
Amazon CloudFront Security

1h 59m

In this course we learn to

Recognize and implement secure procedures for optimum cloud deployment and maintenance.
Demonstrate ability to implement the right architecture for development, testing, and staging environments. 

Shared Security model
Compliance and best practices
Identity and Access Management (IAM)
Protecting data at Rest / In Transit
Identity Federation
Threat Mitigation
Amazon CloudFront Security

Deployment Services

Demonstrate ability to implement the right architecture for development, testing, and staging environments.
Understand the core AWS services, uses, and basic architecture best practices
AWS CodeDeploy
AWS CodePipeline
AWS CodeCommit

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Let's have a quick look at Amazon CloudFront security while we're talking about security. Amazon CloudFront can accept viewer requests over both HTTP and HTTPS, so a distribution that serves HTTPS is one more layer of defense you can add, alongside ELBs with HTTPS listeners and encryption between your instances and your databases. You can configure a distribution (per cache behavior, through its viewer protocol policy) to redirect HTTP requests to HTTPS, or to require HTTPS and reject plain HTTP requests outright. For HTTPS requests, CloudFront also uses HTTPS to retrieve the object from an Amazon S3 origin, so the object is encrypted in transit on both hops: from the viewer to the edge location and from the edge location to the origin. For custom origins (an ELB, for example) you choose the origin protocol policy separately, so set it to HTTPS only if the origin must never be reached over plain HTTP, rather than relying on "match viewer".
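As an added example (not code from the course or from AWS), the following audits a distribution configuration for the two hops just described, using the field names of the CloudFront API's DistributionConfig structure; the sample distribution, its origin IDs and its OAI ID are constructed placeholders.

```python
"""Audit a CloudFront DistributionConfig for hops that may carry objects in clear.

Added example, not Cloud Academy's or AWS's code. The dict layout follows the
DistributionConfig structure returned by the CloudFront API (for instance by
`aws cloudfront get-distribution-config`); SAMPLE_CONFIG is a constructed
distribution, not a real one.
"""
import copy

# Viewer protocol policies that keep the viewer -> edge hop off plain HTTP.
VIEWER_OK = {"https-only", "redirect-to-https"}      # "allow-all" serves HTTP too
# Origin protocol policies for custom origins that never fetch over plain HTTP
# once the viewer hop is HTTPS. "http-only" always fetches in clear.
ORIGIN_OK = {"https-only", "match-viewer"}


def _behaviors(config):
    """Yield (path_pattern, behavior) for the default and every path behavior."""
    yield "*", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def audit_distribution(config):
    """Return [(where, finding), ...]; an empty list means no plaintext hop."""
    findings = []
    for pattern, behavior in _behaviors(config):
        policy = behavior.get("ViewerProtocolPolicy", "allow-all")
        if policy not in VIEWER_OK:
            findings.append((pattern, f"viewer protocol policy is {policy}"))
    # S3 bucket origins follow the viewer's protocol, so only custom origins
    # (ELB, EC2, any HTTP server) carry their own origin protocol policy.
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        policy = custom.get("OriginProtocolPolicy", "http-only")
        if policy not in ORIGIN_OK:
            findings.append((origin["Id"], f"origin protocol policy is {policy}"))
    return findings


def harden(config):
    """Return a copy with the weakest settings replaced by strict ones.

    Viewers on plain HTTP get a redirect to HTTPS instead of a refusal, the
    usual choice for web content; use "https-only" where no redirect is wanted.
    """
    fixed = copy.deepcopy(config)
    for _, behavior in _behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy", "allow-all") not in VIEWER_OK:
            behavior["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is not None and custom.get("OriginProtocolPolicy") not in ORIGIN_OK:
            custom["OriginProtocolPolicy"] = "https-only"
    return fixed


# Constructed sample: an S3 origin behind an OAI plus a legacy ELB origin that
# is still reached over HTTP, with one path pattern that still allows HTTP viewers.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-assets", "DomainName": "assets-example.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLE"}},
        {"Id": "api-elb", "DomainName": "api-elb.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only"}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/legacy/*", "TargetOriginId": "api-elb", "ViewerProtocolPolicy": "allow-all"},
    ]},
}

if __name__ == "__main__":
    for where, finding in audit_distribution(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
    print("after hardening:", audit_distribution(harden(SAMPLE_CONFIG)))
```

Run it against the JSON that `get-distribution-config` returns to see every path pattern that still admits plain HTTP; the path-specific behaviors are easy to miss when only the default behavior was tightened.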

CloudFront access logs contain a comprehensive record of each request made for your content: the object requested, the date and time of the request, the edge location that served it and, most importantly for security work, the client IP address, the referrer, and the user agent. To enable access logs, specify the name of the Amazon S3 bucket to store the logs in when you configure the Amazon CloudFront distribution. Note that standard logs are delivered on a best-effort basis and can arrive some time after the request, so they suit investigation and delayed alerting rather than real-time blocking.
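As an added example (not code from the course or from AWS), here is a parser for the standard log format together with the two questions a responder usually asks first: which requests reached the edge over plain HTTP, and which client is collecting 403s against private paths. The log lines are constructed samples, reduced to the first 19 standard fields; the distribution domain, IPs and request IDs are placeholders.

```python
"""Scan CloudFront standard (access) log lines for plaintext and abuse signals.

Added example, not the course's or AWS's code. The sample log is constructed to
match the tab-separated W3C format CloudFront writes (a #Version line, a
#Fields line naming the columns, then one record per request, with spaces in
values percent-encoded); it is cut down to the first 19 standard fields.
"""
from collections import Counter
from urllib.parse import unquote

_FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
           "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")
_HOST = "d111111abcdef8.cloudfront.net"
_ROWS = [  # constructed records: one normal hit, then one client probing private paths
    ["2024-05-01", "10:00:01", "LHR62-C1", "1024", "203.0.113.7", "GET", _HOST, "/index.html",
     "200", "https://www.example.com/", "Mozilla/5.0%20(X11)", "-", "-", "Hit", "req-1", _HOST, "https", "400", "0.003"],
    ["2024-05-01", "10:00:02", "LHR62-C1", "512", "198.51.100.9", "GET", _HOST, "/private/report.pdf",
     "403", "-", "curl/8.0", "-", "-", "Error", "req-2", _HOST, "http", "300", "0.001"],
    ["2024-05-01", "10:00:03", "LHR62-C1", "512", "198.51.100.9", "GET", _HOST, "/private/report.pdf",
     "403", "-", "curl/8.0", "-", "-", "Error", "req-3", _HOST, "https", "300", "0.001"],
    ["2024-05-01", "10:00:04", "LHR62-C1", "512", "198.51.100.9", "GET", _HOST, "/private/secrets.pdf",
     "403", "-", "curl/8.0", "Expires=1&Signature=AAAA&Key-Pair-Id=KEXAMPLE", "-", "Error", "req-4", _HOST, "https", "340", "0.001"],
    ["2024-05-01", "10:00:05", "LHR62-C1", "40960", "203.0.113.7", "GET", _HOST, "/private/report.pdf",
     "200", "https://www.example.com/", "Mozilla/5.0%20(X11)", "Expires=1714557600&Signature=AbCd&Key-Pair-Id=KEXAMPLE", "-", "Miss", "req-5", _HOST, "https", "512", "0.120"],
]
SAMPLE_LOG = "#Version: 1.0\n#Fields: " + _FIELDS + "\n" + "\n".join("\t".join(r) for r in _ROWS) + "\n"

_DECODED = ("cs(Referer)", "cs(User-Agent)")  # fields CloudFront percent-encodes


def parse_log(text):
    """Parse one log file into dicts keyed by the names in its #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(fields, values))
        for name in _DECODED:
            if name in rec:
                rec[name] = unquote(rec[name])
        records.append(rec)
    return records


def plaintext_requests(records):
    """Requests that reached the edge over HTTP, i.e. objects served in clear."""
    return [r for r in records if r["cs-protocol"] == "http"]


def requests_by_client(records):
    return Counter(r["c-ip"] for r in records)


def forbidden_by_client(records):
    """403s per client IP: failed signed-URL/cookie checks show up here."""
    return Counter(r["c-ip"] for r in records if r["sc-status"] == "403")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("plaintext:", [(r["c-ip"], r["cs-uri-stem"]) for r in plaintext_requests(recs)])
    print("403s by client:", forbidden_by_client(recs).most_common())
```

Parsing from the #Fields line rather than hard-coded column positions matters because the standard log format has gained columns over time; a fixed index silently reads the wrong field on newer files.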

Amazon S3 provides the durability here: as the origin store for Amazon CloudFront, it holds the original, definitive copies of the objects that CloudFront delivers. If you want more control over who can download content from Amazon CloudFront, you can enable the service's private content feature. Restricting access to objects at CloudFront edge locations is one part of it: you configure CloudFront to require that viewers access your objects using either signed URLs or signed cookies, and you then develop your application either to create and hand out signed URLs to authenticated users, or to send Set-Cookie headers that place signed cookies in authenticated viewers' browsers. A signed URL covers one object; signed cookies let you grant access to many objects (a whole video library, say) without rewriting every URL.
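As an added example (not code from the course or from AWS), the following produces the signed URL and the signed cookies described above from a canned policy. It follows the documented format (policy JSON, RSA-SHA1 signature, CloudFront's base64 alphabet, the Expires/Signature/Key-Pair-Id parameters and the CloudFront-* cookie names); the key pair ID, domain and paths are placeholders, and the RSA signing step is passed in as a callable so the demo's dependency on the `cryptography` package stays confined to the script's main block.

```python
"""Produce CloudFront signed URLs and signed cookies from a canned policy.

Added example, not Cloud Academy's or AWS's code. It follows the documented
CloudFront format: a canned policy JSON with no whitespace, an RSA-SHA1
(PKCS#1 v1.5) signature over it, and CloudFront's URL-safe base64 alphabet.
The RSA step is injected as a callable so the helpers stay dependency-free;
the demo at the bottom uses the `cryptography` package and a throwaway key.
Key pair ID, domain and paths are placeholders.
"""
import base64
import json


def canned_policy(resource_url, expires_epoch):
    """Bytes CloudFront expects to be signed. Key order and the absence of
    whitespace matter: the signature is over these exact bytes. A canned policy
    pins one exact URL; wildcards or source-IP limits need a custom policy."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def cloudfront_b64(data):
    """Standard base64 with CloudFront's substitutions (+ to -, = to _, / to ~)
    so the value survives in a query string or cookie without further encoding."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def signed_url(resource_url, expires_epoch, key_pair_id, rsa_sha1_sign):
    """rsa_sha1_sign(message: bytes) -> bytes must be a PKCS#1 v1.5 RSA-SHA1
    signature by the private key whose public half is in the distribution's
    trusted key group (or, for legacy setups, the CloudFront key pair)."""
    signature = cloudfront_b64(rsa_sha1_sign(canned_policy(resource_url, expires_epoch)))
    sep = "&" if "?" in resource_url else "?"
    return f"{resource_url}{sep}Expires={int(expires_epoch)}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def signed_cookies(resource_url, expires_epoch, key_pair_id, rsa_sha1_sign):
    """Same policy and signature, delivered as the three CloudFront-* cookies
    (set them with Secure and HttpOnly, scoped to the distribution's domain)."""
    signature = cloudfront_b64(rsa_sha1_sign(canned_policy(resource_url, expires_epoch)))
    return {"CloudFront-Expires": str(int(expires_epoch)),
            "CloudFront-Signature": signature,
            "CloudFront-Key-Pair-Id": key_pair_id}


if __name__ == "__main__":
    import time
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    # Throwaway key for the demo; in production load the PEM whose public key
    # you uploaded to CloudFront (serialization.load_pem_private_key).
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def sign(message):
        return key.sign(message, padding.PKCS1v15(), hashes.SHA1())

    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    expires = int(time.time()) + 300          # short lifetimes limit link sharing
    print(signed_url(url, expires, "K2EXAMPLEKEYID", sign))
    print(signed_cookies(url, expires, "K2EXAMPLEKEYID", sign))
```

Keep the signing key on the application servers only; anything that can sign can mint access to every object the key group covers, so treat it with the same care as the origin's credentials, and keep expiry windows short.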

To control access to the original copies of your objects (the origin, as we call it) in Amazon S3, Amazon CloudFront lets you create one or more origin access identities and associate them with your distributions. When an origin access identity is associated with an Amazon CloudFront distribution, the distribution uses that identity to retrieve objects from Amazon S3, and you write the bucket policy so that only that identity may read them. The identity only helps if public read access to the bucket is removed at the same time; otherwise viewers can fetch objects straight from S3 and bypass every control you put on the distribution. (Origin access identity is now the legacy mechanism; AWS recommends its successor, origin access control, which serves the same purpose but authorizes the distribution itself as a service principal.)
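As an added example (not code from the course or from AWS), the following emits the bucket policy that pairs an origin access identity with a bucket, its origin access control equivalent, and a check that flags the mistake described above: an Allow statement that still grants object reads to everyone. The bucket name, OAI ID, account ID and distribution ID are placeholders.

```python
"""Lock an S3 origin bucket to CloudFront and detect policies that bypass it.

Added example, not Cloud Academy's or AWS's code. It emits the bucket policy
that pairs an origin access identity (OAI) with a bucket, the equivalent for
the newer origin access control (OAC), and a check that flags Allow statements
granting object reads to everyone, which would let viewers skip CloudFront and
read from S3 directly. Bucket name, OAI ID, account and distribution IDs are
placeholders.
"""
import json


def oai_bucket_policy(bucket, oai_id):
    """Only the OAI principal may read objects; nothing else is granted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


def oac_bucket_policy(bucket, account_id, distribution_id):
    """OAC form: the CloudFront service principal, pinned to one distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalRead",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _reads_objects(action):
    return action.lower() in ("*", "s3:*", "s3:get*", "s3:getobject")


def bypass_statements(policy):
    """Sids (or positions) of Allow statements that let anyone read objects.

    Conditions are not treated as a mitigation: aws:Referer style checks on a
    public principal are trivially spoofed, so such statements are still flagged.
    """
    found = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _anyone(st.get("Principal")):
            continue
        if any(_reads_objects(a) for a in _as_list(st.get("Action", []))):
            found.append(st.get("Sid", f"Statement[{i}]"))
    return found


# Constructed legacy policy: the OAI grant was added but the public grant stayed.
LEGACY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::assets-example/*"},
    oai_bucket_policy("assets-example", "E1EXAMPLE")["Statement"][0],
]}

if __name__ == "__main__":
    print("bypass via:", bypass_statements(LEGACY_POLICY))
    print(json.dumps(oai_bucket_policy("assets-example", "E1EXAMPLE"), indent=2))
```

Pair the policy with S3 Block Public Access on the bucket so that a later edit cannot quietly reintroduce a public grant, and remember that a bucket policy is not the only path: object ACLs granting public read would also need to be removed.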

A quick summary of CloudFront security. Only authenticated users can create, modify, or delete their own Amazon CloudFront distributions. Control API requests are signed with a keyed hash computed over the request and the caller's secret access key (HMAC-SHA1 under the original Signature Version 2 scheme described here; current SDKs use Signature Version 4, which is HMAC-SHA256). The control API is only reachable over TLS-encrypted endpoints. Durability is provided by Amazon S3 as the origin server for Amazon CloudFront. You can control who is able to download content from Amazon CloudFront using the private content feature. Private content is an optional feature that you enable on the distribution's cache behaviors; content delivered from a behavior without it is publicly readable by anyone who has the URL. There are two options for private content, and they address different hops. First, control how the Amazon CloudFront edge locations access your objects in Amazon S3 (an origin access identity plus a bucket policy that grants read only to it). Second, control how content is delivered from the Amazon CloudFront edge location to end users (signed URLs or signed cookies). Use both together: restricting viewers at the edge achieves nothing if the bucket itself is still publicly readable.

Okay, well done. We made it to the end of data security. Now let's talk about how we can make our systems even more available and more durable using recovery point objectives (RPO) and recovery time objectives (RTO). See you in the next section.

About the Author
Andrew Larkin
Head of Content
Learning Paths

Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built 70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+ years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.