There are several options for configuring HTTP redirects issued from CloudFront, and this article covers them. While the specific use case here is the ACM HTTP validation redirect, the options apply to any HTTP redirect requirement.
The new CloudFront SaaS Manager has been launched; however, it is not immediately obvious from the public documentation what the options are for adding HTTP redirects (301 or 302) to your CloudFront distribution in order to support the new AWS Certificate Manager (ACM) 'HTTP validation' method. The ACM documentation says "For each domain, set up an HTTP redirect from the Redirect From URL to the Redirect To URL. You can do this through your CloudFront distribution configuration." But how exactly do you do this?
Let's say you need to create a single ACM HTTP validation redirect as follows:
redirectFrom: http://example.com/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt
redirectTo: https://validation.us-east-1.acm-validations.aws/123456789012/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt
First (for the ACM HTTP validation use case), you'll need to create a new CloudFront cache behaviour for path pattern '/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt' (or '/.well-known/pki-validation/*' if you need to cover multiple domains) on the distribution for 'example.com', using the 'HTTP and HTTPS' viewer protocol policy, and then choose one of the following options:
- If you already use, or plan to use, AWS WAF associated with CloudFront, write a WAF rule that returns a custom response so that the request is never sent to the origin (the origin is irrelevant in this option); see [1] below for rule details. This is my personal choice; however, if you are approaching WebACL Capacity Unit (WCU) limits (keeping in mind that AWS WAF request costs increase when a WebACL consumes more than 1500 WCU), you may want to choose another option.
- Return the redirect from your origin. Use either an origin Application Load Balancer (ALB) listener rule or Apache mod_rewrite on your target instance to return a fixed response (HTTP 301/302). If you use this option, set the cache behaviour's 'minimumTTL' to a non-zero value so that the redirect response is cached in the CDN and the redirect path cannot become a DDoS vector against the origin. Using a non-zero 'minimumTTL' rather than a 'Cache-Control' response header to control this means that request collapsing is enabled.
- Use an S3 origin configured to redirect requests for the object '/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt' (see the S3 redirect documentation). This is a scalable option if you need to support many redirects.
- Use CloudFront Functions (CFF) to return a fixed response (sample code). There is potentially an additional cost with this option; however, if you already have a CFF on the existing cache behaviour, this is not a concern.
The options above are all viable, and which one you prefer will depend on your individual circumstances and preferences.
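The CloudFront Functions option above, written out as an added example (this is not the post's linked sample code and not AWS's own). It assumes the function is attached to the viewer-request event of the '/.well-known/pki-validation/*' cache behaviour, uses the constructed token and validation URL from the post, and keeps to ES5-style syntax so it fits the CloudFront Functions runtime. Unknown paths are returned unchanged so they continue to the origin.

```javascript
// Added example: CloudFront Function (viewer-request event) that answers the
// ACM HTTP validation path with a fixed 302 and lets every other path through.
// Table of redirectFrom path -> redirectTo URL. Values are the constructed
// sample token/account from the post, not real ones.
var REDIRECTS = {
  '/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt':
    'https://validation.us-east-1.acm-validations.aws/123456789012/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt'
};

function handler(event) {
  var request = event.request;
  // Own-property check so a request URI can never resolve to an inherited
  // Object property (e.g. 'constructor') and be treated as a redirect entry.
  if (!Object.prototype.hasOwnProperty.call(REDIRECTS, request.uri)) {
    // Not a known validation path: return the request so CloudFront
    // continues to the origin as normal.
    return request;
  }
  // Returning a response object from the viewer-request event short-circuits
  // the request; header names must be lowercase in the CFF response model.
  return {
    statusCode: 302,
    statusDescription: 'Found',
    headers: {
      location: { value: REDIRECTS[request.uri] }
    }
  };
}
```

Because the response is generated at the viewer-request stage, it is produced before the cache and the function runs on every matching request; that is the per-request cost the post refers to, and it is also why 'minimumTTL' does not help here, unlike the origin-redirect option.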
[1] AWS WAF rule. The cache behaviour's 'origin' setting is irrelevant for this option, as the request will never reach the origin, provided the 'uri_path' match in the WAF rule covers the cache behaviour's path pattern. So if the path pattern in the cache behaviour ends with '*', the rule should match the same set of paths (use 'starts_with' instead of 'exactly_matches'); otherwise requests the behaviour routes but the rule misses will be forwarded to the origin.
Rule name: acm_http_validation
Rule type: regular
Scope-down: uri_path exactly_matches '/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt'
Action: Block
Custom code: 302
Custom header: key:Location value:https://validation.us-east-1.acm-validations.aws/123456789012/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt
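The rule above expressed in the WAFv2 JSON shape the AWS CLI and API accept, as an added example (not from the post or from AWS). The builder derives the positional constraint from the cache behaviour's path pattern, which is the 'starts_with' versus 'exactly_matches' point made in [1], and a small matcher evaluates the scope-down the way WAF would so a behaviour/rule mismatch can be seen before deploying. The Priority value, the VisibilityConfig block and its metric name are assumptions; the redirect URL is the post's constructed sample.

```javascript
// Added example: build the 'acm_http_validation' WAFv2 rule and check which
// request paths its scope-down actually matches.
var REDIRECT_TO =
  'https://validation.us-east-1.acm-validations.aws/123456789012/.well-known/pki-validation/leabe938a4fe077b31e1ff62b781c123.txt';

// pathPattern is the cache behaviour's path pattern. A trailing '*' means the
// behaviour covers many paths, so the rule must use STARTS_WITH on the prefix;
// otherwise EXACTLY on the full path keeps the rule as narrow as the behaviour.
function buildAcmRedirectRule(pathPattern, redirectTo) {
  var wildcard = pathPattern.endsWith('*');
  var searchString = wildcard ? pathPattern.slice(0, -1) : pathPattern;
  return {
    Name: 'acm_http_validation',
    Priority: 0, // assumption: evaluated before other rules in the WebACL
    Statement: {
      ByteMatchStatement: {
        SearchString: searchString,
        FieldToMatch: { UriPath: {} },
        TextTransformations: [{ Priority: 0, Type: 'NONE' }],
        PositionalConstraint: wildcard ? 'STARTS_WITH' : 'EXACTLY'
      }
    },
    // Block with a custom response: WAF answers 302 + Location itself and the
    // request never reaches the origin behind the cache behaviour.
    Action: {
      Block: {
        CustomResponse: {
          ResponseCode: 302,
          ResponseHeaders: [{ Name: 'Location', Value: redirectTo }]
        }
      }
    },
    VisibilityConfig: { // assumption: metrics on so blocked requests are visible
      SampledRequestsEnabled: true,
      CloudWatchMetricsEnabled: true,
      MetricName: 'acm_http_validation'
    }
  };
}

// Evaluate the rule's scope-down against a request path as WAF would. A path
// the cache behaviour routes but this returns false for would go to the origin
// instead of being redirected.
function ruleMatches(rule, uriPath) {
  var bm = rule.Statement.ByteMatchStatement;
  switch (bm.PositionalConstraint) {
    case 'EXACTLY':
      return uriPath === bm.SearchString;
    case 'STARTS_WITH':
      return uriPath.indexOf(bm.SearchString) === 0;
    default:
      throw new Error('unsupported PositionalConstraint: ' + bm.PositionalConstraint);
  }
}
```

Note that a rule carries a single Location value, so a STARTS_WITH rule sends every path under the prefix to the same target; if the distribution serves several domains with different validation tokens, use one EXACTLY rule per token rather than one prefix rule.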