AWS Services

Amazon CloudFront

Understand CloudFront as AWS content delivery, including distributions, origins, cache behaviors, TTLs, origin access control, TLS, and exam signals.

foundation6 min readUpdated 2026-06-02CloudCertificationReliabilityCost
Content Delivery NetworkDistributionOriginCache BehaviorEdge LocationOrigin Access ControlTTLInvalidation

After this, you will understand

CloudFront explains why global delivery is not only a Region choice: edge caching can move content closer without moving the whole application.

Plain version

CloudFront caches and delivers content from edge locations in front of origins such as S3, ALB, EC2, or custom HTTP servers.

Decision pressure

Learners put CloudFront in diagrams but cannot explain origins, cache behaviors, cache keys, TTLs, or origin protection.

Exam-ready model

Put CloudFront in front of static or cacheable content, tune cache behaviors, protect origins, and invalidate or version objects during deployments.

Think before readingWhat decides whether CloudFront reuses a cached response or asks the origin again?
The cache behavior, cache key, TTL settings, request attributes that are forwarded, and origin cache headers together decide cache reuse.

Reading in progress

This page is saved in your local study history so you can continue later.

Next: CloudFront vs Global Accelerator

Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. 1VPC Endpoints And PrivateLinkaws-services
  2. 2AWS Key Management Serviceaws-services

Concepts Covered

  • Content delivery networks
  • CloudFront distributions
  • Origins
  • Cache behaviors
  • Cache keys
  • TTLs
  • Origin access control
  • Signed URLs and cookies
  • TLS and custom domains
  • Invalidations

1. Plain-English Mental Model

Amazon CloudFront is AWS's content delivery network.

It sits in front of an origin and serves content from edge locations closer to users. The origin can be an S3 bucket, Application Load Balancer, EC2 instance, API endpoint, or another HTTP server.

The simple model is:

viewer -> CloudFront edge location -> origin only when needed

If CloudFront already has a fresh cached response for a request, it can serve it from the edge. If not, it asks the origin, stores the response according to cache rules, and returns it to the viewer.

CloudFront is not only "make S3 faster." It is a global request layer with caching, TLS, origin selection, edge security integrations, signed access, compression, and behavior rules.

2. Why This Service Exists

Global users are far away from most Regions.

If a user in Karachi fetches a JavaScript file from an S3 bucket in Northern Virginia, every cache miss travels a long way. If thousands of users request the same file, the origin sees repeated load for identical content.

CloudFront exists to reduce latency, reduce origin load, and provide a managed edge delivery layer. It is especially useful for static assets, media, downloads, public websites, APIs with cacheable responses, and origin protection.

For SAA-C03, CloudFront appears in questions about global low latency, static site delivery, S3 origin privacy, custom HTTPS domains, signed URLs, caching, stale content after deployment, and reducing load on an origin.

The exam often wants CloudFront when users are geographically distributed and content can be cached or delivered through edge locations.

3. The Naive Approach And Where It Breaks

The naive static delivery pattern is:

global users -> regional S3 bucket

This works, but distant users may see more latency and every uncached request hits the regional origin.

The naive dynamic app pattern is:

global users -> one regional ALB

This may be acceptable for internal or regional users, but global latency can become painful.

Another naive mistake is putting CloudFront in front of an origin and forwarding every header, cookie, and query string by default. That can destroy cache efficiency because CloudFront treats too many request variations as unique.

A final naive mistake is leaving the S3 origin public when the requirement says users should access content only through CloudFront.

4. Core Primitives

A distribution is the CloudFront configuration that viewers connect to.

An origin is the backend that CloudFront fetches from when it does not have a usable cached response. Origins can include S3 buckets, load balancers, EC2, MediaPackage, or custom HTTP origins.

A cache behavior defines how CloudFront handles requests that match a path pattern. Behaviors choose the origin, viewer protocol policy, allowed methods, cache policy, origin request policy, TTL behavior, compression, and access restrictions.

The cache key decides what request attributes make cached objects distinct. Headers, cookies, and query strings can be part of the cache key when configured.

Origin access control lets CloudFront access private S3 origins so the bucket does not need to be public.

Invalidations remove cached objects before they expire. Versioned file names often reduce invalidation needs.

5. Architecture Use Cases

Use CloudFront for static websites backed by S3. Pair it with Route 53, ACM, and OAC for a custom HTTPS domain with a private origin.

Use CloudFront in front of an ALB for global edge delivery, TLS, and caching of static or cacheable dynamic responses.

Use signed URLs or signed cookies when users should have temporary or restricted access to private content.

Use multiple origins and cache behaviors when /static/* should go to S3 and /api/* should go to an ALB or API endpoint.

Use origin failover when CloudFront should try a secondary origin after certain origin errors.

CloudFront is also commonly paired with AWS WAF for application-layer protection at the edge.

7. Security Model

Viewer security includes HTTPS policies, custom TLS certificates, signed URLs, signed cookies, and optional WAF integration.

Origin security depends on origin type. For S3 origins, use origin access control and a bucket policy that allows the CloudFront distribution to read objects. Keep Block Public Access on when direct public bucket access is not required.

For custom origins, require HTTPS between CloudFront and the origin when sensitive data moves over that path. Restrict origin access where possible so clients cannot bypass CloudFront.

IAM controls who can modify distributions. A bad CloudFront change can redirect traffic, weaken TLS, or expose private content.

Logs and metrics help detect abuse, errors, and cache behavior problems.

8. Reliability And Resilience

CloudFront edge locations can continue serving cached content even if the origin is slow or temporarily unavailable, depending on TTL and error caching behavior.

Origin failover can route to a secondary origin for selected error conditions. This is useful for static sites or architectures with replicated origins.

CloudFront itself is managed globally, but your origin can still be a single point of failure. A distribution in front of one unhealthy EC2 instance does not create full application resilience.

Use versioned assets to make deployments safer. If a new release references app.1234.js, old cached assets can coexist with new assets.

For dynamic APIs, understand that caching may serve stale content if cache behavior is wrong.

9. Performance And Scaling

CloudFront improves performance by serving cached content closer to viewers and reducing origin round trips.

Cache hit ratio matters. Forwarding unnecessary headers, cookies, or query strings increases cache fragmentation.

Compression reduces transfer size for text assets.

TTL settings balance freshness and performance. Longer TTLs improve caching but can delay updates. Short TTLs improve freshness but increase origin load.

CloudFront can help absorb traffic spikes for cacheable content. For uncacheable dynamic traffic, the origin still needs to scale.

10. Cost Model

CloudFront cost includes data transfer out, requests, invalidations beyond free allowances, field-level features, real-time logs, and edge compute if used.

CloudFront may reduce origin data transfer and request load, but it is not automatically cheaper for every workload.

Cache behavior affects cost. A poor cache key can cause unnecessary origin requests and origin scaling.

Invalidation strategy affects cost and deployment simplicity. Versioned assets can avoid frequent broad invalidations.

Price classes can limit edge locations used to reduce cost at the expense of global latency.

12. SAA-C03 Exam Signals

"Global low latency for static content" points to CloudFront.

"S3 static site with HTTPS custom domain" often points to CloudFront plus Route 53 and ACM.

"Prevent direct S3 bucket access" points to origin access control.

"Users receive stale content after deployment" points to invalidations, TTLs, or object versioning.

"Restrict access to private content temporarily" points to signed URLs or signed cookies.

"Cache based on path pattern or route different paths to different origins" points to cache behaviors.

"Protect web app at edge" may add AWS WAF with CloudFront.

13. Common Exam Traps

Do not use CloudFront when the requirement is only private connectivity inside a VPC. That points to VPC endpoints or private networking.

Do not leave an S3 origin public if the requirement is access only through CloudFront.

Do not forward all cookies and headers without need. It can ruin caching.

Do not confuse CloudFront with Route 53. Route 53 answers DNS; CloudFront serves requests.

Do not expect CloudFront to fix an unscalable uncached origin.

Do not forget cache invalidation or versioning during deployments.

Review Static Site With CloudFront And S3, Amazon S3, and Amazon Route 53.

Official AWS references:

What to study next

These links keep the session moving: read prerequisites first, then open the systems, concepts, and patterns that deepen this page.

More Links

Additional references connected to this page.

Static Site With CloudFront And S3Use this as extra context before moving on.