AWS CloudFront Origin Request Policy
This page shows how to write Terraform and CloudFormation for CloudFront Origin Request Policy and write them securely.
aws_cloudfront_origin_request_policy (Terraform)
The Origin Request Policy in CloudFront can be configured in Terraform with the resource name aws_cloudfront_origin_request_policy
. The following sections describe 1 example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_cloudfront_origin_request_policy" "cf_dynamic_rp" {
name = "COP26-Dynamic-RequestPolicy"
comment = "Dynamic request policy for the COP26 WordPress site"
cookies_config {
cookie_behavior = "whitelist"
cookies {
Parameters
-
comment
optional - string -
etag
optional computed - string -
id
optional computed - string -
name
required - string -
cookies_config
list block-
cookie_behavior
required - string -
cookies
list block-
items
optional - set of string
-
-
-
headers_config
list block-
header_behavior
optional - string -
headers
list block-
items
optional - set of string
-
-
-
query_strings_config
list block-
query_string_behavior
required - string -
query_strings
list block-
items
optional - set of string
-
-
Explanation in Terraform Registry
Tips: Best Practices for The Other AWS CloudFront Resources
In addition to the aws_cloudfront_distribution, AWS CloudFront has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_cloudfront_distribution
Ensure to enable access logging of CloudFront distribution
To avoid attacks, it is better to configure access logging of a CloudFront distribution. The logs are important for the early-stage detection of attacks and incident responses. It is better to enable the feature while being careful of handling cookies.
AWS::CloudFront::OriginRequestPolicy (CloudFormation)
The OriginRequestPolicy in CloudFront can be configured in CloudFormation with the resource name AWS::CloudFront::OriginRequestPolicy
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
-
OriginRequestPolicyConfig
required - OriginRequestPolicyConfig
Explanation in CloudFormation Registry
An origin request policy.
When it’s attached to a cache behavior, the origin request policy determines the values that CloudFront includes in requests that it sends to the origin. Each request that CloudFront sends to the origin includes the following:+ The request body and the URL path (without the domain name) from the viewer request.
The headers that CloudFront automatically includes in every origin request, including
Host
,User-Agent
, andX-Amz-Cf-Id
.All HTTP headers, cookies, and URL query strings that are specified in the cache policy or the origin request policy. These can include items from the viewer request and, in the case of headers, additional ones that are added by CloudFront.
CloudFront sends a request when it can’t find an object in its cache that matches the request. If you want to send values to the origin and also include them in the cache key, use
CachePolicy
.
Frequently asked questions
What is AWS CloudFront Origin Request Policy?
AWS CloudFront Origin Request Policy is a resource for CloudFront of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS CloudFront Origin Request Policy?
For Terraform, the cabinetoffice/cop26-edge source code example is useful. See the Terraform Example section for further details.