Document toolboxDocument toolbox

Synapse Data CloudFront CloudFormation Template Properties

Distribution

Property

Required

Value

Justification

Property

Required

Value

Justification

DistributionConfig

Yes

DistributionConfig Object

 

Tags

No

N/A

Not required

DistributionConfig

Property

Required

Value

Justification

Property

Required

Value

Justification

Aliases

No

["data.${stack}.sagebase.org"]

RecordSet Object

Alias used so an SSL Certificate can be set to specify minimum TLS versions.

CacheBehaviors

No

N/A

Covered by default cache behavior

CNAMEs

No

N/A

Not applicable.

Comment

No

“CloudFront distribution for ${stack}data.sagebase.org

Gives info about distribution.

ContinuousDeploymentPolicyId

No

N/A

Continuous deployment is for distributing traffic for a custom domain name to two different CF distributions. Not applicable.

CustomErrorResponses

No

N/A

For replacing status code in 4xx and 5xx range with custom error messages. No use case for this.

CustomOrigin

No

N/A

Legacy. Covered under Origin.

DefaultCacheBehavior

Yes

DefaultCacheBehavior Object

Required - describes default caches behavior.

DefaultRootObject

No

N/A

Returns a default object when the user sends a request using the root URL and doesn’t include the object. Not applicable to our case since we are signing the URLs and users will always specify an object.

Enabled

Yes

True

Enables the distribution

HttpVersion

No

http2and3

Defaults to HTTP 1.1 , but due to security concerns with HTTP 1.1, will require either HTTP 2 or 3.

IPV6Enabled

No

False

Not applicable.

Logging

No

Logging Object

Will allow tracking for data requests.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

OriginGroups

No

N/A

Only used when multiple origins are used. Not applicable.

Origins

No

[Origin Object]

Specifies where data will be pulled from.

PriceClass

No

“PriceClass_100”

Serves objects from the CloudFront edge location that has the lowest latency among the edge locations in the price class. Cost to transfer data out to internet from CloudFront compared to from S3 is only less for North America/Europe, which are the only two regions in Price Class 100. “If you select a price class that does not include all locations, some of your viewers, especially those in geographic locations that are not in your price class, may experience higher latency than if your content were being served from all Amazon CloudFront locations.“

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html

Amazon CloudFront CDN - Plans & Pricing - Try For Free

Amazon S3 Pricing - Cloud Object Storage - AWS

Restrictions

No

N/A

Restrictions only relate to countries where content is distributed. Not applicable

S3Origin

No

N/A

Legacy. Not applicable.

Staging

No

N/A

Indicates if this is a staging distribution. Not applicable.

ViewerCertificate

No

ViewerCertificate Object

Gives ability to set minimum TLS version.

WebACLId

No

N/A

Current signed URLs through S3 do not use a Web ACL.

DefaultCacheBehavior

Property

Required

Value

Justification

Property

Required

Value

Justification

AllowedMethods

No

GET, HEAD

Controls which HTTP methods are processed and forwarded to S3. No other methods are required for our use case.

CachedMethods

No

N/A

Not applicable if managed cache policy is CachingDisabled.

CachePolicyId

Conditional

4135ea2d-6df8-44a3-9df3-4b5a84be39ad"

CachingDisabled. Will open Jira ticket to explore choices for cache settings.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html

Compress

No

N/A

CloudFront doesn’t compress object when caching is disabled.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html

DefaultTTL

No

N/A

Deprecated

FieldLevelEncryptionId

No

N/A

For encrypting data uploaded through CloudFront. Not applicable.

ForwardedValues

Conditional

N/A

Deprecated

FunctionAssociations

No

N/A

Not applicable because no functions will be associated with the distribution.

LambdaFunctionAssociations

No

N/A

Not applicable because no Lambda functions will be associated with the distribution.

MaxTTL

No

N/A

Deprecated

MinTTL

No

N/A

Deprecated

OriginRequestPolicyId

No

"b689b0a8-53d0-40ab-baf2-68738e2966ac"

Need to be able to forward headers and query strings from the viewer request so we can override the response-content-disposition and response-content-type when creating the signed URL and pass other headers such as Range. By default no query strings or headers are forwarded. The chosen policy does not pass the host header, which allows CloudFront to use the S3 origin’s domain as the host in its request to the S3 origin.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

RealtimeLogConfigArn

No

N/A

Not applicable. Will be using standard log. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html

ResponseHeadersPolicyId

No

N/A

The managed response header policies are applicable to static websites, not our use case.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/modifying-response-headers.html

SmoothStreaming

No

N/A

This is for media files, so not applicable.

TargetOriginId

Yes

"${stack}data.sagebase.org"

The value of ID for the origin.

TrustedKeyGroups

No

{"Ref": "CloudFrontPublicKeyGroup"}

KeyGroup Object

List of key groups that CloudFront can use to validate signed URLs or signed cookies.

TrustedSigners

No

N/A

Using TrustedKeyGroups, so not applicable.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

ViewerProtocolPolicy

Yes

https-only

All signed URLs will use HTTPS.

Origin

Property

Required

Value

Justification

Property

Required

Value

Justification

ConnectionAttempts

No

N/A

The number of times that CloudFront attempts to connect to the origin. Minimum is 1, maximum is 3, default is 3.

ConnectionTimeout

No

N/A

The number of seconds that CloudFront waits when trying to establish a connection to the origin. Minimum is 1 second, maximum is 10 seconds, default is 10 seconds.

CustomOriginConfig

Conditional

N/A

Used when an origin is not an S3 bucket. Not applicable.

DomainName

Yes

"${stack}data.sagebase.org.s3.us-east-1.amazonaws.com"

Required, this is the domain name of the origin.

Id

Yes

"${stack}data.sagebase.org"

A unique identifier for the origin to be used in the cache behavior portion of the template.

OriginAccessControlId

No

{"Ref": "OriginAccessControl"}

OriginAccessControl Object

Identifies the origin access control, which is used to give permissions to get objects from the S3 bucket origin.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

OriginCustomHeaders

No

N/A

A list of header names and values that CloudFront adds to the request to the origin. Not applicable.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/add-origin-custom-headers.html

OriginPath

No

N/A

An optional path that CloudFront appends to the origin domain name when a request is sent to the origin. Not applicable.

OriginShield

No

N/A

An additional layer of caching in the CloudFront caching infrastructure. None of the use cases described by AWS fit ours.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html

S3OriginConfig

Conditional

S3OriginConfig Object

Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting. If not included get error message "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified".

ViewerCertificate

Property

Required

Value

Justification

Property

Required

Value

Justification

AcmCertificateArn

Conditional

"${DataCdnCertificateArn}"

ACM SSL certificate for the Alias defined in DistributionConfig.

CloudFrontDefaultCertificate

Conditional

N/A

Only required if the default CloudFront domain name is used.

IamCertificateId

Conditional

N/A

Only required if the SSL certificate is stored in IAM

MinimumProtocolVersion

Conditional

“TLSv1.2_2021”

 

SslSupportMethod

Conditional

“sni-only”

Recommended by AWS. Accepts HTTPS connections from only viewers that support Server Name Indication, which is an extension to TLS that allows clients to indicate the host they are attempting to connect to during the handshake process.

Logging

Property

Required

Value

Justification

Property

Required

Value

Justification

Bucket

Yes

“${stack}.log.sagebase.org.s3.us-east-1.amazonaws.com”

Required

IncludeCookies

No

False

 

Prefix

No

“cloudFrontDataRequests”

 

S3OriginConfig

Property

Required

Value

Justification

Property

Required

Value

Justification

OriginAccessIdentity

No

““

Per documentation, if you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.

KeyGroup

Property

Required

Value

Justification

Property

Required

Value

Justification

KeyGroupConfig

Yes

KeyGroupConfig Object

Required

KeyGroupConfig

Property

Required

Value

Justification

Property

Required

Value

Justification

Comment

No

"Public key group for ${stack}data.sagebase.org CloudFront infrastructure"

Gives description of key group

Items

Yes

{"Ref": "CloudFrontPublicKey"}

PublicKey Object

Lists the identifiers of the public keys in the key group

Name

Yes

"${stack}data-key-group"

Identifies the key group

PublicKey

Property

Required

Value

Justification

Property

Required

Value

Justification

Properties

Yes

PublicKeyConfig Object

 

PublicKeyConfig

Property

Required

Value

Justification

Property

Required

Value

Justification

CallerReference

Yes

"${stack}data-public-key"

A string included in the request to help make sure the request can’t be replayed

Comment

No

"Public key for ${stack}data.sagebase.org CloudFront infrastructure"

Describes the public key

EncodedKey

Yes

"${DataCdnPublicKey}"

The public key itself

Name

Yes

"${stack}data-public-key"

Identifies the public key

OriginAccessControl

Property

Required

Value

Justification

Property

Required

Value

Justification

OriginAccessControlConfig

Yes

OriginAccessControlConfig Object

 

OriginAccessControlConfig

Property

Required

Value

Justification

Property

Required

Value

Justification

Description

No

"Origin Access Control for origin ${stack}data.sagebase.org"

Describes the origin access control.

Name

Yes

"${stack}data-origin-access-control"

Identifies the origin access control.

OriginAccessControlOriginType

Yes

s3

The type of origin this access control is for.

SigningBehavior

Yes

always

Specifies if CloudFront overwrites Authorization header from the viewer request in its request to the origin if it exists. Not applicable since we won’t be checking authorization with the signed URL.

SigningProtocol

Yes

sigv4

The only valid value is sigv4.

RecordSet

Property

Required

Value

Justification

Property

Required

Value

Justification

AliasTarget

No

AliasTarget Object

 

CidrRoutingConfig

No

N/A

Not applicable

Comment

No

"Record set for the CloudFront distribution for ${stack}data.sagebase.org"

 

Failover

No

N/A

For configuring failover if once resource goes down. Not applicable.

GeoLocation

No

N/A

Lets you control how Route 53 responds to DNS queries based on geographic origin. Not applicable.

HealthCheckId

No

N/A

Not possible with CloudFront.

HostedZoneId

No

N/A

HostedZoneName used instead.

HostedZoneName

No

"${stack}.sagebase.org."

The name of the hosted zone where the record is created.

MultiValueAnswer

No

N/A

For routing traffic randomly to multiple resources. Not applicable.

Name

Yes

"data.${stack}.sagebase.org"

 

Region

No

N/A

For latency based resource record sets only.

ResourceRecords

No

N/A

Omitted if AliasTarget is used.

SetIdentifier

No

N/A

For differentiating among multiple resource record sets. Not applicable.

TTL

No

N/A

Omitted when using an alias resource record set.

Type

Yes

“A”

“A” is used for CloudFront distributions.

Weight

No

N/A

For weighted resource record sets only.

AliasTarget

Property

Required

Value

Justification

Property

Required

Value

Justification

DNSName

Yes

{ "Fn::GetAtt": ["CloudFront", "DomainName"] }

For a CloudFront distribution, the domain name.

EvaluateTargetHealth

No

N/A

Cannot be set for CloudFront distributions.

HostedZoneId

Yes

“Z2FDTNDATAQYW2"

Always the hosted zone ID when an alias record is created for a CloudFront distribution.

CloudFrontMonitoringSubscription

Property

Required

Value

Justification

Property

Required

Value

Justification

DistributionId

Yes

{ "Ref": "CloudFront" }

 

MonitoringSubscription

Yes

Object (Contains only RealTimeMetricsSubscriptionsConfig)

 

RealTimeMetricsSubscriptionConfig

No

Object (Contains only RealTimeMetricsSubscriptionStatus)

 

RealTimeMetricsSubscriptionStatus

Yes

“Enabled”