# AWS CloudFormation CloudFront CDN

## Overview

Create production-ready CDN infrastructure using AWS CloudFormation templates. This skill covers CloudFront distributions, multiple origins (ALB, S3, API Gateway, Lambda@Edge, VPC Origins), cache behaviors, CloudFront Functions, security headers, and best practices for parameters, outputs, and cross-stack references.

## When to Use

- Creating CloudFront distributions with CloudFormation
- Configuring origins (ALB, S3, Lambda@Edge, VPC Origins) with path patterns
- Implementing caching with CacheBehaviors and Cache Policies
- Configuring custom domains with ACM and SecurityHeaders
- Integrating WAF with CloudFront distributions

## Instructions

Follow these steps to create CloudFront distributions with CloudFormation:

### 1. Define Distribution Parameters

Validate before deploying:

```bash
aws cloudformation validate-template --template-body file://template.yaml
cfn-lint template.yaml
```

Specify domain names, ACM certificates, price class, and origin settings:

```yaml
Parameters:
  DomainName:
    Type: String
    Default: cdn.example.com
    Description: Custom domain name for CloudFront distribution
  CertificateArn:
    # CloudFormation has no ACM-specific parameter type; constrain the String with a pattern
    Type: String
    AllowedPattern: "^arn:aws:acm:us-east-1:[0-9]{12}:certificate/[a-f0-9-]+$"
    Description: ACM certificate ARN for HTTPS (must be issued in us-east-1)
  PriceClass:
    Type: String
    Default: PriceClass_All
    AllowedValues:
      - PriceClass_All
      - PriceClass_100
      - PriceClass_200
    Description: CloudFront price class
  OriginDomainName:
    Type: String
    Description: Domain name of the origin (ALB or S3)
```

### 2. Configure Origins

Add S3 buckets, ALBs, API Gateway, or custom origins. For S3 origins, use OAI (legacy) or OAC (recommended). The bucket stays private; a bucket policy grants read access to the CloudFront service principal for this one distribution only:

```yaml
Resources:
  # S3 bucket: never public, reachable only through the distribution
  StaticBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "static-assets-${AWS::AccountId}-${AWS::Region}"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # Origin Access Control (recommended)
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4
  # Without this policy OAC-signed requests are rejected with 403 (distribution defined in step 3)
  StaticBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${StaticBucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}"
```

### 3. Set Up Default Cache Behavior

Configure viewer request/response policies and caching:

```yaml
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true   # required
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt StaticBucket.RegionalDomainName
            OriginAccessControlId: !Ref OriginAccessControl
            # An (empty) S3OriginConfig is still required alongside OAC
            S3OriginConfig:
              OriginAccessIdentity: ""
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          Compress: true
          # Ref on an AWS::CloudFront::CachePolicy returns its ID (policy defined in step 4)
          CachePolicyId: !Ref CachePolicy
```

### 4. Add Additional Cache Behaviors

Create path-specific caching rules for different content types:

```yaml
Resources:
  ApiCachePolicy:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: !Sub "${AWS::StackName}-api-cache"
        DefaultTTL: 300
        MaxTTL: 600
        MinTTL: 60
        # Required: what forms the cache key (and is forwarded to the origin)
        ParametersInCacheKeyAndForwardedToOrigin:
          EnableAcceptEncodingGzip: true
          EnableAcceptEncodingBrotli: true
          CookiesConfig:
            CookieBehavior: none
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - PathPattern: "/api/*"
            TargetOriginId: ApiOrigin
            CachePolicyId: !GetAtt ApiCachePolicy.Id
            ViewerProtocolPolicy: https-only   # required on every behavior
            # AllowedMethods accepts only [GET, HEAD], [GET, HEAD, OPTIONS] or all seven
            # methods; to accept PUT/POST the full set must be listed
            AllowedMethods:
              - GET
              - HEAD
              - OPTIONS
              - PUT
              - PATCH
              - POST
              - DELETE
            CachedMethods:
              - GET
              - HEAD
```

### 5. Configure Security Settings

Implement security headers, a TLS 1.2 floor on the viewer side, and WAF integration:

```yaml
Resources:
  SecurityHeadersPolicy:
    Type: AWS::CloudFront::ResponseHeadersPolicy
    Properties:
      ResponseHeadersPolicyConfig:
        Name: !Sub "${AWS::StackName}-security-headers"
        SecurityHeadersConfig:
          StrictTransportSecurity:
            AccessControlMaxAgeSec: 31536000
            IncludeSubdomains: true
            Override: true
          FrameOptions:
            FrameOption: DENY
            Override: true
          ContentTypeOptions:
            Override: true
  # A web ACL with Scope CLOUDFRONT must be created in us-east-1
  WAFWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Sub "${AWS::StackName}-waf"
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:   # required
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${AWS::StackName}-waf"
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        WebACLId: !GetAtt WAFWebACL.Arn   # WAFv2 web ACLs are attached by ARN
        Aliases:
          - !Ref DomainName
        ViewerCertificate:
          AcmCertificateArn: !Ref CertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        DefaultCacheBehavior:
          ResponseHeadersPolicyId: !Ref SecurityHeadersPolicy
```

### 6. Add CloudFront Functions

Configure functions for request/response manipulation:

```yaml
Resources:
  RewritePathFunction:
    Type: AWS::CloudFront::Function
    Properties:
      Name: !Sub "${AWS::StackName}-rewrite-path"
      AutoPublish: true
      FunctionConfig:   # Runtime is set here, not at the top level
        Comment: Append index.html to directory-style URIs
        Runtime: cloudfront-js-1.0
      FunctionCode: |
        function handler(event) {
          var request = event.request;
          // Serve index.html for "/" and other directory-style URIs (e.g. /docs/)
          if (request.uri.endsWith('/')) {
            request.uri += 'index.html';
          }
          return request;
        }
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          FunctionAssociations:
            - EventType: viewer-request
              FunctionARN: !GetAtt RewritePathFunction.FunctionARN
```

### 7. Configure Monitoring

Set up logging and access logs to S3:

```yaml
Resources:
  AccessLogsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "cloudfront-logs-${AWS::AccountId}"
      # Standard logging is delivered via ACLs, so the bucket must keep ACLs enabled
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          # Logging.Bucket expects the bucket domain name, not the bucket name (!Ref)
          Bucket: !GetAtt AccessLogsBucket.DomainName
          Prefix: cloudfront-logs/
          IncludeCookies: false
```

### 8. Create Outputs

Export distribution details for cross-stack references:

```yaml
Outputs:
  DistributionDomainName:
    Description: CloudFront distribution domain name
    Value: !GetAtt CloudFrontDistribution.DomainName
    Export:
      Name: !Sub "${AWS::StackName}-DistributionDomainName"
  DistributionId:
    Description: CloudFront distribution ID
    Value: !Ref CloudFrontDistribution
    Export:
      Name: !Sub "${AWS::StackName}-DistributionId"
```

## Best Practices

### Security

- Always use HTTPS with minimum TLS 1.2
- Implement SecurityHeaders with HSTS, XSS protection
- Use WAF for protection against common attacks
- Configure appropriate Access-Control for CORS
- Limit origin access with OAI/OAC
- Use Signed URLs for private content
- Implement rate limiting
- Configure geo-restrictions if needed
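
As an added example that is not part of this skill or of any AWS tooling, the following Python script audits every AWS::CloudFront::Distribution in a template against the checklist above and the settings built up in steps 3 through 7: HTTPS forced on every behavior, a response headers policy attached, a TLS 1.2 floor, OAC/OAI on S3 origins, HTTPS to custom origins, a web ACL and access logging. The finding codes, the constructed SAMPLE_TEMPLATE (one hardened and one weak distribution, in the JSON form of a template) and the handling of short-form YAML tags are this example's own assumptions.

```python
"""Audit AWS::CloudFront::Distribution resources in a CloudFormation template
against a security checklist: HTTPS, security headers, TLS floor, OAC, WAF, logging."""
import json
import sys

HTTPS_VIEWER_POLICIES = {"redirect-to-https", "https-only"}
# MinimumProtocolVersion values that enforce TLS 1.2 or newer
TLS12_OR_NEWER = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def audit_distribution(cfg):
    """Return a list of (code, message) findings for one DistributionConfig dict."""
    findings = []
    # Every behavior (default plus path-specific) must force HTTPS and set security headers
    behaviors = [("(default)", cfg.get("DefaultCacheBehavior", {}))]
    behaviors += [(b.get("PathPattern", "?"), b) for b in cfg.get("CacheBehaviors", [])]
    for pattern, b in behaviors:
        if b.get("ViewerProtocolPolicy") not in HTTPS_VIEWER_POLICIES:
            findings.append(("VIEWER_HTTP", f"behavior {pattern}: plain HTTP allowed; use redirect-to-https or https-only"))
        if not b.get("ResponseHeadersPolicyId"):
            findings.append(("NO_SECURITY_HEADERS", f"behavior {pattern}: no ResponseHeadersPolicyId (HSTS, X-Frame-Options)"))
    # The TLS floor can only be raised with a custom (ACM) certificate
    cert = cfg.get("ViewerCertificate")
    if not cert or cert.get("CloudFrontDefaultCertificate"):
        findings.append(("DEFAULT_CERT", "default *.cloudfront.net certificate; minimum TLS version cannot be raised"))
    elif cert.get("MinimumProtocolVersion") not in TLS12_OR_NEWER:
        findings.append(("WEAK_TLS", f"MinimumProtocolVersion={cert.get('MinimumProtocolVersion')!r}; use TLSv1.2_2021"))
    # S3 origins must be reached through OAC (or legacy OAI); custom origins over HTTPS only
    for o in cfg.get("Origins", []):
        oid = o.get("Id", "?")
        if "S3OriginConfig" in o:
            if not o.get("OriginAccessControlId") and not o["S3OriginConfig"].get("OriginAccessIdentity"):
                findings.append(("S3_NO_OAC", f"origin {oid}: S3 origin without OAC/OAI, so the bucket would have to be public"))
        elif "CustomOriginConfig" in o and o["CustomOriginConfig"].get("OriginProtocolPolicy") != "https-only":
            findings.append(("ORIGIN_NOT_HTTPS", f"origin {oid}: OriginProtocolPolicy should be https-only"))
    if not cfg.get("WebACLId"):
        findings.append(("NO_WAF", "no WebACLId: distribution is not behind a WAF web ACL"))
    if not cfg.get("Logging"):
        findings.append(("NO_LOGGING", "no Logging block: access logs are not retained"))
    return findings


def audit_template(template):
    """Audit every distribution in the template; returns {logical_id: findings}."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::CloudFront::Distribution":
            results[logical_id] = audit_distribution(res.get("Properties", {}).get("DistributionConfig", {}))
    return results


def load_template(path):
    """Load a JSON template, or YAML when PyYAML is installed. Short-form tags such as
    !Sub / !GetAtt are wrapped as one-key dicts; the checks only test for presence."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    try:
        import yaml  # optional dependency (assumption: PyYAML if present)
    except ImportError:
        return json.loads(text)

    class CfnLoader(yaml.SafeLoader):
        pass

    def intrinsic(loader, suffix, node):
        if isinstance(node, yaml.ScalarNode):
            return {suffix: loader.construct_scalar(node)}
        if isinstance(node, yaml.SequenceNode):
            return {suffix: loader.construct_sequence(node)}
        return {suffix: loader.construct_mapping(node)}

    CfnLoader.add_multi_constructor("!", intrinsic)
    return yaml.load(text, Loader=CfnLoader)


def _dist(cfg):
    return {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": cfg}}


# Constructed sample: one distribution that passes every check and one that fails most of them
SAMPLE_TEMPLATE = {"Resources": {
    "GoodDistribution": _dist({
        "Enabled": True,
        "WebACLId": {"Fn::GetAtt": ["WAFWebACL", "Arn"]},
        "Logging": {"Bucket": {"Fn::GetAtt": ["AccessLogsBucket", "DomainName"]}, "Prefix": "cloudfront-logs/"},
        "ViewerCertificate": {"AcmCertificateArn": {"Ref": "CertificateArn"}, "SslSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.2_2021"},
        "Origins": [{"Id": "S3Origin", "DomainName": "bucket.s3.us-east-1.amazonaws.com",
                     "OriginAccessControlId": {"Ref": "OriginAccessControl"}, "S3OriginConfig": {"OriginAccessIdentity": ""}}],
        "DefaultCacheBehavior": {"TargetOriginId": "S3Origin", "ViewerProtocolPolicy": "redirect-to-https",
                                 "ResponseHeadersPolicyId": {"Ref": "SecurityHeadersPolicy"}},
    }),
    "WeakDistribution": _dist({
        "Enabled": True,
        "Origins": [{"Id": "S3Origin", "DomainName": "bucket.s3.us-east-1.amazonaws.com", "S3OriginConfig": {"OriginAccessIdentity": ""}},
                    {"Id": "ApiOrigin", "DomainName": "alb.example.com", "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}],
        "DefaultCacheBehavior": {"TargetOriginId": "S3Origin", "ViewerProtocolPolicy": "allow-all"},
        "CacheBehaviors": [{"PathPattern": "/api/*", "TargetOriginId": "ApiOrigin", "ViewerProtocolPolicy": "https-only"}],
    }),
}}

if __name__ == "__main__":
    template = load_template(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, findings in audit_template(template).items():
        print(f"{logical_id}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run it as `python audit_cloudfront.py template.yaml` after cfn-lint; the constructed sample runs when no path is given. The checks are deliberately structural (presence of a policy ID, a web ACL ARN, a logging block) so they work on unresolved intrinsic functions; cfn-lint still validates the property names and values themselves.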

### Performance

- Use appropriate PriceClass to optimize costs
- Configure Cache TTL based on content type
- Enable compression (Gzip/Brotli)
- Use CloudFront Functions for lightweight operations
- Optimize header forwarding (do not forward unnecessary headers)
- Consider Origin Shield to reduce load on origins
- Use multiple origins with path patterns

### Monitoring

- Enable CloudWatch metrics and alarms
- Configure real-time logs for troubleshooting
- Monitor cache hit ratio
- Configure alerts for error rate and latency
- Use CloudFront reports for traffic analysis
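
The monitoring points above (cache hit ratio, error rate, latency alerts) can be checked directly against the standard access logs configured in step 7. The script below is an added example, not part of this skill: it parses CloudFront standard log lines using the `#Fields:` header, aggregates hit ratio, 5xx rate and p95 latency, and emits alerts when thresholds are crossed. The sample log is constructed, with a trimmed field list; the alert codes and thresholds are this example's own assumptions.

```python
"""Cache hit ratio, 5xx rate and latency from CloudFront standard (access) logs,
with threshold alerts. The parser is driven by the #Fields: header line."""
import math
from collections import Counter

# Constructed sample in the standard log layout (tab-separated, "#Fields:" header).
# The field list is a trimmed subset of the real one, in the real order; because the
# parser reads the header, it runs unchanged on full production log files.
_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs-uri-query x-edge-result-type cs-protocol time-taken ssl-protocol")
_ROWS = [
    "2024-05-01 12:00:01 IAD89-C1 1024 203.0.113.10 GET d111.cloudfront.net /index.html 200 - Hit https 0.002 TLSv1.3",
    "2024-05-01 12:00:02 IAD89-C1 52310 203.0.113.11 GET d111.cloudfront.net /static/app.js 200 v=3 Hit https 0.003 TLSv1.3",
    "2024-05-01 12:00:03 FRA56-P2 2048 198.51.100.7 GET d111.cloudfront.net /api/items 200 page=2 Miss https 0.412 TLSv1.2",
    "2024-05-01 12:00:04 FRA56-P2 512 198.51.100.7 POST d111.cloudfront.net /api/items 502 - Error https 1.950 TLSv1.2",
    "2024-05-01 12:00:05 IAD89-C1 301 203.0.113.12 GET d111.cloudfront.net /index.html 301 - Redirect http 0.001 -",
    "2024-05-01 12:00:06 SIN2-C1 8192 192.0.2.44 GET d111.cloudfront.net /static/logo.png 200 - RefreshHit https 0.020 TLSv1",
    "2024-05-01 12:00:07 SIN2-C1 128 192.0.2.45 GET d111.cloudfront.net /api/items 504 id=9 Error https 30.001 TLSv1.2",
    "2024-05-01 12:00:08 IAD89-C1 4096 203.0.113.13 GET d111.cloudfront.net /docs/ 200 - Miss https 0.180 TLSv1.3",
]
SAMPLE_LOG = "#Version: 1.0\n#Fields: " + _FIELDS + "\n" + "\n".join("\t".join(r.split()) for r in _ROWS) + "\n"


def parse_standard_log(text):
    """Return one dict per request; the #Fields: header supplies the column names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # truncated or partially written line: skip rather than crash
        records.append(dict(zip(fields, values)))
    return records


def summarize(records):
    """Aggregate the metrics worth alerting on."""
    result_types = Counter(r["x-edge-result-type"] for r in records)
    hits = result_types["Hit"] + result_types["RefreshHit"]
    misses = result_types["Miss"]
    total = len(records)
    server_errors = sum(1 for r in records if r["sc-status"].startswith("5"))
    latencies = sorted(float(r["time-taken"]) for r in records)
    # Nearest-rank p95 of time-taken (seconds)
    p95 = latencies[min(len(latencies) - 1, math.ceil(0.95 * len(latencies)) - 1)] if latencies else 0.0
    return {
        "requests": total,
        # Hits over cacheable outcomes; Error and Redirect are reported separately
        "cache_hit_ratio": hits / (hits + misses) if hits + misses else 0.0,
        "error_5xx_rate": server_errors / total if total else 0.0,
        "p95_seconds": p95,
        "plaintext_http": sum(1 for r in records if r["cs-protocol"] == "http"),
        "legacy_tls": sum(1 for r in records if r["ssl-protocol"] in ("TLSv1", "TLSv1.1")),
        "result_types": dict(result_types),
    }


def check_thresholds(summary, min_hit_ratio=0.8, max_5xx_rate=0.05, max_p95_seconds=5.0):
    """Return (code, message) alerts for the thresholds a CloudWatch alarm would carry."""
    alerts = []
    if summary["cache_hit_ratio"] < min_hit_ratio:
        alerts.append(("LOW_HIT_RATIO", f"cache hit ratio {summary['cache_hit_ratio']:.0%} below {min_hit_ratio:.0%}; review TTLs and cache keys"))
    if summary["error_5xx_rate"] > max_5xx_rate:
        alerts.append(("HIGH_5XX_RATE", f"5xx rate {summary['error_5xx_rate']:.0%} above {max_5xx_rate:.0%}; check origin health"))
    if summary["p95_seconds"] > max_p95_seconds:
        alerts.append(("HIGH_LATENCY", f"p95 time-taken {summary['p95_seconds']:.3f}s above {max_p95_seconds}s"))
    if summary["legacy_tls"]:
        alerts.append(("LEGACY_TLS", f"{summary['legacy_tls']} request(s) negotiated TLS 1.0/1.1; the viewer TLS floor is below 1.2"))
    return alerts


if __name__ == "__main__":
    summary = summarize(parse_standard_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
    for code, msg in check_thresholds(summary):
        print(f"ALERT [{code}] {msg}")
```

Point `parse_standard_log` at a decompressed log object from the logging bucket to run it on real data; the thresholds mirror what the CloudWatch alarms recommended above would carry, and the LEGACY_TLS alert is a cheap cross-check that the MinimumProtocolVersion from step 5 is actually in force.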

### Deployment

- Use change sets before deployment
- Test templates with cfn-lint
- Organize stacks by lifecycle and ownership
- Implement blue/green deployments with weighted aliases
- Use StackSets for multi-region deployment

### Template Structure

- Use AWS-specific parameter types (AWS::ACM::Certificate::Arn, AWS::S3::Bucket::RegionalDomainName)
- Implement parameter constraints (MinLength, MaxLength, AllowedValues, AllowedPattern)
- Use Conditions for environment-specific configuration
- Leverage Mappings for region-specific configuration
- Apply Metadata for parameter grouping and labels
- Use nested stacks for modularity

### Cache Strategy

- Use Cache Policies for different content types
- Configure Origin Request Policies to control what's sent to origin
- Set appropriate TTL values:
  - Static assets: 86400-31536000 seconds (1 day to 1 year)
  - API responses: 60-600 seconds (1-10 minutes)
  - Dynamic content: 0 seconds (no caching)
- Enable compression for text-based content
- Use versioned paths for cache busting

## Constraints and Warnings

- ACM certificates: Must be in us-east-1 (N. Virginia) for CloudFront
- Limits: Max 200 distributions per AWS account, 25 origins per distribution, 25 cache behaviors per distribution
- Deployment time: CloudFront distributions take up to 30 minutes to deploy; plan accordingly
- Certificate requirements: Max 100 alternate domain names per distribution; include default domain for SSL
- OAI deprecation: Prefer Origin Access Control (OAC) over Origin Access Identity (OAI) for S3 origins
- Lambda@Edge limits: 128MB memory, 30s timeout for viewer request/response; separate limits apply for origin requests
- Change sets: Always use change sets before deploying to preview resource changes and avoid accidental deletions
- Drift detection: CloudFormation does not detect drift for CloudFront distributions; manage all settings in templates

## Examples

### Minimal S3 Static Site Distribution

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "cdn-static-${AWS::AccountId}"
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${AWS::StackName}-oac"
        OriginAccessControlOriginType: s3
        SigningBehavior: always
        SigningProtocol: sigv4
  # Grants read access to this distribution only; without it CloudFront gets 403 from S3
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudfront.amazonaws.com
            Action: s3:GetObject
            Resource: !Sub "${S3Bucket.Arn}/*"
            Condition:
              StringEquals:
                AWS:SourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}"
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultRootObject: index.html
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt S3Bucket.RegionalDomainName
            OriginAccessControlId: !Ref OriginAccessControl
            S3OriginConfig:
              OriginAccessIdentity: ""
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          Compress: true
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # managed CachingOptimized policy
        PriceClass: PriceClass_All
        HttpVersion: http2and3
Outputs:
  DistributionDomainName:
    Value: !GetAtt CloudFrontDistribution.DomainName
```

### Multi-Origin with Cache Behaviors

```yaml
Resources:
  CachePolicyApi:
    Type: AWS::CloudFront::CachePolicy
    Properties:
      CachePolicyConfig:
        Name: !Sub "${AWS::StackName}-api"
        DefaultTTL: 300
        MaxTTL: 600
        MinTTL: 60
        ParametersInCacheKeyAndForwardedToOrigin:   # required
          EnableAcceptEncodingGzip: true
          EnableAcceptEncodingBrotli: true
          CookiesConfig:
            CookieBehavior: none
          HeadersConfig:
            HeaderBehavior: none
          QueryStringsConfig:
            QueryStringBehavior: all
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: S3Origin
            DomainName: !GetAtt StaticBucket.RegionalDomainName
            OriginAccessControlId: !Ref OriginAccessControl
            S3OriginConfig:
              OriginAccessIdentity: ""
          - Id: ApiOrigin
            DomainName: !GetAtt ApiLoadBalancer.DNSName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              HTTPPort: 80
              HTTPSPort: 443
        DefaultCacheBehavior:   # required; catches everything not matched below
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # managed CachingOptimized policy
        CacheBehaviors:
          - PathPattern: "/api/*"
            TargetOriginId: ApiOrigin
            CachePolicyId: !GetAtt CachePolicyApi.Id
            ViewerProtocolPolicy: https-only
          - PathPattern: "/static/*"
            TargetOriginId: S3Origin
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
```

## References

For detailed implementation guidance, see:

- template-structure.md - Complete template structure, AWS-specific parameter types, parameter constraints, SSM parameter references, metadata for parameter grouping, transform for macros, conditions for environment-specific configuration, nested stacks, and cross-stack references with export/import patterns
- origins.md - Origin configuration including S3 origins with OAI/OAC, ALB origins with security groups, API Gateway origins (REST and HTTP APIs), Lambda@Edge origins, VPC origins with Global Accelerator, custom origins, and multi-origin configurations with path patterns
- caching.md - Cache policies (managed, custom, images, videos), origin request policies, response headers policies, cache behaviors configuration, forwarded values (query strings, headers, cookies), cache key configuration, and TTL configuration best practices
- security.md - Security headers (CSP, HSTS, XSS protection), CORS configuration, WAF integration with managed and custom rules, origin access control (OAI vs OAC), signed URLs and signed cookies, geo-restrictions, HTTPS enforcement, TLS configuration, and field-level encryption
- advanced-features.md - CloudFront Functions (viewer request, viewer response, origin request), Lambda@Edge for authentication and URL rewriting, geo-restrictions, price class optimization, compression (Gzip and Brotli), real-time logs to Kinesis and S3, custom error pages, function associations, and Origin Shield configuration
- constraints.md - Resource limits (200 distributions max, 25 origins max, 25 cache behaviors max), DNS and certificate constraints (ACM in us-east-1, 300 alternate domain names), operational constraints (15 invalidations max, 30 min deployment), security constraints (HTTPS, CSP, WAF), and cost considerations (data transfer, regional pricing, Lambda@Edge costs)