This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::CloudFront::DistributionTenant The distribution tenant. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::CloudFront::DistributionTenant", "Properties" : { "[ConnectionGroupId](#cfn-cloudfront-distributiontenant-connectiongroupid)" : String, "[Customizations](#cfn-cloudfront-distributiontenant-customizations)" : Customizations, "[DistributionId](#cfn-cloudfront-distributiontenant-distributionid)" : String, "[Domains](#cfn-cloudfront-distributiontenant-domains)" : [ String, ... ], "[Enabled](#cfn-cloudfront-distributiontenant-enabled)" : Boolean, "[ManagedCertificateRequest](#cfn-cloudfront-distributiontenant-managedcertificaterequest)" : ManagedCertificateRequest, "[Name](#cfn-cloudfront-distributiontenant-name)" : String, "[Parameters](#cfn-cloudfront-distributiontenant-parameters)" : [ Parameter, ... ], "[Tags](#cfn-cloudfront-distributiontenant-tags)" : [ Tag, ... ] } } ``` ### YAML ``` Type: AWS::CloudFront::DistributionTenant Properties: [ConnectionGroupId](#cfn-cloudfront-distributiontenant-connectiongroupid): String [Customizations](#cfn-cloudfront-distributiontenant-customizations): Customizations [DistributionId](#cfn-cloudfront-distributiontenant-distributionid): String [Domains](#cfn-cloudfront-distributiontenant-domains): - String [Enabled](#cfn-cloudfront-distributiontenant-enabled): Boolean [ManagedCertificateRequest](#cfn-cloudfront-distributiontenant-managedcertificaterequest): ManagedCertificateRequest [Name](#cfn-cloudfront-distributiontenant-name): String [Parameters](#cfn-cloudfront-distributiontenant-parameters): - Parameter [Tags](#cfn-cloudfront-distributiontenant-tags): - Tag ``` ## Properties `ConnectionGroupId` The ID of the connection group for the distribution tenant. If you don't specify a connection group, CloudFront uses the default connection group. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Customizations` Customizations for the distribution tenant. For each distribution tenant, you can specify the geographic restrictions, and the Amazon Resource Names (ARNs) for the ACM certificate and AWS WAF web ACL. These are specific values that you can override or disable from the multi-tenant distribution that was used to create the distribution tenant. *Required*: No *Type*: [Customizations](aws-properties-cloudfront-distributiontenant-customizations.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DistributionId` The ID of the multi-tenant distribution. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Domains` The domains associated with the distribution tenant. *Required*: Yes *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Enabled` Indicates whether the distribution tenant is in an enabled state. If disabled, the distribution tenant won't serve traffic. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ManagedCertificateRequest` An object that represents the request for the Amazon CloudFront managed ACM certificate. *Required*: No *Type*: [ManagedCertificateRequest](aws-properties-cloudfront-distributiontenant-managedcertificaterequest.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the distribution tenant. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Parameters` A list of parameter values to add to the resource. A parameter is specified as a key-value pair. A valid parameter value must exist for any parameter that is marked as required in the multi-tenant distribution. *Required*: No *Type*: Array of [Parameter](aws-properties-cloudfront-distributiontenant-parameter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` A complex type that contains zero or more `Tag` elements. *Required*: No *Type*: Array of [Tag](aws-properties-cloudfront-distributiontenant-tag.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref ### Fn::GetAtt #### `Arn` The Amazon Resource Name (ARN) of the distribution tenant. `CreatedTime` The date and time when the distribution tenant was created. `DomainResults` Property description not available. `ETag` The current version of the distribution tenant. `Id` The ID of the distribution tenant. `LastModifiedTime` The date and time when the distribution tenant was updated. `Status` The status of the distribution tenant. ## Examples **Topics** + [Create a distribution tenant that inherits its certificate](#aws-resource-cloudfront-distributiontenant--examples--Create_a_distribution_tenant_that_inherits_its_certificate) + [Create a distribution tenant with its own certificate](#aws-resource-cloudfront-distributiontenant--examples--Create_a_distribution_tenant_with_its_own_certificate) + [Create a CloudFront hosted distribution tenant](#aws-resource-cloudfront-distributiontenant--examples--Create_a_hosted_distribution_tenant) + [Create a self hosted distribution tenant](#aws-resource-cloudfront-distributiontenant--examples--Create_a_self_hosted_distribution_tenant) ### Create a distribution tenant that inherits its certificate The following example specifies a distribution tenant that inherits its certificate from its parent multi-tenant distribution. #### JSON ``` { "Resources": { "MyMultiTenantDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "ConnectionMode": "tenant-only", "ViewerCertificate": { "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d", "SslSupportMethod": "sni-only" }, "TenantConfig": { "ParameterDefinitions": [ { "Name": "tenantName", "Definition": { "StringSchema": { "Comment": "Tenant name", "DefaultValue": "root", "Required": false } } } ] }, "DefaultCacheBehavior": { "TargetOriginId": "MyBucket.Arn", "ViewerProtocolPolicy": "allow-all", "AllowedMethods": [ "GET", "HEAD" ], "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" }, "Enabled": true, "Origins": [ { "DomainName": "MyBucket.RegionalDomainName", "Id": "MyBucket.Arn", "OriginPath": "/{{tenantName}}", "S3OriginConfig": { "OriginAccessIdentity": "" } } ] } } }, "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-bucket", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3" } } ] }, "PublicAccessBlockConfiguration": { "IgnorePublicAcls": true, "RestrictPublicBuckets": true } } }, "MyBucketBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "MyBucket", "PolicyDocument": { "Id": "RequireEncryptionInTransit", "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Action": "*", "Effect": "Deny", "Resource": [ "MyBucket.Arn", "${MyBucket.Arn}/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } } }, "MyDistributionTenant": { "Type": "AWS::CloudFront::DistributionTenant", "Properties": { "Domains": [ "my-distribution-tenant.example.com" ], "DistributionId": "MyMultiTenantDistribution.Id", "Name": "MyDistributionTenant", "Enabled": true, "Parameters": [ { "Name": "tenantName", "Value": "first-user" } ] } } } } ``` #### YAML ``` Resources: MyMultiTenantDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: ConnectionMode: tenant-only ViewerCertificate: AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d SslSupportMethod: sni-only TenantConfig: ParameterDefinitions: - Name: tenantName Definition: StringSchema: Comment: "Tenant name" DefaultValue: "root" Required: false DefaultCacheBehavior: TargetOriginId: !GetAtt MyBucket.Arn ViewerProtocolPolicy: allow-all AllowedMethods: - GET - HEAD CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId Enabled: true Origins: - DomainName: !GetAtt MyBucket.RegionalDomainName Id: !GetAtt MyBucket.Arn OriginPath: "/{{tenantName}}" S3OriginConfig: OriginAccessIdentity: "" MyBucket: Type: AWS::S3::Bucket Properties: BucketName: amzn-s3-demo-bucket BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: alias/aws/s3 PublicAccessBlockConfiguration: IgnorePublicAcls: true RestrictPublicBuckets: true MyBucketBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Id: RequireEncryptionInTransit Version: '2012-10-17 ' Statement: - Principal: '*' Action: '*' Effect: Deny Resource: - !GetAtt MyBucket.Arn - !Sub ${MyBucket.Arn}/* Condition: Bool: aws:SecureTransport: 'false' MyDistributionTenant: Type: AWS::CloudFront::DistributionTenant Properties: Domains: - my-distribution-tenant.example.com DistributionId: !GetAtt MyMultiTenantDistribution.Id Name: MyDistributionTenant Enabled: true Parameters: - Name: tenantName Value: first-user ``` ### Create a distribution tenant with its own certificate The following example specifies a distribution tenant with its own certificate. #### JSON ``` { "Resources": { "MyMultiTenantDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "ConnectionMode": "tenant-only", "ViewerCertificate": { "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d", "SslSupportMethod": "sni-only" }, "TenantConfig": { "ParameterDefinitions": [ { "Name": "tenantName", "Definition": { "StringSchema": { "Comment": "Tenant name", "DefaultValue": "root", "Required": false } } } ] }, "DefaultCacheBehavior": { "TargetOriginId": "MyBucket.Arn", "ViewerProtocolPolicy": "allow-all", "AllowedMethods": [ "GET", "HEAD" ], "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" }, "Enabled": true, "Origins": [ { "DomainName": "MyBucket.RegionalDomainName", "Id": "MyBucket.Arn", "OriginPath": "/{{tenantName}}", "S3OriginConfig": { "OriginAccessIdentity": "" } } ] } } }, "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-bucket", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3" } } ] }, "PublicAccessBlockConfiguration": { "IgnorePublicAcls": true, "RestrictPublicBuckets": true } } }, "MyBucketBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "MyBucket", "PolicyDocument": { "Id": "RequireEncryptionInTransit", "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Action": "*", "Effect": "Deny", "Resource": [ "MyBucket.Arn", "${MyBucket.Arn}/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } } }, "MyDistributionTenant": { "Type": "AWS::CloudFront::DistributionTenant", "Properties": { "Domains": [ "my-distribution-tenant.example.com" ], "DistributionId": "MyMultiTenantDistribution.Id", "Name": "MyDistributionTenant", "Enabled": true, "Parameters": [ { "Name": "tenantName", "Value": "first-user" } ] } } } } ``` #### YAML ``` Resources: MyMultiTenantDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: ConnectionMode: tenant-only TenantConfig: ParameterDefinitions: - Name: tenantName Definition: StringSchema: Comment: "Tenant name" DefaultValue: "root" Required: false DefaultCacheBehavior: TargetOriginId: !GetAtt MyBucket.Arn ViewerProtocolPolicy: allow-all AllowedMethods: - GET - HEAD CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId Enabled: true Origins: - DomainName: !GetAtt MyBucket.RegionalDomainName Id: !GetAtt MyBucket.Arn OriginPath: "/{{tenantName}}" S3OriginConfig: OriginAccessIdentity: "" MyBucket: Type: AWS::S3::Bucket Properties: BucketName: amzn-s3-demo-bucket BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: alias/aws/s3 PublicAccessBlockConfiguration: IgnorePublicAcls: true RestrictPublicBuckets: true MyBucketBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Id: RequireEncryptionInTransit Version: '2012-10-17 ' Statement: - Principal: '*' Action: '*' Effect: Deny Resource: - !GetAtt MyBucket.Arn - !Sub ${MyBucket.Arn}/* Condition: Bool: aws:SecureTransport: 'false' MyDistributionTenant: Type: AWS::CloudFront::DistributionTenant Properties: Domains: - my-distribution-tenant.example.com DistributionId: !GetAtt MyMultiTenantDistribution.Id Name: MyDistributionTenant Enabled: true Customizations: Certificate: Arn: arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d Parameters: - Name: tenantName Value: first-user ``` ### Create a CloudFront hosted distribution tenant The following example specifies a CloudFront hosted distribution tenant. #### JSON ``` { "Resources": { "MyMultiTenantDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "ConnectionMode": "tenant-only", "TenantConfig": { "ParameterDefinitions": [ { "Name": "tenantName", "Definition": { "StringSchema": { "Comment": "Tenant name", "DefaultValue": "root", "Required": false } } } ] }, "DefaultCacheBehavior": { "TargetOriginId": "MyBucket.Arn", "ViewerProtocolPolicy": "allow-all", "AllowedMethods": [ "GET", "HEAD" ], "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" }, "Enabled": true, "Origins": [ { "DomainName": "MyBucket.RegionalDomainName", "Id": "MyBucket.Arn", "OriginPath": "/{{tenantName}}", "S3OriginConfig": { "OriginAccessIdentity": "" } } ] } } }, "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-bucket", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3" } } ] }, "PublicAccessBlockConfiguration": { "IgnorePublicAcls": true, "RestrictPublicBuckets": true } } }, "MyBucketBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "MyBucket", "PolicyDocument": { "Id": "RequireEncryptionInTransit", "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Action": "*", "Effect": "Deny", "Resource": [ "MyBucket.Arn", "${MyBucket.Arn}/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } } }, "MyConnectionGroup": { "Type": "AWS::CloudFront::ConnectionGroup", "Properties": { "Name": "cf-hosted-connection-group-cfn" } }, "RecordSet": { "Type": "AWS::Route53::RecordSet", "Properties": { "Name": "my-distribution-tenant.example.com", "Type": "CNAME", "HostedZoneId": "Z06559422OQIFCZO0EORK", "TTL": 300, "ResourceRecords": [ "MyConnectionGroup.RoutingEndpoint" ] } }, "MyDistributionTenant": { "Type": "AWS::CloudFront::DistributionTenant", "Properties": { "ConnectionGroupId": "MyConnectionGroup.Id", "Domains": [ "my-distribution-tenant.example.com" ], "DistributionId": "MyMultiTenantDistribution.Id", "Name": "MyDistributionTenant", "Enabled": true, "ManagedCertificateRequest": { "ValidationTokenHost": "cloudfront" }, "Parameters": [ { "Name": "tenantName", "Value": "first-user" } ] } } } } ``` #### YAML ``` Resources: MyMultiTenantDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: ConnectionMode: tenant-only TenantConfig: ParameterDefinitions: - Name: tenantName Definition: StringSchema: Comment: "Tenant name" DefaultValue: "root" Required: false DefaultCacheBehavior: TargetOriginId: !GetAtt MyBucket.Arn ViewerProtocolPolicy: allow-all AllowedMethods: - GET - HEAD CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId Enabled: true Origins: - DomainName: !GetAtt MyBucket.RegionalDomainName Id: !GetAtt MyBucket.Arn OriginPath: "/{{tenantName}}" S3OriginConfig: OriginAccessIdentity: "" MyBucket: Type: AWS::S3::Bucket Properties: BucketName: amzn-s3-demo-bucket BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: alias/aws/s3 PublicAccessBlockConfiguration: IgnorePublicAcls: true RestrictPublicBuckets: true MyBucketBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Id: RequireEncryptionInTransit Version: '2012-10-17 ' Statement: - Principal: '*' Action: '*' Effect: Deny Resource: - !GetAtt MyBucket.Arn - !Sub ${MyBucket.Arn}/* Condition: Bool: aws:SecureTransport: 'false' MyConnectionGroup: Type: AWS::CloudFront::ConnectionGroup Properties: Name: cf-hosted-connection-group-cfn RecordSet: Type: AWS::Route53::RecordSet Properties: Name: my-distribution-tenant.example.com Type: CNAME HostedZoneId: Z06559422OQIFCZO0EORK TTL: 300 ResourceRecords: - !GetAtt MyConnectionGroup.RoutingEndpoint MyDistributionTenant: Type: AWS::CloudFront::DistributionTenant Properties: ConnectionGroupId: !GetAtt MyConnectionGroup.Id Domains: - my-distribution-tenant.example.com DistributionId: !GetAtt MyMultiTenantDistribution.Id Name: MyDistributionTenant Enabled: true ManagedCertificateRequest: ValidationTokenHost: cloudfront Parameters: - Name: tenantName Value: first-user ``` ### Create a self hosted distribution tenant The following example specifies a self hosted distribution tenant. **Important** You must set up token validation for the distribution tenant when using this option. For more information, see [Request certificates for your CloudFront distribution tenant](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.html) in the *Amazon CloudFront Developer Guide*. #### JSON ``` { "Resources": { "MyMultiTenantDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "ConnectionMode": "tenant-only", "TenantConfig": { "ParameterDefinitions": [ { "Name": "tenantName", "Definition": { "StringSchema": { "Comment": "Tenant name", "DefaultValue": "root", "Required": false } } } ] }, "DefaultCacheBehavior": { "TargetOriginId": "MyBucket.Arn", "ViewerProtocolPolicy": "allow-all", "AllowedMethods": [ "GET", "HEAD" ], "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" }, "Enabled": true, "Origins": [ { "DomainName": "MyBucket.RegionalDomainName", "Id": "MyBucket.Arn", "OriginPath": "/{{tenantName}}", "S3OriginConfig": { "OriginAccessIdentity": "" } } ] } } }, "MyBucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": "amzn-s3-demo-bucket", "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3" } } ] }, "PublicAccessBlockConfiguration": { "IgnorePublicAcls": true, "RestrictPublicBuckets": true } } }, "MyBucketBucketPolicy": { "Type": "AWS::S3::BucketPolicy", "Properties": { "Bucket": "MyBucket", "PolicyDocument": { "Id": "RequireEncryptionInTransit", "Version": "2012-10-17", "Statement": [ { "Principal": "*", "Action": "*", "Effect": "Deny", "Resource": [ "MyBucket.Arn", "${MyBucket.Arn}/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] } } }, "MyConnectionGroup": { "Type": "AWS::CloudFront::ConnectionGroup", "Properties": { "Name": "cf-hosted-connection-group-cfn" } }, "RecordSet": { "Type": "AWS::Route53::RecordSet", "Properties": { "Name": "my-distribution-tenant.example.com", "Type": "CNAME", "HostedZoneId": "Z06559422OQIFCZO0EORK", "TTL": 300, "ResourceRecords": [ "MyConnectionGroup.RoutingEndpoint" ] } }, "MyDistributionTenant": { "Type": "AWS::CloudFront::DistributionTenant", "Properties": { "ConnectionGroupId": "MyConnectionGroup.Id", "Domains": [ "my-distribution-tenant.example.com" ], "DistributionId": "MyMultiTenantDistribution.Id", "Name": "MyDistributionTenant", "Enabled": true, "ManagedCertificateRequest": { "ValidationTokenHost": "self-hosted", "PrimaryDomainName": "my-distribution-tenant.example.com" }, "Parameters": [ { "Name": "tenantName", "Value": "first-user" } ] } } } } ``` #### YAML ``` Resources: MyMultiTenantDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: ConnectionMode: tenant-only TenantConfig: ParameterDefinitions: - Name: tenantName Definition: StringSchema: Comment: "Tenant name" DefaultValue: "root" Required: false DefaultCacheBehavior: TargetOriginId: !GetAtt MyBucket.Arn ViewerProtocolPolicy: allow-all AllowedMethods: - GET - HEAD CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId Enabled: true Origins: - DomainName: !GetAtt MyBucket.RegionalDomainName Id: !GetAtt MyBucket.Arn OriginPath: "/{{tenantName}}" S3OriginConfig: OriginAccessIdentity: "" MyBucket: Type: AWS::S3::Bucket Properties: BucketName: amzn-s3-demo-bucket BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: alias/aws/s3 PublicAccessBlockConfiguration: IgnorePublicAcls: true RestrictPublicBuckets: true MyBucketBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: !Ref MyBucket PolicyDocument: Id: RequireEncryptionInTransit Version: '2012-10-17 ' Statement: - Principal: '*' Action: '*' Effect: Deny Resource: - !GetAtt MyBucket.Arn - !Sub ${MyBucket.Arn}/* Condition: Bool: aws:SecureTransport: 'false' MyConnectionGroup: Type: AWS::CloudFront::ConnectionGroup Properties: Name: cf-hosted-connection-group-cfn RecordSet: Type: AWS::Route53::RecordSet Properties: Name: my-distribution-tenant.example.com Type: CNAME HostedZoneId: Z06559422OQIFCZO0EORK TTL: 300 ResourceRecords: - !GetAtt MyConnectionGroup.RoutingEndpoint MyDistributionTenant: Type: AWS::CloudFront::DistributionTenant Properties: ConnectionGroupId: !GetAtt MyConnectionGroup.Id Domains: - my-distribution-tenant.example.com DistributionId: !GetAtt MyMultiTenantDistribution.Id Name: MyDistributionTenant Enabled: true ManagedCertificateRequest: ValidationTokenHost: self-hosted PrimaryDomainName: my-distribution-tenant.example.com Parameters: - Name: tenantName Value: first-user ``` ## See also + [Understand how multi-tenant distributions work](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html) in the *Amazon CloudFront Developer Guide* + [Request certificates for your CloudFront distribution tenant](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/managed-cloudfront-certificates.html) in the *Amazon CloudFront Developer Guide* # AWS::CloudFront::DistributionTenant Certificate The AWS Certificate Manager (ACM) certificate associated with your distribution. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Arn](#cfn-cloudfront-distributiontenant-certificate-arn)" : String } ``` ### YAML ``` [Arn](#cfn-cloudfront-distributiontenant-certificate-arn): String ``` ## Properties `Arn` The Amazon Resource Name (ARN) of the ACM certificate. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant Customizations Customizations for the distribution tenant. For each distribution tenant, you can specify the geographic restrictions, and the Amazon Resource Names (ARNs) for the ACM certificate and AWS WAF web ACL. These are specific values that you can override or disable from the multi-tenant distribution that was used to create the distribution tenant. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Certificate](#cfn-cloudfront-distributiontenant-customizations-certificate)" : Certificate, "[GeoRestrictions](#cfn-cloudfront-distributiontenant-customizations-georestrictions)" : GeoRestrictionCustomization, "[WebAcl](#cfn-cloudfront-distributiontenant-customizations-webacl)" : WebAclCustomization } ``` ### YAML ``` [Certificate](#cfn-cloudfront-distributiontenant-customizations-certificate): Certificate [GeoRestrictions](#cfn-cloudfront-distributiontenant-customizations-georestrictions): GeoRestrictionCustomization [WebAcl](#cfn-cloudfront-distributiontenant-customizations-webacl): WebAclCustomization ``` ## Properties `Certificate` The AWS Certificate Manager (ACM) certificate. *Required*: No *Type*: [Certificate](aws-properties-cloudfront-distributiontenant-certificate.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GeoRestrictions` The geographic restrictions. *Required*: No *Type*: [GeoRestrictionCustomization](aws-properties-cloudfront-distributiontenant-georestrictioncustomization.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `WebAcl` The AWS WAF web ACL. *Required*: No *Type*: [WebAclCustomization](aws-properties-cloudfront-distributiontenant-webaclcustomization.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant DomainResult The details about the domain result. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Domain](#cfn-cloudfront-distributiontenant-domainresult-domain)" : String, "[Status](#cfn-cloudfront-distributiontenant-domainresult-status)" : String } ``` ### YAML ``` [Domain](#cfn-cloudfront-distributiontenant-domainresult-domain): String [Status](#cfn-cloudfront-distributiontenant-domainresult-status): String ``` ## Properties `Domain` The specified domain. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Status` Whether the domain is active or inactive. *Required*: No *Type*: String *Allowed values*: `active | inactive` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant GeoRestrictionCustomization The customizations that you specified for the distribution tenant for geographic restrictions. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Locations](#cfn-cloudfront-distributiontenant-georestrictioncustomization-locations)" : [ String, ... ], "[RestrictionType](#cfn-cloudfront-distributiontenant-georestrictioncustomization-restrictiontype)" : String } ``` ### YAML ``` [Locations](#cfn-cloudfront-distributiontenant-georestrictioncustomization-locations): - String [RestrictionType](#cfn-cloudfront-distributiontenant-georestrictioncustomization-restrictiontype): String ``` ## Properties `Locations` The locations for geographic restrictions. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RestrictionType` The method that you want to use to restrict distribution of your content by country: + `none`: No geographic restriction is enabled, meaning access to content is not restricted by client geo location. + `blacklist`: The `Location` elements specify the countries in which you don't want CloudFront to distribute your content. + `whitelist`: The `Location` elements specify the countries in which you want CloudFront to distribute your content. *Required*: No *Type*: String *Allowed values*: `blacklist | whitelist | none` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant ManagedCertificateRequest An object that represents the request for the Amazon CloudFront managed ACM certificate. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CertificateTransparencyLoggingPreference](#cfn-cloudfront-distributiontenant-managedcertificaterequest-certificatetransparencyloggingpreference)" : String, "[PrimaryDomainName](#cfn-cloudfront-distributiontenant-managedcertificaterequest-primarydomainname)" : String, "[ValidationTokenHost](#cfn-cloudfront-distributiontenant-managedcertificaterequest-validationtokenhost)" : String } ``` ### YAML ``` [CertificateTransparencyLoggingPreference](#cfn-cloudfront-distributiontenant-managedcertificaterequest-certificatetransparencyloggingpreference): String [PrimaryDomainName](#cfn-cloudfront-distributiontenant-managedcertificaterequest-primarydomainname): String [ValidationTokenHost](#cfn-cloudfront-distributiontenant-managedcertificaterequest-validationtokenhost): String ``` ## Properties `CertificateTransparencyLoggingPreference` You can opt out of certificate transparency logging by specifying the `disabled` option. Opt in by specifying `enabled`. For more information, see [Certificate Transparency Logging ](https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency) in the *AWS Certificate Manager User Guide*. *Required*: No *Type*: String *Allowed values*: `enabled | disabled` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PrimaryDomainName` The primary domain name associated with the CloudFront managed ACM certificate. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ValidationTokenHost` Specify how the HTTP validation token will be served when requesting the CloudFront managed ACM certificate. + For `cloudfront`, CloudFront will automatically serve the validation token. Choose this mode if you can point the domain's DNS to CloudFront immediately. + For `self-hosted`, you serve the validation token from your existing infrastructure. Choose this mode when you need to maintain current traffic flow while your certificate is being issued. You can place the validation token at the well-known path on your existing web server, wait for ACM to validate and issue the certificate, and then update your DNS to point to CloudFront. *Required*: No *Type*: String *Allowed values*: `cloudfront | self-hosted` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant Parameter A list of parameter values to add to the resource. A parameter is specified as a key-value pair. A valid parameter value must exist for any parameter that is marked as required in the multi-tenant distribution. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Name](#cfn-cloudfront-distributiontenant-parameter-name)" : String, "[Value](#cfn-cloudfront-distributiontenant-parameter-value)" : String } ``` ### YAML ``` [Name](#cfn-cloudfront-distributiontenant-parameter-name): String [Value](#cfn-cloudfront-distributiontenant-parameter-value): String ``` ## Properties `Name` The parameter name. *Required*: No *Type*: String *Pattern*: `[a-zA-Z0-9-_]+` *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The parameter value. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant Tag A complex type that contains `Tag` key and `Tag` value. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-cloudfront-distributiontenant-tag-key)" : String, "[Value](#cfn-cloudfront-distributiontenant-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-cloudfront-distributiontenant-tag-key): String [Value](#cfn-cloudfront-distributiontenant-tag-value): String ``` ## Properties `Key` A string that contains `Tag` key. The string length should be between 1 and 128 characters. Valid characters include `a-z`, `A-Z`, `0-9`, space, and the special characters `_ - . : / = + @`. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` A string that contains an optional `Tag` value. The string length should be between 0 and 256 characters. Valid characters include `a-z`, `A-Z`, `0-9`, space, and the special characters `_ - . : / = + @`. *Required*: Yes *Type*: String *Pattern*: `([\p{L}\p{Z}\p{N}_.:/=+\-@]*)` *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::CloudFront::DistributionTenant WebAclCustomization The AWS WAF web ACL customization specified for the distribution tenant. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Action](#cfn-cloudfront-distributiontenant-webaclcustomization-action)" : String, "[Arn](#cfn-cloudfront-distributiontenant-webaclcustomization-arn)" : String } ``` ### YAML ``` [Action](#cfn-cloudfront-distributiontenant-webaclcustomization-action): String [Arn](#cfn-cloudfront-distributiontenant-webaclcustomization-arn): String ``` ## Properties `Action` The action for the AWS WAF web ACL customization. You can specify `override` to specify a separate AWS WAF web ACL for the distribution tenant. If you specify `disable`, the distribution tenant won't have AWS WAF web ACL protections and won't inherit from the multi-tenant distribution. *Required*: No *Type*: String *Allowed values*: `override | disable` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Arn` The Amazon Resource Name (ARN) of the AWS WAF web ACL. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)