Creating an Amazon CloudFront Distribution [A Step-by-Step Guide]

by Snehal NarkarJune 22nd, 2020
Too Long; Didn't Read

CloudFront is a CDN (Content Delivery Network) that retrieves data from an Amazon S3 bucket and distributes it to multiple data center locations. The data centers through which the data is delivered are called edge locations. Instead of the public internet, the content traverses the AWS private network, and CloudFront optimizes the TCP handshake. With CloudFront in place, users fetch data from CloudFront edge locations instead of from S3 directly, so the request and the returned content are still much faster than access across the public internet.


What is CloudFront?

CloudFront is a CDN (Content Delivery Network). CloudFront retrieves data from the Amazon S3 bucket and distributes it to multiple data center locations. The data centers through which the data is delivered are called edge locations.

When a user requests data, the request is routed to the nearest edge location, which gives us benefits such as the lowest latency, less network traffic, fast access to data, etc.

A picture will help to clarify how this actually works, so take a look at the image shown below. We have stored our content or data in an S3 bucket located in the N. Virginia (us-east-1) region, and we have users located around the world who access that content.

As the arrows show, whenever a user requests content, the request must go over the public internet to the source location: the S3 bucket in N. Virginia (us-east-1). Depending on the user’s location, content delivery can take a long time.

The delays in the response or in content delivery might even cause some user requests to fail and return an error page.

Now imagine that we set up CloudFront in front of the S3 bucket. In the following image, you can see that there are no longer requests traversing the globe to get to our content.

Instead, requests are routed to the edge location that is closest in terms of delivery speed, also called the “least latent” edge location. As shown with the green arrows, CloudFront then quickly serves cached content directly to the nearby requesting user.

CloudFront retrieves the content from the S3 bucket origin if it is not cached at an edge server. Instead of the public internet, the content traverses the AWS private network, and CloudFront optimizes the TCP handshake. Hence, the request and the returned content are still much faster than access across the public internet.

So with CloudFront in place, users fetch data from CloudFront edge locations instead of directly from S3. The following image shows the same thing.

Let’s start the creation of CloudFront distribution.

1. Steps for creating a CloudFront distribution 

  • Sign in to the AWS Management Console; under Find Services, type cloud in the search box and choose CloudFront.
  • You should see Global as the region at the top right.
  • Click Create Distribution.
  • Under Web click Get Started.
  • For Origin Domain Name once you place the cursor in there you should see your available S3 buckets.
Note: I have already created an S3 bucket in AWS, so if you don’t have a website in an S3 bucket yet, please create it first.
  • Pick the website bucket you created.
  • If it’s not listed, type it in, e.g. 2020-05-21-mybucket.s3.amazonaws.com, which is nothing but your bucket name followed by .s3.amazonaws.com.
  • Leave Origin Path blank.
  • The Origin ID should have been pre-populated when you chose your bucket.
  • Click Yes to Restrict Bucket Access.
  • Under Origin Access Identity select Create a New Identity.
  • It will pre-populate the Comment and append the bucket name.
  • For Grant Read Permissions on Bucket choose options Update Bucket Policy. [This will update the bucket policy for us].
  • Leave the Origin Custom Headers blank.
  • For the Default Cache Behavior Settings section:
  • Under Viewer Protocol Policy select option Redirect HTTP to HTTPS.
  • For Allowed HTTP Methods choose GET, HEAD.
  • Leave Field-level Encryption Config blank.
  • Leave GET, HEAD (Cached by default) for Cached HTTP Methods.
  • For Cache Based on Selected Request Headers leave it as the default none (Improves Caching).
  • For Object Caching also leave it as the default Use Origin Cache Headers.
  • Under Forward Cookies leave it as None (Improves Caching).
  • Also for Query String Forwarding and Caching leave as None (Improves Caching).
  • For Smooth Streaming select No.
  • For Restrict Viewer Access (Use Signed URLs or Signed Cookies) select No.
  • Leave Compress Objects Automatically as No.
  • Leave Lambda Function Associations as the default.
  • Scroll down to Distribution Settings.
  • For Price Class leave the default Use All Edge Locations (Best Performance).
  • We will not be using WAF, so for AWS WAF Web ACL, leave it as None.
  • Leave Alternate Domain Names (CNAMEs) blank. 
  • We will also use the Default CloudFront Certificate for SSL Certificate.
  • For Supported HTTP Versions leave as HTTP/2,HTTP/1.1,HTTP/1.0.
  • Under Default Root Object type index.html.
  • We can leave Logging set to Off.
  • Leave Enable IPv6 checked.
  • Finally set the Distribution State to Enabled.
  • Click Create Distribution.
  • Click on Distributions at the top left to see whether the CloudFront distribution is still being deployed.
  • This can take 15–20 minutes to complete.

2. Restrict our S3 bucket policy to CloudFront

  • Click Services at the top left and type in S3 or select it from History.
  • Click on your Bucket name 2019-mm-dd-xx-mybucket.
IMPORTANT: Your bucket will have a different name.
  • Click Permissions.
  • Select Bucket Policy.
  • We can see that CloudFront has added a statement for what we call an “Origin Access Identity” (OAI) to the policy, alongside the existing public statement:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::20200521-mybucket/*"
      },
      {
        "Sid": "2",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2V8GJ8FKJPGFQ"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::20200521-mybucket/*"
      }
    ]
  }
  • Remove the public S3 statement (the one whose Principal is "*") so the policy looks like the following:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "2",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2V8GJ8FKJPGFQ"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::20200521-mybucket/*"
      }
    ]
  }
  • This allows only our specific CloudFront distribution (through its Origin Access Identity) to access our S3 bucket, which is what we want.
  • Click Save.

3. Steps for testing that we successfully locked down S3 from public view

  • Click on the CloudFront distribution ID. (The blue hyperlink)
  • Copy the URL under Domain Name.


Browse to that URL and you should now see the index.html page. Your CloudFront distribution is ready.
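To make sections 2 and 3 repeatable, here is an added example (not code from the original post) that does the same lock-down check in Python: it audits a bucket policy like the one shown above, strips every public "Allow" statement while refusing to remove the last Origin Access Identity statement, and then verifies that a direct S3 object URL is denied (403) while the CloudFront URL still serves the page (200). The bucket name and OAI id are the ones from the post's example policy; the URLs and the `fetch` parameter are assumptions for this example.

```python
"""Audit and lock down an S3 bucket policy to a CloudFront origin access identity.

Added example, not code from the original post. It operates on a policy
document like the one shown in the post; the bucket name and OAI id below are
copied from the post's example and the URLs used for verification are assumed.
"""
import copy
import json
import urllib.error
import urllib.request

# Constructed sample: the policy CloudFront produced in the post (two statements,
# one public "*" principal and one for the origin access identity).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::20200521-mybucket/*",
        },
        {
            "Sid": "2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2V8GJ8FKJPGFQ"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::20200521-mybucket/*",
        },
    ],
}

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def _principals(statement):
    """Flatten the Principal field ("*", {"AWS": "..."} or {"AWS": [...]}) into a list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def is_public(statement):
    """True for an Allow statement granted to everyone ("*" or {"AWS": "*"})."""
    return statement.get("Effect") == "Allow" and "*" in _principals(statement)


def is_oai(statement):
    """True when every principal in the statement is a CloudFront origin access identity."""
    principals = _principals(statement)
    return bool(principals) and all(p.startswith(OAI_PREFIX) for p in principals)


def public_statement_ids(policy):
    """Sids of statements that still grant public access."""
    return [s.get("Sid") for s in policy["Statement"] if is_public(s)]


def lock_down_to_oai(policy):
    """Return a copy of the policy with every public Allow statement removed.

    Refuses to produce a policy with no OAI statement, since that would cut
    CloudFront off from the bucket as well as the public.
    """
    locked = copy.deepcopy(policy)
    locked["Statement"] = [s for s in locked["Statement"] if not is_public(s)]
    if not any(is_oai(s) for s in locked["Statement"]):
        raise ValueError("no origin access identity statement; refusing to lock down")
    return locked


def http_status(url):
    """HTTP status of a GET, treating 4xx/5xx responses as a result rather than an error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_lockdown(s3_object_url, cloudfront_url, fetch=http_status):
    """Direct S3 access should be denied (403) while CloudFront still serves the object (200)."""
    s3 = fetch(s3_object_url)
    cf = fetch(cloudfront_url)
    return {"s3_status": s3, "cloudfront_status": cf, "locked_down": s3 == 403 and cf == 200}


if __name__ == "__main__":
    locked = lock_down_to_oai(ORIGINAL_POLICY)
    print(json.dumps(locked, indent=2))
    print("public sids before:", public_statement_ids(ORIGINAL_POLICY))
    print("public sids after:", public_statement_ids(locked))
```

Run it as-is to see the stripped policy; to test a real distribution, call `verify_lockdown` with the object's S3 URL and the CloudFront domain name URL from section 3. The `fetch` parameter exists so the check can be exercised offline with a fake status lookup.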

Happy Coding 😃