AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-07-19 · Documentation low

File: AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md

Summary

Expanded CloudFront distribution documentation with multi-tenant configuration examples, including security configurations for S3 origins

Security assessment

The changes add examples demonstrating security best practices like enforcing HTTPS transport (aws:SecureTransport condition), KMS bucket encryption, and public access restrictions. However, these are general security recommendations rather than fixes for specific vulnerabilities.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md
index 6985a6467..02de396bc 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md
@@ -90 +90 @@ The distribution's identifier. For example: `E1U5RQF7T870K0`.
-### Create a distribution
+###### 
@@ -92 +92,12 @@ The distribution's identifier. For example: `E1U5RQF7T870K0`.
-The following example specifies a distribution and assigns it a single tag.
+  * Create a standard distribution
+
+  * Create a multi-tenant distribution without a certificate
+
+  * Create a multi-tenant distribution with a wildcard certificate
+
+
+
+
+### Create a standard distribution
+
+The following example specifies a standard distribution and assigns it a single tag.
@@ -168,0 +180,331 @@ The following example specifies a distribution and assigns it a single tag.
+### Create a multi-tenant distribution without a certificate
+
+The following example specifies a basic multi-tenant distribution without a certificate.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "MyMultiTenantDistribution": {
+          "Type": "AWS::CloudFront::Distribution",
+          "Properties": {
+            "DistributionConfig": {
+              "ConnectionMode": "tenant-only",
+              "TenantConfig": {
+                "ParameterDefinitions": [
+                  {
+                    "Name": "tenantName",
+                    "Definition": {
+                      "StringSchema": {
+                        "Comment": "Tenant name",
+                        "DefaultValue": "root",
+                        "Required": false
+                      }
+                    }
+                  }
+                ]
+              },
+              "DefaultCacheBehavior": {
+                "TargetOriginId": "MyBucket.Arn",
+                "ViewerProtocolPolicy": "allow-all",
+                "AllowedMethods": [
+                  "GET",
+                  "HEAD"
+                ],
+                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
+              },
+              "Enabled": true,
+              "Origins": [
+                {
+                  "DomainName": "MyBucket.RegionalDomainName",
+                  "Id": "MyBucket.Arn",
+                  "OriginPath": "/{{tenantName}}",
+                  "S3OriginConfig": {
+                    "OriginAccessIdentity": ""
+                  }
+                }
+              ]
+            }
+          }
+        },
+        "MyBucket": {
+          "Type": "AWS::S3::Bucket",
+          "Properties": {
+            "BucketName": "amzn-s3-demo-bucket",
+            "BucketEncryption": {
+              "ServerSideEncryptionConfiguration": [
+                {
+                  "ServerSideEncryptionByDefault": {
+                    "SSEAlgorithm": "aws:kms",
+                    "KMSMasterKeyID": "alias/aws/s3"
+                  }
+                }
+              ]
+            },
+            "PublicAccessBlockConfiguration": {
+              "IgnorePublicAcls": true,
+              "RestrictPublicBuckets": true
+            }
+          }
+        },
+        "MyBucketBucketPolicy": {
+          "Type": "AWS::S3::BucketPolicy",
+          "Properties": {
+            "Bucket": "MyBucket",
+            "PolicyDocument": {
+              "Id": "RequireEncryptionInTransit",
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Principal": "*",
+                  "Action": "*",
+                  "Effect": "Deny",
+                  "Resource": [
+                    "MyBucket.Arn",
+                    "${MyBucket.Arn}/*"
+                  ],
+                  "Condition": {
+                    "Bool": {
+                      "aws:SecureTransport": "false"
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        }
+      }
+    }
+
+#### YAML
+    
+    
+    Resources:
+      MyMultiTenantDistribution:
+        Type: AWS::CloudFront::Distribution
+        Properties:
+          DistributionConfig:
+            ConnectionMode: tenant-only
+            TenantConfig: 
+              ParameterDefinitions:
+                - Name: tenantName
+                  Definition:
+                    StringSchema:
+                      Comment: "Tenant name"
+                      DefaultValue: "root"
+                      Required: false
+            DefaultCacheBehavior:
+              TargetOriginId: !GetAtt MyBucket.Arn
+              ViewerProtocolPolicy: allow-all
+              AllowedMethods:
+                - GET
+                - HEAD
+              CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId
+            Enabled: true
+            Origins:
+              - DomainName: !GetAtt MyBucket.RegionalDomainName
+                Id: !GetAtt MyBucket.Arn
+                OriginPath: "/{{tenantName}}"
+                S3OriginConfig:
+                  OriginAccessIdentity: ""
+      
+      MyBucket:
+        Type: AWS::S3::Bucket
+        Properties:
+          BucketName: amzn-s3-demo-bucket
+          BucketEncryption:
+            ServerSideEncryptionConfiguration:
+              - ServerSideEncryptionByDefault:
+                  SSEAlgorithm: aws:kms
+                  KMSMasterKeyID: alias/aws/s3
+          PublicAccessBlockConfiguration:
+            IgnorePublicAcls: true
+            RestrictPublicBuckets: true
+      MyBucketBucketPolicy:
+        Type: AWS::S3::BucketPolicy
+        Properties:
+          Bucket: !Ref MyBucket
+          PolicyDocument:
+            Id: RequireEncryptionInTransit
+            Version: '2012-10-17'
+            Statement:
+              - Principal: '*'
+                Action: '*'
+                Effect: Deny
+                Resource:
+                  - !GetAtt MyBucket.Arn
+                  - !Sub ${MyBucket.Arn}/*
+                Condition:
+                  Bool:
+                    aws:SecureTransport: 'false'
+
+### Create a multi-tenant distribution with a wildcard certificate
+
+The following example specifies a basic multi-tenant distribution with a wildcard certificate.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "MyMultiTenantDistribution": {
+          "Type": "AWS::CloudFront::Distribution",
+          "Properties": {
+            "DistributionConfig": {
+              "ConnectionMode": "tenant-only",
+              "ViewerCertificate": {
+                "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d",