ReddRadar
Agent skill
aws-cloudformation-cloudfront
Provides AWS CloudFormation patterns for CloudFront distributions, origins (ALB, S3, Lambda@Edge, VPC Origins), CacheBehaviors, Functions, SecurityHeaders, parameters, Outputs and cross-stack references. Use when creating CloudFront distributions with CloudFormation, configuring multiple origins, implementing caching strategies, managing custom domains with ACM, configuring WAF, and optimizing performance.
Install this agent skill to your Project
npx add-skill https://github.com/giuseppe-trisciuoglio/developer-kit/tree/main/plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-cloudfront
SKILL.md
AWS CloudFormation CloudFront CDN
Overview
Create production-ready CDN infrastructure using AWS CloudFormation templates. This skill covers CloudFront distributions, multiple origins (ALB, S3, API Gateway, Lambda@Edge, VPC Origins), CacheBehaviors, Functions, SecurityHeaders, and best practices for parameters, outputs, and cross-stack references.
When to Use
- Creating CloudFront distributions with CloudFormation
- Configuring origins (ALB, S3, Lambda@Edge, VPC Origins) with path patterns
- Implementing caching with CacheBehaviors and Cache Policies
- Configuring custom domains with ACM and SecurityHeaders
- Integrating WAF with CloudFront distributions
Instructions
Follow these steps to create CloudFront distributions with CloudFormation:
1. Define Distribution Parameters
Validate before deploying:
aws cloudformation validate-template --template-body file://template.yaml
cfn-lint template.yaml
Specify domain names, ACM certificates, price class, and origin settings:
Parameters:
DomainName:
Type: String
Default: cdn.example.com
Description: Custom domain name for CloudFront distribution
CertificateArn:
Type: AWS::ACM::Certificate::Arn
Description: ACM certificate ARN for HTTPS
PriceClass:
Type: String
Default: PriceClass_All
AllowedValues:
- PriceClass_All
- PriceClass_100
- PriceClass_200
Description: CloudFront price class
OriginDomainName:
Type: String
Description: Domain name of the origin (ALB or S3)
2. Configure Origins
Add S3 buckets, ALBs, API Gateway, or custom origins. For S3 origins, use OAI (legacy) or OAC (recommended):
Resources:
# S3 Bucket
StaticBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "static-assets-${AWS::AccountId}-${AWS::Region}"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
# Origin Access Control (recommended)
OriginAccessControl:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: !Sub "${AWS::StackName}-oac"
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
3. Set Up Default Cache Behavior
Configure viewer request/response policies and caching:
Resources:
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: S3Origin
DomainName: !GetAtt StaticBucket.RegionalDomainName
AccessControlId: !Ref OriginAccessControl
S3OriginConfig:
OriginAccessIdentity: ""
DefaultCacheBehavior:
TargetOriginId: S3Origin
ViewerProtocolPolicy: redirect-to-https
AllowedMethods:
- GET
- HEAD
CachedMethods:
- GET
- HEAD
Compress: true
CachePolicyId: !Ref CachePolicy
4. Add Additional Cache Behaviors
Create path-specific caching rules for different content types:
Resources:
ApiCachePolicy:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: !Sub "${AWS::StackName}-api-cache"
DefaultTTL: 300
MaxTTL: 600
MinTTL: 60
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
CacheBehaviors:
- PathPattern: "/api/*"
TargetOriginId: ApiOrigin
CachePolicyId: !GetAtt ApiCachePolicy.Id
AllowedMethods:
- GET
- HEAD
- OPTIONS
- PUT
- POST
5. Configure Security Settings
Implement security headers and WAF integration:
Resources:
SecurityHeadersPolicy:
Type: AWS::CloudFront::ResponseHeadersPolicy
Properties:
ResponseHeadersPolicyConfig:
Name: !Sub "${AWS::StackName}-security-headers"
SecurityHeadersConfig:
StrictTransportSecurity:
AccessControlMaxAgeSec: 31536000
IncludeSubdomains: true
Override: true
FrameOptions:
FrameOption: DENY
Override: true
WAFWebACL:
Type: AWS::WAFv2::WebACL
Properties:
Name: !Sub "${AWS::StackName}-waf"
Scope: CLOUDFRONT
DefaultAction:
Allow: {}
6. Add CloudFront Functions
Configure functions for request/response manipulation:
Resources:
RewritePathFunction:
Type: AWS::CloudFront::Function
Properties:
Name: !Sub "${AWS::StackName}-rewrite-path"
FunctionCode: |
function handler(event) {
var request = event.request;
// Function code here
return request;
}
Runtime: cloudfront-js-1.0
AutoPublish: true
7. Configure Monitoring
Set up logging and access logs to S3:
Resources:
AccessLogsBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "cloudfront-logs-${AWS::AccountId}"
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Logging:
Bucket: !Ref AccessLogsBucket
Prefix: cloudfront-logs/
IncludeCookies: false
8. Create Outputs
Export distribution details for cross-stack references:
Outputs:
DistributionDomainName:
Description: CloudFront distribution domain name
Value: !GetAtt CloudFrontDistribution.DomainName
Export:
Name: !Sub "${AWS::StackName}-DistributionDomainName"
DistributionId:
Description: CloudFront distribution ID
Value: !Ref CloudFrontDistribution
Export:
Name: !Sub "${AWS::StackName}-DistributionId"
Best Practices
Security
- Always use HTTPS with minimum TLS 1.2
- Implement SecurityHeaders with HSTS, XSS protection
- Use WAF for protection against common attacks
- Configure appropriate Access-Control for CORS
- Limit origin access with OAI/OAC
- Use Signed URLs for private content
- Implement rate limiting
- Configure geo-restrictions if needed
Performance
- Use appropriate PriceClass to optimize costs
- Configure Cache TTL based on content type
- Enable compression (Gzip/Brotli)
- Use CloudFront Functions for lightweight operations
- Optimize header forwarding (do not forward unnecessary headers)
- Consider Origin Shield to reduce load on origins
- Use multiple origins with path patterns
Monitoring
- Enable CloudWatch metrics and alarms
- Configure real-time logs for troubleshooting
- Monitor cache hit ratio
- Configure alerts for error rate and latency
- Use CloudFront reports for traffic analysis
Deployment
- Use change sets before deployment
- Test templates with cfn-lint
- Organize stacks by lifecycle and ownership
- Implement blue/green deployments with weighted aliases
- Use StackSets for multi-region deployment
Template Structure
- Use AWS-specific parameter types (AWS::ACM::Certificate::Arn, AWS::S3::Bucket::RegionalDomainName)
- Implement parameter constraints (MinLength, MaxLength, AllowedValues, AllowedPattern)
- Use Conditions for environment-specific configuration
- Leverage Mappings for region-specific configuration
- Apply Metadata for parameter grouping and labels
- Use nested stacks for modularity
Cache Strategy
- Use Cache Policies for different content types
- Configure Origin Request Policies to control what's sent to origin
- Set appropriate TTL values:
- Static assets: 86400-31536000 seconds (1 day to 1 year)
- API responses: 60-600 seconds (1-10 minutes)
- Dynamic content: 0 seconds (no caching)
- Enable compression for text-based content
- Use versioned paths for cache busting
Constraints and Warnings
- ACM certificates: Must be in
us-east-1(N. Virginia) for CloudFront - Limits: Max 200 distributions per AWS account, 25 origins per distribution, 25 cache behaviors per distribution
- Deployment time: CloudFront distributions take up to 30 minutes to deploy; plan accordingly
- Certificate requirements: Max 100 alternate domain names per distribution; include default domain for SSL
- OAI deprecation: Prefer Origin Access Control (OAC) over Origin Access Identity (OAI) for S3 origins
- Lambda@Edge limits: 128MB memory, 30s timeout for viewer request/response; separate limits apply for origin requests
- Change sets: Always use change sets before deploying to preview resource changes and avoid accidental deletions
- Drift detection: CloudFormation does not detect drift for CloudFront distributions — manage all settings in templates
Examples
Minimal S3 Static Site Distribution
AWSTemplateFormatVersion: "2010-09-09"
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Sub "cdn-static-${AWS::AccountId}"
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
OriginAccessControl:
Type: AWS::CloudFront::OriginAccessControl
Properties:
OriginAccessControlConfig:
Name: !Sub "${AWS::StackName}-oac"
OriginAccessControlOriginType: s3
SigningBehavior: always
SigningProtocol: sigv4
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
DefaultRootObject: index.html
Origins:
- Id: S3Origin
DomainName: !GetAtt S3Bucket.RegionalDomainName
AccessControlId: !Ref OriginAccessControl
DefaultCacheBehavior:
TargetOriginId: S3Origin
ViewerProtocolPolicy: redirect-to-https
Compress: true
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
PriceClass: PriceClass_All
HttpVersion: http2and3
Outputs:
DistributionDomainName:
Value: !GetAtt CloudFrontDistribution.DomainName
Multi-Origin with Cache Behaviors
Resources:
CachePolicyApi:
Type: AWS::CloudFront::CachePolicy
Properties:
CachePolicyConfig:
Name: !Sub "${AWS::StackName}-api"
DefaultTTL: 300
MaxTTL: 600
MinTTL: 60
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: S3Origin
DomainName: !GetAtt StaticBucket.RegionalDomainName
AccessControlId: !Ref OriginAccessControl
- Id: ApiOrigin
DomainName: !GetAtt ApiLoadBalancer.DNSName
CustomOriginConfig:
OriginProtocolPolicy: https-only
HTTPPort: 80
HTTPSPort: 443
CacheBehaviors:
- PathPattern: "/api/*"
TargetOriginId: ApiOrigin
CachePolicyId: !GetAtt CachePolicyApi.Id
ViewerProtocolPolicy: https-only
- PathPattern: "/static/*"
TargetOriginId: S3Origin
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
References
For detailed implementation guidance, see:
-
template-structure.md - Complete template structure, AWS-specific parameter types, parameter constraints, SSM parameter references, metadata for parameter grouping, transform for macros, conditions for environment-specific configuration, nested stacks, and cross-stack references with export/import patterns
-
origins.md - Origin configuration including S3 origins with OAI/OAC, ALB origins with security groups, API Gateway origins (REST and HTTP APIs), Lambda@Edge origins, VPC origins with Global Accelerator, custom origins, and multi-origin configurations with path patterns
-
caching.md - Cache policies (managed, custom, images, videos), origin request policies, response headers policies, cache behaviors configuration, forwarded values (query strings, headers, cookies), cache key configuration, and TTL configuration best practices
-
security.md - Security headers (CSP, HSTS, XSS protection), CORS configuration, WAF integration with managed and custom rules, origin access control (OAI vs OAC), signed URLs and signed cookies, geo-restrictions, HTTPS enforcement, TLS configuration, and field-level encryption
-
advanced-features.md - CloudFront Functions (viewer request, viewer response, origin request), Lambda@Edge for authentication and URL rewriting, geo-restrictions, price class optimization, compression (Gzip and Brotli), real-time logs to Kinesis and S3, custom error pages, function associations, and Origin Shield configuration
-
constraints.md - Resource limits (200 distributions max, 25 origins max, 25 cache behaviors max), DNS and certificate constraints (ACM in us-east-1, 300 alternate domain names), operational constraints (15 invalidations max, 30 min deployment), security constraints (HTTPS, CSP, WAF), and cost considerations (data transfer, regional pricing, Lambda@Edge costs)
Related Resources
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
giuseppe-trisciuoglio/developer-kit
aws-cli-beast
Provides advanced AWS CLI patterns for managing EC2, Lambda, S3, DynamoDB, RDS, VPC, IAM, and CloudWatch. Generates bulk operation scripts, automates cross-service workflows, validates security configurations, and executes JMESPath queries for complex filtering. Triggers on "aws cli help", "aws command line", "aws scripting", "aws automation", "aws batch operations", "aws bulk operations", "aws cli pagination", "aws multi-region", "aws profiles", "aws cli troubleshooting".
giuseppe-trisciuoglio/developer-kit
aws-cost-optimization
Provides structured AWS cost optimization guidance using five pillars (right-sizing, elasticity, pricing models, storage optimization, monitoring) and twelve actionable best practices with executable AWS CLI examples. Use when optimizing AWS costs, reviewing AWS spending, finding unused AWS resources, implementing FinOps practices, reducing EC2/EBS/S3 bills, configuring AWS Budgets, or performing AWS Well-Architected cost reviews.
giuseppe-trisciuoglio/developer-kit
aws-sam-bootstrap
Provides AWS SAM bootstrap patterns: generates `template.yaml` and `samconfig.toml` for new projects via `sam init`, creates SAM templates for existing Lambda/CloudFormation code migration, validates build/package/deploy workflows, and configures local testing with `sam local invoke`. Use when the user asks about SAM projects, `sam init`, `sam deploy`, serverless deployments, or needs to bootstrap/migrate Lambda functions with SAM templates.
giuseppe-trisciuoglio/developer-kit
aws-drawio-architecture-diagrams
Creates professional AWS architecture diagrams in draw.io XML format (.drawio files) using official AWS Architecture Icons (aws4 library). Use when the user asks for AWS diagrams, VPC layouts, multi-tier architectures, serverless designs, network topology, or draw.io exports involving Lambda, EC2, RDS, or other AWS services.
giuseppe-trisciuoglio/developer-kit
aws-cloudformation-bedrock
Provides AWS CloudFormation patterns for Amazon Bedrock resources including agents, knowledge bases, data sources, guardrails, prompts, flows, and inference profiles. Use when creating Bedrock agents with action groups, implementing RAG with knowledge bases, configuring vector stores, setting up content moderation guardrails, managing prompts, orchestrating workflows with flows, and configuring inference profiles for model optimization.
giuseppe-trisciuoglio/developer-kit
aws-cloudformation-s3
Provides AWS CloudFormation patterns for Amazon S3. Use when creating S3 buckets, policies, versioning, lifecycle rules, and implementing template structure with Parameters, Outputs, Mappings, Conditions, and cross-stack references.
Didn't find tool you were looking for?