AWS::CloudFront::Distribution - AWS CloudFormation


AWS::CloudFront::Distribution

A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::CloudFront::Distribution",
      "Properties" : {
        "DistributionConfig" : DistributionConfig,
        "Tags" : [ Tag, ... ]
      }
    }

YAML

    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DistributionConfig
      Tags:
        - Tag

Properties

DistributionConfig

The distribution's configuration.

Required: Yes

Type: DistributionConfig

Update requires: No interruption

Tags

A complex type that contains zero or more Tag elements.

Required: No

Type: Array of Tag

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the CloudFront distribution ID. For example: E27LVI50CSW06W.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

DomainName

The domain name of the resource, such as d111111abcdef8.cloudfront.net.

Id

The distribution's identifier. For example: E1U5RQF7T870K0.

Examples

Create a standard distribution

The following example specifies a standard distribution and assigns it a single tag.

JSON

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "cloudfrontdistribution": {
          "Type": "AWS::CloudFront::Distribution",
          "Properties": {
            "DistributionConfig": {
              "CacheBehaviors": [
                {
                  "LambdaFunctionAssociations": [
                    {
                      "EventType": "string-value",
                      "LambdaFunctionARN": "string-value"
                    }
                  ]
                }
              ],
              "DefaultCacheBehavior": {
                "LambdaFunctionAssociations": [
                  {
                    "EventType": "string-value",
                    "LambdaFunctionARN": "string-value"
                  }
                ]
              },
              "IPV6Enabled": "boolean-value",
              "Origins": [
                {
                  "CustomOriginConfig": {
                    "OriginKeepaliveTimeout": "integer-value",
                    "OriginReadTimeout": "integer-value"
                  }
                }
              ]
            },
            "Tags": [
              {
                "Key": "string-value",
                "Value": "string-value"
              }
            ]
          }
        }
      }
    }

YAML

    AWSTemplateFormatVersion: 2010-09-09
    Resources:
      cloudfrontdistribution:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            CacheBehaviors:
              - LambdaFunctionAssociations:
                  - EventType: string-value
                    LambdaFunctionARN: string-value
            DefaultCacheBehavior:
              LambdaFunctionAssociations:
                - EventType: string-value
                  LambdaFunctionARN: string-value
            IPV6Enabled: boolean-value
            Origins:
              - CustomOriginConfig:
                  OriginKeepaliveTimeout: integer-value
                  OriginReadTimeout: integer-value
          Tags:
            - Key: string-value
              Value: string-value

Create a multi-tenant distribution without a certificate

The following example specifies a basic multi-tenant distribution without a certificate.

JSON

    {
      "Resources": {
        "MyMultiTenantDistribution": {
          "Type": "AWS::CloudFront::Distribution",
          "Properties": {
            "DistributionConfig": {
              "ConnectionMode": "tenant-only",
              "TenantConfig": {
                "ParameterDefinitions": [
                  {
                    "Name": "tenantName",
                    "Definition": {
                      "StringSchema": {
                        "Comment": "Tenant name",
                        "DefaultValue": "root",
                        "Required": false
                      }
                    }
                  }
                ]
              },
              "DefaultCacheBehavior": {
                "TargetOriginId": { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                "ViewerProtocolPolicy": "allow-all",
                "AllowedMethods": [ "GET", "HEAD" ],
                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
              },
              "Enabled": true,
              "Origins": [
                {
                  "DomainName": { "Fn::GetAtt": [ "MyBucket", "RegionalDomainName" ] },
                  "Id": { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                  "OriginPath": "/{{tenantName}}",
                  "S3OriginConfig": {
                    "OriginAccessIdentity": ""
                  }
                }
              ]
            }
          }
        },
        "MyBucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
            "BucketName": "amzn-s3-demo-bucket",
            "BucketEncryption": {
              "ServerSideEncryptionConfiguration": [
                {
                  "ServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "alias/aws/s3"
                  }
                }
              ]
            },
            "PublicAccessBlockConfiguration": {
              "IgnorePublicAcls": true,
              "RestrictPublicBuckets": true
            }
          }
        },
        "MyBucketBucketPolicy": {
          "Type": "AWS::S3::BucketPolicy",
          "Properties": {
            "Bucket": { "Ref": "MyBucket" },
            "PolicyDocument": {
              "Id": "RequireEncryptionInTransit",
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Principal": "*",
                  "Action": "*",
                  "Effect": "Deny",
                  "Resource": [
                    { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                    { "Fn::Sub": "${MyBucket.Arn}/*" }
                  ],
                  "Condition": {
                    "Bool": {
                      "aws:SecureTransport": "false"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }

YAML

    Resources:
      MyMultiTenantDistribution:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            ConnectionMode: tenant-only
            TenantConfig:
              ParameterDefinitions:
                - Name: tenantName
                  Definition:
                    StringSchema:
                      Comment: "Tenant name"
                      DefaultValue: "root"
                      Required: false
            DefaultCacheBehavior:
              TargetOriginId: !GetAtt MyBucket.Arn
              ViewerProtocolPolicy: allow-all
              AllowedMethods:
                - GET
                - HEAD
              CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId
            Enabled: true
            Origins:
              - DomainName: !GetAtt MyBucket.RegionalDomainName
                Id: !GetAtt MyBucket.Arn
                OriginPath: "/{{tenantName}}"
                S3OriginConfig:
                  OriginAccessIdentity: ""
      MyBucket:
        Type: AWS::S3::Bucket
        Properties:
          BucketName: amzn-s3-demo-bucket
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: aws:kms
                  KMSMasterKeyID: alias/aws/s3
          PublicAccessBlockConfiguration:
            IgnorePublicAcls: true
            RestrictPublicBuckets: true
      MyBucketBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref MyBucket
          PolicyDocument:
            Id: RequireEncryptionInTransit
            Version: '2012-10-17'
            Statement:
              - Principal: '*'
                Action: '*'
                Effect: Deny
                Resource:
                  - !GetAtt MyBucket.Arn
                  - !Sub ${MyBucket.Arn}/*
                Condition:
                  Bool:
                    aws:SecureTransport: 'false'

Create a multi-tenant distribution with a wildcard certificate

The following example specifies a basic multi-tenant distribution with a wildcard certificate.

JSON

    {
      "Resources": {
        "MyMultiTenantDistribution": {
          "Type": "AWS::CloudFront::Distribution",
          "Properties": {
            "DistributionConfig": {
              "ConnectionMode": "tenant-only",
              "ViewerCertificate": {
                "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d",
                "SslSupportMethod": "sni-only"
              },
              "TenantConfig": {
                "ParameterDefinitions": [
                  {
                    "Name": "tenantName",
                    "Definition": {
                      "StringSchema": {
                        "Comment": "Tenant name",
                        "DefaultValue": "root",
                        "Required": false
                      }
                    }
                  }
                ]
              },
              "DefaultCacheBehavior": {
                "TargetOriginId": { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                "ViewerProtocolPolicy": "allow-all",
                "AllowedMethods": [ "GET", "HEAD" ],
                "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
              },
              "Enabled": true,
              "Origins": [
                {
                  "DomainName": { "Fn::GetAtt": [ "MyBucket", "RegionalDomainName" ] },
                  "Id": { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                  "OriginPath": "/{{tenantName}}",
                  "S3OriginConfig": {
                    "OriginAccessIdentity": ""
                  }
                }
              ]
            }
          }
        },
        "MyBucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
            "BucketName": "amzn-s3-demo-bucket",
            "BucketEncryption": {
              "ServerSideEncryptionConfiguration": [
                {
                  "ServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "alias/aws/s3"
                  }
                }
              ]
            },
            "PublicAccessBlockConfiguration": {
              "IgnorePublicAcls": true,
              "RestrictPublicBuckets": true
            }
          }
        },
        "MyBucketBucketPolicy": {
          "Type": "AWS::S3::BucketPolicy",
          "Properties": {
            "Bucket": { "Ref": "MyBucket" },
            "PolicyDocument": {
              "Id": "RequireEncryptionInTransit",
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Principal": "*",
                  "Action": "*",
                  "Effect": "Deny",
                  "Resource": [
                    { "Fn::GetAtt": [ "MyBucket", "Arn" ] },
                    { "Fn::Sub": "${MyBucket.Arn}/*" }
                  ],
                  "Condition": {
                    "Bool": {
                      "aws:SecureTransport": "false"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }

YAML

    Resources:
      MyMultiTenantDistribution:
        Type: AWS::CloudFront::Distribution
        Properties:
          DistributionConfig:
            ConnectionMode: tenant-only
            ViewerCertificate:
              AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d
              SslSupportMethod: sni-only
            TenantConfig:
              ParameterDefinitions:
                - Name: tenantName
                  Definition:
                    StringSchema:
                      Comment: "Tenant name"
                      DefaultValue: "root"
                      Required: false
            DefaultCacheBehavior:
              TargetOriginId: !GetAtt MyBucket.Arn
              ViewerProtocolPolicy: allow-all
              AllowedMethods:
                - GET
                - HEAD
              CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId
            Enabled: true
            Origins:
              - DomainName: !GetAtt MyBucket.RegionalDomainName
                Id: !GetAtt MyBucket.Arn
                OriginPath: "/{{tenantName}}"
                S3OriginConfig:
                  OriginAccessIdentity: ""
      MyBucket:
        Type: AWS::S3::Bucket
        Properties:
          BucketName: amzn-s3-demo-bucket
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: aws:kms
                  KMSMasterKeyID: alias/aws/s3
          PublicAccessBlockConfiguration:
            IgnorePublicAcls: true
            RestrictPublicBuckets: true
      MyBucketBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref MyBucket
          PolicyDocument:
            Id: RequireEncryptionInTransit
            Version: '2012-10-17'
            Statement:
              - Principal: '*'
                Action: '*'
                Effect: Deny
                Resource:
                  - !GetAtt MyBucket.Arn
                  - !Sub ${MyBucket.Arn}/*
                Condition:
                  Bool:
                    aws:SecureTransport: 'false'
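Both multi-tenant templates above set ViewerProtocolPolicy to allow-all, leave OriginAccessIdentity empty, and set only two of the four PublicAccessBlockConfiguration flags. The following added example (not part of the AWS documentation) is a pre-deployment check that flags those three settings in a parsed template; the function name lint_template, the finding strings, and the SAMPLE dictionary are assumptions made for illustration.

```python
# Added example (not AWS code): lint a parsed CloudFormation template for
# three settings used by the multi-tenant examples on this page.
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def lint_template(template):
    """Return a sorted list of (logical_id, finding) tuples."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::CloudFront::Distribution":
            cfg = props.get("DistributionConfig", {})
            behaviors = [cfg.get("DefaultCacheBehavior", {})]
            behaviors += cfg.get("CacheBehaviors", [])
            for b in behaviors:
                # allow-all serves viewers over plain HTTP as well as HTTPS
                if b.get("ViewerProtocolPolicy") == "allow-all":
                    findings.append((name, "viewer HTTP allowed (allow-all)"))
            for o in cfg.get("Origins", []):
                s3 = o.get("S3OriginConfig")
                has_oai = bool(s3 and s3.get("OriginAccessIdentity"))
                has_oac = bool(o.get("OriginAccessControlId"))
                if s3 is not None and not (has_oai or has_oac):
                    findings.append((name, "S3 origin without OAI or OAC"))
        elif res.get("Type") == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            missing = [f for f in PAB_FLAGS if pab.get(f) not in (True, "true")]
            if missing:
                findings.append((name, "public access block not set: "
                                 + ", ".join(missing)))
    return sorted(findings)


# Constructed sample: the security-relevant subset of the page's multi-tenant
# template, with intrinsic functions replaced by placeholder strings.
SAMPLE = {"Resources": {
    "MyMultiTenantDistribution": {
        "Type": "AWS::CloudFront::Distribution",
        "Properties": {"DistributionConfig": {
            "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
            "Origins": [{"Id": "origin", "OriginPath": "/{{tenantName}}",
                         "S3OriginConfig": {"OriginAccessIdentity": ""}}]}}},
    "MyBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {"PublicAccessBlockConfiguration": {
            "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}}}}

if __name__ == "__main__":
    for logical_id, finding in lint_template(SAMPLE):
        print(f"{logical_id}: {finding}")
```

A template that uses redirect-to-https or https-only, sets OriginAccessControlId on the S3 origin, and enables all four public access block flags produces no findings.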
