AWS AWSCloudFormation documentation change
Summary
Added new example template for CloudFront distribution with Lambda origin and updated documentation references
Security assessment
The new Lambda origin example demonstrates security best practices including HTTPS-only origin protocol, viewer protocol redirect to HTTPS, and secure caching policies. While these are security-conscious configurations, there's no evidence they address a specific security vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md b/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md index b5a9b6692..0229fe242 100644 --- a//AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md +++ b//AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md @@ -5 +5 @@ -Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFront distribution resource with custom originAmazon CloudFront distribution with multi-origin support +Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFront distribution resource with custom originAmazon CloudFront distribution with multi-origin supportAmazon CloudFront distribution with a Lambda function as originSee also @@ -9 +9 @@ Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFron -Use these sample template snippets with your Amazon CloudFront distribution resource in AWS CloudFormation. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html#aws-resource-cloudfront-distribution--examples) section in the `AWS::CloudFront::Distribution` resource. +Use these sample template snippets with your Amazon CloudFront distribution resource in AWS CloudFormation. For more information, see the [Amazon CloudFront resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html). @@ -18,0 +19,4 @@ Use these sample template snippets with your Amazon CloudFront distribution reso + * Amazon CloudFront distribution with a Lambda function as origin + + * See also + @@ -202 +206 @@ The following example template shows an Amazon CloudFront [Distribution](https:/ - Type: 'AWS::CloudFront::Distribution' + Type: AWS::CloudFront::Distribution @@ -427,0 +432,95 @@ The following example template shows how to declare a CloudFront [Distribution]( +## Amazon CloudFront distribution with a Lambda function as origin + +The following example creates a CloudFront distribution that fronts a specified Lambda function URL (provided as a parameter), enabling HTTPS-only access, caching, compression, and global delivery. It configures the Lambda URL as a custom HTTPS origin and applies a standard AWS caching policy. The distribution is optimized for performance with HTTP/2 and IPv6 support and outputs the CloudFront domain name, allowing users to access the Lambda function through a secure, CDN-backed endpoint. For more information, see [Using Amazon CloudFront with AWS Lambda as origin to accelerate your web applications](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/) on the AWS Blog. + +### JSON + + + { + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "LambdaEndpoint": { + "Type": "String", + "Description": "The Lambda function URL endpoint without the 'https://'" + } + }, + "Resources": { + "MyDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "PriceClass": "PriceClass_All", + "HttpVersion": "http2", + "IPV6Enabled": true, + "Origins": [ + { + "DomainName": { + "Ref": "LambdaEndpoint" + }, + "Id": "LambdaOrigin", + "CustomOriginConfig": { + "HTTPSPort": 443, + "OriginProtocolPolicy": "https-only" + } + } + ], + "Enabled": "true", + "DefaultCacheBehavior": { + "TargetOriginId": "LambdaOrigin", + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6", + "ViewerProtocolPolicy": "redirect-to-https", + "SmoothStreaming": "false", + "Compress": "true" + } + } + } + } + }, + "Outputs": { + "CloudFrontDomain": { + "Description": "CloudFront default domain name configured", + "Value": { + "Fn::Sub": "https://${MyDistribution.DomainName}/" + } + } + } + } + +### YAML + + + AWSTemplateFormatVersion: 2010-09-09 + Parameters: + LambdaEndpoint: + Type: String + Description: The Lambda function URL endpoint without the 'https://' + Resources: + MyDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + PriceClass: PriceClass_All + HttpVersion: http2 + IPV6Enabled: true + Origins: + - DomainName: !Ref LambdaEndpoint + Id: LambdaOrigin + CustomOriginConfig: + HTTPSPort: 443 + OriginProtocolPolicy: https-only + Enabled: 'true' + DefaultCacheBehavior: + TargetOriginId: LambdaOrigin + CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6' + ViewerProtocolPolicy: redirect-to-https + SmoothStreaming: 'false' + Compress: 'true' + Outputs: + CloudFrontDomain: + Description: CloudFront default domain name configured + Value: !Sub https://${MyDistribution.DomainName}/ + +## See also + +For an example of adding a custom alias to a Route 53 record to make a friendly name for a CloudFront distribution, see [Alias resource record set for a CloudFront distribution](./quickref-route53.html#scenario-user-friendly-url-for-cloudfront-distribution). +