codes that CloudFront caches ... 311

Video on demand (VOD) and live streaming video ... 313
    About streaming video: video on demand and live streaming ... 313
    Delivering video on demand (VOD) ... 314
        Configuring video on demand for Microsoft Smooth Streaming ... 314
    Delivering live streaming video ... 316
        Serving video using AWS Elemental MediaStore as the origin ... 316
        Serving live video formatted with AWS Elemental MediaPackage ... 317

Customizing with edge functions ... 321
    Choosing between CloudFront Functions and Lambda@Edge ... 321
    Customizing with CloudFront Functions ... 323
        Tutorial: Creating a simple function ... 323
        Writing function code (programming model) ... 327
        Managing functions ... 352
    Customizing with Lambda@Edge ... 364
        Get started creating and using Lambda@Edge functions ... 365
        Setting IAM permissions and roles ... 375
        Writing and creating functions ... 380
        Adding triggers ... 383
        Testing and debugging ... 388
        Deleting functions and replicas ... 393
        Event structure ... 393
        Working with requests and responses ... 404
        Example functions ... 408
    Restrictions on edge functions ... 434
        Restrictions on all edge functions ... 434
        Restrictions on CloudFront Functions ... 438
        Restrictions on Lambda@Edge ... 439

Reports, metrics, and logs ... 442
    AWS billing and usage reports for CloudFront ... 442
        AWS billing report for CloudFront ... 443
        AWS usage report for CloudFront ... 443
        Interpreting your AWS bill and the AWS usage report for CloudFront ... 444
    CloudFront console reports ... 447
        CloudFront cache statistics reports ... 449
        CloudFront popular objects report ... 452
        CloudFront top referrers report ... 456
        CloudFront usage reports ... 458
        CloudFront viewers reports ... 463


Monitoring CloudFront metrics with Amazon CloudWatch .......... 470
Viewing CloudFront and edge function metrics .......... 471
Creating alarms .......... 476
Downloading metrics data .......... 476
Getting metrics using the API .......... 478

CloudFront and edge function logging .......... 482
Logging requests .......... 482
Logging edge functions .......... 483
Logging service activity .......... 483
Using standard logs (access logs) .......... 483
Real-time logs .......... 496
Edge function logs .......... 508
Capturing API requests with CloudTrail .......... 509

Tracking configuration changes with AWS Config .......... 514
Set up AWS Config with CloudFront .......... 514
View CloudFront configuration history .......... 515

Security .......... 516
Data protection .......... 516
Encryption in transit .......... 517
Encryption at rest .......... 518
Restrict access to content .......... 518
Identity and Access Management (IAM) .......... 518
Authentication .......... 519
Access control .......... 520
Overview of managing access .......... 520
Using IAM policies for CloudFront .......... 525
CloudFront API permissions reference .......... 530
AWS managed policies .......... 534
Logging and monitoring .......... 537
Compliance validation .......... 538
CloudFront compliance best practices .......... 538
Resilience .......... 539
CloudFront origin failover .......... 539
Infrastructure security .......... 539

Quotas .......... 541
General quotas .......... 541
General quotas on distributions .......... 541
General quotas on policies .......... 542
Quotas on CloudFront Functions .......... 543
Quotas on Lambda@Edge .......... 544
Quotas on SSL certificates .......... 545
Quotas on invalidations .......... 545
Quotas on key groups .......... 545
Quotas on WebSocket connections .......... 545
Quotas on field-level encryption .......... 546
Quotas on cookies (legacy cache settings) .......... 546
Quotas on query strings (legacy cache settings) .......... 547
Quotas on headers .......... 547

Related information .......... 548
Additional Amazon CloudFront documentation .......... 548
Getting support .......... 548
CloudFront developer tools and SDKs .......... 548
Tips from the Amazon Web Services blog .......... 549

Document history .......... 550
AWS glossary .......... 555
