AWS CloudFront

Overview

S3 bucket
- Distributing files and caching at edge
- Enhanced security with origin access identity(OAI)
- used as ingress

Cloudfront is global, s3 co is to be done in every region
Cloudfront caches for a TTL, S3 CO updates real-time
CloudFront is suitable for static content, S3 CO for dynamic content to be available with low-latency in few regions

Creat bucket and add few objects
Go to cloud front and create distribution with origin domain name as the bucket created
Restrict bucket access - makes user have access only through CF URL and not Bucket URL
Create or use an OAI
Create distribution - takes sometime( around 10 mins)
Now an OAI would have been created and if we go to the bucket-> bucket policy-> we can see only OAI created will have access
Once CF is ready we can try to access the object, it’ll take time for CF to propogate to bucket(3-4 hours), till then we can make ACL and bucket ACL public and object as public, and now we can see the object

Because of caching if you change anything in an object and if the TTL is not crossed, the user will see older version of the object through CF
Hence we can use CreateInvalidation for this problem
CloudFront-> distribution-> invalidate-> create invalidation-> give the pattern of objects that’s to be invalidated (* for all objects)
Now even if there is any change in any object of the bucket, changes will be reflected

OAI for S3 Buckets
HTTP, HTTPS, HTTP to HTTPS restrictions
Geo restriction
- Can restrict based on location
- Whitelist and blacklist, both can be done
- use case- copyright laws for accessing content
- CF distribution-> restrictions-> enable geo restriction-> whitelist/blacklist regions

If you want to distribute paid shared content to users
signed URL/ cookie can attach policy like
- URL expiration
- IP ranges
- trusted signers
Signed URL for individual files, cookies for multiple files(one cookie for many files)