...
Property | Required | Value | Justification | |
---|---|---|---|---|
AllowedMethods | No | GET, HEAD | Controls which HTTP methods are processed and forwarded to S3. No other methods are required for our use case. | |
CachedMethods | No | N/A | Not applicable if managed cache policy is CachingDisabled. | |
CachePolicyId | Conditional | “ | CachingDisabled. Will open Jira ticket to explore choices for cache settings. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html | |
Compress | No | N/A | CloudFront doesn’t compress objects when caching is disabled. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html | |
DefaultTTL | No | N/A | Deprecated | |
FieldLevelEncryptionId | No | N/A | For encrypting data uploaded through CloudFront. Not applicable. | |
ForwardedValues | Conditional | N/A | Deprecated | |
FunctionAssociations | No | N/A | Not applicable because no functions will be associated with the distribution. | |
LambdaFunctionAssociations | No | N/A | Not applicable because no Lambda functions will be associated with the distribution. | |
MaxTTL | No | N/A | Deprecated | |
MinTTL | No | N/A | Deprecated | |
OriginRequestPolicyId | No | {"Ref": "OriginRequestPolicy"} | "b689b0a8-53d0-40ab-baf2-68738e2966ac" | Need to be able to forward headers and query strings from the viewer request so we can override the response-content-disposition and response-content-type when creating the signed URL and pass other headers such as Range. By default no query strings or headers are forwarded. The chosen policy does not pass the host header, which allows CloudFront to use the S3 origin’s domain as the host in its request to the S3 origin. |
RealtimeLogConfigArn | No | N/A | Not applicable. Will be using standard logs. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html | |
ResponseHeadersPolicyId | No | N/A | The managed response header policies are applicable to static websites, not our use case. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html | |
SmoothStreaming | No | N/A | This is for media files, so not applicable. | |
TargetOriginId | Yes | "${stack}data.sagebase.org" | The value of ID for the origin. | |
TrustedKeyGroups | No | {"Ref": "CloudFrontPublicKeyGroup"} | List of key groups that CloudFront can use to validate signed URLs or signed cookies. | |
TrustedSigners | No | N/A | Using TrustedKeyGroups, so not applicable. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html | |
ViewerProtocolPolicy | Yes | https-only | All signed URLs will use HTTPS. |
...
Property | Required | Value | Justification |
---|---|---|---|
Description | No | "Origin Access Control for origin ${stack}data.sagebase.org" | Describes the origin access control. |
Name | Yes | "${stack}data-origin-access-control" | Identifies the origin access control. |
OriginAccessControlOriginType | Yes | s3 | The type of origin this access control is for. |
SigningBehavior | Yes | always | Specifies whether CloudFront overwrites the Authorization header from the viewer request, if it exists, in its request to the origin. Not applicable since we won’t be checking authorization with the signed URL. |
SigningProtocol | Yes | sigv4 | The only valid value is sigv4. |
...
Property | Required | Value | Justification |
---|---|---|---|
OriginRequestPolicyConfig | Yes | OriginRequestPolicyConfig Object | |
...
Property | Required | Value | Justification |
---|---|---|---|
Comment | No | "Origin Request Policy for origin ${stack}data.sagebase.org" | |
CookiesConfig | Yes | | |
HeadersConfig | Yes | | |
Name | Yes | "${stack}data-origin-request-policy" | |
QueryStringsConfig | Yes | | |
...
Property | Required | Value | Justification |
---|---|---|---|
CookieBehavior | Yes | "none" | No cookies need to be sent to the origin from the viewer. |
Cookies | No | N/A | |
...
Property | Required | Value | Justification |
---|---|---|---|
HeaderBehavior | Yes | "none" | No headers need to be sent to the origin from the viewer. |
Headers | No | N/A | |
...
Property | Required | Value | Justification |
---|---|---|---|
QueryStringBehavior | Yes | "whitelist" | Only the specified query strings from viewer requests are included in requests that CloudFront sends to the origin. |
QueryStrings | Yes | ["response-content-disposition", "response-content-type"] | . |
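
A policy-as-code check for the settings in these tables, added here as an example and not part of the original page or the project's own templates: it walks a CloudFormation template (as parsed JSON) and reports any drift from the documented values. The `check_template` function, the logical resource names in the constructed sample, and placing the cache behavior under `DefaultCacheBehavior` are assumptions.

```python
ALLOWED_METHODS = {"GET", "HEAD"}  # expected values below come from the tables on this page
ALLOWED_QUERY_STRINGS = {"response-content-disposition", "response-content-type"}
OAC_EXPECTED = {"OriginAccessControlOriginType": "s3", "SigningBehavior": "always",
                "SigningProtocol": "sigv4"}

def check_template(template):
    """Return a list of deviations from the documented settings (empty list = compliant)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::CloudFront::Distribution":
            # Assumption: the first table describes the distribution's DefaultCacheBehavior.
            cb = props.get("DistributionConfig", {}).get("DefaultCacheBehavior", {})
            if cb.get("ViewerProtocolPolicy") != "https-only":
                findings.append(f"{name}: ViewerProtocolPolicy is not https-only")
            extra = set(cb.get("AllowedMethods", ALLOWED_METHODS)) - ALLOWED_METHODS
            if extra:
                findings.append(f"{name}: extra AllowedMethods {sorted(extra)}")
            if not cb.get("TrustedKeyGroups"):
                findings.append(f"{name}: TrustedKeyGroups is missing")
        elif rtype == "AWS::CloudFront::OriginAccessControl":
            cfg = props.get("OriginAccessControlConfig", {})
            for key, want in OAC_EXPECTED.items():
                if cfg.get(key) != want:
                    findings.append(f"{name}: {key} is {cfg.get(key)!r}, expected {want!r}")
        elif rtype == "AWS::CloudFront::OriginRequestPolicy":
            cfg = props.get("OriginRequestPolicyConfig", {})
            qs = cfg.get("QueryStringsConfig", {})
            if qs.get("QueryStringBehavior") != "whitelist":
                findings.append(f"{name}: QueryStringBehavior is not whitelist")
            extra = set(qs.get("QueryStrings", [])) - ALLOWED_QUERY_STRINGS
            if extra:
                findings.append(f"{name}: extra QueryStrings {sorted(extra)}")
            if cfg.get("CookiesConfig", {}).get("CookieBehavior") != "none":
                findings.append(f"{name}: CookieBehavior is not none")
    return findings

# Constructed sample template; the logical resource names are hypothetical.
GOOD = {"Resources": {
    "Distribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"DefaultCacheBehavior": {
            "AllowedMethods": ["GET", "HEAD"], "ViewerProtocolPolicy": "https-only",
            "TrustedKeyGroups": [{"Ref": "CloudFrontPublicKeyGroup"}]}}}},
    "OriginAccessControl": {"Type": "AWS::CloudFront::OriginAccessControl", "Properties": {
        "OriginAccessControlConfig": dict(OAC_EXPECTED)}},
    "OriginRequestPolicy": {"Type": "AWS::CloudFront::OriginRequestPolicy", "Properties": {
        "OriginRequestPolicyConfig": {
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "whitelist",
                                   "QueryStrings": sorted(ALLOWED_QUERY_STRINGS)}}}}}}
```

Calling `check_template(GOOD)` returns an empty list; running it in CI against the rendered template turns any later change to these properties into a reviewable finding.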