CloudFront offers the most advanced security capabilities, including field level encryption and HTTPS support, seamlessly integrated with AWS Shield, AWS Web Application Firewall and Route 53 to protect against multiple types of attacks including network and application layer DDoS attacks. These services co-reside at edge networking locations – globally scaled and connected via the AWS network backbone – providing a more secure, performant, and available experience for your users.
CloudFront works seamlessly with any AWS origin, such as Amazon S3, Amazon EC2, Elastic Load Balancing, or with any custom HTTP origin. You can customize your content delivery through CloudFront using the secure and programmable edge computing feature AWS Lambda@Edge.
Global Scaled Network for Fast Content Delivery
Amazon CloudFront is massively scaled and globally distributed. The CloudFront network has 225+ points of presence (PoPs) that are interconnected via the AWS backbone delivering ultra-low latency performance and high availability to your end users. The AWS backbone is a private network built on a global, fully redundant, parallel 100 GbE metro fiber network linked via trans-oceanic cables across the Atlantic, Pacific, and Indian Oceans, as well as, the Mediterranean, Red Sea, and South China Seas. Amazon CloudFront automatically maps network conditions and intelligently routes your user’s traffic to the most performant AWS edge location to serve up cached or dynamic content. CloudFront comes default with a multi-tiered caching architecture that offers you improved cache width and origin protection.
Security at the Edge
Amazon CloudFront is a highly secure CDN that provides both network and application level protection. All your CloudFront distributions are defended by default against the most frequently occurring network and transport layer DDoS attacks that target your websites or applications with AWS Shield Standard. To defend against more complex attacks, you can add a flexible, layered security perimeter by integrating CloudFront with AWS Shield Advanced and AWS Web Application Firewall (WAF). Firewall rules, curated and managed by Amazon security experts, to protect against common CVEs and OWASP Top 10 security risks are provided to you on AWS WAF with Amazon Managed Rules (AMR). Finally, CloudFront has the most advanced security compliance certifications namely PCI DSS, ISO/IEC, SOC 1/2/3, FedRAMP Moderate, HIPAA, and more.
Highly Programmable and Secure Edge Computing
Amazon CloudFront offers the programmable and secure edge CDN computing capabilities through AWS Lambda@Edge. For application logic customizations at the edge, Lambda@Edge provides you a general-purpose compute runtime feature for computationally intensive operations such as dynamic origin load-balancing, custom bot-management, or building serverless origins. Triggered by CloudFront requests, Lambda@Edge extend custom code across AWS locations worldwide, allowing custom application logic to run closer to your end users for improved responsiveness. Lambda@Edge come with advanced, built-in security isolation to protect your data from side-channel attacks such as Spectre and Meltdown.
Deep Integration with AWS
Amazon CloudFront is integrated with AWS services such as Amazon S3, Amazon EC2, Elastic Load Balancing, Amazon Route 53, and AWS Elemental Media Services for easy set-up. As a developer, you can use the AWS management console or familiar developer tools such as CloudFormation templates, the AWS Cloud Development Kit, and APIs. CloudFront’s integration with Amazon Cloudwatch and Kinesis offers real-time observability through metrics and logs.
Amazon CloudFront offers cost-effective content-delivery globally. There is no data transfer fee from any AWS origin to CloudFront for origin fetches. Integration with AWS Certificate Manager (ACM) offers custom TLS certificates, at no charge. CloudFront offers a simple, pay-as-you-go pricing model with no upfront fees or required long-term contracts, and support for the CDN is included in your existing AWS Support subscription. Additional price reductions are available for minimum traffic commitments (typically 10 TB/month or higher).
The adoption of Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols to encrypt Internet traffic has increased in response to more cybercrime, compliance requirements (PCI v3.2), and a commitment to secure customer data. Amazon CloudFront is moving in this direction, with a rapidly increasing share of global content traffic on CloudFront delivered over SSL/TLS. CloudFront integrates with AWS Certificate Manager (ACM) for SSL/TLS-level support to ensure secure data transmission using the most modern ciphers and handshakes.
SSL/TLS on CloudFront offers these key benefits:
Ease of use
All browsers have the capability to interact with secured web servers using the SSL/TLS protocol. However, both browser and server need an SSL certificate to establish a secure connection. Support for SSL certificate management requires working with a Certificate Authority (CA), which is a third-party that is trusted by both the subject of the certificate (e.g., the content owner) and the party that relies on the certificate (e.g., the content viewer). The entire manual process of purchasing, uploading, and renewing valid certificates through third-party CAs can be quite lengthy. AWS provides seamless integration between CloudFront and ACM to reduce the creation and deployment time of a new, free custom SSL certificate and make certificate management a simpler, more automatic process.
When you enable SSL with CloudFront, all global edge locations are used for handling your SSL traffic. Clients terminate SSL connections at a nearby CloudFront edge location, thus reducing network latency in setting up an SSL connection. In addition, moving the SSL termination to CloudFront helps you offload encryption to CloudFront servers that are specifically designed to be highly scalable and performance optimized.
CloudFront enables you to generate custom SSL/TLS certificates with ACM and support them with SNI at no additional charge. These features are offered with no setup fees, no hosting fees, and no extra charges for the HTTPS bytes transferred. You simply pay standard (or discounted with a signed contract) CloudFront rates for data transfer and HTTPS requests. For dedicated IP custom SSL, there is an additional charge per month. This additional charge is associated with dedicating multiple IPv4 addresses (a finite resource) for each SSL certificate at each CloudFront edge location.