AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2025-06-19 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.md

Summary

Restructured documentation by replacing detailed configuration sections with links to dedicated reference pages. Removed extensive technical details about origin settings, cache behaviors, distribution settings, and error handling in favor of modular documentation approach.

Security assessment

The changes are organizational/structural improvements rather than security-specific updates. While some removed sections contained security-related information (e.g., SSL/TLS settings, access controls), the diff shows content removal/linking rather than new security guidance. No specific vulnerabilities or security enhancements are introduced in these changes.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.md b/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.md
index 87adea3da..2250505b3 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.md
@@ -5 +5 @@
-Origin settingsCache behavior settingsDistribution settingsCustom error pages and error cachingGeographic restrictions
+# All distribution settings reference
@@ -7 +7 @@ Origin settingsCache behavior settingsDistribution settingsCustom error pages an
-# Distribution settings reference
+You can choose to manually edit your CloudFront distribution settings when you create or update your distribution. Following are the settings that you can edit.
@@ -9,3 +9 @@ Origin settingsCache behavior settingsDistribution settingsCustom error pages an
-When you use the [CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home) to create a new standard distribution or update an existing standard distribution, you specify the following values.
-
-When you create a multi-tenant distribution, CloudFront configures your distribution settings for you, based on your content origin type. For more details about the preconfigured settings, see [CloudFront multi-tenant distribution reference](./template-preconfigured-origin-settings.html).
+However, CloudFront configures most distribution settings for you, based on your content origin type. For more information, see [Preconfigured distribution settings reference](./template-preconfigured-origin-settings.html).
@@ -17,1089 +15 @@ For more information about creating or updating a distribution by using the Clou
-  * Origin settings
-
-  * Cache behavior settings
-
-  * Distribution settings
-
-  * Custom error pages and error caching
-
-  * Geographic restrictions
-
-
-
-
-## Origin settings
-
-When you use the CloudFront console to create or update a distribution, you provide information about one or more locations, known as _origins_ , where you store the original versions of your web content. CloudFront gets your web content from your origins and serves it to viewers via a worldwide network of edge servers.
-
-For the current maximum number of origins that you can create for a distribution, or to request a higher quota, see [General quotas on distributions](./cloudfront-limits.html#limits-web-distributions).
-
-If you want to delete an origin, you must first edit or delete the cache behaviors that are associated with that origin.
-
-###### Important
-
-If you delete an origin, confirm that files that were previously served by that origin are available in another origin and that your cache behaviors are now routing requests for those files to the new origin.
-
-When you create or update a distribution, you specify the following values for each origin.
-
-###### Topics
-
-  * Origin domain
-
-  * Protocol (custom origins only)
-
-  * Origin path
-
-  * Name
-
-  * Origin access (Amazon S3 origins only)
-
-  * Add custom header
-
-  * Enable Origin Shield
-
-  * Connection attempts
-
-  * Connection timeout
-
-  * Response timeout (custom and VPC origins only)
-
-  * Keep-alive timeout (custom and VPC origins only)
-
-  * Response and keep-alive timeout quotas
-
-
-
-
-### Origin domain
-
-The origin domain is the DNS domain name of the resource where CloudFront will get objects for your origin, such as an Amazon S3 bucket or HTTP server. For example:
-
-  * **Amazon S3 bucket** – ``amzn-s3-demo-bucket`.s3.`us-west-2`.amazonaws.com`
-
-###### Note
-
-If you recently created the S3 bucket, the CloudFront distribution might return `HTTP 307 Temporary Redirect` responses for up to 24 hours. It can take up to 24 hours for the S3 bucket name to propagate to all AWS Regions. When the propagation is complete, the distribution automatically stops sending these redirect responses; you don't need to take any action. For more information, see [Why am I getting an HTTP 307 Temporary Redirect response from Amazon S3?](https://repost.aws/knowledge-center/s3-http-307-response) and [Temporary Request Redirection](https://docs.aws.amazon.com/AmazonS3/latest/dev/Redirects.html#TemporaryRedirection).
-
-  * **Amazon S3 bucket configured as a website** – ``amzn-s3-demo-bucket`.s3-website.`us-west-2`.amazonaws.com`
-
-  * **MediaStore container** – ``examplemediastore`.data.mediastore.`us-west-1`.amazonaws.com`
-
-  * **MediaPackage endpoint** – ``examplemediapackage`.mediapackage.`us-west-1`.amazonaws.com`
-
-  * **Amazon EC2 instance** – ``ec2-203-0-113-25`.compute-1.amazonaws.com`
-
-  * **Elastic Load Balancing load balancer** – ``example-load-balancer-1234567890`.`us-west-2`.elb.amazonaws.com`
-
-  * **Your own web server** – `www.example.com`
-
-
-
-
-Choose the domain name in the **Origin domain** field, or type the name. Resources from opt-in Regions must be entered manually. The domain name is not case-sensitive. Your origin domain must have a publicly resolvable DNS name that routes requests from clients to targets over the internet.
-
-If you configure CloudFront to connect to your origin over HTTPS, one of the domain names in the certificate must match the domain name that you specify for **Origin Domain Name**. If no domain name matches, CloudFront returns HTTP status code 502 (Bad Gateway) to the viewer. For more information, see [Domain names in the CloudFront distribution and in the certificate](./cnames-and-https-requirements.html#https-requirements-domain-names-in-cert) and [SSL/TLS negotiation failure between CloudFront and a custom origin server](./http-502-bad-gateway.html#ssl-negotitation-failure).
-
-###### Note
-
-If you are using an origin request policy that forwards the viewer host header to the origin, the origin must respond with a certificate that matches the viewer host header. For more information, see [Add CloudFront request headers](./adding-cloudfront-headers.html).
-
-If your origin is an Amazon S3 bucket, note the following:
-
-  * If the bucket is configured as a website, enter the Amazon S3 static website hosting endpoint for your bucket; don’t select the bucket name from the list in the **Origin domain** field. The static website hosting endpoint appears in the Amazon S3 console, on the **Properties** page under **Static website hosting**. For more information, see [Use an Amazon S3 bucket that's configured as a website endpoint](./DownloadDistS3AndCustomOrigins.html#concept_S3Origin_website).
-
-  * If you configured Amazon S3 Transfer Acceleration for your bucket, do not specify the `s3-accelerate` endpoint for **Origin domain**.
-
-  * If you're using a bucket from a different AWS account and if the bucket is not configured as a website, enter the name, using the following format:
-
-``bucket-name`.s3.`region`.amazonaws.com`
-
-If your bucket reside in a US Region, and you want Amazon S3 to route requests to a facility in northern Virginia, use the following format:
-
-``bucket-name`.s3.us-east-1.amazonaws.com`
-
-  * The files must be publicly readable unless you secure your content in Amazon S3 by using a CloudFront origin access control. For more information about access control, see [Restrict access to an Amazon S3 origin](./private-content-restricting-access-to-s3.html).
-
-
-
-
-###### Important
-
-If the origin is an Amazon S3 bucket, the bucket name must conform to DNS naming requirements. For more information, go to [Bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) in the _Amazon Simple Storage Service User Guide_.
-
-When you change the value of **Origin domain** for an origin, CloudFront immediately begins replicating the change to CloudFront edge locations. Until the distribution configuration is updated in a given edge location, CloudFront continues to forward requests to the previous origin. As soon as the distribution configuration is updated in that edge location, CloudFront begins to forward requests to the new origin.
-
-Changing the origin does not require CloudFront to repopulate edge caches with objects from the new origin. As long as the viewer requests in your application have not changed, CloudFront continues to serve objects that are already in an edge cache until the TTL on each object expires or until seldom-requested objects are evicted. 
-
-### Protocol (custom origins only)
-
-###### Note
-
-This applies only to custom origins.
-
-The protocol policy that you want CloudFront to use when fetching objects from your origin. 
-
-Choose one of the following values:
-
-  * **HTTP only:** CloudFront uses only HTTP to access the origin.
-
-###### Important
-
-**HTTP only** is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 doesn’t support HTTPS connections for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.
-
-  * **HTTPS only:** CloudFront uses only HTTPS to access the origin.
-
-  * **Match viewer:** CloudFront communicates with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.
-
-###### Important
-
-For HTTPS viewer requests that CloudFront forwards to this origin, one of the domain names in the SSL/TLS certificate on your origin server must match the domain name that you specify for **Origin domain**. Otherwise, CloudFront responds to the viewer requests with an HTTP status code 502 (Bad Gateway) instead of returning the requested object. For more information, see [Requirements for using SSL/TLS certificates with CloudFront](./cnames-and-https-requirements.html).
-
-
-
-
-###### Topics
-
-  * HTTP port
-
-  * HTTPS port
-
-  * Minimum origin SSL protocol
-
-
-
-
-#### HTTP port
-
-###### Note
-
-This applies only to custom origins.
-
-(Optional) You can specify the HTTP port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 80.
-
-###### Important
-
-Port 80 is the default setting when the origin is an Amazon S3 static website hosting endpoint, because Amazon S3 only supports port 80 for static website hosting endpoints. The CloudFront console does not support changing this setting for Amazon S3 static website hosting endpoints.
-
-#### HTTPS port
-
-###### Note
-
-This applies only to custom origins.
-
-(Optional) You can specify the HTTPS port on which the custom origin listens. Valid values include ports 80, 443, and 1024 to 65535. The default value is port 443. When **Protocol** is set to **HTTP only** , you cannot specify a value for **HTTPS port**.
-
-#### Minimum origin SSL protocol
-
-###### Note
-
-This applies only to custom origins.
-
-Choose the minimum TLS/SSL protocol that CloudFront can use when it establishes an HTTPS connection to your origin. Lower TLS protocols are less secure, so we recommend that you choose the latest TLS protocol that your origin supports. When **Protocol** is set to **HTTP only** , you cannot specify a value for **Minimum origin SSL protocol**.
-
-If you use the CloudFront API to set the TLS/SSL protocol for CloudFront to use, you cannot set a minimum protocol. Instead, you specify all of the TLS/SSL protocols that CloudFront can use with your origin. For more information, see [OriginSslProtocols](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_OriginSslProtocols.html) in the _Amazon CloudFront API Reference_.
-