CloudFront is a fully managed content delivery network that caches content in locations physically close to the users.


A CloudFront Distribution is collection of configurations that define the deployment.

Edge Location

Edge locations are the distributed points-of-presence that store content in a local cache and are closest to the users.

Regional Edge Cache

A Regional Edge Cache is a larger version of an Edge Location. Regional Edge Caches act as an intermediate caching layer between the Origin and the Edge Locations.

CloudFront only caches Downloadable content. It does not $2 caching.


Behaviours define which content is cached and also the caching parameters.

CloudFront Behaviours have the following characteristics.

  • CloudFront distributions are assigned a default (*) behaviour that matches everything.
  • Additional behaviours can be matched based on the content path such as stuff/*
  • Origins, Origin Groups, TTL, Protocol Policies, and access restrictions are configured via Behaviours.


An Origin is the source location of the content. An Origin can either be an S3 Origin or a Custom Origin.


The Time-to-Live value specifies how long content is cached before it is considered stale and needs to be refreshed.

The following points describe TTL.

  • If the latest version is already in the cache, the origin returns a 304 Not Modified status code.
  • If the latest version is not in the cache, the origin returns a 200 OK status code, and the latest version of the file.
  • The default TTL value is 24 hours and is applied to any object that does not have a per-object TTL set.
  • The default, minimun and maximum TTL values can be set in a cache policy.
  • The Cache-Control or Expires response header properties can be used to signal to the browser, how long to keep an object in it's local cache.
  • Cache-Control max-age and Cache-Control s-maxage define the validity in seconds.
  • Expires defines the date and time the validity expires.
  • When minimum and maximum TTL values are defined as well as the Cache-Control or Expires headers. The caching behaviour of CloudFront is as follows.
    • If Cache-Control or Expires are < the minimum TTL, the minimum TTL is used.
    • If Cache-Control or Expires are > the maximum TTL, the maximum TTL is used.
    • A detailed breakdown of this behaviour can be found in the docs here.
  • S3 origins can set the TTL values of an object via metadata.


Cache invalidations allow you to manually expire objects from CloudFront.

The following points describe Invalidations.

  • Invalidations are performed distribution wide at all edge locations.
  • String matching patterns are used to determine which object are invalidated.
  • Versioned filenames can be used to automatically invalidate cached objects.
  • There is no cost when invalidating files via versioned filenames.
  • Invalidating files with string matching does have and associated cost.

Certificate Manager

The AWS Certificate Manager (ACM) service, is a fully managed, Regionally resilient, service that enables the use of Digital Certificates for web based services. Digital Certificates allow for the use of Transport Layer Security (TLS) encryption over the HTTPS protocol.

ACM has the following characteristics.

  • Certificates can either be generated by ACM or imported from an external Certificate Authority (CA).
  • Certificates that are generated by ACM are automatically renewed.
  • Certificates that are imported MUST be renewed by the administrator.
  • ACM can only be used with supported services IE: CloudFront and ALBs.
  • Certificates can only be used for Services in the same region they are deployed into.
CloudFront operates out of the us-east-1 Region. ACM Certificates used by a CloudFront distribution must be deployed into the us-east-1 Region.

SSL/TLS Certificates

CloudFront distributions support SSL by default using the * wildcard certificate that matches all CloudFront distributions.

Altername domain names can be used by leverageing CNAMEs, however domain ownership must be verified using a matching certificate.

Certificates can be Generated by ACM or imported to ACM by an administrator.

There are 2x TLS connections invloved when using CloudFront. Viewer -> CloudFront and CloudFront -> Origin. Both must have valid public certificates. Self signed certificates are not supported.

Subject Name Indication

Subject Name Indication (SNI) is an extention to the TLS protocol which allows multiple website domains to be hosted on a single IP address.

SNI was added as an extension to TLS in 2003, however some older (ancient) browsers do not support SNI.

CloudFront hosting using SNI is free. If support for older browsers that do not support SNI is required, CloudFront charges a fee to provide a dedicated IP address.

CloudFront Architecture

The following diagram shows an example CloudFront architecture.


The following points describe the above diagram.

  • A CloudFront distribution is configured with multiple Behaviours.
  • The path based behaviour: stuff/* is attached to a Custom Origin.
  • The default behaviour: * is attached to an S3 Origin.
  • A user requesting content is directed to their closes Edge Location.
  • If the content is already cached at the Edge Location (a cache hit), it is served to the user.
  • If the content is not already cached at the Edge Location (a cache miss), the content is requested from the Regional Edge Cache. If the content is not already cached at the Regional Edge Cache, it is requested from the Origin.