CloudFront-Stackset
The configuration for deploying CloudFront distributions across multiple AWS accounts and regions. It ensures consistent content delivery configurations globally, making it easier to manage and scale content distribution for multi-account environments.
Basic Configuration
Sets up a CloudFront distribution for fast content delivery with global reach. It includes origin settings, caching policies, and HTTP-to-HTTPS redirection to optimize performance and security for web applications.
Required resources

- Distribution: Configures a CloudFront distribution to deliver content through a global CDN, with an origin pointing to an ALB. The distribution includes Origin Shield for enhanced origin protection and HTTP-to-HTTPS redirection. The cache behavior supports multiple HTTP methods, enables compression, and applies caching, origin request, and response header policies to optimize content delivery.
- WebACLId: (Optional) Associates a Web Application Firewall (WAF) with the Distribution to protect against common web exploits and add an extra layer of security to the application.
- ViewerCertificate: (Optional) Configures an ACM-managed SSL/TLS certificate for HTTPS support on the CloudFront Distribution, specifying the minimum protocol version (TLSv1) and SNI-only support to ensure secure content delivery.

Note that to add the WebACLId and ViewerCertificate attributes, the WAF and ACM resources must also be deployed; see the WAF and ACM section below for more info.
Basic Configuration

Distribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Aliases: # alternate domain names require a matching ACM certificate in ViewerCertificate
        - example.com
      Origins:
        - DomainName: !Ref ALB # must resolve to the ALB DNS name; for an AWS::ElasticLoadBalancingV2::LoadBalancer resource use !GetAtt ALB.DNSName
          Id: App-DNS
          OriginShield:
            Enabled: true
            OriginShieldRegion: ap-southeast-1
          CustomOriginConfig:
            HTTPPort: 80
            HTTPSPort: 443
            OriginProtocolPolicy: http-only # the CloudFront-to-ALB hop is plain HTTP; use https-only with an HTTPS listener on the ALB to encrypt it
      Enabled: true
      IPV6Enabled: true
      DefaultCacheBehavior:
        TargetOriginId: App-DNS
        ViewerProtocolPolicy: redirect-to-https
        AllowedMethods: ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"] # customize allowed HTTP methods here
        Compress: true
        CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized managed policy
        OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3 # AllViewer managed policy
        ResponseHeadersPolicyId: eaab4381-ed33-4a86-88ca-d9558dc6cd63 # CORS-with-preflight-and-SecurityHeadersPolicy managed policy
WAF and ACM Certificate (added under DistributionConfig)

      WebACLId: <WebACL-ARN> # e.g. !GetAtt WAF.Arn when the WAF resource is in the same template
      ViewerCertificate:
        AcmCertificateArn: <ACMCertificate-ARN> # e.g. !Ref ACM when the ACM resource is in the same template
        MinimumProtocolVersion: TLSv1 # still permits TLS 1.0/1.1 clients; TLSv1.2_2021 is the recommended minimum with sni-only
        SslSupportMethod: sni-only
WAF and ACM
This setup adds web security and HTTPS support. WAF filters traffic to protect against attacks, while ACM provides an SSL/TLS certificate for secure, encrypted connections.
Required resources

- WAF: Defines a WAF to protect the application from common web attacks. This WAF is configured for use with CloudFront (or can be set to REGIONAL for resources like ALB or API Gateway, etc.) and allows all traffic by default.
- ACM: Configures an ACM certificate for the specified domain (e.g., example.com), using DNS validation.
A WAF with CLOUDFRONT scope can only be deployed in the us-east-1 region, and CloudFront likewise only accepts an ACM certificate issued in us-east-1, so deploy both resources in that region.
You may encounter CREATE_FAILED on a basic configuration that includes the ViewerCertificate attribute if the ACM DNS validation has not completed after the ACM resource was deployed. Validate the DNS record in the domain's console first, and confirm the certificate status is ISSUED before deploying the distribution.
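The following preflight check is an added example, not part of the StackSet templates: it reads the JSON that `aws acm describe-certificate --certificate-arn <arn> --region us-east-1` prints and reports whether the ViewerCertificate variant can be deployed, or which validation CNAME still has to be created. The certificate ARN and DNS record values in the embedded sample are constructed.

```python
"""Preflight for the ViewerCertificate variant: pipe in the JSON from
`aws acm describe-certificate --certificate-arn <arn> --region us-east-1`
and learn whether deployment can proceed or which CNAME record is still missing."""
import json
import sys

REQUIRED_REGION = "us-east-1"  # CloudFront only accepts ACM certificates issued in us-east-1

def cert_region(arn: str) -> str:
    # ARN layout: arn:partition:service:region:account:resource
    return arn.split(":")[3]

def pending_dns_records(cert: dict) -> list:
    """Return (name, value) of the CNAME records ACM is still waiting for."""
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") != "SUCCESS" and "ResourceRecord" in opt:
            rr = opt["ResourceRecord"]
            records.append((rr["Name"], rr["Value"]))
    return records

def check_certificate(response: dict) -> dict:
    """Apply the two conditions behind the CREATE_FAILED caveat: right region and ISSUED."""
    cert = response["Certificate"]
    region = cert_region(cert["CertificateArn"])
    problems = []
    if region != REQUIRED_REGION:
        problems.append(f"certificate is in {region}, CloudFront requires {REQUIRED_REGION}")
    if cert.get("Status") != "ISSUED":
        problems.append(f"certificate status is {cert.get('Status')}, not ISSUED")
    return {"ready": not problems, "problems": problems,
            "pending_records": pending_dns_records(cert)}

# Constructed sample of describe-certificate output while DNS validation is still pending.
SAMPLE_PENDING = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                           "Value": "_def456.acm-validations.aws."}}]}}

if __name__ == "__main__":
    data = SAMPLE_PENDING if sys.stdin.isatty() else json.load(sys.stdin)
    result = check_certificate(data)
    for name, value in result["pending_records"]:
        print(f"create CNAME {name} -> {value}")
    for problem in result["problems"]:
        print("not ready:", problem)
    sys.exit(0 if result["ready"] else 1)
```

Run it as `aws acm describe-certificate --certificate-arn <arn> --region us-east-1 | python preflight.py`; a non-zero exit means the StackSet operation would fail on ViewerCertificate.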
WAF Configuration

WAF:
  Type: AWS::WAFv2::WebACL
  Properties:
    DefaultAction:
      Allow: {}
    Scope: CLOUDFRONT # use REGIONAL if the WAF is for ALB, API Gateway, etc.
    VisibilityConfig:
      CloudWatchMetricsEnabled: true
      MetricName: App-WAF
      SampledRequestsEnabled: true
ACM Configuration

ACM:
  Type: AWS::CertificateManager::Certificate # not AWS::WAFv2::WebACL; this resource is the certificate
  Properties:
    DomainName: example.com
    ValidationMethod: DNS # the ACM property is ValidationMethod; validation only completes once the CNAME record exists