AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-07-19 · Documentation low

File: AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md

Summary

Added multiple detailed examples for creating CloudFront distribution tenants with different configurations including certificate inheritance, custom certificates, CloudFront hosted, and self-hosted setups

Security assessment

The examples demonstrate security-related configurations including SSL certificate management (AcmCertificateArn), S3 bucket encryption (SSEAlgorithm: aws:kms), secure transport enforcement (aws:SecureTransport condition), and public access restrictions. However, these are standard security best practices documentation rather than addressing a specific security vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md
index bf592ac63..bf8d61d13 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distributiontenant.md
@@ -3 +3 @@
-SyntaxPropertiesReturn values
+SyntaxPropertiesReturn valuesExamplesSee also
@@ -198,0 +199,888 @@ The status of the distribution tenant.
+## Examples
+
+###### 
+
+  * Create a distribution tenant that inherits its certificate
+
+  * Create a distribution tenant with its own certificate
+
+  * Create a CloudFront hosted distribution tenant
+
+  * Create a self hosted distribution tenant
+
+
+
+
+### Create a distribution tenant that inherits its certificate
+
+The following example specifies a distribution tenant that inherits its certificate from its parent multi-tenant distribution.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "MyMultiTenantDistribution": {
+          "Type": "AWS::CloudFront::Distribution",
+          "Properties": {
+            "DistributionConfig": {
+              "ConnectionMode": "tenant-only",
+              "ViewerCertificate": {
+                "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d",
+                "SslSupportMethod": "sni-only"
+              },
+              "TenantConfig": {
+                "ParameterDefinitions": [
+                  {
+                    "Name": "tenantName",
+                    "Definition": {
+                      "StringSchema": {
+                        "Comment": "Tenant name",
+                        "DefaultValue": "root",
+                        "Required": false
+                      }
+                    }
+                  }
+                ]
+              },
+              "DefaultCacheBehavior": {
+                "TargetOriginId": "MyBucket.Arn",
+                "ViewerProtocolPolicy": "allow-all",
+                "AllowedMethods": [
+                  "GET",
+                  "HEAD"
+                ],
+                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
+              },
+              "Enabled": true,
+              "Origins": [
+                {
+                  "DomainName": "MyBucket.RegionalDomainName",
+                  "Id": "MyBucket.Arn",
+                  "OriginPath": "/{{tenantName}}",
+                  "S3OriginConfig": {
+                    "OriginAccessIdentity": ""
+                  }
+                }
+              ]
+            }
+          }
+        },
+        "MyBucket": {
+          "Type": "AWS::S3::Bucket",
+          "Properties": {
+            "BucketName": "amzn-s3-demo-bucket",
+            "BucketEncryption": {
+              "ServerSideEncryptionConfiguration": [
+                {
+                  "ServerSideEncryptionByDefault": {
+                    "SSEAlgorithm": "aws:kms",
+                    "KMSMasterKeyID": "alias/aws/s3"
+                  }
+                }
+              ]
+            },
+            "PublicAccessBlockConfiguration": {
+              "IgnorePublicAcls": true,
+              "RestrictPublicBuckets": true
+            }
+          }
+        },
+        "MyBucketBucketPolicy": {
+          "Type": "AWS::S3::BucketPolicy",
+          "Properties": {
+            "Bucket": "MyBucket",
+            "PolicyDocument": {
+              "Id": "RequireEncryptionInTransit",
+              "Version": "2012-10-17",
+              "Statement": [
+                {
+                  "Principal": "*",
+                  "Action": "*",
+                  "Effect": "Deny",
+                  "Resource": [
+                    "MyBucket.Arn",
+                    "${MyBucket.Arn}/*"
+                  ],
+                  "Condition": {
+                    "Bool": {
+                      "aws:SecureTransport": "false"
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        },
+        "MyDistributionTenant": {
+          "Type": "AWS::CloudFront::DistributionTenant",
+          "Properties": {
+            "Domains": [
+              "my-distribution-tenant.example.com"
+            ],
+            "DistributionId": "MyMultiTenantDistribution.Id",
+            "Name": "MyDistributionTenant",
+            "Enabled": true,
+            "Parameters": [
+              {
+                "Name": "tenantName",
+                "Value": "first-user"
+              }
+            ]
+          }
+        }
+      }
+    }
+
+#### YAML
+    
+    
+    Resources:
+      MyMultiTenantDistribution:
+        Type: AWS::CloudFront::Distribution
+        Properties:
+          DistributionConfig:
+            ConnectionMode: tenant-only
+            ViewerCertificate:
+              AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d
+              SslSupportMethod: sni-only
+            TenantConfig: 
+              ParameterDefinitions:
+                - Name: tenantName
+                  Definition:
+                    StringSchema:
+                      Comment: "Tenant name"
+                      DefaultValue: "root"
+                      Required: false
+            DefaultCacheBehavior:
+              TargetOriginId: !GetAtt MyBucket.Arn
+              ViewerProtocolPolicy: allow-all
+              AllowedMethods:
+                - GET
+                - HEAD
+              CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId
+            Enabled: true
+            Origins:
+              - DomainName: !GetAtt MyBucket.RegionalDomainName
+                Id: !GetAtt MyBucket.Arn
+                OriginPath: "/{{tenantName}}"
+                S3OriginConfig:
+                  OriginAccessIdentity: ""
+      
+      MyBucket:
+        Type: AWS::S3::Bucket
+        Properties:
+          BucketName: amzn-s3-demo-bucket
+          BucketEncryption:
+            ServerSideEncryptionConfiguration:
+              - ServerSideEncryptionByDefault:
+                  SSEAlgorithm: aws:kms
+                  KMSMasterKeyID: alias/aws/s3
+          PublicAccessBlockConfiguration:
+            IgnorePublicAcls: true
+            RestrictPublicBuckets: true
+      MyBucketBucketPolicy:
+        Type: AWS::S3::BucketPolicy
+        Properties:
+          Bucket: !Ref MyBucket
+          PolicyDocument:
+            Id: RequireEncryptionInTransit
+            Version: '2012-10-17'
+            Statement:
+              - Principal: '*'