# CloudFront

Amazon **CloudFront** is a **global Content Delivery Network (CDN)** that **securely delivers** content with **low latency and high transfer speeds**. It helps protect **web applications, APIs, and media assets** by enforcing **access controls, encryption, and security monitoring**.

#### **✅ SecureCart’s Use Case**

SecureCart uses CloudFront to:\
✔ **Serve static assets (images, JavaScript, CSS) and API responses** with low latency.\
✔ **Protect against DDoS attacks** while securing content delivery.\
✔ **Restrict unauthorized access** to private media files.\
✔ **Enhance security by encrypting content in transit and at rest**.

***

### **🔹 CloudFront Security Features**

CloudFront provides **multiple security layers** to protect content **from unauthorized access, data breaches, and cyber threats**.

| **Security Feature**            | **Description**                                                              | **Use Case in SecureCart**                                                                                              |
| ------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **CloudFront Signed URLs**      | Grants **temporary, controlled access** to private content.                  | SecureCart provides **exclusive deals** to VIP customers via **signed URLs** that expire after 24 hours.                |
| **CloudFront Signed Cookies**   | Allows **temporary access** to multiple private files without changing URLs. | SecureCart provides **paying members access to premium product videos** using **signed cookies**.                       |
| **Origin Access Control (OAC)** | Ensures CloudFront is the **only entity allowed to fetch objects from S3**.  | SecureCart restricts direct access to its S3 **product image bucket**, ensuring **only CloudFront can retrieve files**. |
| **Field-Level Encryption**      | Encrypts sensitive **form fields** before sending them to the origin.        | SecureCart protects **customer payment information** by **encrypting sensitive fields** in API requests.                |
| **AWS WAF Integration**         | Protects applications from **SQL injection, XSS, and DDoS attacks**.         | SecureCart blocks malicious bots and prevents **unauthorized API access** using **AWS WAF rules**.                      |
| **Geo-Restriction**             | Blocks access from **specific geographic regions**.                          | SecureCart restricts its **product listings** from appearing in regions where it does not ship.                         |
| **Origin Shield**               | Adds **an extra caching layer** to reduce origin load and mitigate attacks.  | SecureCart reduces **high traffic spikes** from sales events, preventing origin overload.                               |

***

### **🔹 CloudFront Access Control**

#### **1️⃣ Restricting Access to S3 with Origin Access Control (OAC)**

> **✅ SecureCart ensures that CloudFront is the only service allowed to access its S3 bucket**\
> **Why?** This prevents direct S3 access, forcing requests to go through **CloudFront’s security layer**.

#### **🔹 Steps to Implement OAC for SecureCart**

1️⃣ **Enable Origin Access Control (OAC)** in CloudFront.\
2️⃣ **Update the S3 bucket policy** to allow **CloudFront access only**.\
3️⃣ **Block all public access** to the S3 bucket.\
4️⃣ **Verify secure content delivery through CloudFront**.

✅ **Use Case:** SecureCart’s **product images, order invoices, and customer documents** are only accessible through CloudFront, not directly from S3.

***

#### **2️⃣ CloudFront Signed URLs vs. Signed Cookies**

| **Feature**        | **Signed URLs**                                   | **Signed Cookies**                                                      |
| ------------------ | ------------------------------------------------- | ----------------------------------------------------------------------- |
| **Use Case**       | Grants access to **single files**.                | Grants access to **multiple files** in a session.                       |
| **Best For**       | Temporary access to a **specific download link**. | SecureCart’s VIP members accessing **multiple premium product videos**. |
| **Expiration**     | URL expires after a **defined duration**.         | Cookie remains valid for a **session**.                                 |
| **Implementation** | Embed the signed URL in **email or website**.     | Set a signed cookie **via application logic**.                          |

✅ **Use Case:** SecureCart allows **limited-time product demo downloads** using **signed URLs**.

***

#### **3️⃣ Encrypting Sensitive Data with Field-Level Encryption**

CloudFront’s **Field-Level Encryption (FLE)** allows **end-to-end encryption** of sensitive data **before reaching the origin**.

✔ **Use Case:** SecureCart protects **credit card details** and **customer login credentials** by encrypting sensitive fields in **checkout forms**.

🔹 **Implementation Steps:**\
1️⃣ **Create a Field-Level Encryption configuration** in CloudFront.\
2️⃣ **Specify which form fields need encryption** (e.g., `card_number`, `CVV`).\
3️⃣ **Use a public key to encrypt data before sending it to the origin**.\
4️⃣ **The origin server decrypts the data using a private key**.

***

#### **4️⃣ Protecting Against Cyber Threats with AWS WAF**

SecureCart **integrates AWS WAF with CloudFront** to block **SQL injection, XSS attacks, and DDoS threats**.

✔ **Use Case:** SecureCart’s API Gateway is protected against **malicious bots** trying to scrape product pricing data.

🔹 **Recommended AWS WAF Rules for SecureCart**\
✅ **IP Rate-Based Blocking:** Limits excessive API requests.\
✅ **Geo-Restriction Rules:** Blocks traffic from unauthorized countries.\
✅ **SQL Injection & XSS Protection:** Filters **malicious input** from attackers.\
✅ **Bot Control Managed Rules:** Prevents scraping and spam bots.

***

#### **5️⃣ Restricting Access with Geo-Restriction**

CloudFront’s **Geo-Restriction (Geoblocking)** prevents content from being accessed in specific countries.

✔ **Use Case:** SecureCart restricts product content from being accessed in **regions where it does not operate**.

🔹 **Steps to Implement Geo-Restriction:**\
1️⃣ **Enable Geo-Restriction in CloudFront**.\
2️⃣ **Choose "Whitelist" to allow only specific countries** or "Blacklist" to block certain regions.\
3️⃣ **Apply the restriction to the distribution**.\
4️⃣ **Test access from restricted locations**.

✅ **Example:** SecureCart blocks **promo videos and special offers** from being viewed in countries where its e-commerce store does not operate.

***

#### **6️⃣ Secure Private APIs Behind CloudFront**

SecureCart’s **internal APIs** need **restricted access** for **authenticated users only**.

🔹 **Security Measures for Secure API Access**:\
✔ **CloudFront Signed URLs** – Grants temporary access to API endpoints.\
✔ **IAM Authentication & Authorization** – Ensures **only authorized Lambda/API Gateway invocations**.\
✔ **AWS Shield Advanced Protection** – Protects against **DDoS attacks** on API endpoints.\
✔ **AWS WAF Web ACL Rules** – Blocks **malicious requests**.

✅ **Use Case:** SecureCart’s **order processing API** is **only accessible** through CloudFront using **signed requests**.

***

### **🚀 Summary**

🔹 **Amazon CloudFront enhances security by encrypting content, enforcing access controls, and integrating with AWS security services like AWS WAF and AWS Shield.**\
🔹 SecureCart **restricts direct access to S3 using Origin Access Control (OAC)**.\
🔹 **Signed URLs & Signed Cookies** are used for **temporary, secure access to premium content**.\
🔹 **Field-Level Encryption (FLE) ensures sensitive data is protected before reaching the origin**.\
🔹 **AWS WAF protects CloudFront distributions against SQL injection, XSS, and DDoS threats**.\
🔹 **Geo-restriction blocks unauthorized access from specific regions**.