DistributionConfig

DistributionConfig Object

Tags

N/A

Not required

Aliases

["data.${stack}.sagebase.org"]

RecordSet Object

Alias used so an SSL Certificate can be set to specify minimum TLS versions.

CacheBehaviors

N/A

Covered by default cache behavior

CNAMEs

N/A

Not applicable.

Comment

“CloudFront distribution for ${stack}data.sagebase.org”

Gives info about distribution.

ContinuousDeploymentPolicyId

N/A

Continuous deployment is for distributing traffic for a custom domain name to two different CF distributions. Not applicable.

CustomErrorResponses

N/A

For replacing status code in 4xx and 5xx range with custom error messages. No use case for this.

CustomOrigin

N/A

Legacy. Covered under Origin.

DefaultCacheBehavior

DefaultCacheBehavior Object

Required - describes default caches behavior.

DefaultRootObject

N/A

Returns a default object when the user sends a request using the root URL and doesn’t include the object. Not applicable to our case since we are signing the URLs and users will always specify an object.

Enabled

True

Enables the distribution

HttpVersion

http2and3

Defaults to HTTP 1.1 , but due to security concerns with HTTP 1.1, will require either HTTP 2 or 3.

IPV6Enabled

False

Not applicable.

Logging

Logging Object

Will allow tracking for data requests.

OriginGroups

N/A

Only used when multiple origins are used. Not applicable.

Origins

[Origin Object]

Specifies where data will be pulled from.

PriceClass

“PriceClass_100”

Serves objects from the CloudFront edge location that has the lowest latency among the edge locations in the price class. Cost to transfer data out to internet from CloudFront compared to from S3 is only less for North America/Europe, which are the only two regions in Price Class 100. “If you select a price class that does not include all locations, some of your viewers, especially those in geographic locations that are not in your price class, may experience higher latency than if your content were being served from all Amazon CloudFront locations.“

Restrictions

N/A

Restrictions only relate to countries where content is distributed. Not applicable

S3Origin

N/A

Legacy. Not applicable.

Staging

N/A

Indicates if this is a staging distribution. Not applicable.

ViewerCertificate

ViewerCertificate Object

Gives ability to set minimum TLS version.

WebACLId

N/A

Current signed URLs through S3 do not use a Web ACL.

AllowedMethods

No

GET, HEAD

Controls which HTTP methods are processed and forwarded to S3. No other methods are required for our use case.

CachedMethods

No

N/A

Not applicable if managed cache policy is CachingDisabled.

CachePolicyId

Conditional

“4135ea2d-6df8-44a3-9df3-4b5a84be39ad"

CachingDisabled. Will open Jira ticket to explore choices for cache settings.

Compress

No

N/A

CloudFront doesn’t compress object when caching is disabled.

DefaultTTL

No

N/A

Deprecated

FieldLevelEncryptionId

No

N/A

For encrypting data uploaded through CloudFront. Not applicable.

ForwardedValues

Conditional

N/A

Deprecated

FunctionAssociations

No

N/A

Not applicable because no functions will be associated with the distribution.

LambdaFunctionAssociations

No

N/A

Not applicable because no Lambda functions will be associated with the distribution.

MaxTTL

No

N/A

Deprecated

MinTTL

No

N/A

Deprecated

OriginRequestPolicyId

No

"b689b0a8-53d0-40ab-baf2-68738e2966ac"

Need to be able to forward headers and query strings from the viewer request so we can override the response-content-disposition and response-content-type when creating the signed URL and pass other headers such as Range. By default no query strings or headers are forwarded. The chosen policy does not pass the host header, which allows CloudFront to use the S3 origin’s domain as the host in its request to the S3 origin.

RealtimeLogConfigArn

No

N/A

Not applicable. Will be using standard log.

ResponseHeadersPolicyId

No

N/A

The managed response header policies are applicable to static websites, not our use case.

SmoothStreaming

No

N/A

This is for media files, so not applicable.

TargetOriginId

Yes

"${stack}data.sagebase.org"

The value of ID for the origin.

TrustedKeyGroups

No

{"Ref": "CloudFrontPublicKeyGroup"}

KeyGroup Object

List of key groups that CloudFront can use to validate signed URLs or signed cookies.

TrustedSigners

No

N/A

Using TrustedKeyGroups, so not applicable.

ViewerProtocolPolicy

Yes

https-only

All signed URLs will use HTTPS.

ConnectionAttempts

No

N/A

The number of times that CloudFront attempts to connect to the origin. Minimum is 1, maximum is 3, default is 3.

ConnectionTimeout

No

N/A

The number of seconds that CloudFront waits when trying to establish a connection to the origin. Minimum is 1 second, maximum is 10 seconds, default is 10 seconds.

CustomOriginConfig

Conditional

N/A

Used when an origin is not an S3 bucket. Not applicable.

DomainName

Yes

"${stack}data.sagebase.org.s3.us-east-1.amazonaws.com"

Required, this is the domain name of the origin.

Id

Yes

"${stack}data.sagebase.org"

A unique identifier for the origin to be used in the cache behavior portion of the template.

OriginAccessControlId

No

{"Ref": "OriginAccessControl"}

OriginAccessControl Object

Identifies the origin access control, which is used to give permissions to get objects from the S3 bucket origin.

OriginCustomHeaders

No

N/A

A list of header names and values that CloudFront adds to the request to the origin. Not applicable.

OriginPath

No

N/A

An optional path that CloudFront appends to the origin domain name when a request is sent to the origin. Not applicable.

OriginShield

No

N/A

An additional layer of caching in the CloudFront caching infrastructure. None of the use cases described by AWS fit ours.

S3OriginConfig

Conditional

S3OriginConfig Object

Use S3OriginConfig to specify an Amazon S3 bucket that is not configured with static website hosting. If not included get error message "Invalid request provided: Exactly one of CustomOriginConfig and S3OriginConfig must be specified".

AcmCertificateArn

Conditional

"${DataCdnCertificateArn}"

ACM SSL certificate for the Alias defined in DistributionConfig.

CloudFrontDefaultCertificate

Conditional

N/A

Only required if the default CloudFront domain name is used.

IamCertificateId

Conditional

N/A

Only required if the SSL certificate is stored in IAM

MinimumProtocolVersion

Conditional

“TLSv1.2_2021”

SslSupportMethod

Conditional

“sni-only”

Recommended by AWS. Accepts HTTPS connections from only viewers that support Server Name Indication, which is an extension to TLS that allows clients to indicate the host they are attempting to connect to during the handshake process.

Bucket

Yes

“${stack}.log.sagebase.org.s3.us-east-1.amazonaws.com”

Required

IncludeCookies

No

False

Prefix

No

“cloudFrontDataRequests”

OriginAccessIdentity

No

““

Per documentation, if you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.

KeyGroupConfig

Yes

KeyGroupConfig Object

Required

Comment

No

"Public key group for ${stack}data.sagebase.org CloudFront infrastructure"

Gives description of key group

Items

Yes

{"Ref": "CloudFrontPublicKey"}

PublicKey Object

Lists the identifiers of the public keys in the key group

Name

Yes

"${stack}data-key-group"

Identifies the key group

Properties

Yes

PublicKeyConfig Object

CallerReference

Yes

"${stack}data-public-key"

A string included in the request to help make sure the request can’t be replayed

Comment

No

"Public key for ${stack}data.sagebase.org CloudFront infrastructure"

Describes the public key

EncodedKey

Yes

"${DataCdnPublicKey}"

The public key itself

Name

Yes

"${stack}data-public-key"

Identifies the public key

OriginAccessControlConfig

Yes

OriginAccessControlConfig Object

Description

No

"Origin Access Control for origin ${stack}data.sagebase.org"

Describes the origin access control.

Name

Yes

"${stack}data-origin-access-control"

Identifies the origin access control.

OriginAccessControlOriginType

Yes

s3

The type of origin this access control is for.

SigningBehavior

Yes

always

Specifies if CloudFront overwrites Authorization header from the viewer request in its request to the origin if it exists. Not applicable since we won’t be checking authorization with the signed URL.

SigningProtocol

Yes

sigv4

The only valid value is sigv4.

AliasTarget

No

AliasTarget Object

CidrRoutingConfig

No

N/A

Not applicable

Comment

No

"Record set for the CloudFront distribution for ${stack}data.sagebase.org"

Failover

No

N/A

For configuring failover if once resource goes down. Not applicable.

GeoLocation

No

N/A

Lets you control how Route 53 responds to DNS queries based on geographic origin. Not applicable.

HealthCheckId

No

N/A

Not possible with CloudFront.

HostedZoneId

No

N/A

HostedZoneName used instead.

HostedZoneName

No

"${stack}.sagebase.org."

The name of the hosted zone where the record is created.

MultiValueAnswer

No

N/A

For routing traffic randomly to multiple resources. Not applicable.

Name

Yes

"data.${stack}.sagebase.org"

Region

No

N/A

For latency based resource record sets only.

ResourceRecords

No

N/A

Omitted if AliasTarget is used.

SetIdentifier

No

N/A

For differentiating among multiple resource record sets. Not applicable.

TTL

No

N/A

Omitted when using an alias resource record set.

Type

Yes

“A”

“A” is used for CloudFront distributions.

Weight

No

N/A

For weighted resource record sets only.

DNSName

Yes

{ "Fn::GetAtt": ["CloudFront", "DomainName"] }

For a CloudFront distribution, the domain name.

EvaluateTargetHealth

No

N/A

Cannot be set for CloudFront distributions.

HostedZoneId

Yes

“Z2FDTNDATAQYW2"

Always the hosted zone ID when an alias record is created for a CloudFront distribution.

DistributionId

Yes

{ "Ref": "CloudFront" }

MonitoringSubscription

Yes

Object (Contains only RealTimeMetricsSubscriptionsConfig)

RealTimeMetricsSubscriptionConfig

No

Object (Contains only RealTimeMetricsSubscriptionStatus)

RealTimeMetricsSubscriptionStatus

Yes

“Enabled”