CloudFront
Best practices
Restrict access to origin servers (where your original content is stored) to the CDN segments only: allow traffic towards the servers or services that store content only from the CDN segments.
Serve content over HTTPS to preserve its confidentiality and to assure its authenticity.
When distributing content over HTTPS, use TLS 1.2 over older protocols, such as SSL v3.
If you have a requirement to distribute private content, use CloudFront signed URLs.
If you have a requirement to distribute sensitive content, use field-level encryption as an extra protection layer.
Use AWS WAF (Web Application Firewall) to protect content served by Amazon CloudFront from application-layer attacks, for example by detecting and blocking bot traffic and OWASP Top 10 application attacks.
Enable CloudFront standard logs for audit logging purposes. Store the logs in a dedicated Amazon S3 bucket, with strict access controls, to avoid log tampering.
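As an added example (not from the original page), the following Python shows how a canned-policy CloudFront signed URL is assembled: the expiry lives inside the policy that the signature covers, and the signature is encoded with CloudFront's URL-safe base64 alphabet. The distribution domain, the key pair ID and the SHA-1 stand-in signer are constructed placeholders; a real deployment signs the policy with RSA-SHA1 using the private key of the CloudFront key pair.

```python
import base64
import hashlib
import json
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# CloudFront's URL-safe base64 differs from RFC 4648: '+' -> '-', '=' -> '_', '/' -> '~'
CF_B64_TABLE = bytes.maketrans(b"+=/", b"-_~")


def cloudfront_b64(data: bytes) -> str:
    return base64.b64encode(data).translate(CF_B64_TABLE).decode("ascii")


def canned_policy(url: str, expires: int) -> bytes:
    # Compact separators and this key order matter: the signature covers these exact bytes.
    policy = {"Statement": [{"Resource": url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def signed_url(url: str, expires: int, key_pair_id: str,
               sign: Callable[[bytes], bytes]) -> str:
    """Build a canned-policy signed URL.

    `sign` must return the RSA-SHA1 signature of the policy bytes, made with the
    private key belonging to `key_pair_id` (e.g. via the `cryptography` package or
    botocore's CloudFrontSigner). Signature bytes only contain [A-Za-z0-9-_~], so
    no further URL encoding is needed.
    """
    sig = cloudfront_b64(sign(canned_policy(url, expires)))
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={sig}&Key-Pair-Id={key_pair_id}"


def link_ttl(url: str, now: Optional[int] = None) -> int:
    """Seconds until a signed URL's Expires value passes (negative = already expired).
    Handy when reviewing how long shared links stay valid."""
    expires = int(parse_qs(urlsplit(url).query)["Expires"][0])
    return expires - (int(time.time()) if now is None else now)


def stub_sign(data: bytes) -> bytes:
    # Constructed stand-in so the example runs offline; CloudFront would reject it.
    # Replace with a real RSA-SHA1 signature from the key pair's private key.
    return hashlib.sha1(data).digest()


if __name__ == "__main__":
    # Constructed sample values: AWS's documentation example domain and a fake key pair ID.
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    print(signed_url(url, int(time.time()) + 600, "APKAEXAMPLEKEYID", stub_sign))
```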