CloudFront Flashcards
What is AWS Cloudfront and what is its purpose?
It is a Content Delivery Network (CDN) that improves read performance by caching content at edge locations close to the viewer, so repeat requests are served from the edge instead of travelling back to the origin.
What protection does CloudFront provide?
DDoS protection: every distribution is fronted by AWS Shield Standard at no extra cost, and it can be combined with AWS WAF web ACLs and Shield Advanced. This only helps if the origin is locked down so it accepts traffic from CloudFront alone (an S3 bucket policy with Origin Access Control, or the AWS-managed CloudFront origin-facing prefix list in the origin's security group); an origin that is also reachable directly lets attackers bypass the edge protections entirely.
What are the 3 different CloudFront origins?
- S3 bucket - serving files from S3 (and as an upload target); restrict the bucket to CloudFront with Origin Access Control (OAC) so objects cannot be fetched from S3 directly
- VPC origin - Application/Network Load Balancers or EC2 instances, including ones in private subnets with no public IP
- Custom origin (HTTP) - any publicly reachable HTTP endpoint, such as a public ALB, an EC2 public IP, API Gateway, or an on-premises web server
Compare CloudFront vs S3 Cross Region Replication
CloudFront uses the global edge network; files are cached at each edge location for a TTL. This is good for static content that must be available everywhere with low latency.
S3 Cross-Region Replication must be set up per destination region and copies objects in near real time. It is good for dynamic content that needs to be read and written at low latency in a few specific regions.
What API can be used to invalidate part of a CloudFront cache?
The CreateInvalidation API (aws cloudfront create-invalidation). Invalidations beyond the free monthly quota (the first 1,000 paths per month) are charged, so the usual alternative is to version object names and let the old objects expire.
What is a CloudFront cache key and what is its default value?
It is the unique identifier for each object in the edge cache. By default it is the distribution's domain name plus the URL path; query strings, headers, and cookies are not part of the key unless a cache policy adds them.
How can you enable a custom Cache Key and what can the cache be based on?
Attach a CloudFront cache policy (managed or custom) to the cache behaviour; it can add to the key:
1. HTTP headers
2. Cookies
3. Query strings
Only the selected values are keyed. Include everything the origin uses to vary its response; otherwise one viewer's variant is cached and served to the next viewer.
When making a request to CloudFront, what will be automatically included in origin requests?
Everything that is part of the cache key: the HTTP headers, cookies, and query strings selected in the cache policy are always forwarded to the origin.
How could you specify values to include in origins requests without including them in the Cache Key?
Using origin request policies (either predefined managed or custom). Values they forward reach the origin but do not change the cache key, so they are only safe for things the origin does not use to vary the response.
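A model of the cache key and origin request rules on the cards above, added here as an example (it is not code from the flashcards or from AWS; the policy classes, the sorted-hash key, and the request dicts are my own simplification of how CloudFront evaluates a cache policy and an origin request policy). It shows the misconfiguration those rules make possible: forwarding a session cookie through an origin request policy without keying on it gives two different users the same cache key, so the origin's personalised response for one user is served to the other. Adding the cookie to the cache policy fixes it.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class CachePolicy:
    """Viewer-request parts that join the default key (distribution host + path)."""
    headers: tuple = ()        # header names, lower-case
    cookies: tuple = ()        # cookie names
    query_strings: tuple = ()  # parameter names; ("*",) means all of them

@dataclass(frozen=True)
class OriginRequestPolicy:
    """Extra parts forwarded to the origin WITHOUT becoming part of the key."""
    headers: tuple = ()
    cookies: tuple = ()
    query_strings: tuple = ()

def _select(values, names):
    """Keep the allow-listed entries, sorted so ordering can never change the key."""
    if names == ("*",):
        return dict(sorted(values.items()))
    return {k: v for k, v in sorted(values.items()) if k in names}

_PARTS = (("headers", "headers"), ("cookies", "cookies"), ("query", "query_strings"))

def cache_key(request, policy):
    """Model of the key: a hash over host, path and only the policy-selected parts."""
    keyed = {"host": request["host"], "path": request["path"]}
    for part, attr in _PARTS:
        keyed[part] = _select(request[part], getattr(policy, attr))
    return hashlib.sha256(json.dumps(keyed, sort_keys=True).encode()).hexdigest()

def origin_request(request, cache_policy, origin_policy):
    """Everything in the cache key is forwarded automatically; the origin request
    policy adds values that reach the origin but are not keyed."""
    out = {"host": request["host"], "path": request["path"]}
    for part, attr in _PARTS:
        out[part] = {**_select(request[part], getattr(cache_policy, attr)),
                     **_select(request[part], getattr(origin_policy, attr))}
    return out

def unkeyed_forwarded(cache_policy, origin_policy):
    """Names the origin receives that never influence the key. If the origin varies
    its response on any of them, one viewer's response is cached and served to
    others: the classic cache-poisoning / data-leak misconfiguration."""
    result = {}
    for _, attr in _PARTS:
        keyed = set(getattr(cache_policy, attr))
        result[attr] = [] if "*" in keyed else sorted(set(getattr(origin_policy, attr)) - keyed)
    return result

def demo():
    """Constructed requests: two viewers fetch the same path with different session cookies."""
    base = {"host": "d111111abcdef8.cloudfront.net", "path": "/account",
            "headers": {"accept-language": "en"}, "query": {}}
    alice = {**base, "cookies": {"session": "alice-token"}}
    bob = {**base, "cookies": {"session": "bob-token"}}
    weak = CachePolicy()                                   # key = host + path only
    forward_session = OriginRequestPolicy(cookies=("session",))
    fixed = CachePolicy(cookies=("session",))              # key now includes the cookie
    return {
        "weak_same_key": cache_key(alice, weak) == cache_key(bob, weak),
        "weak_origin_differs": (origin_request(alice, weak, forward_session)
                                != origin_request(bob, weak, forward_session)),
        "weak_unkeyed": unkeyed_forwarded(weak, forward_session),
        "fixed_same_key": cache_key(alice, fixed) == cache_key(bob, fixed),
        "fixed_unkeyed": unkeyed_forwarded(fixed, forward_session),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The useful check is unkeyed_forwarded: anything it lists is a value the origin can see but the cache cannot distinguish, so review each one against what the origin actually does with it before shipping the policy pair.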
When performing a cache invalidation, what are two ways you can select which files to invalidate?
- All files, using the path /*
- Specific paths or prefixes, e.g. /images/logo.png or /images/* (every path must start with /)
What is the default cache behaviour and when will it be processed?
Its path pattern is * (shown as Default (*) in the console) and it is always evaluated last, after every more specific path pattern has been tried in order of precedence.
Describe how Cache Behaviours can be used to enforce authentication?
Route /login to a cache behaviour whose origin is an application (e.g. an EC2 instance or ALB) that authenticates the user and responds with CloudFront signed cookies. Every other cache behaviour (e.g. /private/*) is configured with restricted viewer access tied to a trusted key group, so CloudFront rejects requests without a valid signed cookie at the edge with a 403 before the origin is ever contacted.
What feature can be used to deliver content from a private subnet via CloudFront?
A VPC origin: CloudFront connects to an ALB, NLB, or EC2 instance that sits in a private subnet with no public IP, so the origin is reachable only through CloudFront.
How can you control access to CloudFront based on the end user's country?
Geographic restrictions (an allow list or a block list of countries, configured per distribution). CloudFront maps the viewer's IP address to a country with a GeoIP database, so users behind a VPN or proxy can evade it; treat it as a coarse control, not as authorization.
Suppose you want to limit access to a resource via CloudFront, what 2 things could you generate?
A signed URL - grants access to a single file (one URL carries the policy and signature as query parameters)
A signed cookie - grants access to multiple files matching a path pattern, without changing the URLs
If a request carries both, CloudFront uses the signed URL and ignores the signed cookies.
Compare CloudFront signed URLs to S3 presigned URLs. When should you use each?
CloudFront signed URL
- Grants access to a path (a file or a wildcard pattern) regardless of the origin type; a custom policy can also add a start time and a viewer IP range
- Use when you want CloudFront features (caching, edge delivery, WAF, geo restriction) and the origin is locked down so it only accepts requests from CloudFront
S3 presigned URL
- Issues the request as the IAM principal whose credentials signed it, with that principal's permissions, so it also works for uploads (PUT)
- Limited lifetime, bounded by the signer's credentials (at most 7 days with SigV4, and shorter with temporary credentials)
- Use when you need direct S3 access without caching, e.g. uploads or one-off downloads of a single object
What are the two signers for CloudFront signed URLs? Why is one recommended over the other?
- Trusted key group - preferred: you upload only the public key to CloudFront and manage keys and key groups through the CloudFront API and IAM, so keys can be created and rotated without the root user. CloudFront requires a 2048-bit RSA key pair.
- CloudFront key pair on the AWS account - not recommended: it can only be created and managed by the root user (Security credentials page), and root should be reserved for tasks that truly require it.
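The signing flow behind the last three cards (signed URL vs signed cookie, custom policy conditions, trusted key group), written out as an added example; it is not code from the flashcards or from AWS. The RSA-SHA1 PKCS#1 v1.5 signing, the policy JSON layout, the CloudFront base64 substitutions, and the query parameter and cookie names are CloudFront's documented format; the key pair id APKAEXAMPLEKEYID, the domain d111111abcdef8.cloudfront.net, and verify_signed_url (a simplified model of what the edge checks) are assumptions for illustration. To run offline it generates a throw-away 512-bit key in pure Python; a real deployment uses a 2048-bit key from openssl, registered as a public key in a key group, and signs with a library such as botocore's CloudFrontSigner.

```python
import base64
import fnmatch
import hashlib
import ipaddress
import json
import secrets
import urllib.parse

def _is_probable_prime(n):
    if n % 2 == 0 or n < 3:
        return n == 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(24):  # Miller-Rabin, 24 random bases: enough for a demo key
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_keypair(bits=512):
    """Demo-only key so the block runs offline; CloudFront requires 2048-bit RSA."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # exactly b bits, odd
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER prefix for SHA-1

def _emsa_pkcs1_v15(message, k):
    """RSA-SHA1 with PKCS#1 v1.5 padding: the scheme CloudFront verifies at the edge."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sha1_sign(priv, message):
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")
def rsa_sha1_verify(pub, message, signature):
    k = (pub["n"].bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))

def cf_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")
def cf_b64_decode(s):
    return base64.b64decode(s.replace("-", "+").replace("_", "=").replace("~", "/"))

def build_policy(resource, expires_epoch, source_ip=None):
    """Custom policy: DateLessThan is mandatory; IpAddress pins viewers to a CIDR."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(policy, separators=(",", ":"))  # no whitespace before signing

def sign_url(url, policy, priv, key_pair_id):
    """Signed URL: the grant rides on one URL as query parameters."""
    params = {"Policy": cf_b64(policy.encode()),
              "Signature": cf_b64(rsa_sha1_sign(priv, policy.encode())),
              "Key-Pair-Id": key_pair_id}
    return url + ("&" if "?" in url else "?") + urllib.parse.urlencode(params)

def signed_cookies(policy, priv, key_pair_id):
    """Signed cookies: the same grant as three cookies, covering every object that matches Resource."""
    return {"CloudFront-Policy": cf_b64(policy.encode()),
            "CloudFront-Signature": cf_b64(rsa_sha1_sign(priv, policy.encode())),
            "CloudFront-Key-Pair-Id": key_pair_id}

def verify_signed_url(signed_url, trusted_keys, now_epoch, client_ip):
    """Simplified edge check: trusted key, valid signature, not expired, resource and IP match."""
    parts = urllib.parse.urlsplit(signed_url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    pub = trusted_keys.get(q.get("Key-Pair-Id"))
    policy = cf_b64_decode(q.get("Policy", ""))
    if not pub or not rsa_sha1_verify(pub, policy, cf_b64_decode(q.get("Signature", ""))):
        return False
    stmt = json.loads(policy)["Statement"][0]
    cond = stmt["Condition"]
    requested = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    ip_ok = ("IpAddress" not in cond or
             ipaddress.ip_address(client_ip) in ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"]))
    return (now_epoch < cond["DateLessThan"]["AWS:EpochTime"]
            and fnmatch.fnmatchcase(requested, stmt["Resource"]) and ip_ok)
```

Two things worth noticing: the trusted_keys dict stands in for the key group, so a URL signed with any other key (even one with the same Key-Pair-Id) fails before the policy is even read, and because the policy is what gets signed, a viewer cannot extend DateLessThan or loosen the Resource pattern without invalidating the signature.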
How many price classes are there for CloudFront?
There are 3: Price Class All (every edge location, best performance), Price Class 200 (most locations, excluding the most expensive ones), and Price Class 100 (only the least expensive locations, e.g. North America and Europe). Viewers outside the chosen locations are still served, just from a more distant edge.
How could you improve your service availability with CloudFront?
Create an origin group with a primary and a secondary origin and attach it to a cache behaviour. When the primary returns one of the configured failover status codes (e.g. 500, 502, 503, 504, 403, 404) or fails to connect, CloudFront retries the request against the secondary. Failover applies only to GET, HEAD, and OPTIONS requests, and the secondary origin must be locked down as tightly as the primary.
When using Field Level Encryption, where is the data encrypted and decrypted?
Encrypted at the edge location with the public key you upload to CloudFront (referenced from a field-level encryption profile)
Decrypted with the private key by the application on the web server, so load balancers, application logs, and any other hop in between only ever see ciphertext. It applies to POST form fields (application/x-www-form-urlencoded), up to 10 fields per request.