AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-06-10 · Documentation low

File: AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md

Summary

Added new example template for CloudFront distribution with Lambda origin and updated documentation references

Security assessment

The new Lambda origin example demonstrates security best practices including HTTPS-only origin protocol, viewer protocol redirect to HTTPS, and secure caching policies. While these are security-conscious configurations, there's no evidence they address a specific security vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md b/AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md
index b5a9b6692..0229fe242 100644
--- a//AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md
+++ b//AWSCloudFormation/latest/UserGuide/quickref-cloudfront.md
@@ -5 +5 @@
-Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFront distribution resource with custom originAmazon CloudFront distribution with multi-origin support
+Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFront distribution resource with custom originAmazon CloudFront distribution with multi-origin supportAmazon CloudFront distribution with a Lambda function as originSee also
@@ -9 +9 @@ Amazon CloudFront distribution resource with an Amazon S3 originAmazon CloudFron
-Use these sample template snippets with your Amazon CloudFront distribution resource in AWS CloudFormation. For more examples, see the [Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.html#aws-resource-cloudfront-distribution--examples) section in the `AWS::CloudFront::Distribution` resource.
+Use these sample template snippets with your Amazon CloudFront distribution resource in AWS CloudFormation. For more information, see the [Amazon CloudFront resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/AWS_CloudFront.html).
@@ -18,0 +19,4 @@ Use these sample template snippets with your Amazon CloudFront distribution reso
+  * Amazon CloudFront distribution with a Lambda function as origin
+
+  * See also
+
@@ -202 +206 @@ The following example template shows an Amazon CloudFront [Distribution](https:/
-        Type: 'AWS::CloudFront::Distribution'
+        Type: AWS::CloudFront::Distribution
@@ -427,0 +432,95 @@ The following example template shows how to declare a CloudFront [Distribution](
+## Amazon CloudFront distribution with a Lambda function as origin
+
+The following example creates a CloudFront distribution that fronts a specified Lambda function URL (provided as a parameter), enabling HTTPS-only access, caching, compression, and global delivery. It configures the Lambda URL as a custom HTTPS origin and applies a standard AWS caching policy. The distribution is optimized for performance with HTTP/2 and IPv6 support and outputs the CloudFront domain name, allowing users to access the Lambda function through a secure, CDN-backed endpoint. For more information, see [Using Amazon CloudFront with AWS Lambda as origin to accelerate your web applications](https://aws.amazon.com/blogs/networking-and-content-delivery/using-amazon-cloudfront-with-aws-lambda-as-origin-to-accelerate-your-web-applications/) on the AWS Blog.
+
+### JSON
+    
+    
+    {
+        "AWSTemplateFormatVersion": "2010-09-09",
+        "Parameters": {
+            "LambdaEndpoint": {
+                "Type": "String",
+                "Description": "The Lambda function URL endpoint without the 'https://'"
+            }
+        },
+        "Resources": {
+            "MyDistribution": {
+                "Type": "AWS::CloudFront::Distribution",
+                "Properties": {
+                    "DistributionConfig": {
+                        "PriceClass": "PriceClass_All",
+                        "HttpVersion": "http2",
+                        "IPV6Enabled": true,
+                        "Origins": [
+                            {
+                                "DomainName": {
+                                    "Ref": "LambdaEndpoint"
+                                },
+                                "Id": "LambdaOrigin",
+                                "CustomOriginConfig": {
+                                    "HTTPSPort": 443,
+                                    "OriginProtocolPolicy": "https-only"
+                                }
+                            }
+                        ],
+                        "Enabled": "true",
+                        "DefaultCacheBehavior": {
+                            "TargetOriginId": "LambdaOrigin",
+                            "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
+                            "ViewerProtocolPolicy": "redirect-to-https",
+                            "SmoothStreaming": "false",
+                            "Compress": "true"
+                        }
+                    }
+                }
+            }
+        },
+        "Outputs": {
+            "CloudFrontDomain": {
+                "Description": "CloudFront default domain name configured",
+                "Value": {
+                    "Fn::Sub": "https://${MyDistribution.DomainName}/"
+                }
+            }
+        }
+    }
+
+### YAML
+    
+    
+    AWSTemplateFormatVersion: 2010-09-09
+    Parameters:
+      LambdaEndpoint:
+        Type: String
+        Description: The Lambda function URL endpoint without the 'https://'
+    Resources:
+      MyDistribution:
+        Type: AWS::CloudFront::Distribution
+        Properties:
+          DistributionConfig:
+            PriceClass: PriceClass_All
+            HttpVersion: http2
+            IPV6Enabled: true
+            Origins:
+            - DomainName: !Ref LambdaEndpoint
+              Id: LambdaOrigin
+              CustomOriginConfig:
+                HTTPSPort: 443
+                OriginProtocolPolicy: https-only
+            Enabled: 'true'
+            DefaultCacheBehavior:
+              TargetOriginId: LambdaOrigin
+              CachePolicyId: '658327ea-f89d-4fab-a63d-7e88639e58f6'
+              ViewerProtocolPolicy: redirect-to-https
+              SmoothStreaming: 'false'
+              Compress: 'true'
+    Outputs:
+      CloudFrontDomain:
+        Description: CloudFront default domain name configured
+        Value: !Sub https://${MyDistribution.DomainName}/
+
+## See also
+
+For an example of adding a custom alias to a Route 53 record to make a friendly name for a CloudFront distribution, see [Alias resource record set for a CloudFront distribution](./quickref-route53.html#scenario-user-friendly-url-for-cloudfront-distribution).
+