# CloudFront

Amazon **CloudFront** is a **global Content Delivery Network (CDN)** that **securely delivers** content with **low latency and high transfer speeds**. It helps protect **web applications, APIs, and media assets** by enforcing **access controls, encryption, and security monitoring**.

#### **✅ SecureCart’s Use Case**

SecureCart uses CloudFront to:\
✔ **Serve static assets (images, JavaScript, CSS) and API responses** with low latency.\
✔ **Protect against DDoS attacks** while securing content delivery.\
✔ **Restrict unauthorized access** to private media files.\
✔ **Enhance security by encrypting content in transit and at rest**.

***

### **🔹 CloudFront Security Features**

CloudFront provides **multiple security layers** to protect content **from unauthorized access, data breaches, and cyber threats**.

| **Security Feature**            | **Description**                                                              | **Use Case in SecureCart**                                                                                              |
| ------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **CloudFront Signed URLs**      | Grants **temporary, controlled access** to private content.                  | SecureCart provides **exclusive deals** to VIP customers via **signed URLs** that expire after 24 hours.                |
| **CloudFront Signed Cookies**   | Allows **temporary access** to multiple private files without changing URLs. | SecureCart provides **paying members access to premium product videos** using **signed cookies**.                       |
| **Origin Access Control (OAC)** | Ensures CloudFront is the **only entity allowed to fetch objects from S3**.  | SecureCart restricts direct access to its S3 **product image bucket**, ensuring **only CloudFront can retrieve files**. |
| **Field-Level Encryption**      | Encrypts sensitive **form fields** before sending them to the origin.        | SecureCart protects **customer payment information** by **encrypting sensitive fields** in API requests.                |
| **AWS WAF Integration**         | Protects applications from **SQL injection, XSS, and DDoS attacks**.         | SecureCart blocks malicious bots and prevents **unauthorized API access** using **AWS WAF rules**.                      |
| **Geo-Restriction**             | Blocks access from **specific geographic regions**.                          | SecureCart restricts its **product listings** from appearing in regions where it does not ship.                         |
| **Origin Shield**               | Adds **an extra caching layer** to reduce origin load and mitigate attacks.  | SecureCart reduces **high traffic spikes** from sales events, preventing origin overload.                               |

***

### **🔹 CloudFront Access Control**

#### **1️⃣ Restricting Access to S3 with Origin Access Control (OAC)**

> **✅ SecureCart ensures that CloudFront is the only service allowed to access its S3 bucket**\
> **Why?** This prevents direct S3 access, forcing requests to go through **CloudFront’s security layer**.

#### **🔹 Steps to Implement OAC for SecureCart**

1️⃣ **Enable Origin Access Control (OAC)** in CloudFront.\
2️⃣ **Update the S3 bucket policy** to allow **CloudFront access only**.\
3️⃣ **Block all public access** to the S3 bucket.\
4️⃣ **Verify secure content delivery through CloudFront**.

✅ **Use Case:** SecureCart’s **product images, order invoices, and customer documents** are only accessible through CloudFront, not directly from S3.

***

#### **2️⃣ CloudFront Signed URLs vs. Signed Cookies**

| **Feature**        | **Signed URLs**                                   | **Signed Cookies**                                                      |
| ------------------ | ------------------------------------------------- | ----------------------------------------------------------------------- |
| **Use Case**       | Grants access to **single files**.                | Grants access to **multiple files** in a session.                       |
| **Best For**       | Temporary access to a **specific download link**. | SecureCart’s VIP members accessing **multiple premium product videos**. |
| **Expiration**     | URL expires after a **defined duration**.         | Cookie remains valid for a **session**.                                 |
| **Implementation** | Embed the signed URL in **email or website**.     | Set a signed cookie **via application logic**.                          |

✅ **Use Case:** SecureCart allows **limited-time product demo downloads** using **signed URLs**.

***

#### **3️⃣ Encrypting Sensitive Data with Field-Level Encryption**

CloudFront’s **Field-Level Encryption (FLE)** allows **end-to-end encryption** of sensitive data **before reaching the origin**.

✔ **Use Case:** SecureCart protects **credit card details** and **customer login credentials** by encrypting sensitive fields in **checkout forms**.

🔹 **Implementation Steps:**\
1️⃣ **Create a Field-Level Encryption configuration** in CloudFront.\
2️⃣ **Specify which form fields need encryption** (e.g., `card_number`, `CVV`).\
3️⃣ **Use a public key to encrypt data before sending it to the origin**.\
4️⃣ **The origin server decrypts the data using a private key**.

***

#### **4️⃣ Protecting Against Cyber Threats with AWS WAF**

SecureCart **integrates AWS WAF with CloudFront** to block **SQL injection, XSS attacks, and DDoS threats**.

✔ **Use Case:** SecureCart’s API Gateway is protected against **malicious bots** trying to scrape product pricing data.

🔹 **Recommended AWS WAF Rules for SecureCart**\
✅ **IP Rate-Based Blocking:** Limits excessive API requests.\
✅ **Geo-Restriction Rules:** Blocks traffic from unauthorized countries.\
✅ **SQL Injection & XSS Protection:** Filters **malicious input** from attackers.\
✅ **Bot Control Managed Rules:** Prevents scraping and spam bots.

***

#### **5️⃣ Restricting Access with Geo-Restriction**

CloudFront’s **Geo-Restriction (Geoblocking)** prevents content from being accessed in specific countries.

✔ **Use Case:** SecureCart restricts product content from being accessed in **regions where it does not operate**.

🔹 **Steps to Implement Geo-Restriction:**\
1️⃣ **Enable Geo-Restriction in CloudFront**.\
2️⃣ **Choose "Whitelist" to allow only specific countries** or "Blacklist" to block certain regions.\
3️⃣ **Apply the restriction to the distribution**.\
4️⃣ **Test access from restricted locations**.

✅ **Example:** SecureCart blocks **promo videos and special offers** from being viewed in countries where its e-commerce store does not operate.

***

#### **6️⃣ Secure Private APIs Behind CloudFront**

SecureCart’s **internal APIs** need **restricted access** for **authenticated users only**.

🔹 **Security Measures for Secure API Access**:\
✔ **CloudFront Signed URLs** – Grants temporary access to API endpoints.\
✔ **IAM Authentication & Authorization** – Ensures **only authorized Lambda/API Gateway invocations**.\
✔ **AWS Shield Advanced Protection** – Protects against **DDoS attacks** on API endpoints.\
✔ **AWS WAF Web ACL Rules** – Blocks **malicious requests**.

✅ **Use Case:** SecureCart’s **order processing API** is **only accessible** through CloudFront using **signed requests**.

***

### **🚀 Summary**

🔹 **Amazon CloudFront enhances security by encrypting content, enforcing access controls, and integrating with AWS security services like AWS WAF and AWS Shield.**\
🔹 SecureCart **restricts direct access to S3 using Origin Access Control (OAC)**.\
🔹 **Signed URLs & Signed Cookies** are used for **temporary, secure access to premium content**.\
🔹 **Field-Level Encryption (FLE) ensures sensitive data is protected before reaching the origin**.\
🔹 **AWS WAF protects CloudFront distributions against SQL injection, XSS, and DDoS threats**.\
🔹 **Geo-restriction blocks unauthorized access from specific regions**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://awsinpractice.itassist.com/study-group/aws-certified-solutions-architect-associate/domain-1-design-secure-architectures/task-statement-1.2-design-secure-workloads-and-applications/cloudfront.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.