Versions Compared


...

Property | Required | Value | Justification
--- | --- | --- | ---
Aliases | No | ["data.${stack}.sagebase.org"], RecordSet Object | Alias used so an SSL Certificate can be set to specify minimum TLS versions. (Earlier revision: N/A; "For CNAMEs for static website, not applicable".)
CacheBehaviors | No | N/A | Covered by the default cache behavior.
CNAMEs | No | N/A | Not applicable.
Comment | No | "CloudFront distribution for ${stack}data.sagebase.org" | Gives info about the distribution.
ContinuousDeploymentPolicyId | No | N/A | Continuous deployment is for distributing traffic for a custom domain name to two different CF distributions. Not applicable.
CustomErrorResponses | No | N/A | For replacing status codes in the 4xx and 5xx range with custom error messages. No use case for this.
CustomOrigin | No | N/A | Legacy. Covered under Origin.
DefaultCacheBehavior | Yes | DefaultCacheBehavior Object | Required; describes the default cache behavior.
DefaultRootObject | No | N/A | Returns a default object when the user sends a request using the root URL and doesn't include the object. Not applicable to our case since we are signing the URLs and users will always specify an object.
Enabled | Yes | True | Enables the distribution.
HttpVersion | No | http2and3 | Defaults to HTTP 1.1, but due to security concerns with HTTP 1.1, will require either HTTP 2 or 3.
IPV6Enabled | No | False | Since we won't create signed URLs that use IPv6, this is not applicable.
Logging | No | Logging Object | Will allow tracking of data requests. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
OriginGroups | No | N/A | Only used when multiple origins are used. Not applicable.
Origins | No | [Origin Object] | Specifies where data will be pulled from.
PriceClass | No | "PriceClass_100" | Serves objects from the CloudFront edge location that has the lowest latency among the edge locations in the price class. The cost to transfer data out to the internet from CloudFront compared to from S3 is only lower for North America/Europe, which are the only two regions in Price Class 100. "If you select a price class that does not include all locations, some of your viewers, especially those in geographic locations that are not in your price class, may experience higher latency than if your content were being served from all Amazon CloudFront locations." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html, https://aws.amazon.com/cloudfront/pricing/, https://aws.amazon.com/s3/pricing/
Restrictions | No | N/A | Restrictions only relate to countries where content is distributed. Not applicable.
S3Origin | No | N/A | Legacy. Not applicable.
Staging | No | N/A | Indicates if this is a staging distribution. Not applicable.
ViewerCertificate | No | ViewerCertificate Object | Gives the ability to set the minimum TLS version. (Earlier revision: N/A; "Not required. Minimum TLS requirement set in HttpVersion".)
WebACLId | No | N/A | Current signed URLs through S3 do not use a Web ACL.

...

Property | Required | Value | Justification
--- | --- | --- | ---
ConnectionAttempts | No | N/A | The number of times that CloudFront attempts to connect to the origin. Minimum is 1, maximum is 3, default is 3.
ConnectionTimeout | No | N/A | The number of seconds that CloudFront waits when trying to establish a connection to the origin. Minimum is 1 second, maximum is 10 seconds, default is 10 seconds.
CustomOriginConfig | Conditional | N/A | Used when an origin is not an S3 bucket. Not applicable.
DomainName | Yes | "${stack}data.sagebase.org.s3.us-east-1.amazonaws.com" | Required; this is the domain name of the origin.
Id | Yes | "${stack}data.sagebase.org" | A unique identifier for the origin, to be used in the cache behavior portion of the template.
OriginAccessControlId | No | {"Ref": "OriginAccessControl"}, OriginAccessControl Object | Identifies the origin access control, which is used to give permissions to get objects from the S3 bucket origin. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
OriginCustomHeaders | No | N/A | A list of header names and values that CloudFront adds to the request to the origin. Not applicable. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html
OriginPath | No | N/A | An optional path that CloudFront appends to the origin domain name when a request is sent to the origin. Not applicable.
OriginShield | No | N/A | An additional layer of caching in the CloudFront caching infrastructure. None of the use cases described by AWS fit ours. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
S3OriginConfig | Conditional | S3OriginConfig Object | Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting. If it is not included you get the error message "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified".

ViewerCertificate

Property | Required | Value | Justification
--- | --- | --- | ---
AcmCertificateArn | Conditional | "${DataCdnCertificateArn}" | ACM SSL certificate for the Alias defined in DistributionConfig.
CloudFrontDefaultCertificate | Conditional | N/A | Only required if the default CloudFront domain name is used.
IamCertificateId | Conditional | N/A | Only required if the SSL certificate is stored in IAM.
MinimumProtocolVersion | Conditional | "TLSv1.2_2021" | 
SslSupportMethod | Conditional | "sni-only" | Recommended by AWS. Accepts HTTPS connections only from viewers that support Server Name Indication, which is an extension to TLS that allows clients to indicate the host they are attempting to connect to during the handshake process.

Logging

...

Property | Required | Value | Justification
--- | --- | --- | ---
Description | No | "Origin Access Control for origin ${stack}data.sagebase.org" | Describes the origin access control.
Name | Yes | "${stack}data-origin-access-control" | Identifies the origin access control.
OriginAccessControlOriginType | Yes | s3 | The type of origin this access control is for.
SigningBehavior | Yes | always | Specifies whether CloudFront overwrites the Authorization header from the viewer request in its request to the origin, if it exists. Not applicable since we won't be checking authorization with the signed URL.
SigningProtocol | Yes | sigv4 | The only valid value is sigv4.

RecordSet

Property | Required | Value | Justification
--- | --- | --- | ---
AliasTarget | No | AliasTarget Object | 
CidrRoutingConfig | No | N/A | Not applicable.
Comment | No | "Record set for the CloudFront distribution for ${stack}data.sagebase.org" | 
Failover | No | N/A | For configuring failover if one resource goes down. Not applicable.
GeoLocation | No | N/A | Lets you control how Route 53 responds to DNS queries based on geographic origin. Not applicable.
HealthCheckId | No | N/A | Not possible with CloudFront.
HostedZoneId | No | N/A | HostedZoneName is used instead.
HostedZoneName | No | "${stack}.sagebase.org." | The name of the hosted zone where the record is created.
MultiValueAnswer | No | N/A | For routing traffic randomly to multiple resources. Not applicable.
Name | Yes | "data.${stack}.sagebase.org" | 
Region | No | N/A | For latency-based resource record sets only.
ResourceRecords | No | N/A | Omitted if AliasTarget is used.
SetIdentifier | No | N/A | For differentiating among multiple resource record sets. Not applicable.
TTL | No | N/A | Omitted when using an alias resource record set.
Type | Yes | "A" | "A" is used for CloudFront distributions.
Weight | No | N/A | For weighted resource record sets only.

AliasTarget

Property | Required | Value | Justification
--- | --- | --- | ---
DNSName | Yes | { "Fn::GetAtt": ["CloudFront", "DomainName"] } | For a CloudFront distribution, the domain name.
EvaluateTargetHealth | No | N/A | Cannot be set for CloudFront distributions.
HostedZoneId | Yes | "Z2FDTNDATAQYW2" | Always the hosted zone ID when an alias record is created for a CloudFront distribution.
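The property choices from the tables above, assembled into one CloudFormation fragment. This is an added example, not the project's own template: it assumes a `stack` parameter and a `DataCdnCertificateArn` parameter behind the `${stack}` and `${DataCdnCertificateArn}` references, and because the tables elide the DefaultCacheBehavior and Logging objects, the three DefaultCacheBehavior values are assumed (the AWS managed CachingOptimized cache policy) and Logging is left out.

```yaml
Parameters:
  stack:                  # assumed parameter behind the "${stack}" prefix used in the tables
    Type: String
  DataCdnCertificateArn:  # assumed parameter: ACM certificate ARN for the alias
    Type: String
Resources:
  OriginAccessControl:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub "${stack}data-origin-access-control"
        Description: !Sub "Origin Access Control for origin ${stack}data.sagebase.org"
        OriginAccessControlOriginType: s3
        SigningBehavior: always      # CloudFront SigV4-signs every request it sends to the bucket
        SigningProtocol: sigv4
  CloudFront:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Comment: !Sub "CloudFront distribution for ${stack}data.sagebase.org"
        Enabled: true
        Aliases: [!Sub "data.${stack}.sagebase.org"]
        HttpVersion: http2and3
        IPV6Enabled: false
        PriceClass: PriceClass_100
        Origins:
          - Id: !Sub "${stack}data.sagebase.org"
            DomainName: !Sub "${stack}data.sagebase.org.s3.us-east-1.amazonaws.com"
            OriginAccessControlId: !Ref OriginAccessControl
            S3OriginConfig: {OriginAccessIdentity: ""}   # required beside OAC; no legacy OAI
        DefaultCacheBehavior:       # elided in the tables; these three values are assumptions
          TargetOriginId: !Sub "${stack}data.sagebase.org"
          ViewerProtocolPolicy: https-only
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # AWS managed CachingOptimized
        ViewerCertificate:
          AcmCertificateArn: !Ref DataCdnCertificateArn
          MinimumProtocolVersion: TLSv1.2_2021
          SslSupportMethod: sni-only
  DataRecordSet:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneName: !Sub "${stack}.sagebase.org."
      Name: !Sub "data.${stack}.sagebase.org"
      Type: A
      Comment: !Sub "Record set for the CloudFront distribution for ${stack}data.sagebase.org"
      AliasTarget:
        DNSName: !GetAtt CloudFront.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed zone ID for every CloudFront alias record
```

The origin access control only makes CloudFront sign its origin requests; the bucket must still carry a policy that grants s3:GetObject to the cloudfront.amazonaws.com service principal, conditioned on this distribution's ARN, or every object request returns 403.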