Creating AWS CloudFront Distribution with S3 Origin

CloudFront is a fast content delivery network(CDN) service that securely delivers data, videos, applications, and APIs on a global scale with low latency, high transfer speeds, all within a developer-friendly environment. You can read more about CloudFront in one of our previous blogs. Amazon CloudFront is built on Amazon’s highly reliable infrastructure, providing a cost-effective, fast and reliable way to provide service to your customers.

In this blog, I’ll be sharing my experience of configuring AWS CloudFront with the data origin in S3.

How to set up AWS CloudFront?

  1. Sign in to your AWS management console and then go to CloudFront service, which should give you a window just like below the below screenshot.
CloudFront starting dashboard

2. Meanwhile, get your Amazon S3 up and running. Also, create a folder in S3 and upload a file. I will be uploading an image file in this case.

I am currently working from Mumbai region and so created an S3 bucket named cloud-front-bucket-january-canada in Canada region for this illustration. Permissions for the file need to be set in a way so that it’s accessible for the public for now.

3. Now let’s configure the distribution on CloudFront console. After clicking on ‘Create Distribution’ given in step 1, we get this below shown console with 2 options.

As explained in the page itself, Web is used for static and dynamic content whereas RTMP is used for streaming media files. So here we need to select Web as it’s a simple static content that we are working on.

4. Once we click on Get Started under Web, we get a long list of options to choose from. Let’s discuss those options one at a time. As shown above, we get the Origin Settings first; in Origin Domain Name, we need to select the source which is our S3 bucket here. Next option is Origin Path, where we need to give the path of the folder in which we have the image file. If the file(s) is not in a folder and directly uploaded to S3, we should leave this blank.

Origin Settings in creating CloudFront Distribution

Having filled Origin Domain Name, Origin ID(it’s automatically populated), we now click ‘yes’ on Restrict Bucket Access which will enable the customers to use only the CloudFront URL and disable the S3 URL for everyone. You can also read about all these options by clicking on the small ‘i’ right next to each box. Next, we click on ‘Create New Identity’ for Origin Access and then Grant Read Permissions on Bucket.

Let’s look at the next batch of options from the form.

Selecting “Redirect HTTP to HTTPS” helps anyone to view the content accessing the URL using either of the prefixes. If we select ‘HTTPS only’ option, which in fact is a secure option, anyone using HTTP as a prefix will face an error and will not be able to access the content. Rest of the options are kept in default values. The TTL(Time to Live) values represent the time for which the data exist in Edge Locations. The unit of the TTL is seconds.

We use the default values for the rest of the settings on this page.

We can also give custom SSL certificate if we require our users to access the content using an alternate domain name, for example, You can also import/request a certificate with ACM which is AWS Certificate Manager. Please read more about that here. Now, we can click on ‘Create Distribution’ which will create our CloudFront distribution.

CloudFront Distribution initialisation page.

It’s normal to see a message just like above after we click on Create Distribution. It gives us the information on how to configure signed URLs for private content distribution(contents which customers pay to access). To see our newly created distribution, click on the option Distribution from the left panel.

AWS usually takes around 10–15 mins to provision a distribution, however, in the grand scheme of things it’s quite alright considering the level of architecture running behind. Once it’s done we can see the status changing to ‘Deployed’ just like the below screenshot.

Select the particular distribution and go to ‘Distribution Settings’ to view/change specific settings like geo restrictions, custom error messages, invalidation etc.

Next, go to AWS S3 and access the uploaded file using the URL mentioned there and notice the time taken for it to load. Remember, here we are accessing a file in Canada S3 bucket. Since we have already kept it open for public, we can access the file using this link and view it on our browser.

Let’s change the permission settings for this file and remove public read access. We are bound to receive the below error while accessing the file.

Image accessed using S3 URL

Next, I will try and access the same file using CloudFront URL, which we get from the General tab of the particular Distribution. Please refer to the below screenshot.

Settings tab of CloudFront Distribution

Copy the Domain Name and paste it in the address bar, followed by the file name. You will be able to access the file now and it’s happening through CloudFront distribution.

Image accessed using distribution URL

You will notice a lag while loading the file for the first time because the edge location has just pulled the file from the origin for you. However, after the first time, that lag will be gone and you will be able to access the same file instantly on any other browser or even on a different device. The reason behind that is now the file is being accessed from the nearby edge location and not the origin, which is the S3 bucket in this case. We can also set up an EC2 instance as an origin for a distribution. CloudFront can also be used to upload files as well which is a story for another day.

Please make sure that you go through the Amazon docs to understand more about the pricing of CloudFront and some of it’s settings like invalidations where you can exclude some of the file being cached. Don’t forget to disable and delete the CloudFront Distribution after this testing because it will cost you money. Just like the initialization, it will take around 10–15 mins to disable the distribution and afterwards, you will get the option to delete it as well.