CloudFront is an AWS web service that lets users access web content (static and dynamic) faster, no matter where the content originates. Think of it as a Content Delivery Network (CDN) that improves read performance by caching content at edge locations. CloudFront delivers content through a worldwide network of data centers called edge locations. If the content is already present at the edge location, CloudFront delivers it with minimal latency; if not, it fetches it from the actual origin where the requested content is stored. For example, when a user in India tries to access content located in an S3 bucket in the USA, CloudFront serves the requested content from the edge location in India or the one nearest to the user. The origin can be an S3 bucket, an Application Load Balancer, or an EC2 instance.
In this example we will see how to access S3 files and images through CloudFront. To do that, we first create an S3 bucket called democfs3 and upload a nice picture of a Range Rover (yes, the car I like the most and will surely buy one day).
But after uploading the picture, when we try to access the image using its object URL, we get the error below, because the object does not have public access.
So let's now create the CloudFront distribution with Origin Access Control (OAC). Before AWS introduced OAC, Origin Access Identity (OAI) was used. Although OAI gives CloudFront a secure way to access S3 origins, it has limitations: it does not support granular policy configurations, HTTP and HTTPS requests that use the POST method in AWS regions that require AWS Signature Version 4 (SigV4), or integration with SSE-KMS. To strengthen security and deepen feature integrations, AWS introduced origin access control (OAC), a newer feature that secures S3 origins by permitting access only from the designated distributions.
After the CloudFront distribution is created, we also need to update the S3 bucket policy so that our distribution is allowed to read the files and images in the bucket. You can copy the policy from the prompt itself, as shown below, or later copy it from the "Origin" tab of the distribution.
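As an added example (not the post's own code or the policy AWS generated for it), this is the shape of the bucket policy OAC relies on: the CloudFront service principal may call `s3:GetObject`, but only when the request carries our distribution's ARN, so no public principal is ever granted access. The account ID and distribution ID are constructed placeholders; only the bucket name democfs3 comes from the post.

```python
import json

# Constructed sample values: bucket name from the post, account and
# distribution IDs are placeholders rather than real identifiers.
BUCKET = "democfs3"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "EXAMPLEDISTID"


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy letting exactly one CloudFront distribution read objects via OAC."""
    dist_arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition any CloudFront distribution in any
            # account could read the bucket; SourceArn pins it to ours.
            "Condition": {"StringEquals": {"AWS:SourceArn": dist_arn}},
        }],
    }


def policy_is_scoped_to_distribution(policy: dict) -> bool:
    """True if every Allow statement targets the CloudFront service principal
    and is conditioned on a CloudFront distribution ARN (no anonymous access)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != {"Service": "cloudfront.amazonaws.com"}:
            return False  # covers "*" and {"AWS": "*"} public grants
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not str(cond.get("AWS:SourceArn", "")).startswith("arn:aws:cloudfront::"):
            return False
    return True


# The kind of policy a "just make it public" shortcut produces: anyone can read.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

POLICY_JSON = json.dumps(oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID), indent=2)
```

`POLICY_JSON` is the document you would paste into the bucket's permissions page; the check function is the sort of guard a pipeline can run before applying any bucket policy.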
Once the policy is saved and the distribution is deployed successfully, we can check access to the files and images using the distribution domain, as shown below.
As well as my favorite car image via its specific URL.
To confirm we are getting it from our CloudFront distribution, we can inspect the page and check the cache headers under the Network tab.
It can happen that the data at the origin has been updated while the edge location is still serving an old image to the customer. This can be handled by setting the TTL after which the edge location refreshes its copy, or by creating an invalidation.
We can also restrict access through CloudFront based on geographic location. To do this, navigate to the Security tab and, under it, "CloudFront geographic restrictions".
We can allow specific countries, or block specific countries, from accessing the content.