First CloudFront CDN.
Initial setup
The first CloudFront distribution starts with one origin and one default cache behaviour. Get those right and layer the rest later; trying to set every knob on day one produces config nobody can debug.
- Console or CLI. create-distribution call with --origin-domain-name per distribution; the defaults are sane for a starting point.
- Propagation time. 5-15 minute global deploy per distribution; status moves from In Progress to Deployed before testing makes sense.
- Test the assigned domain. d123abc.cloudfront.net curl check per distribution; verify content serves through CloudFront before pointing custom domains at it.
- IaC source per distribution. Terraform or CDK definition per distribution; click-ops produces distributions nobody can replicate.
Origin configuration
Origin configuration is where most security gaps land. Lock the path so CloudFront is the only way to reach the origin; otherwise users find your origin directly and bypass everything CloudFront provides.
- S3 origin. Origin Access Identity per bucket; restrict bucket policy to the OAI principal so CloudFront is the only path.
- ALB origin. CloudFront IP-range allowlist per ALB using AWS-managed prefix list pl-3b927c52.
- Custom origin. HTTPS-only protocol per origin for production; HTTP-only origins are debugging aids that should not survive into production.
- Named owner per origin. Responsible team per origin supports operational reviews and incident escalation.
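A configuration lint for the three lock-down rules above, written as an added example rather than code from the original page. It reads the JSON shapes that `aws cloudfront get-distribution-config` and `aws ec2 describe-security-groups` return; both documents below are constructed, the origin names and group id are placeholders, and pl-3b927c52 is the AWS-managed prefix list named on the page. The S3 check accepts either an Origin Access Identity or the newer Origin Access Control id, since either one lets the bucket policy be restricted to CloudFront.

```python
"""Lint CloudFront origin settings and an ALB security group for the
origin lock-down rules above.

Added example, not code from the original page. The two documents below
are constructed in the shape returned by `aws cloudfront
get-distribution-config` and `aws ec2 describe-security-groups`; the
constant pl-3b927c52 is the AWS-managed prefix list named on the page.
"""

CLOUDFRONT_PREFIX_LIST = "pl-3b927c52"

# Constructed DistributionConfig: one S3 origin with no OAI/OAC, one locked
# S3 origin, and one ALB origin still on http-only with TLSv1.1 enabled.
DISTRIBUTION_CONFIG = {
    "Origins": {
        "Quantity": 3,
        "Items": [
            {"Id": "assets-s3",
             "DomainName": "assets-example.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"Id": "media-s3",
             "DomainName": "media-example.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity":
                                "origin-access-identity/cloudfront/EXAMPLEOAI"}},
            {"Id": "app-alb",
             "DomainName": "app-alb-example.us-east-1.elb.amazonaws.com",
             "CustomOriginConfig": {
                 "OriginProtocolPolicy": "http-only",
                 "OriginSslProtocols": {"Quantity": 2,
                                        "Items": ["TLSv1.1", "TLSv1.2"]}}},
        ],
    },
}

# Constructed security group: 443 is allowed from the CloudFront prefix list
# but also from 0.0.0.0/0, so the allowlist is decorative.
ALB_SECURITY_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST}]},
    ],
}


def lint_origins(config):
    """Return one finding per origin setting that leaves the origin reachable
    outside CloudFront or downgrades the CloudFront-to-origin hop."""
    findings = []
    for origin in config["Origins"]["Items"]:
        oid = origin["Id"]
        if "S3OriginConfig" in origin:
            oai = origin["S3OriginConfig"].get("OriginAccessIdentity", "")
            oac = origin.get("OriginAccessControlId", "")
            if not oai and not oac:
                findings.append(f"{oid}: S3 origin has no OAI or OAC; "
                                "bucket policy cannot be restricted to CloudFront")
        elif "CustomOriginConfig" in origin:
            custom = origin["CustomOriginConfig"]
            policy = custom.get("OriginProtocolPolicy")
            if policy != "https-only":
                findings.append(f"{oid}: OriginProtocolPolicy is {policy!r}, "
                                "expected 'https-only'")
            weak = [p for p in custom.get("OriginSslProtocols", {}).get("Items", [])
                    if p != "TLSv1.2"]
            if weak:
                findings.append(f"{oid}: origin TLS allows {', '.join(weak)}")
    return findings


def _covers_port(perm, port):
    """True if an inbound rule applies to `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def lint_alb_security_group(sg, ports=(80, 443)):
    """Check that listener ports admit only the CloudFront prefix list."""
    findings = []
    for port in ports:
        rules = [p for p in sg["IpPermissions"] if _covers_port(p, port)]
        if not rules:
            continue  # port not exposed at all; nothing to lock down
        has_prefix = any(pl.get("PrefixListId") == CLOUDFRONT_PREFIX_LIST
                         for p in rules for pl in p.get("PrefixListIds", []))
        if not has_prefix:
            findings.append(f"{sg['GroupId']}: port {port} lacks CloudFront prefix list")
        for p in rules:
            for r in p.get("IpRanges", []):
                if r.get("CidrIp") == "0.0.0.0/0":
                    findings.append(f"{sg['GroupId']}: port {port} open to 0.0.0.0/0")
            for r in p.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") == "::/0":
                    findings.append(f"{sg['GroupId']}: port {port} open to ::/0")
    return findings


if __name__ == "__main__":
    for line in lint_origins(DISTRIBUTION_CONFIG) + lint_alb_security_group(ALB_SECURITY_GROUP):
        print(line)
```

Run against the constructed input it reports the unlocked S3 origin, the http-only ALB origin, the TLSv1.1 allowance, and the 0.0.0.0/0 rule that makes the prefix-list entry meaningless; a clean distribution returns two empty lists.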
Cache behaviours
Cache behaviours are the cache-correctness surface. Defaults are usually wrong for any non-trivial site; override per path so /api routes bypass cache and /static routes cache aggressively.
- Default cache behaviour. Catch-all per distribution; override per path pattern. /api/* might bypass cache, /static/* might cache aggressively.
- TTL settings. Minimum, default, maximum per behaviour; origin Cache-Control headers set the value, behaviour parameters bound it.
- Cache key. Query-string, cookie, header inclusion per behaviour; default ignores query strings, so be explicit when they matter.
- Response-header policy per behaviour. Security-header injection (CSP, HSTS, X-Frame-Options) at the CloudFront layer.
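The four bullets above describe one resolution: pick the behaviour by path pattern, bound the origin's TTL with the behaviour's minimum and maximum, and build the cache key from only the allow-listed query strings. The following is an added example of that resolution, not code from the original page. The behaviours are constructed to match the page's /api/* and /static/* split, the TTL bounding follows CloudFront's documented handling of origin Cache-Control, and the HSTS header on the static behaviour stands in for a response-headers policy.

```python
"""Resolve which cache behaviour serves a path, what TTL the object gets,
and what its cache key is.

Added example, not the page's own code. The behaviours below are
constructed to match the page's /api/* and /static/* split; the TTL
bounding rules follow CloudFront's documented treatment of origin
Cache-Control headers.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode


@dataclass
class CacheBehavior:
    path_pattern: str               # "*" for the default behaviour
    min_ttl: int
    default_ttl: int
    max_ttl: int
    query_string_keys: tuple = ()   # empty: query strings not part of the cache key
    response_headers: dict = field(default_factory=dict)


# Constructed behaviours: bypass for /api/*, long cache for /static/*, and a
# default behaviour that follows origin headers.
API = CacheBehavior("/api/*", 0, 0, 0)
STATIC = CacheBehavior("/static/*", 86400, 86400, 31536000,
                       query_string_keys=("v",),
                       response_headers={"Strict-Transport-Security":
                                         "max-age=63072000; includeSubDomains"})
DEFAULT = CacheBehavior("*", 0, 86400, 31536000)
ORDERED_BEHAVIORS = [API, STATIC]   # evaluated in order, first match wins


def _pattern_to_regex(pattern):
    """CloudFront path patterns: '*' matches any run of characters (slashes
    included), '?' exactly one character; everything else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def select_behavior(path, ordered=ORDERED_BEHAVIORS, default=DEFAULT):
    """First listed behaviour whose pattern matches, else the default."""
    for behavior in ordered:
        if _pattern_to_regex(behavior.path_pattern).match(path):
            return behavior
    return default


def effective_ttl(behavior, cache_control):
    """Seconds CloudFront keeps the object, given the origin's Cache-Control.

    The origin header sets the value and the behaviour bounds it:
      - s-maxage or max-age: clamped into [min_ttl, max_ttl]
      - no-cache / no-store / private: not cached when min_ttl is 0,
        otherwise cached for min_ttl
      - no freshness directive at all: default_ttl
    """
    directives = {}
    for part in (cache_control or "").split(","):
        name, _, value = part.strip().lower().partition("=")
        if name:
            directives[name] = value
    if directives.keys() & {"no-cache", "no-store", "private"}:
        return behavior.min_ttl
    for name in ("s-maxage", "max-age"):
        if name in directives:
            try:
                age = int(directives[name])
            except ValueError:
                continue   # malformed value; try the next directive
            return max(behavior.min_ttl, min(age, behavior.max_ttl))
    return behavior.default_ttl


def cache_key(behavior, path, query=""):
    """Path plus only the allow-listed query parameters, in sorted order.

    With an empty allow-list (the CloudFront default) every query variant of
    a path shares one cached object, which is the trap the page warns about.
    """
    keep = sorted((k, v) for k, v in parse_qsl(query, keep_blank_values=True)
                  if k in behavior.query_string_keys)
    return path + ("?" + urlencode(keep) if keep else "")


if __name__ == "__main__":
    for path, cc in [("/api/users", "max-age=3600"),
                     ("/static/app.js", "max-age=60"),
                     ("/index.html", None)]:
        b = select_behavior(path)
        print(path, "->", b.path_pattern, "ttl", effective_ttl(b, cc),
              "headers", b.response_headers)
```

The API behaviour bypasses the cache by setting all three TTLs to zero, so an origin that mistakenly sends max-age=3600 is still clamped to 0; the static behaviour clamps a short max-age up to its one-day minimum, which is what "behaviour parameters bound it" means in practice.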
Custom domain and TLS
Custom domain and TLS are the public-face surface. ACM cert in us-east-1 (CloudFront's regional restriction), ALIAS in Route 53, verify the chain end-to-end, monitor renewal.
- ACM in us-east-1. CloudFront only reads ACM from us-east-1; validate via DNS rather than email for automation.
- Route 53 ALIAS. ALIAS record per domain pointing at the distribution; standard pattern for AWS-hosted DNS.
- Verify the chain. openssl s_client -servername check per domain confirms the chain is complete from public root to leaf.
- Cert-renewal monitor per domain. Expiry alert catches forgotten renewals before customers see the warning.
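Turning the chain check and the renewal monitor into something a scheduled job can evaluate, as an added example that is not part of the original page. It parses a captured `openssl s_client -servername` transcript for the served chain and the verify return code, and an `openssl x509 -noout -enddate` line for days of lead time. Both transcripts below are constructed: subject and issuer names are placeholders, the PEM body is elided, and only the line layout follows what OpenSSL prints.

```python
"""Check a captured `openssl s_client -servername` transcript for chain
completeness and a certificate end date for renewal lead time.

Added example, not the page's own code. Both transcripts below are
constructed: subject and issuer names are placeholders, the PEM body is
elided, and the line layout follows what OpenSSL prints.
"""
import re
from datetime import datetime, timezone

# Constructed: complete chain, verification succeeded.
GOOD_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Trust, CN = Example Intermediate CA
 1 s:C = US, O = Example Trust, CN = Example Intermediate CA
   i:C = US, O = Example Trust, CN = Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...constructed, elided...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
---
"""

# Constructed: only the leaf is served; a client that has not cached the
# intermediate cannot build a path to a trusted root.
LEAF_ONLY_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Trust, CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_s_client(text):
    """Extract (subject, issuer) pairs in chain order plus the verify result."""
    chain, pending = [], None
    for line in text.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and pending is not None:
            chain.append((pending, m.group(1).strip()))
            pending = None
    m = VERIFY_CODE.search(text)
    return {"chain": chain,
            "verify_code": int(m.group(1)) if m else None,
            "verify_message": m.group(2) if m else "verify result not found"}


def check_chain(parsed):
    """Return problems; an empty list means the served chain is coherent."""
    problems = []
    if parsed["verify_code"] != 0:
        problems.append(f"verify return code {parsed['verify_code']} "
                        f"({parsed['verify_message']})")
    chain = parsed["chain"]
    if not chain:
        problems.append("no certificate chain in transcript")
        return problems
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("only the leaf is served; intermediate missing")
    # Each certificate's issuer must be the subject of the next one up.
    for (subj, issuer), (next_subj, _) in zip(chain, chain[1:]):
        if issuer != next_subj:
            problems.append(f"issuer of '{subj}' does not match next subject '{next_subj}'")
    return problems


def days_until_expiry(enddate_line, now=None):
    """Parse `openssl x509 -noout -enddate` output, e.g.
    'notAfter=Mar 10 12:00:00 2030 GMT', into whole days remaining."""
    value = enddate_line.split("=", 1)[1].strip()
    not_after = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


if __name__ == "__main__":
    for name, transcript in [("good", GOOD_TRANSCRIPT), ("leaf-only", LEAF_ONLY_TRANSCRIPT)]:
        print(name, check_chain(parse_s_client(transcript)) or ["ok"])
    print("days left:", days_until_expiry("notAfter=Mar 10 12:00:00 2030 GMT"))
```

The `now` parameter exists so the expiry check is deterministic in tests; in a monitor, compare the returned day count against the alert threshold the team has agreed on, and treat a non-zero verify return code as a failure in its own right rather than a warning.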
Operating the distribution
Operating CloudFront is its own discipline. Cache hit rate, access logs to S3, invalidation cost, and per-distribution alarms together keep the distribution healthy at scale.
- Monitor cache hit rate. Hit-rate gauge per distribution; below 70% suggests aggressive cache-key inclusion or short TTLs.
- Access logs to S3. Access-log shipping per distribution; Athena queries reveal traffic patterns and abuse.
- Invalidation cost. $0.005 per path beyond the first 1,000 per month; use versioned filenames where possible to avoid invalidations.
- Alarm set per distribution. 5xx-rate and origin-latency alarms catch CloudFront-or-origin issues before customers notice.
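The hit-rate gauge, the Athena-style look at the access logs, and the 5xx alarm all read the same data, so a single added example covers the three bullets above. It is not code from the original page: the log excerpt is constructed, its `#Fields:` header lists a subset of the standard-log columns, and the parser keys each record by that header so the full CloudFront header works unchanged. The 70% floor is the page's own threshold; the 1% 5xx ceiling is an assumed placeholder.

```python
"""Cache hit rate, per-prefix hit rate and 5xx rate from CloudFront
standard (W3C, tab-separated) access logs.

Added example, not the page's own code. The log excerpt is constructed; its
'#Fields:' header lists a subset of the real standard-log columns, and the
parser keys every record by that header so the full header works the same.
"""
from collections import Counter, defaultdict
from urllib.parse import unquote

HIT_TYPES = {"Hit", "RefreshHit"}   # x-edge-result-type values counted as cache hits

# Constructed excerpt: three static hits, two /api non-hits, one of them a 502.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status x-edge-result-type time-taken
2024-01-01\t10:00:00\tIAD89-C1\t1024\t203.0.113.10\tGET\td123abc.cloudfront.net\t/static/app.js\t200\tHit\t0.002
2024-01-01\t10:00:01\tIAD89-C1\t2048\t203.0.113.11\tGET\td123abc.cloudfront.net\t/static/app.css\t200\tRefreshHit\t0.010
2024-01-01\t10:00:02\tIAD89-C1\t512\t203.0.113.12\tGET\td123abc.cloudfront.net\t/api/users\t200\tMiss\t0.310
2024-01-01\t10:00:03\tIAD89-C1\t512\t203.0.113.12\tGET\td123abc.cloudfront.net\t/api/users\t502\tError\t0.900
2024-01-01\t10:00:04\tIAD89-C1\t1024\t203.0.113.13\tGET\td123abc.cloudfront.net\t/static/logo.png\t200\tHit\t0.001
"""


def parse_log(text):
    """Turn a standard log into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rec = dict(zip(fields, line.split("\t")))
            # CloudFront URL-encodes some characters in the URI stem.
            rec["cs-uri-stem"] = unquote(rec.get("cs-uri-stem", ""))
            records.append(rec)
    return records


def _prefix(path):
    """First path segment, e.g. /static/app.js -> /static, so hit rate can be
    read per cache behaviour rather than per distribution."""
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 else "/"


def summarize(records):
    total = len(records)
    hits = sum(r["x-edge-result-type"] in HIT_TYPES for r in records)
    errors = sum(r["sc-status"].startswith("5") for r in records)
    by_prefix = defaultdict(lambda: [0, 0])   # prefix -> [hits, requests]
    for r in records:
        bucket = by_prefix[_prefix(r["cs-uri-stem"])]
        bucket[1] += 1
        bucket[0] += r["x-edge-result-type"] in HIT_TYPES
    return {
        "requests": total,
        "hit_rate": hits / total if total else 0.0,
        "error_5xx_rate": errors / total if total else 0.0,
        "hit_rate_by_prefix": {p: h / n for p, (h, n) in by_prefix.items()},
        # Paths that keep reaching the origin: candidates for a TTL or cache-key review.
        "non_hits_by_path": Counter(r["cs-uri-stem"] for r in records
                                    if r["x-edge-result-type"] not in HIT_TYPES),
    }


def evaluate(summary, hit_floor=0.70, error_ceiling=0.01):
    """Alarm conditions: the 70% floor is the page's; 1% 5xx is an assumed placeholder."""
    alerts = []
    if summary["hit_rate"] < hit_floor:
        alerts.append(f"hit rate {summary['hit_rate']:.0%} below {hit_floor:.0%}")
    if summary["error_5xx_rate"] > error_ceiling:
        alerts.append(f"5xx rate {summary['error_5xx_rate']:.1%} above {error_ceiling:.0%}")
    return alerts


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(summary)
    print(evaluate(summary) or ["no alerts"])
```

On the constructed excerpt the distribution-wide hit rate is 60%, but the per-prefix view shows /static at 100% and /api at 0%, which is the expected shape when /api/* bypasses the cache by design; the distribution-wide number alone would have sent someone chasing a non-problem, while the 502 on /api/users is the real origin signal.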