AWS CloudFront Distribution

This page shows how to write Terraform and CloudFormation for a CloudFront Distribution, and how to write them securely.

aws_cloudfront_distribution (Terraform)

The Distribution in CloudFront can be configured in Terraform with the resource name aws_cloudfront_distribution. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "aws_cloudfront_distribution" "lib-haxe-org" {
  aliases         = [""]
  enabled         = true
  is_ipv6_enabled = true
  price_class     = "PriceClass_100"

resource "aws_cloudfront_distribution" "default" {
  viewer_certificate {
    cloudfront_default_certificate = true

resource "aws_cloudfront_distribution" "positive1" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {

resource "aws_cloudfront_distribution" "pass" {
  enabled = true

  default_cache_behavior {
    response_headers_policy_id =

resource "aws_cloudfront_distribution" "allowed" {
  web_acl_id = "arn:1234"
  logging_config {}

resource "aws_cloudfront_distribution" "denied" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_cloudfront_distribution

There are 3 settings in aws_cloudfront_distribution that should be taken care of for security reasons. The following sections give an overview of each, together with example code.


Ensure to enable access logging of CloudFront distribution

To help defend against attacks, access logging should be configured on a CloudFront distribution. The logs are important for early detection of attacks and for incident response. Enable the feature while taking care with how cookies are handled in the logs.


Ensure to use modern TLS protocols

A CloudFront distribution can be left accepting outdated TLS protocol versions from viewers. Restrict viewer connections to TLS 1.2 or later.


Ensure to use HTTPS as much as possible

To help defend against attacks, use HTTPS as much as possible. A CloudFront distribution can also serve content over plain HTTP, which is vulnerable to man-in-the-middle (MITM) attacks.
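As an added example (not code from the page or from the repositories it lists), the resource below applies all three checks in one aws_cloudfront_distribution; the content bucket, origin access identity, log bucket and ACM certificate it references are assumed to be defined elsewhere in the configuration, and the alias is an assumed value.

```hcl
# AWS-managed cache policy; avoids the deprecated forwarded_values block.
data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "hardened" {
  enabled         = true
  is_ipv6_enabled = true
  price_class     = "PriceClass_100"
  aliases         = ["www.example.com"] # assumed alias; must be covered by the ACM certificate

  origin {
    domain_name = aws_s3_bucket.content.bucket_regional_domain_name # assumed bucket
    origin_id   = "s3-content"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path # assumed OAI
    }
  }

  # Check 1: standard access logs to a dedicated bucket (assumed to exist); cookies kept out of the logs.
  logging_config {
    bucket          = aws_s3_bucket.cf_logs.bucket_domain_name
    prefix          = "cloudfront/"
    include_cookies = false
  }

  # Check 3: viewers arriving over plain HTTP are redirected to HTTPS rather than served.
  default_cache_behavior {
    target_origin_id       = "s3-content"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
    compress               = true
  }

  # Check 2: a custom ACM certificate (assumed) is needed to raise the floor; with
  # cloudfront_default_certificate = true AWS pins minimum_protocol_version to TLSv1.
  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.site.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
```

The ACM certificate has to be issued in us-east-1 for CloudFront to attach it, and the GitHub fragment above that sets cloudfront_default_certificate = true cannot satisfy the TLS check for that reason.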

Review your AWS CloudFront settings

You can check whether the aws_cloudfront_distribution settings in your .tf file are correct in 3 minutes with Shisho Cloud.


Explanation in Terraform Registry

Creates an Amazon CloudFront web distribution. For information about CloudFront distributions, see the [Amazon CloudFront Developer Guide][1]. For specific information about creating CloudFront web distributions, see the [POST Distribution][2] page in the Amazon CloudFront API Reference.

NOTE: CloudFront distributions take about 15 minutes to reach a deployed state after creation or modification. During this time, deletes to resources will be blocked. If you need to delete a distribution that is enabled and you do not want to wait, you need to use the retain_on_delete flag.

AWS::CloudFront::Distribution (CloudFormation)

The Distribution in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::Distribution. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.


Explanation in CloudFormation Registry

A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

Frequently asked questions

What is AWS CloudFront Distribution?

AWS CloudFront Distribution is a resource for CloudFront of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS CloudFront Distribution?

For Terraform, the HaxeFoundation/haxe-terraform, snyk-labs/infrastructure-as-code-goof and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.