
Synapse Data CloudFront CloudFormation Template Properties


Distribution

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| DistributionConfig | Yes | DistributionConfig Object | |
| Tags | No | N/A | Not required |

DistributionConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Aliases | No | N/A | For CNAMEs for static website, not applicable. |
| CacheBehaviors | No | N/A | Covered by default cache behavior |
| CNAMEs | No | N/A | Not applicable. |
| Comment | No | "CloudFront distribution for ${stack}data.sagebase.org" | Gives info about distribution. |
| ContinuousDeploymentPolicyId | No | N/A | Continuous deployment is for distributing traffic for a custom domain name to two different CF distributions. Not applicable. |
| CustomErrorResponses | No | N/A | For replacing status code in 4xx and 5xx range with custom error messages. No use case for this. |
| CustomOrigin | No | N/A | Legacy. Covered under Origin. |
| DefaultCacheBehavior | Yes | DefaultCacheBehavior Object | Required - describes the default cache behavior. |
| DefaultRootObject | No | N/A | Returns a default object when the user sends a request using the root URL and doesn’t include the object. Not applicable to our case since we are signing the URLs and users will always specify an object. |
| Enabled | Yes | True | Enables the distribution |
| HttpVersion | No | http2and3 | Defaults to HTTP 1.1, but due to security concerns with HTTP 1.1, will require either HTTP 2 or 3. |
| IPV6Enabled | No | False | Since we won’t create signed URLs that use IPV6, this is not applicable. |
| Logging | No | Logging Object | Will allow tracking for data requests. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html |
| OriginGroups | No | N/A | Only used when multiple origins are used. Not applicable. |
| Origins | No | [Origin Object] | Specifies where data will be pulled from. |
| PriceClass | No | "PriceClass_100" | Serves objects from the CloudFront edge location that has the lowest latency among the edge locations in the price class. Transferring data out to the internet is cheaper from CloudFront than from S3 only for North America and Europe, which are the only two regions in Price Class 100. "If you select a price class that does not include all locations, some of your viewers, especially those in geographic locations that are not in your price class, may experience higher latency than if your content were being served from all Amazon CloudFront locations." See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html, https://aws.amazon.com/cloudfront/pricing/ and https://aws.amazon.com/s3/pricing/ |
| Restrictions | No | N/A | Restrictions only relate to countries where content is distributed. Not applicable. |
| S3Origin | No | N/A | Legacy. Not applicable. |
| Staging | No | N/A | Indicates if this is a staging distribution. Not applicable. |
| ViewerCertificate | No | ViewerCertificate Object | |
| WebACLId | No | N/A | Current signed URLs through S3 do not use a Web ACL. |

DefaultCacheBehavior

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| AllowedMethods | No | GET, HEAD | Controls which HTTP methods are processed and forwarded to S3. No other methods are required for our use case. |
| CachedMethods | No | N/A | Not applicable if managed cache policy is CachingDisabled. |
| CachePolicyId | Conditional | "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" | CachingDisabled. Will open Jira ticket to explore choices for cache settings. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html |
| Compress | No | N/A | CloudFront doesn’t compress objects when caching is disabled. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html |
| DefaultTTL | No | N/A | Deprecated |
| FieldLevelEncryptionId | No | N/A | For encrypting data uploaded through CloudFront. Not applicable. |
| ForwardedValues | Conditional | N/A | Deprecated |
| FunctionAssociations | No | N/A | Not applicable because no functions will be associated with the distribution. |
| LambdaFunctionAssociations | No | N/A | Not applicable because no Lambda functions will be associated with the distribution. |
| MaxTTL | No | N/A | Deprecated |
| MinTTL | No | N/A | Deprecated |
| OriginRequestPolicyId | No | {"Ref": "OriginRequestPolicy"} (OriginRequestPolicy Object) | Need to be able to forward query strings from the viewer request so we can override the response-content-disposition and response-content-type when creating the signed URL. By default no query strings are forwarded. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html |
| RealtimeLogConfigArn | No | N/A | Not applicable. Will be using standard log. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html |
| ResponseHeadersPolicyId | No | N/A | The managed response header policies are applicable to static websites, not our use case. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html and https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html |
| SmoothStreaming | No | N/A | This is for media files, so not applicable. |
| TargetOriginId | Yes | "${stack}data.sagebase.org" | The value of ID for the origin. |
| TrustedKeyGroups | No | {"Ref": "CloudFrontPublicKeyGroup"} (KeyGroup Object) | List of key groups that CloudFront can use to validate signed URLs or signed cookies. |
| TrustedSigners | No | N/A | Using TrustedKeyGroups, so not applicable. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html |
| ViewerProtocolPolicy | Yes | https-only | All signed URLs will use HTTPS. |

Origin

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| ConnectionAttempts | No | N/A | The number of times that CloudFront attempts to connect to the origin. Minimum is 1, maximum is 3, default is 3. |
| ConnectionTimeout | No | N/A | The number of seconds that CloudFront waits when trying to establish a connection to the origin. Minimum is 1 second, maximum is 10 seconds, default is 10 seconds. |
| CustomOriginConfig | Conditional | N/A | Used when an origin is not an S3 bucket. Not applicable. |
| DomainName | Yes | "${stack}data.sagebase.org.s3.us-east-1.amazonaws.com" | Required, this is the domain name of the origin. |
| Id | Yes | "${stack}data.sagebase.org" | A unique identifier for the origin to be used in the cache behavior portion of the template. |
| OriginAccessControlId | No | {"Ref": "OriginAccessControl"} (OriginAccessControl Object) | Identifies the origin access control, which is used to give permissions to get objects from the S3 bucket origin. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html |
| OriginCustomHeaders | No | N/A | A list of header names and values that CloudFront adds to the request to the origin. Not applicable. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html |
| OriginPath | No | N/A | An optional path that CloudFront appends to the origin domain name when a request is sent to the origin. Not applicable. |
| OriginShield | No | N/A | An additional layer of caching in the CloudFront caching infrastructure. None of the use cases described by AWS fit ours. See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html |
| S3OriginConfig | Conditional | S3OriginConfig Object | Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting. If it is not included, the request fails with the error message "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified". |

Logging

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Bucket | Yes | "${stack}.log.sagebase.org.s3.us-east-1.amazonaws.com" | Required |
| IncludeCookies | No | True | |
| Prefix | No | "cloudFrontDataRequests" | |

S3OriginConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| OriginAccessIdentity | No | "" | Per documentation, if you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element. |

ViewerCertificate

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| AcmCertificateArn | Conditional | N/A | Not applicable, since we won’t be using alternate domain names or CNAMEs. |
| CloudFrontDefaultCertificate | Conditional | True | The distribution uses the CloudFront domain name instead of an Alias/CNAME. |
| IamCertificateId | Conditional | N/A | Not applicable, since we won’t be using alternate domain names or CNAMEs. |
| MinimumProtocolVersion | Conditional | N/A | Not applicable, since we won’t be using alternate domain names or CNAMEs. When the SSL certificate is the default CloudFront certificate (`*.cloudfront.net`), CloudFront automatically sets the security policy to TLSv1. However, setting HTTPVersion in the origin to HTTP/2and3 requires that viewers support TLSv1.2 and TLSv1.3. |
| SslSupportMethod | Conditional | N/A | Not applicable, since we won’t be using alternate domain names or CNAMEs. |

KeyGroup

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| KeyGroupConfig | Yes | KeyGroupConfig Object | Required |

KeyGroupConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Comment | No | "Public key group for ${stack}data.sagebase.org CloudFront infrastructure" | Gives description of key group |
| Items | Yes | {"Ref": "CloudFrontPublicKey"} (PublicKey Object) | Lists the identifiers of the public keys in the key group |
| Name | Yes | "${stack}data-key-group" | Identifies the key group |

PublicKey

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Properties | Yes | PublicKeyConfig Object | |

PublicKeyConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| CallerReference | Yes | "${stack}data-public-key" | A string included in the request to help make sure the request can’t be replayed |
| Comment | No | "Public key for ${stack}data.sagebase.org CloudFront infrastructure" | Describes the public key |
| EncodedKey | Yes | "${DataCdnPublicKey}" | The public key itself |
| Name | Yes | "${stack}data-public-key" | Identifies the public key |

OriginAccessControl

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| OriginAccessControlConfig | Yes | OriginAccessControlConfig Object | |

OriginAccessControlConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Description | No | "Origin Access Control for origin ${stack}data.sagebase.org" | Describes the origin access control. |
| Name | Yes | "${stack}data-origin-access-control" | Identifies the origin access control. |
| OriginAccessControlOriginType | Yes | s3 | The type of origin this access control is for. |
| SigningBehavior | Yes | always | Specifies whether CloudFront overwrites the Authorization header from the viewer request, if one exists, in its request to the origin. Not applicable since we won’t be checking authorization with the signed URL. |
| SigningProtocol | Yes | sigv4 | The only valid value is sigv4. |

OriginRequestPolicy

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| OriginRequestPolicyConfig | Yes | OriginRequestPolicyConfig Object | |

OriginRequestPolicyConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| Comment | No | "Origin Request Policy for origin ${stack}data.sagebase.org" | |
| CookiesConfig | Yes | CookiesConfig Object | |
| HeadersConfig | Yes | HeadersConfig Object | |
| Name | Yes | "${stack}data-origin-request-policy" | |
| QueryStringsConfig | Yes | QueryStringsConfig Object | |

CookiesConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| CookieBehavior | Yes | "none" | No cookies need to be sent to the origin from the viewer. |
| Cookies | No | N/A | |

HeadersConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| HeaderBehavior | Yes | "none" | No headers need to be sent to the origin from the viewer. |
| Headers | No | N/A | |

QueryStringsConfig

| Property | Required | Value | Justification |
| --- | --- | --- | --- |
| QueryStringBehavior | Yes | "whitelist" | Only the specified query strings from viewer requests are included in requests that CloudFront sends to the origin. |
| CookiesConfig | Yes | ["response-content-disposition", "response-content-type"] | These query strings allow the signed URL to specify the content disposition and content type that will be used in the response headers from CloudFront. |
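
An added example, not part of the original page or the project's template: a Python check that compares a parsed DistributionConfig and OriginRequestPolicyConfig against the security-relevant values chosen in the tables above. The function names and the sample values (with `dev` standing in for ${stack}) are assumptions; the forwarded list is read from `QueryStrings`, the CloudFormation property that holds it.

```python
ALLOWED_QUERY_STRINGS = {"response-content-disposition", "response-content-type"}

def check_distribution(dist_config, request_policy_config):
    """Return findings; an empty list means the config matches the tables."""
    findings = []
    behavior = dist_config.get("DefaultCacheBehavior", {})
    if behavior.get("ViewerProtocolPolicy") != "https-only":
        findings.append("ViewerProtocolPolicy must be https-only")
    # Without a trusted key group the behavior has nothing to validate signed URLs with.
    if not behavior.get("TrustedKeyGroups"):
        findings.append("TrustedKeyGroups is empty")
    extra = set(behavior.get("AllowedMethods", [])) - {"GET", "HEAD"}
    if extra:
        findings.append("AllowedMethods beyond GET/HEAD: " + ", ".join(sorted(extra)))
    if dist_config.get("HttpVersion") != "http2and3":
        findings.append("HttpVersion must be http2and3")
    # Every origin must reference the origin access control.
    for origin in dist_config.get("Origins", []):
        if not origin.get("OriginAccessControlId"):
            findings.append("Origin %s has no OriginAccessControlId" % origin.get("Id"))
    qs = request_policy_config.get("QueryStringsConfig", {})
    if qs.get("QueryStringBehavior") != "whitelist":
        findings.append("QueryStringBehavior must be whitelist")
    unexpected = set(qs.get("QueryStrings", [])) - ALLOWED_QUERY_STRINGS
    if unexpected:
        findings.append("Unexpected query strings: " + ", ".join(sorted(unexpected)))
    return findings

def sample_config():
    """Constructed sample following the tables; 'dev' stands in for ${stack}."""
    dist = {
        "Enabled": True,
        "HttpVersion": "http2and3",
        "DefaultCacheBehavior": {
            "AllowedMethods": ["GET", "HEAD"],
            "TargetOriginId": "devdata.sagebase.org",
            "TrustedKeyGroups": [{"Ref": "CloudFrontPublicKeyGroup"}],
            "ViewerProtocolPolicy": "https-only",
        },
        "Origins": [{
            "Id": "devdata.sagebase.org",
            "OriginAccessControlId": {"Ref": "OriginAccessControl"},
        }],
    }
    policy = {"QueryStringsConfig": {
        "QueryStringBehavior": "whitelist",
        "QueryStrings": ["response-content-disposition", "response-content-type"],
    }}
    return dist, policy
```
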
