# Get started with CloudFront
<a name="GettingStarted"></a>

The topics in this section show you how to get started delivering your content with Amazon CloudFront.

The [Set up your AWS account](setting-up-cloudfront.md) topic describes prerequisites for the following tutorials, such as creating an AWS account and creating a user with administrative access.

The basic distribution tutorial shows you how to set up origin access control (OAC) to send authenticated requests to an Amazon S3 origin.

The secure static website tutorial shows you how to create a secure static website for your domain name using OAC with an Amazon S3 origin. The tutorial uses an Amazon CloudFront (CloudFront) template for configuration and deployment.

**Topics**
+ [

# Set up your AWS account
](setting-up-cloudfront.md)
+ [

# Get started with a CloudFront standard distribution
](GettingStarted.SimpleDistribution.md)
+ [

# Get started with a standard distribution (AWS CLI)
](get-started-cli-tutorial.md)
+ [

# Get started with a secure static website
](getting-started-secure-static-website-cloudformation-template.md)

# Set up your AWS account
<a name="setting-up-cloudfront"></a>

This topic describes preliminary steps, such as creating an AWS account, to prepare you to use Amazon CloudFront.

**Topics**
+ [

## Sign up for an AWS account
](#sign-up-for-aws)
+ [

## Create a user with administrative access
](#create-an-admin)
+ [

## Choose how to access CloudFront
](#introduction-accessing-cloudfront)

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Choose how to access CloudFront
<a name="introduction-accessing-cloudfront"></a>

You can access Amazon CloudFront in the following ways:
+ **AWS Management Console** – The procedures throughout this guide explain how to use the AWS Management Console to perform tasks.
+ **AWS SDKs** – If you're using a programming language that AWS provides an SDK for, you can use an SDK to access CloudFront. SDKs simplify authentication, integrate easily with your development environment, and provide access to CloudFront commands. For more information, see [Using CloudFront with an AWS SDK](sdk-general-information-section.md).
+ **CloudFront API** – If you're using a programming language that an SDK isn't available for, see the [Amazon CloudFront API Reference](https://docs.aws.amazon.com/cloudfront/latest/APIReference/Welcome.html) for information about API actions and about how to make API requests.
+ **AWS CLI** – The AWS Command Line Interface (AWS CLI) is a unified tool for managing AWS services. For information about how to install and configure the AWS CLI, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.
+ **Tools for Windows PowerShell** – If you have experience with Windows PowerShell, you might prefer to use AWS Tools for Windows PowerShell. For more information, see [Installing the AWS Tools for Windows PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html) in the *AWS Tools for PowerShell User Guide*.

# Get started with a CloudFront standard distribution
<a name="GettingStarted.SimpleDistribution"></a>

The procedures in this section show you how to use CloudFront to set up a standard distribution that does the following:
+ Creates an S3 bucket to use as your distribution origin.
+ Stores the original versions of your objects in an Amazon Simple Storage Service (Amazon S3) bucket.
+ Uses origin access control (OAC) to send authenticated requests to your Amazon S3 origin. OAC sends requests through CloudFront to prevent viewers from accessing your S3 bucket directly. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md).
+ Uses the CloudFront domain name in URLs for your objects (for example, `https://d111111abcdef8.cloudfront.net/index.html`).
+ Keeps your objects in CloudFront edge locations for the default duration of 24 hours (the minimum duration is 0 seconds).

Most of this is configured automatically for you when you create a CloudFront distribution.

**Topics**
+ [

## Prerequisites
](#GettingStartedSignup)
+ [

## Create an Amazon S3 bucket
](#GettingStartedCreateBucket)
+ [

## Upload the content to the bucket
](#GettingStartedUploadContent)
+ [

## Create a CloudFront distribution that uses an Amazon S3 origin with OAC
](#GettingStartedCreateDistribution)
+ [

## Access your content through CloudFront
](#GettingStartedAccessingDistributions)
+ [

## Clean up
](#GettingStartedDistributionCleanup)
+ [

## Enhance your basic distribution
](#GettingStartedDistributionNotes)

## Prerequisites
<a name="GettingStartedSignup"></a>

Before you begin, make sure that you’ve completed the steps in [Set up your AWS account](setting-up-cloudfront.md).

## Create an Amazon S3 bucket
<a name="GettingStartedCreateBucket"></a>

An Amazon S3 bucket is a container for files (objects) or folders. CloudFront can distribute almost any type of file for you when an S3 bucket is the source. For example, CloudFront can distribute text, images, and videos. There is no maximum for the amount of data that you can store on Amazon S3.

For this tutorial, you create an S3 bucket with the provided sample `hello world` files that you will use to create a basic webpage.

**To create a bucket**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. We recommend that you use our Hello World sample for this Getting started. Download the *hello world* webpage: [hello-world-html.zip](samples/hello-world-html.zip). Unzip it and save the `css` folder and `index` file in a convenient location, such as the desktop where you are running your browser.

1. Choose **Create bucket**.

1. Enter a unique **Bucket name** that conforms to the [General purpose buckets naming rules](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html#general-purpose-bucket-names) in the *Amazon Simple Storage Service User Guide*.

1. For **Region**, we recommend choosing an AWS Region that is geographically close to you. (This reduces latency and costs.)
   + Choosing a different Region works, too. You might do this to address regulatory requirements, for example.

1. Leave all other settings at their defaults, and then choose **Create bucket**.

## Upload the content to the bucket
<a name="GettingStartedUploadContent"></a>

After you create your Amazon S3 bucket, upload the contents of the unzipped `hello world` file to it. (You downloaded and unzipped this file in [Create an Amazon S3 bucket](#GettingStartedCreateBucket).)

**To upload the content to Amazon S3**

1. In the **General purpose buckets** section, choose the name of your new bucket.

1. Choose **Upload**.

1. On the **Upload** page, drag the `css` folder and `index` file into the drop area.

1. Leave all other settings at their defaults, and then choose **Upload**.

## Create a CloudFront distribution that uses an Amazon S3 origin with OAC
<a name="GettingStartedCreateDistribution"></a>

For this tutorial, you will create a CloudFront distribution that uses an Amazon S3 origin with origin access control (OAC). OAC helps you securely send authenticated requests to your Amazon S3 origin. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md).<a name="GettingStartedCreateDistributionProcedure"></a>

**To create a CloudFront distribution with an Amazon S3 origin that uses OAC**

1. Open the CloudFront console at [https://console.aws.amazon.com/cloudfront/v4/home](https://console.aws.amazon.com/cloudfront/v4/home).

1. Choose **Create distribution**.

1. Enter a **Distribution name** for the standard distribution. The name will appear as the value for the `Name` key as a tag. You can change this value later. You can add up to 50 tags for your standard distribution. For more information, see [Tag a distribution](tagging.md).

1. Choose **Single website or app**, **Next**.

1. Choose **Next**.

1. For **Origin type** page, select the **Amazon S3**.

1. For **S3 origin**, choose **Browse S3** and select the S3 bucket that you created for this tutorial.

1. For **Settings**, choose **Use recommended origin settings**. CloudFront will use the default recommended cache and origin settings for your Amazon S3 origin, including setting up Origin Access Control (OAC). For more information about the recommended settings, see [Preconfigured distribution settings reference](template-preconfigured-origin-settings.md).

1. Choose **Next**.

1. On the **Enable security protections** page, choose whether to enable AWS WAF security protections.

1. Choose **Next**.

1. Choose **Create distribution**. CloudFront updates the S3 bucket policy for you.

1. Review the **Details** section for your new distribution. When your distribution is done deploying, the **Last modified** field changes from **Deploying** to a date and time.

1. Record the domain name that CloudFront assigns to your distribution. It looks similar to the following: `d111111abcdef8.cloudfront.net`.

Before using the distribution and S3 bucket from this tutorial in a production environment, make sure to configure it to meet your specific needs. For information about configuring access in a production environment, see [Configure secure access and restrict access to content](SecurityAndPrivateContent.md).

## Access your content through CloudFront
<a name="GettingStartedAccessingDistributions"></a>

To access your content through CloudFront, combine the domain name for your CloudFront distribution with the main page for your content. (You recorded your distribution domain name in [Create a CloudFront distribution that uses an Amazon S3 origin with OAC](#GettingStartedCreateDistribution).)
+ Your distribution domain name might look like this: `d111111abcdef8.cloudfront.net`.
+  The path to the main page of a website is typically `/index.html`. 

Therefore, the URL to access your content through CloudFront might look like this:

`https://d111111abcdef8.cloudfront.net/index.html`.

If you followed the previous steps and used the *hello world* webpage, you should see a webpage that says **Hello world\$1**.

When you upload more content to this S3 bucket, you can access the content through CloudFront by combining the CloudFront distribution domain name with the path to the object in the S3 bucket. For example, if you upload a new file named `new-page.html` to the root of your S3 bucket, the URL looks like this:

`https://d111111abcdef8.cloudfront.net/new-page.html`.

## Clean up
<a name="GettingStartedDistributionCleanup"></a>

If you created your distribution and S3 bucket only as a learning exercise, delete them so that you no longer accrue charges. Delete the distribution first. For more information, see the following links:
+ [Delete a distribution](HowToDeleteDistribution.md)
+ [Deleting a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-bucket.html)

## Enhance your basic distribution
<a name="GettingStartedDistributionNotes"></a>

This Get started tutorial provides a minimal framework for creating a distribution. We recommend that you explore the following enhancements:
+ You can use the CloudFront private content feature to restrict access to the content in the Amazon S3 buckets. For more information about distributing private content, see [Serve private content with signed URLs and signed cookies](PrivateContent.md).
+ You can configure your CloudFront distribution to use a custom domain name (for example, `www.example.com` instead of `d111111abcdef8.cloudfront.net`). For more information, see [Use custom URLs](CNAMEs.md).
+ This tutorial uses an Amazon S3 origin with origin access control (OAC). However, you can't use OAC if your origin is an S3 bucket configured as a [website endpoint](https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteEndpoints.html). If that's the case, you must set up your bucket with CloudFront as a custom origin. For more information, see [Use an Amazon S3 bucket that's configured as a website endpoint](DownloadDistS3AndCustomOrigins.md#concept_S3Origin_website). For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md).

# Get started with a standard distribution (AWS CLI)
<a name="get-started-cli-tutorial"></a>

The procedures in this section show you how to use the AWS CLI with CloudFront to set up a basic configuration that involves the following:
+ Creating an Amazon S3 bucket to use as your distribution origin.
+ Storing the original versions of your objects in the S3 bucket.
+ Using origin access control (OAC) to send authenticated requests to your Amazon S3 origin. OAC sends requests through CloudFront to prevent viewers from accessing your S3 bucket directly. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md).
+ Using the CloudFront domain name in URLs for your objects (for example, `https://d111111abcdef8.cloudfront.net/index.html`).
+ Keeping your objects in CloudFront edge locations for the default duration of 24 hours (the minimum duration is 0 seconds).

Most of these options are customizable. For information about how to customize your CloudFront distribution options, see [Create a distribution](distribution-web-creating-console.md).

## Prerequisites
<a name="get-started-cli-prereqs"></a>

Before you begin, make sure that you’ve completed the steps in [Set up your AWS account](setting-up-cloudfront.md).

Install the AWS CLI and configure it with your credentials. For more information, see [Getting started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) in the *AWS CLI User Guide*.



## Create an Amazon S3 bucket
<a name="get-started-cli-create-bucket"></a>

An Amazon S3 bucket is a container for files (objects) or folders. CloudFront can distribute almost any type of file for you when an S3 bucket is the source. For example, CloudFront can distribute text, images, and videos. There is no maximum for the amount of data that you can store on Amazon S3.

For this tutorial, you create an S3 bucket and upload an HTML file that you will use to create a basic webpage.

```
aws s3 mb s3://amzn-s3-demo-bucket/ --region us-east-1
```

Replace *amzn-s3-demo-bucket* with a globally unique bucket name. For the AWS Region, we recommend choosing a Region that is geographically close to you. This reduces latency and costs, but choosing a different Region works, too. For example, you might do this to address regulatory requirements.

## Upload the content to the bucket
<a name="get-started-cli-upload-content"></a>

For this tutorial, download and extract the sample content files for a basic "Hello World" webpage.

```
# Create a temporary directory
mkdir -p ~/cloudfront-demo

# Download the sample Hello World files
curl -o ~/cloudfront-demo/hello-world-html.zip https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/samples/hello-world-html.zip

# Extract the zip file
unzip ~/cloudfront-demo/hello-world-html.zip -d ~/cloudfront-demo/hello-world
```

This creates a directory with an `index.html` file and a `css` folder. Upload these files to your S3 bucket.

```
aws s3 cp ~/cloudfront-demo/hello-world/ s3://amzn-s3-demo-bucket/ --recursive
```

## Create an Origin Access Control (OAC)
<a name="get-started-cli-create-oac"></a>

For this tutorial, you will create an origin access control (OAC). OAC helps you securely send authenticated requests to your Amazon S3 origin. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md).

```
aws cloudfront create-origin-access-control \
    --origin-access-control-config Name="oac-for-s3",SigningProtocol=sigv4,SigningBehavior=always,OriginAccessControlOriginType=s3
```

Save the OAC ID from the output as an environment variable. Replace the example value with your own OAC ID. You will use this in the next step.

```
OAC_ID="E1ABCD2EFGHIJ"
```

## Create a standard distribution
<a name="get-started-cli-create-classic"></a>

Create a distribution configuration file named `distribution-config.json`. Replace the example bucket name with your bucket name for the `Id`, `DomainName`, and `TargetOriginId` values.

```
cat > distribution-config.json << EOF
{
    "CallerReference": "cli-example-$(date +%s)",
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "S3-amzn-s3-demo-bucket",
                "DomainName": "amzn-s3-demo-bucket.s3.amazonaws.com",
                "S3OriginConfig": {
                    "OriginAccessIdentity": ""
                },
                "OriginAccessControlId": "$OAC_ID"
            }
        ]
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "S3-amzn-s3-demo-bucket",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {
            "Quantity": 2,
            "Items": ["GET", "HEAD"],
            "CachedMethods": {
                "Quantity": 2,
                "Items": ["GET", "HEAD"]
            }
        },
        "DefaultTTL": 86400,
        "MinTTL": 0,
        "MaxTTL": 31536000,
        "Compress": true,
        "ForwardedValues": {
            "QueryString": false,
            "Cookies": {
                "Forward": "none"
            }
        }
    },
    "Comment": "CloudFront distribution for S3 bucket",
    "Enabled": true
}
EOF
```

Create the standard distribution.

```
aws cloudfront create-distribution --distribution-config file://distribution-config.json
```

Save the distribution ID and domain name from the output as environment variables. Replace the example values with your own. You'll use these later in this tutorial.

```
DISTRIBUTION_ID="EABCD1234XMPL"
DOMAIN_NAME="d111111abcdef8.cloudfront.net"
```

Before using the distribution and S3 bucket from this tutorial in a production environment, make sure to configure it to meet your specific needs. For information about configuring access in a production environment, see [Configure secure access and restrict access to content](SecurityAndPrivateContent.md).

## Update your S3 bucket policy
<a name="get-started-cli-update-bucket-policy"></a>

Update your S3 bucket policy to allow CloudFront to access the objects. Replace the example bucket name with your bucket name.

```
# Get your AWS account ID
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)

# Create the bucket policy
cat > bucket-policy.json << EOF
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::$ACCOUNT_ID:distribution/$DISTRIBUTION_ID"
                }
            }
        }
    ]
}
EOF

# Apply the bucket policy
aws s3api put-bucket-policy \
    --bucket amzn-s3-demo-bucket \
    --policy file://bucket-policy.json
```

## Confirm distribution deployment
<a name="get-started-cli-confirm-deployment"></a>

After you create your distribution, it will take some time to finish deploying. When the distribution status changes from `InProgress` to `Deployed`, proceed to the next step.

```
aws cloudfront get-distribution --id $DISTRIBUTION_ID --query 'Distribution.Status'
```

Alternatively, you can use the `wait` command to wait for distribution deployment.

```
aws cloudfront wait distribution-deployed --id $DISTRIBUTION_ID
```

## Access your content through CloudFront
<a name="get-started-cli-access-content"></a>

To access your content through CloudFront, combine the domain name for your CloudFront distribution with the main page for your content. Replace the example CloudFront domain name with your own.

```
https://d111111abcdef8.cloudfront.net/index.html
```

If you followed the previous steps and created the HTML file, you should see a webpage that says **Hello world\$1**.

When you upload more content to this S3 bucket, you can access the content through CloudFront by combining the CloudFront distribution domain name with the path to the object in the S3 bucket. For example, if you upload a new file named `new-page.html` to the root of your S3 bucket, the URL looks like this:

`https://d111111abcdef8.cloudfront.net/new-page.html`.

## Clean up
<a name="get-started-cli-cleanup"></a>

If you created your distribution and S3 bucket only as a learning exercise, delete them so that you no longer accrue charges. Disable and delete the distribution first.

**To disable and delete a standard distribution (AWS CLI)**

1. First, disable the distribution.

   ```
   # Get the current configuration and ETag
   ETAG=$(aws cloudfront get-distribution-config --id $DISTRIBUTION_ID --query 'ETag' --output text)
   
   # Create a modified configuration with Enabled=false
   aws cloudfront get-distribution-config --id $DISTRIBUTION_ID | \
   jq '.DistributionConfig.Enabled = false' > temp_disabled_config.json
   
   # Update the distribution to disable it
   aws cloudfront update-distribution \
       --id $DISTRIBUTION_ID \
       --distribution-config file://<(jq '.DistributionConfig' temp_disabled_config.json) \
       --if-match $ETAG
   ```

1. Wait for the distribution to be disabled.

   ```
   aws cloudfront wait distribution-deployed --id $DISTRIBUTION_ID
   ```

1. Delete the distribution.

   ```
   # Get the current ETag
   ETAG=$(aws cloudfront get-distribution-config --id $DISTRIBUTION_ID --query 'ETag' --output text)
   
   # Delete the distribution
   aws cloudfront delete-distribution --id $DISTRIBUTION_ID --if-match $ETAG
   ```

**To delete an S3 bucket (AWS CLI)**
+ Delete the S3 bucket and its contents. Replace the example bucket name with your own.

  ```
  # Delete the bucket contents
  aws s3 rm s3://amzn-s3-demo-bucket --recursive
  
  # Delete the bucket
  aws s3 rb s3://amzn-s3-demo-bucket
  ```

To clean up the local files created for this tutorial, run the following commands:

```
# Clean up local files
rm -f distribution-config.json bucket-policy.json temp_disabled_config.json
rm -rf ~/cloudfront-demo
```

Optionally, you can delete the OAC that you created for this tutorial.

```
# Get the OAC ETag
OAC_ETAG=$(aws cloudfront get-origin-access-control --id $OAC_ID --query 'ETag' --output text)

# Delete the OAC
aws cloudfront delete-origin-access-control --id $OAC_ID --if-match $OAC_ETAG
```

# Get started with a secure static website
<a name="getting-started-secure-static-website-cloudformation-template"></a>

You can get started with Amazon CloudFront by using the solution described in this topic to create a secure static website for your domain name. A *static website* uses only static files—like HTML, CSS, JavaScript, images, and videos—and doesn’t need servers or server-side processing. With this solution, your website gets the following benefits:
+ **Uses the durable storage of [Amazon Simple Storage Service (Amazon S3)](https://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html)** – This solution creates an Amazon S3 bucket to host your static website’s content. To update your website, just upload your new files to the S3 bucket.
+ **Is sped up by the Amazon CloudFront content delivery network** – This solution creates a CloudFront distribution to serve your website to viewers with low latency. The distribution is configured with [origin access control](private-content-restricting-access-to-s3.md) (OAC) to make sure that the website is accessible only through CloudFront, not directly from S3.
+ **Is secured by HTTPS and security headers** – This solution creates an SSL/TLS certificate in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html), and attaches it to the CloudFront distribution. This certificate enables the distribution to serve your domain’s website securely with HTTPS.
+ **Is configured and deployed with [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)** – This solution uses an CloudFormation template to set up all the components, so you can focus more on your website’s content and less on configuring components.

This solution is open source on GitHub. To view the code, submit a pull request, or open an issue, go to [https://github.com/aws-samples/amazon-cloudfront-secure-static-site](https://github.com/aws-samples/amazon-cloudfront-secure-static-site).

**Topics**
+ [

## Solution overview
](#cloudformation-website-overview)
+ [

## Deploy the solution
](#deploy-secure-static-website-cloudformation)

## Solution overview
<a name="cloudformation-website-overview"></a>

The following diagram shows an overview of how this static website solution works:

![\[Overview diagram of a secure static website with CloudFront\]](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/images/cloudfront-secure-static-website-overview-github.png)


1. The viewer requests the website at www.example.com.

1. If the requested object is cached, CloudFront returns the object from its cache to the viewer.

1. If the object is not in the CloudFront cache, CloudFront requests the object from the origin (an S3 bucket).

1. S3 returns the object to CloudFront.

1. CloudFront caches the object.

1. The objects is returned to the viewer. Subsequent requests for the object that come to the same CloudFront edge location are served from the CloudFront cache.

## Deploy the solution
<a name="deploy-secure-static-website-cloudformation"></a>

To deploy this secure static website solution, you can choose from either of the following options:
+ Use the CloudFormation console to deploy the solution with default content, then upload your website content to Amazon S3.
+ Clone the solution to your computer to add your website content. Then, deploy the solution with the AWS Command Line Interface (AWS CLI).

**Note**  
You must use the US East (N. Virginia) Region to deploy the CloudFormation template. 

**Topics**
+ [

### Prerequisites
](#deploy-website-cloudformation-prerequisites)
+ [

### Use the CloudFormation console
](#deploy-website-cloudformation-console)
+ [

### Clone the solution locally
](#deploy-website-cloudformation-clone)
+ [

### Finding access logs
](#deploy-website-cloudformation-logs)

### Prerequisites
<a name="deploy-website-cloudformation-prerequisites"></a>

To use this solution, you must have the following prerequisites:
+ A registered domain name, such as example.com, that’s pointed to an Amazon Route 53 hosted zone. The hosted zone must be in the same AWS account where you deploy this solution. If you don’t have a registered domain name, you can [register one with Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html). If you have a registered domain name but it’s not pointed to a Route 53 hosted zone, [configure Route 53 as your DNS service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html).
+ AWS Identity and Access Management (IAM) permissions to launch CloudFormation templates that create IAM roles, and permissions to create all the AWS resources in the solution. For more information, see [Controlling access with AWS Identity and Access Management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html) in the *AWS CloudFormation User Guide*.

You are responsible for the costs incurred while using this solution. For more information about costs, see [the pricing pages for each AWS service](https://aws.amazon.com/pricing/).

### Use the CloudFormation console
<a name="deploy-website-cloudformation-console"></a>

**To deploy using the CloudFormation console**

1. [Launch this solution in the CloudFormation console](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=amazon-cloudfront-secure-static-site-templates-main&templateURL=https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-static-site/latest/main.yaml). If necessary, sign in to your AWS account.

1. The **Create stack** wizard opens in the CloudFormation console, with prepopulated fields that specify this solution’s CloudFormation template.

   At the bottom of the page, choose **Next**.

1. On the **Specify stack details** page, enter values for the following fields:
   + **SubDomain** – Enter the subdomain to use for your website. For example, if the subdomain is *www*, your website is available at *www.example.com.* (Replace example.com with your domain name, as explained in the following bullet.)
   + **DomainName** – Enter your domain name, such as *example.com*. This domain must be pointed to a Route 53 hosted zone.
   + **HostedZoneId** – The Route 53 hosted zone ID of your domain name.
   + **CreateApex** – (Optional) Create an alias to the domain apex (example.com) in your CloudFront configuration.

1. When finished, choose **Next**.

1. (Optional) On the **Configure stack options** page, [add tags and other stack options](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html).

1. When finished, choose **Next**.

1. On the **Review** page, scroll to the bottom of the page, then select the two boxes in the **Capabilities** section. These capabilities allow CloudFormation to create an IAM role that allows access to the stack’s resources, and to name the resources dynamically.

1. Choose **Create stack**.

1. Wait for the stack to finish creating. The stack creates some nested stacks, and can take several minutes to finish. When it’s finished, the **Status** changes to **CREATE\$1COMPLETE**.

   When the status is **CREATE\$1COMPLETE**, go to https://*www.example.com* to view your website (replace www.example.com with the subdomain and domain name that you specified in step 3). You should see the website’s default content:  
![\[This solution’s static website default content. It says: “I am a static website!”\]](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/images/cloudfront-secure-static-website-content.png)

**To replace the website’s default content with your own**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose the bucket whose name begins with **amazon-cloudfront-secure-static-site-s3bucketroot-**.
**Note**  
Make sure to choose the bucket with **s3bucketroot** in its name, not **s3bucketlogs**. The bucket with **s3bucketroot** in its name contains the website content. The one with **s3bucketlogs** contains only log files.

1. Delete the website’s default content, then upload your own.
**Note**  
If you viewed your website with this solution’s default content, then it’s likely that some of the default content is cached in a CloudFront edge location. To make sure that viewers see your updated website content, *invalidate* the files to remove the cached copies from CloudFront edge locations. For more information, see [Invalidate files to remove content](Invalidation.md).

### Clone the solution locally
<a name="deploy-website-cloudformation-clone"></a>

**Prerequisites**

To add your website content before deploying this solution, you must package the solution’s artifacts locally, which requires Node.js and npm. For more information, see [https://www.npmjs.com/get-npm](https://www.npmjs.com/get-npm).

**To add your website content and deploy the solution**

1. Clone or download the solution from [https://github.com/aws-samples/amazon-cloudfront-secure-static-site](https://github.com/aws-samples/amazon-cloudfront-secure-static-site). After you clone or download it, open a command prompt or terminal and navigate to the `amazon-cloudfront-secure-static-site` folder.

1. Run the following command to install and package the solution’s artifacts:

   ```
   make package-static
   ```

1. Copy your website’s content into the `www` folder, overwriting the default website content.

1. Run the following AWS CLI command to create an Amazon S3 bucket to store the solution’s artifacts. Replace *amzn-s3-demo-bucket-for-artifacts* with your own bucket name.

   ```
   aws s3 mb s3://amzn-s3-demo-bucket-for-artifacts --region us-east-1
   ```

1. Run the following AWS CLI command to package the solution’s artifacts as a CloudFormation template. Replace *amzn-s3-demo-bucket-for-artifacts* with the name of the bucket that you created in the previous step.

   ```
   aws cloudformation package \
       --region us-east-1 \ 
       --template-file templates/main.yaml \
       --s3-bucket amzn-s3-demo-bucket-for-artifacts \
       --output-template-file packaged.template
   ```

1. Run the following command to deploy the solution with CloudFormation, replacing the following values:
   + *your-CloudFormation-stack-name* – Replace with a name for the CloudFormation stack.
   + *example.com* – Replace with your domain name. This domain must be pointed to a Route 53 hosted zone in the same AWS account.
   + *www* – Replace with the subdomain to use for your website. For example, if the subdomain is *www*, your website is available at www.example.com.
   + *hosted-zone-ID* – Replace with the Route 53 hosted zone ID of your domain name.

   ```
   aws cloudformation deploy \
       --region us-east-1 \
       --stack-name your-CloudFormation-stack-name \
       --template-file packaged.template \
       --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
       --parameter-overrides DomainName=example.com SubDomain=www HostedZoneId=hosted-zone-ID
   ```

   1. (Optional) To deploy the stack with a domain apex, run the following command instead.

     ```
     aws --region us-east-1 cloudformation deploy \
         --stack-name your-CloudFormation-stack-name \
         --template-file packaged.template \
         --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
         --parameter-overrides  DomainName=example.com SubDomain=www HostedZoneId=hosted-zone-ID CreateApex=yes
     ```

1. Wait for the CloudFormation stack to finish creating. The stack creates some nested stacks, and can take several minutes to finish. When it’s finished, the **Status** changes to **CREATE\$1COMPLETE**.

   When the status changes to **CREATE\$1COMPLETE**, go to https://www.example.com to view your website (replace www.example.com with the subdomain and domain name that you specified in the previous step). You should see your website’s content.

### Finding access logs
<a name="deploy-website-cloudformation-logs"></a>

This solution enables [access logs](AccessLogs.md) for the CloudFront distribution. Complete the following steps to locate the distribution’s access logs.

**To locate the distribution’s access logs**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose the bucket whose name begins with **amazon-cloudfront-secure-static-site-s3bucketlogs-**.
**Note**  
Make sure to choose the bucket with **s3bucketlogs** in its name, not **s3bucketroot**. The bucket with **s3bucketlogs** in its name contains log files. The one with **s3bucketroot** contains the website content.

1. The folder named **cdn** contains the CloudFront access logs.