Amazon CloudFront Key Features

Protection against network and application layer attacks
Amazon CloudFront, AWS Shield, AWS Web Application Firewall (WAF), and Amazon Route 53 work seamlessly together to create a flexible, layered security perimeter against multiple types of attacks including network and application layer DDoS attacks. All of these services co-reside at the AWS edge and provide a scalable, reliable, and high-performance security perimeter for applications and content. With CloudFront as the “front door” to an application and infrastructure, the primary attack surface is moved away from critical content, data, code and infrastructure. 

Learn more about AWS Best Practices for DDoS Resiliency.

With Amazon CloudFront, content, APIs or applications can be delivered over HTTPS using the latest version Transport Layer Security (TLSv1.3) to encrypt and secure communication between viewer clients and CloudFront. AWS Certificate Manager (ACM) can be used to easily create a custom SSL certificate and deploy to an CloudFront distribution for free. ACM automatically handles certificate renewal, eliminating the overhead and costs of a manual renewal process. Additionally, CloudFront provides a number of TLS optimizations and advanced capabilities such as full/half bridge HTTPS connections, OCSP stapling, Session Tickets, Perfect Forward Secrecy, TLS Protocol Enforcements and Field-Level Encryption.

With Amazon CloudFront, access is restricted to content through a number of capabilities. With Signed URLs and Signed Cookies, Token Authentication is supported to restrict access to only authenticated viewers. Through geo-restriction capability, users can be prevented in specific geographic locations from accessing content that is distributed through CloudFront. With Origin Access Identity (OAI) feature, access can be restricted to an Amazon S3 bucket, making it only accessible from CloudFront. 

Learn more.

CloudFront infrastructure (excluding CloudFront embedded POPs) and processes are all compliant with PCI-DSS Level 1, HIPAA, and ISO 9001, ISO/IEC 27001:2013, 27017:2015, 27018:2019, SOC (1, 2 and 3), FedRAMP Moderate and more to ensure secure delivery for sensitive data.

CloudFront offers fast change propagation and invalidations, within a matter of minutes. Typically, changes are propagated to the edge in a matter of a few minutes, and invalidation times are under two minutes

Amazon CloudFront provides developers with a full-featured API to create, configure and maintain CloudFront distributions. In addition, developers have access to a number of tools such as AWS CloudFormation, CodeDeploy, CodeCommit and AWS SDKs to configure and deploy their workloads with Amazon CloudFront.

Your CloudFront distribution can be configured with multiple behaviors which govern how CloudFront will process your request and what features will be applied. Customize CloudFront behaviors, such as: how CloudFront caches, how CloudFront communicates with your origin, what headers and metadata are forwarded to your origin, create content variants with flexible cache-key manipulation, select compression modes, what headers are added to your HTTP responses, and more. With built-in device detection, CloudFront can detect the device type (Desktop, Tablet, Smart TV, or Mobile device) and pass that information in the form of new HTTP Headers to your application to easily adapt content variants or other responses. Amazon CloudFront can also detect the country-level location of the requesting user for further customization of the response.

CloudFront offers personalized pricing options including pay-as-you-go, the CloudFront Security Savings Bundle, and custom pricing. Pay-as-you-go pricing is simple with no upfront fees. If you are looking for a discount, the CloudFront Security Savings Bundle that helps you save up to 30% on your CloudFront bill in exchange for a monthly spend commitment for a 1-year term. The savings bundle also includes free AWS WAF usage up to 10% of the monthly committed spend. For customers who are willing to make certain minimum traffic commitments (typically 10 TB/month or higher), we also offer additional discounts with private committed pricing.

Learn more about Amazon CloudFront pricing

If AWS origins such as Amazon S3, Amazon EC2 or Elastic Load Balancing are used, there is no charge incurred for data transferred from origins to CloudFront Edge locations (this type of data transfer is known as origin fetch). To learn more about all Amazon CloudFront features, and how to configure them, please refer to the Amazon CloudFront Developer Guide.

Not all origins are alike and some may involve processes such as just-in-time packaging that are more computationally expensive per GB than fetching content out of storage. CloudFront provides regional edge caches at no additional cost to decrease the operational burden on origins and lower operating costs. Further reduction in origin-related costs are available using Origin Shield to minimize the number of origin fetches. Origin Shield provides centralized caching to optimize cache-hit ratios and collapse requests across regions resulting in as few as one origin request per object.

Learn more