Cloudfront Distribution Setup for Amazon S3

Reading Time: 3 minutes

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic content such as HTML, CSS, js, and images to your users.

CloudFront delivers the content through a worldwide network of data centers called edge locations, which means when a user requests the content that you are serving with CloudFront, the user is routed to the edge location that provides the lowest latency(time delay) so that content is delivered with the best possible performance.

  • If the content is already in the edge location than it delivers it immediately.
  • If the content is not there than CloudFront retrieves it from an origin that you have defined such as an Amazon bucket or an Http server that you have identified as the source for your content.

Flow to setup CloudFront to deliver content:

We create a CloudFront distribution to tell CloudFront where you want content to be delivered from and the details about how to track and manage content delivery. Then CloudFront uses computers—edge servers—that are close to your viewers to deliver that content quickly when someone wants to see it or use it.



How You Configure CloudFront to Deliver Your Content:

  1. You specify origin servers, like an Amazon S3 bucket or your own HTTP server, from which CloudFront gets your files which will then be distributed from CloudFront edge locations all over the world. Origin server stores the original, definitive version of your objects. If you’re serving content over HTTP, your origin server is either an Amazon S3 bucket or an HTTP server, such as a web server.
  2. You upload your files to your origin servers. Your files, also known as objects, typically include web pages, images, and media files, but can be anything that can be served over HTTP or a supported version of Adobe RTMP, the protocol used by Adobe Flash Media Server.
  3. You create a CloudFront distribution, which tells CloudFront which origin servers to get your files from when users request the files. At the same time, you specify details such as whether you want CloudFront to log all requests and whether you want the distribution to be enabled as soon as it’s created.
  4. CloudFront assigns a domain name to your new distribution that you can see in the CloudFront console, or that is returned in the response to a programmatic request, for example, an API request.
  5. CloudFront sends your distribution’s configuration (but not your content) to all of its edge locations—collections of servers in geographically dispersed data centers where CloudFront caches copies of your objects.


Automate the CloudFront distribution via Terraform:

CloudFront distributions take about 15 minutes to a deployed state after creation or modification.

This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters

data "aws_s3_bucket" "blog_repo" {
bucket = ""
resource "aws_cloudfront_distribution" "s3_distribution" {
origin {
origin_id = "default"
domain_name = "${data.aws_s3_bucket.blog_repo.bucket_domain_name}"
s3_origin_config {
origin_access_identity = "${aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path}"
enabled = true
is_ipv6_enabled = true
comment = "Added authentication to bucket"
default_cache_behavior {
allowed_methods = ["GET", "HEAD"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "default"
forwarded_values {
query_string = false
cookies {
forward = "none"
viewer_protocol_policy = "https-only"
min_ttl = 0
default_ttl = 0
max_ttl = 0
restrictions {
geo_restriction {
restriction_type = "none"
tags = {
Environment = "development"
viewer_certificate {
cloudfront_default_certificate = true
resource "aws_cloudfront_origin_access_identity" "origin_access_identity" {
comment = "Some comment"
data "aws_iam_policy_document" "s3_policy" {
statement {
actions = ["s3:GetObject"]
resources = ["${data.aws_s3_bucket.blog_repo.arn}/*"]
principals {
type = "AWS"
identifiers = ["${aws_cloudfront_origin_access_identity.origin_access_identity.iam_arn}"]
resource "aws_s3_bucket_policy" "example" {
bucket = "${}"
policy = "${data.aws_iam_policy_document.s3_policy.json}"

After you’ve created your distribution, CloudFront knows where your Amazon S3 origin server is, and you know the domain name associated with the distribution. You can create a link to your Amazon S3 bucket content with that domain name, and have CloudFront serve it.

If your object is in a folder within your bucket, include the folder in the URL. For example
if image.jpg is located in the knoldus_images folder,
and your CloudFront URL is: then the URL would be:


Terraform for cloudfront distribution







Written by 

Neelam is a software consultant with experience of more than 6 months. She likes to keep up with the trending technologies. She is familiar with languages such as C, C++, Java, Scala, Angular 4 and is currently working on lagom with java. Her hobbies includes playing Table Tennis and listening music.