DistributionConfig

Property | Required | Value | Justification
---|---|---|---
Aliases | No | ["data.${stack}.sagebase.org"] | An Alias is used so that an SSL certificate can be attached and a minimum TLS version enforced. (Alternative without an Alias: N/A; aliases are CNAMEs for a static website and would not be applicable.)
CacheBehaviors | No | N/A | Covered by the default cache behavior.
CNAMEs | No | N/A | Not applicable.
Comment | No | "CloudFront distribution for ${stack}data.sagebase.org" | Gives information about the distribution.
ContinuousDeploymentPolicyId | No | N/A | Continuous deployment distributes traffic for a custom domain name across two different CloudFront distributions. Not applicable.
CustomErrorResponses | No | N/A | For replacing status codes in the 4xx and 5xx range with custom error messages. No use case for this.
CustomOrigin | No | N/A | Legacy. Covered under Origins.
DefaultCacheBehavior | Yes | Object (see the DefaultCacheBehavior table below) | Required; describes the default cache behavior.
DefaultRootObject | No | N/A | Returns a default object when the user requests the root URL without naming an object. Not applicable to our case, since we sign the URLs and users will always specify an object.
Enabled | Yes | True | Enables the distribution.
HttpVersion | No | http2and3 | Defaults to HTTP/1.1, but due to security concerns with HTTP/1.1 we will require either HTTP/2 or HTTP/3.
IPV6Enabled | No | False | Since we won't create signed URLs that use IPv6, this is not applicable.
Logging | No | Object (see the Logging table below) | Allows tracking of data requests. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
OriginGroups | No | N/A | Only used when multiple origins are used. Not applicable.
Origins | No | List of Origin objects (see the Origins table below) | Specifies where data will be pulled from.
PriceClass | No | "PriceClass_100" | Serves objects from the CloudFront edge location with the lowest latency among the edge locations in the price class. Data transfer out to the internet is cheaper from CloudFront than from S3 only for North America and Europe, which are the only two regions in Price Class 100. "If you select a price class that does not include all locations, some of your viewers, especially those in geographic locations that are not in your price class, may experience higher latency than if your content were being served from all Amazon CloudFront locations." https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html
Restrictions | No | N/A | Restrictions only relate to the countries where content is distributed. Not applicable.
S3Origin | No | N/A | Legacy. Not applicable.
Staging | No | N/A | Indicates whether this is a staging distribution. Not applicable.
ViewerCertificate | No | Object (see the ViewerCertificate table below) | Gives the ability to set a minimum TLS version.
WebACLId | No | N/A | Current signed URLs through S3 do not use a Web ACL.
DefaultCacheBehavior

Property | Required | Value | Justification
---|---|---|---
AllowedMethods | No | GET, HEAD | Controls which HTTP methods are processed and forwarded to S3. No other methods are required for our use case.
CachedMethods | No | N/A | Not applicable when the managed cache policy is CachingDisabled.
CachePolicyId | Conditional | CachingDisabled (managed cache policy) | Will open a Jira ticket to explore choices for cache settings. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html
Compress | No | N/A | CloudFront doesn't compress objects when caching is disabled. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
DefaultTTL | No | N/A | Deprecated.
FieldLevelEncryptionId | No | N/A | For encrypting data uploaded through CloudFront. Not applicable.
ForwardedValues | Conditional | N/A | Deprecated.
FunctionAssociations | No | N/A | Not applicable, because no functions will be associated with the distribution.
LambdaFunctionAssociations | No | N/A | Not applicable, because no Lambda functions will be associated with the distribution.
MaxTTL | No | N/A | Deprecated.
MinTTL | No | N/A | Deprecated.
OriginRequestPolicyId | No | {"Ref": "OriginRequestPolicy"} (alternative: the managed policy "b689b0a8-53d0-40ab-baf2-68738e2966ac") | We need to forward headers and query strings from the viewer request so we can override response-content-disposition and response-content-type when creating the signed URL, and pass other headers such as Range. By default no query strings or headers are forwarded. The chosen policy does not pass the Host header, which allows CloudFront to use the S3 origin's domain as the host in its request to the S3 origin.
RealtimeLogConfigArn | No | N/A | Not applicable. Will be using standard logs. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html
ResponseHeadersPolicyId | No | N/A | The managed response header policies are applicable to static websites, not our use case. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html
SmoothStreaming | No | N/A | This is for media files, so not applicable.
TargetOriginId | Yes | "${stack}data.sagebase.org" | The value of Id for the origin.
TrustedKeyGroups | No | {"Ref": "CloudFrontPublicKeyGroup"} | List of key groups that CloudFront can use to validate signed URLs or signed cookies.
TrustedSigners | No | N/A | Using TrustedKeyGroups, so not applicable. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
ViewerProtocolPolicy | Yes | https-only | All signed URLs will use HTTPS.
Origins (Origin object)

Property | Required | Value | Justification
---|---|---|---
ConnectionAttempts | No | N/A | The number of times that CloudFront attempts to connect to the origin. Minimum is 1, maximum is 3, default is 3.
ConnectionTimeout | No | N/A | The number of seconds that CloudFront waits when trying to establish a connection to the origin. Minimum is 1 second, maximum is 10 seconds, default is 10 seconds.
CustomOriginConfig | Conditional | N/A | Used when an origin is not an S3 bucket. Not applicable.
DomainName | Yes | | Required; this is the domain name of the origin.
Id | Yes | "${stack}data.sagebase.org" | A unique identifier for the origin, referenced from the cache behavior portion of the template.
OriginAccessControlId | No | {"Ref": "OriginAccessControl"} | Identifies the origin access control, which is used to grant permission to get objects from the S3 bucket origin.
OriginCustomHeaders | No | N/A | A list of header names and values that CloudFront adds to the request to the origin. Not applicable. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html
OriginPath | No | N/A | An optional path that CloudFront appends to the origin domain name when a request is sent to the origin. Not applicable.
OriginShield | No | N/A | An additional layer of caching in the CloudFront caching infrastructure. None of the use cases described by AWS fit ours. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
S3OriginConfig | Conditional | Object (see the S3OriginConfig table below) | Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting. If it is omitted, the error "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified" is returned.
ViewerCertificate

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html

Property | Required | Value | Justification
---|---|---|---
AcmCertificateArn | Conditional | "${DataCdnCertificateArn}" | ACM SSL certificate for the Alias defined in DistributionConfig.
CloudFrontDefaultCertificate | Conditional | N/A | Only required if the default CloudFront domain name is used.
IamCertificateId | Conditional | N/A | Only required if the SSL certificate is stored in IAM.
MinimumProtocolVersion | Conditional | "TLSv1.2_2021" |
SslSupportMethod | Conditional | "sni-only" | Recommended by AWS. Accepts HTTPS connections only from viewers that support Server Name Indication (SNI), an extension to TLS that lets clients indicate the host they are attempting to connect to during the handshake.

Alternative without an Alias (the distribution uses the default CloudFront domain name instead of an Alias/CNAME):

Property | Required | Value | Justification
---|---|---|---
AcmCertificateArn | Conditional | N/A | Not applicable, since we won't be using alternate domain names or CNAMEs.
CloudFrontDefaultCertificate | Conditional | True | The distribution uses the CloudFront domain name instead of an Alias/CNAME.
IamCertificateId | Conditional | N/A | Not applicable, since we won't be using alternate domain names or CNAMEs.
MinimumProtocolVersion | Conditional | N/A | Not applicable, since we won't be using alternate domain names or CNAMEs. When the SSL certificate is the default CloudFront certificate (*.cloudfront.net), CloudFront automatically sets the security policy to TLSv1. However, setting HttpVersion to http2and3 requires that viewers support TLSv1.2 and TLSv1.3.
SslSupportMethod | Conditional | N/A |

Logging

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-logging.html

Property | Required | Value | Justification
---|---|---|---
Bucket | Yes | "${stack}.log.sagebase.org.s3.us-east-1.amazonaws.com" | Required.
IncludeCookies | No | False | (An earlier draft of this table set this to True.)
Prefix | No | "cloudFrontDataRequests" |

S3OriginConfig

Property | Required | Value | Justification
---|---|---|---
OriginAccessIdentity | No | "" | Per the documentation, if you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.
KeyGroup

...

OriginAccessControl

Property | Required | Value | Justification
---|---|---|---
Description | No | "Origin Access Control for origin ${stack}data.sagebase.org" | Describes the origin access control.
Name | Yes | "${stack}data-origin-access-control" | Identifies the origin access control.
OriginAccessControlOriginType | Yes | s3 | The type of origin this access control is for.
SigningBehavior | Yes | always | Specifies whether CloudFront overwrites the Authorization header from the viewer request, if present, in its request to the origin. Not applicable, since we won't be checking authorization with the signed URL.
SigningProtocol | Yes | sigv4 | The only valid value is sigv4.
RecordSet

Property | Required | Value | Justification
---|---|---|---
AliasTarget | No | Object (see the AliasTarget table below) |
CidrRoutingConfig | No | N/A | Not applicable.
Comment | No | "Record set for the CloudFront distribution for ${stack}data.sagebase.org" |
Failover | No | N/A | For configuring failover if one resource goes down. Not applicable.
GeoLocation | No | N/A | Lets you control how Route 53 responds to DNS queries based on geographic origin. Not applicable.
HealthCheckId | No | N/A | Not possible with CloudFront.
HostedZoneId | No | N/A | HostedZoneName is used instead.
HostedZoneName | No | "${stack}.sagebase.org." | The name of the hosted zone where the record is created.
MultiValueAnswer | No | N/A | For routing traffic randomly to multiple resources. Not applicable.
Name | Yes | "data.${stack}.sagebase.org" |
Region | No | N/A | For latency-based resource record sets only.
ResourceRecords | No | N/A | Omitted if AliasTarget is used.
SetIdentifier | No | N/A | For differentiating among multiple resource record sets. Not applicable.
TTL | No | N/A | Omitted when using an alias resource record set.
Type | Yes | "A" | "A" is used for CloudFront distributions.
Weight | No | N/A | For weighted resource record sets only.

AliasTarget

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-recordset-aliastarget.html

Property | Required | Value | Justification
---|---|---|---
DNSName | Yes | { "Fn::GetAtt": ["CloudFront", "DomainName"] } | For a CloudFront distribution, the domain name of the distribution.
EvaluateTargetHealth | No | N/A | Cannot be set for CloudFront distributions.
HostedZoneId | Yes | "Z2FDTNDATAQYW2" | Always this hosted zone ID when an alias record is created for a CloudFront distribution.

OriginRequestPolicy

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-originrequestpolicy.html

Property | Required | Value | Justification
---|---|---|---
OriginRequestPolicyConfig | Yes | OriginRequestPolicyConfig object (see below) |

OriginRequestPolicyConfig

Property | Required | Value | Justification
---|---|---|---
Comment | No | "Origin Request Policy for origin ${stack}data.sagebase.org" |
CookiesConfig | Yes | Object (see below) |
HeadersConfig | Yes | Object (see below) |
QueryStringsConfig | Yes | Object (see below) |

CookiesConfig

Property | Required | Value | Justification
---|---|---|---
CookieBehavior | Yes | "none" | No cookies need to be sent to the origin from the viewer.

HeadersConfig

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originrequestpolicy-headersconfig.html

Property | Required | Value | Justification
---|---|---|---
HeaderBehavior | Yes | "none" | No headers need to be sent to the origin from the viewer.

QueryStringsConfig

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-originrequestpolicy-querystringsconfig.html

Property | Required | Value | Justification
---|---|---|---
QueryStringBehavior | Yes | "whitelist" | Only the specified query strings from viewer requests are included in requests that CloudFront sends to the origin.
QueryStrings | Yes | ["response-content-disposition", "response-content-type"] |

CloudFrontMonitoringSubscription

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-monitoringsubscription.html

Property | Required | Value | Justification
---|---|---|---
DistributionId | Yes | { "Ref": "CloudFront" } |
MonitoringSubscription | Yes | Object (contains only RealTimeMetricsSubscriptionConfig) |
RealTimeMetricsSubscriptionConfig | No | Object (contains only RealTimeMetricsSubscriptionStatus) |
RealTimeMetricsSubscriptionStatus | Yes | "Enabled" |
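The tables above fix a handful of settings that the signed-URL design depends on (https-only viewer policy, TrustedKeyGroups, http2and3, TLSv1.2_2021 through an ACM certificate on the Alias, standard logging, exactly one origin config, and an OAC that always signs with sigv4 alongside an empty OriginAccessIdentity). The following is an added example, not code from the design document or Sage's templates: a small linter that checks a CloudFormation template loaded as a JSON dict against those choices. The Ref logical names come from the tables; the domain names, account id and certificate ARN in the embedded template are constructed placeholders.

```python
"""Lint a CloudFormation template for the CloudFront choices these tables make. Added
example, not from the design document or Sage's templates; Ref names come from the
tables, domain names and the certificate ARN below are constructed placeholders."""


def lint_distribution(template: dict) -> list[str]:
    """Return one finding per setting that departs from the design; [] means compliant."""
    res, findings = template["Resources"], []
    oacs = {k for k, v in res.items() if v["Type"] == "AWS::CloudFront::OriginAccessControl"}
    for name, r in res.items():
        if r["Type"] != "AWS::CloudFront::Distribution":
            continue
        cfg = r["Properties"]["DistributionConfig"]
        dcb = cfg["DefaultCacheBehavior"]
        if dcb.get("ViewerProtocolPolicy") != "https-only":
            findings.append(f"{name}: ViewerProtocolPolicy must be https-only")
        if not dcb.get("TrustedKeyGroups") or dcb.get("TrustedSigners"):
            findings.append(f"{name}: signed URLs must be validated with TrustedKeyGroups")
        if cfg.get("HttpVersion") != "http2and3":
            findings.append(f"{name}: HttpVersion should be http2and3")
        cert = cfg.get("ViewerCertificate", {})
        # The default *.cloudfront.net certificate pins the policy to TLSv1; an Alias + ACM cert is needed.
        if cert.get("CloudFrontDefaultCertificate") or cert.get("MinimumProtocolVersion") != "TLSv1.2_2021":
            findings.append(f"{name}: MinimumProtocolVersion must be TLSv1.2_2021 via an ACM certificate")
        if "Logging" not in cfg:
            findings.append(f"{name}: standard access logging is not configured")
        for o in cfg.get("Origins", []):
            if ("S3OriginConfig" in o) == ("CustomOriginConfig" in o):
                findings.append(f"{name}/{o['Id']}: exactly one of S3OriginConfig and CustomOriginConfig")
            if "S3OriginConfig" in o:
                ref = o.get("OriginAccessControlId")
                uses_oac = isinstance(ref, dict) and ref.get("Ref") in oacs
                if not uses_oac or o["S3OriginConfig"].get("OriginAccessIdentity") != "":
                    findings.append(f"{name}/{o['Id']}: S3 origin must use OAC with an empty OriginAccessIdentity")
    for name in oacs:
        c = res[name]["Properties"]["OriginAccessControlConfig"]
        if (c.get("SigningBehavior"), c.get("SigningProtocol")) != ("always", "sigv4"):
            findings.append(f"{name}: OAC must sign every origin request (always, sigv4)")
    return findings


# Constructed template fragment mirroring the table values for stack "dev" (placeholders, not a real deployment).
TEMPLATE = {"Resources": {
    "OriginAccessControl": {"Type": "AWS::CloudFront::OriginAccessControl", "Properties": {"OriginAccessControlConfig": {
        "Name": "devdata-origin-access-control", "OriginAccessControlOriginType": "s3", "SigningBehavior": "always", "SigningProtocol": "sigv4"}}},
    "CloudFront": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {
        "Enabled": True, "HttpVersion": "http2and3", "Aliases": ["data.dev.sagebase.org"],
        "ViewerCertificate": {"AcmCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER", "MinimumProtocolVersion": "TLSv1.2_2021", "SslSupportMethod": "sni-only"},
        "Logging": {"Bucket": "dev.log.sagebase.org.s3.us-east-1.amazonaws.com", "IncludeCookies": False, "Prefix": "cloudFrontDataRequests"},
        "Origins": [{"Id": "devdata.sagebase.org", "DomainName": "example-bucket-placeholder.s3.us-east-1.amazonaws.com", "OriginAccessControlId": {"Ref": "OriginAccessControl"}, "S3OriginConfig": {"OriginAccessIdentity": ""}}],
        "DefaultCacheBehavior": {"TargetOriginId": "devdata.sagebase.org", "ViewerProtocolPolicy": "https-only", "AllowedMethods": ["GET", "HEAD"], "TrustedKeyGroups": [{"Ref": "CloudFrontPublicKeyGroup"}], "OriginRequestPolicyId": {"Ref": "OriginRequestPolicy"}}}}}}}
```

Run `lint_distribution(json.load(open("template.json")))` against a rendered template; an empty list means every checked setting matches the tables, and each finding names the resource (and origin Id) that drifted.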