1. Home
  2. Training Library
  3. Amazon Web Services
  4. Amazon Web Services Courses
  5. Data Security for SysOps Administrator Associate on AWS

CloudFront Security

Start course

Course Description

This course is focused on the details you need to know for the 20% of the SysOps Administrator – Associate for AWS exam that covers data security. You will learn to recognize and explain platform compliance for AWS, and be able to both recognize and implement secure procedures for optimum cloud deployment and maintenance, including understanding the shared responsibility security model, and knowing what that looks like in practice.

Course Objectives

  • Recognize and explain the AWS shared security responsibility model
  • Recognise and implement IAM users, policies and roles
  • Recognize and explain how AWS enables you to protect data and rest and in transit

Intended Audience

This course is for anyone preparing for the Solutions Architect–Associate for AWS certification exam. We assume you have some existing knowledge and familiarity with AWS, and are specifically looking to get ready to take the certification exam.


Basic knowledge of core AWS functionality. If you haven't already completed it, we recommend our Fundamentals of AWS Learning Path.

This Course Includes:

  • 7 Video Lectures
  • Everything you need to know about data security to prepare for the Solutions Architect–Associate for AWS certification exam

What You'll Learn

Lecture What you'll learn
Shared Responsibility Model What's managed by AWS vs. customers
Identity and Access Management How to use IAM to keep your data secure
Platform Compliance  Best practices for platform compliance
Data at Rest and in Transit How to secure your data at rest and in transit
Identity Federation Web identity federation
CloudFront Security How to secure Amazon CloudFront

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Let's have a quick look at Amazon CloudFront Security, while we're talking about security. By default, Amazon CloudFront will accept requests over both HTTP and HTTPS, so it's another layer of possible defense, combined with ELBs set with HTTPS enabled, and with encryption between your instances and your databases. Having that additional distribution that supports HTTPS is just another layer that you can add. You can configure Amazon CloudFront to require only HTTPS for requests, and disallow all HTTP requests. For HTTPS requests, Amazon CloudFront will also utilize HTTPS to retrieve your object from Amazon S3 origin storage, so that your object is encrypted whenever it's transmitted, basically.

CloudFront Access logs contain a comprehensive list of information about requests that are made for your content, which includes the object requested, the date and the time of the request, and the edge location serving the request. Most importantly, it includes the client IP address, the referrer, and the user agent. So to enable access logs, all you do is specify the name of the Amazon S3 bucket to store the logs in when you configure your Amazon CloudFront distribution.

Amazon S3 is providing the durability here, because that's our origin store, and working as that origin for Amazon CloudFront, it holds the original definitive copies of objects delivered by CloudFront. If you want more control over who has the ability to download content from Amazon CloudFront, you can enable the services private content feature. Restricting access to objects in CloudFront Edge Locations is one. You can configure CloudFront to require that users access your objects using either signed URLs or signed cookies. You then develop your application, either to create and distribute signed URLs to authenticated users, or to send set cookie headers that set signed cookies on the viewers for authenticated users.

To control access to the original copies of your object, so origin, we call it, in Amazon S3, Amazon CloudFront allows you to create one or more origin access identities, and associate these with your distributions. When an origin access identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3.

A quick summary of CloudFront Security. Only authenticated users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature that's calculated from the request and the user's private key. The control API is only accessible via SSL-encrypted endpoints. Durability is provided by Amazon S3 as the origin server for Amazon CloudFront. You can control who is able to download content from Amazon CloudFront using the private content feature. Private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable by anyone. There are two options for private content. First, control how the Amazon CloudFront edge locations access your objects in Amazon S3. Second, control how content is delivered from the Amazon CloudFront edge location to end users.

Okay, well done. We made it to the end of data security. Now let's talk about how we can make our systems even more available and more durable using recovery point objectors and recovery time objectors. See you in the next section.

About the Author
Andrew Larkin
Head of Content
Learning Paths

Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built  70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+  years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.