CloudFront multi-tenant distribution reference - Amazon CloudFront

With a multi-tenant distribution, you can have CloudFront configure most distribution settings for you, based on your content origin type. For more information about multi-tenant distributions, see Understand how multi-tenant distributions work.

The following sections describe the default preconfiguration settings for multi-tenant distributions, and the settings that you can customize.

Amazon S3 origin

Following are the origin settings that CloudFront preconfigures for your Amazon S3 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control (console only) – CloudFront sets this up for you. For multi-tenant distributions with no parameters used in the origin domain, CloudFront attempts to add the S3 bucket policy.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

Following are the cache settings that CloudFront preconfigures for your Amazon S3 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD

  • Restrict viewer access – No

  • Cache policy – CachingOptimized

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Amazon S3 origin in a multi-tenant distribution.

Customizable settings
  • S3 access – CloudFront sets this for you, based on your S3 bucket settings:

    • If your bucket is public – No Origin Access Control (OAC) policy is needed.

    • If your bucket is private – You can choose or create an OAC policy to use.

  • Enable Origin Shield – No

  • Compress objects automatically – Yes

    • If you choose Yes, then the CachingOptimized caching policy is used.

    • If you choose No, then the CachingOptimizedForUncompressedObjects caching policy is used.

API Gateway origin

Following are the origin settings that CloudFront preconfigures for your API Gateway origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Origin Access Control (console only) – CloudFront sets this up for you

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your API Gateway origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – CachingDisabled (Possible values: UseOriginCacheControlHeaders, UseOriginCacheControlHeaders-QueryStrings)

  • Origin request policy – AllViewerExceptHostHeader (Possible values: AllViewer, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your API Gateway origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

Custom origin and EC2 instance

Following are the origin settings that CloudFront preconfigures for your custom origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – Match viewer

  • HTTP port – 80

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your custom origin and EC2 instance in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – UseOriginCacheControlHeaders (Possible values: UseOriginCacheControlHeaders-QueryStrings, CachingDisabled, CachingOptimized, CachingOptimizedForUncompressedObjects)

  • Origin request policy – AllViewer (Possible values: AllViewerExceptHostHeader, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your custom origin and EC2 instance in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

Elastic Load Balancing origin

Following are the origin settings that CloudFront preconfigures for your Elastic Load Balancing origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your Elastic Load Balancing origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

  • Origin request policy – AllViewer (Possible values: AllViewerExceptHostHeader, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Elastic Load Balancing origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

Lambda function URL origin

Following are the origin settings that CloudFront preconfigures for your Lambda function URL origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control – CloudFront sets this up for you and adds the policy

  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your Lambda function URL origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – CachingDisabled (Possible values: UseOriginCacheControlHeaders, UseOriginCacheControlHeaders-QueryStrings)

  • Origin request policy – AllViewerExceptHostHeader

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Lambda function URL origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

MediaPackage v1 origin

Following are the origin settings that CloudFront preconfigures for your MediaPackage v1 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – You provide this by entering your MediaPackage URL.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaPackage v1 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – Elemental-MediaPackage

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

MediaPackage v2 origin

Following are the origin settings that CloudFront preconfigures for your MediaPackage v2 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control – CloudFront sets this up for you and adds the policy

  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaPackage v2 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – Elemental-MediaPackage

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

MediaTailor origin

Following are the origin settings that CloudFront preconfigures for your MediaTailor origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – You provide this by entering your MediaPackage URL.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaTailor origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP methods – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – None

  • Origin request policy – Elemental-MediaTailor-PersonalizedManifests

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No
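
A drift check for the transport-related preconfigured values listed in the sections above (viewer protocol policy, allowed HTTP methods, origin protocol, minimum origin SSL protocol), as an added example that is not AWS code. It assumes the configuration is available as a dict in the CloudFront API `DistributionConfig` shape and that the console labels correspond to the API values `redirect-to-https`, `https-only` and `match-viewer`; the origin-type keys, `drift` and `SAMPLE` are names made up for this example.

```python
FULL = {"GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"}
READ_ONLY = {"GET", "HEAD"}
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # anything below the page's TLSv1.2

# Origin type -> (origin protocol, allowed methods), transcribed from this page.
# The keys are labels made up for this example; S3 lists no protocol setting.
BASELINE = {
    "s3": (None, READ_ONLY),
    "api-gateway": ("https-only", FULL),
    "custom": ("match-viewer", FULL),
    "elb": ("https-only", FULL),
    "lambda-url": ("https-only", FULL),
    "mediapackage": ("https-only", READ_ONLY),
    "mediatailor": ("https-only", READ_ONLY),
}

def drift(origin_type, config):
    """List where config departs from the preconfigured values for origin_type."""
    protocol, methods = BASELINE[origin_type]
    behavior = config["DefaultCacheBehavior"]
    findings = []
    if behavior["ViewerProtocolPolicy"] != "redirect-to-https":
        findings.append("viewer protocol policy is " + behavior["ViewerProtocolPolicy"])
    extra = set(behavior["AllowedMethods"]["Items"]) - methods
    if extra:
        findings.append("extra allowed methods: " + ", ".join(sorted(extra)))
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if protocol is None or custom is None:
            continue  # S3 origins carry no CustomOriginConfig
        if custom["OriginProtocolPolicy"] != protocol:
            findings.append(f"{origin['Id']}: origin protocol is {custom['OriginProtocolPolicy']}")
        weak = WEAK_TLS & set(custom["OriginSslProtocols"]["Items"])
        if weak:
            findings.append(f"{origin['Id']}: weak origin TLS " + ", ".join(sorted(weak)))
    return findings

# Constructed sample: an Elastic Load Balancing origin that has drifted.
SAMPLE = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all",
                             "AllowedMethods": {"Items": ["GET", "HEAD", "OPTIONS"]}},
    "Origins": {"Items": [{"Id": "alb-origin", "CustomOriginConfig": {
        "OriginProtocolPolicy": "http-only",
        "OriginSslProtocols": {"Items": ["TLSv1", "TLSv1.2"]}}}]},
}

if __name__ == "__main__":
    print("\n".join(drift("elb", SAMPLE)))
```

An empty list means the checked fields match the preconfigured values for that origin type; cache policy, Origin Shield and timeout settings are not covered by this check.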