Questions tagged with Amazon CloudFront
Hello,
I have a web site set up in AWS ECS containers using CloudFront and ALB for traffic with URL mydomain.com which is up and running. However, the way another domain www.mydomain.com is currently set up for redirecting to mydomain.com is as an empty S3 bucket to redirect to mydomain.com, but when I hit www.mydomain.com in the browser I get: "Error. Failed to contact origin". Both domains have a CloudFront distribution each, and in Route 53 each has an A record to direct to its own CloudFront distribution.
Can anyone tell me where the configuration is going wrong?
Many thanks in advance.
Hello, I am creating live streaming using MediaLive and MediaPackage. It is said that the live stream must be distributed using CloudFront. In the AWS console, CloudFront is being created by checking the checkbox, but I was not able to find any API for creating CloudFront or enabling CloudFront by coding. I am using the JavaScript SDK.
Hi all,
In our **AWS Organization** we have a **LogArchive Centralized Account** used by our **Security Team**, where we usually send all CloudWatch logs from all of our Application Accounts (the accounts where we deploy our application workloads).
We are looking forward to doing the same with **CloudFront Real-Time Logs**; we need to send all of them to this **Centralized Log Account**.
I quickly tried using the CLI to set up the **Real-Time Logs** configuration for one of our **CloudFront Distributions**, pointing to a **Kinesis Data Stream** and an **IAM Role** in the **LogArchive Account**:
* **CLI Command:**
```
aws cloudfront create-realtime-log-config --cli-input-json "file://rtl-config.json"
```
* **JSON Input:**
```
{
    "EndPoints": [
        {
            "StreamType": "Kinesis",
            "KinesisStreamConfig": {
                "RoleARN": "arn:aws:iam::LogAccountID:role/CloudFrontRealtimeLogConfigRole",
                "StreamARN": "arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream"
            }
        }
    ],
    "Fields": [
        "c-country"
    ],
    "Name": "demorealtime",
    "SamplingRate": 1
}
```
* **IAM Role Trust Relationship in the LogArchive Account:**
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "ApplicationAccountID"
                }
            }
        }
    ]
}
```
* **Test Results:**
```
An error occurred (AccessDenied) when calling the CreateRealtimeLogConfig operation: Cross-account pass role is not allowed.
```
So, I was wondering if there is a direct way to send all **CloudFront Real-Time Logs** to a cross-account **Kinesis Data Stream/Firehose**?
Thanks
Hello, I'm new to using AWS and don't have much experience with session cookies. I've built a web app using the Remix grunge-stack and deployed it to CloudFormation. The app sets the session cookie on user login and register. The web app itself is then embedded into an iframe inside a different widget wrapper app, in the same style as they do at https://www.intercom.com/. The widget wrapper itself is then hosted inside an S3 bucket as a static bundled JavaScript file and distributed via CloudFront to be embedded on any website. All this works except for the session cookie being passed between the apps. The session cookie is created through the web app when tested as a standalone; however, it is not set when interacting through the CloudFront widget. I've tried playing around with the CORS permissions and stuff but I've had no luck. Is what I'm trying to achieve possible, and if so, what am I missing? Any help would be greatly appreciated. Thanks!
I am setting up an S3 bucket to host up static files through CloudFront (which I have done multiple times). I noticed when I set up the "Origin domain" as the S3 bucket I had configured, I received a message that said:
> This S3 bucket has static web hosting enabled. If you plan to use this distribution as a website, we recommend using the S3 website endpoint rather than the bucket endpoint.
There was a button to "Use website endpoint."
Given that this seemed to be the right advice, I clicked "Use website endpoint" and went on with configuration. However, I could not access the actual site.
After working on it a bit, I went back to this setting and disabled the use of the website endpoint. This changed the Origin access settings (see screenshot below). I was able to select "Origin access control settings (recommended)" option and everything worked perfectly immediately.

My confusion: why does "Use website endpoint" not offer this option when it's selected? It seems like it is needed. I have not seen any other information on anything else I need to configure if I choose this option.
Hi, I am creating a video-on-demand streaming data pipeline, where I am using an event-based tracking system to track how much of the video the user has watched. In order to verify this data, we will need to track the user's CloudFront access logs, and we would want to add the real-time logs to AWS-MSK (Kafka). How do we send the real-time logs of CloudFront to AWS-MSK (Kafka)?
I have a CloudFront distribution that is listed in the associated resources of one of my certificates. However, this distribution does not show up in the CloudFront distribution console, nor when I try to get its config using AWS CLI: 
This distribution is causing issues in that when I update my website, it redirects traffic to previous versions of the website.
I'd like to have this distribution deleted, but as I can't see it in the console, nor access it via the CLI, I have no way to do this. Is there another way to delete this distribution?
Hi,
I used some test certificates for a distribution.
Now these certificates are no longer in use and distribution is disabled.
I've also removed all DNS referrals although in theory this shouldn't affect it.
As indicated in the guides I should be able to delete the certificates if they are no longer in use, but no menu appears to be able to do so.
Guide references:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-deleting-distribution-certificates
Thanks
I get the following message in the Chrome dev tools console when submitting a contact form on the /about.html section of my portfolio web site:
> Access to XMLHttpRequest at 'https://123abc.execute-api.us-east-1.amazonaws.com/prod/contact' from origin 'https://myportfoliositeabc123.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://myportfoliositeabc123.net/' that is not equal to the supplied origin.
I don't know how to troubleshoot this properly, any help is appreciated. Also, where is the 'Access-Control-Allow-Origin' header value set? It is in the S3 bucket permissions > CORS, correct? Essentially, this is happening, and I'm not sure how to fix it in AWS (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin)
Here is a description of the AWS stack:
1. **Context**, I am using an S3 bucket as a static website using CloudFront and Route 53, this stuff works fine, has for years. When I added the form, I did the following to allow the HTTP POST request:
2. **CloudFront**, On the site's distribution I added a behavior with all settings default except:
   - Path pattern: /contact (I am using this because this is the API Gateway resource path ending)
   - Origin and origin groups: S3-Website-myportfoliositeabc123.net.s3-website... (Selected correct origin)
   - Viewer protocol policy: HTTP and HTTPS
   - Allowed HTTP methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
     - Cache HTTP methods (GET and HEAD methods are cached by default): Checked OPTIONS box
   - Origin request policy - optional: CORS-S3Origin
   - Response headers policy - optional: CORS-With-Preflight
3. **API Gateway**, Created a REST API with all default settings except:
   - Created a resource: /contact
   - Created a method: POST
   - For /contact, Resource Actions > Enable CORS:
     - Methods: OPTIONS and POST both checked
     - Access-Control-Allow-Origin: 'https://myportfoliositeabc123.net' (no ending slash)
     - Clicked "Enable CORS and Replace existing headers"
     - Results are all checked green:
       - ✔ Add Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin Method Response Headers to OPTIONS method
       - ✔ Add Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin Integration Response Header Mappings to OPTIONS method
       - ✔ Add Access-Control-Allow-Origin Method Response Header to POST method
       - ✔ Add Access-Control-Allow-Origin Integration Response Header Mapping to POST method
   - Created a stage called "prod", ensured it had the /contact resource, and deployed.
   - At the /contact - POST - Method Execution, the test works as expected (triggers Lambda func that uses SES to send email, which I do actually receive).

   *The only thing I feel unsure about with API Gateway is after I enable the CORS, I can't seem to find a place where that setting has been saved, and if I click again on enable CORS, it is back to the default form (with Access-Control-Allow-Origin: '*')*
4. **Amazon SES**, set up 2 verified identities for sending/receiving emails via Lambda.
5. **Lambda**, set up a basic JavaScript function with default settings, the REST API is listed as a trigger, and does actually work as previously mentioned. The function code is:
```lang-js
var AWS = require('aws-sdk');
var ses = new AWS.SES({ region: "us-east-1" });

var RECEIVER = 'myemail@email.com';
var SENDER = 'me@myportfoliositeabc123.net';

// Defined at module scope; the handler below does not return this object.
var response = {
    "statusCode": 200,
    "headers": {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": "*"
    },
    "isBase64Encoded": false,
    "body": "{ \"result\": \"Success\"\n}"
};

exports.handler = async function (event, context) {
    console.log('Received event:', event);

    // Build the SES message from the form fields passed in the event.
    var params = {
        Destination: {
            ToAddresses: [
                RECEIVER
            ]
        },
        Message: {
            Body: {
                Text: {
                    Data: 'first name: ' + event.fname + 'last name: ' + event.lname + '\nemail: ' + event.email + '\nmessage: ' + event.message,
                    Charset: 'UTF-8'
                }
            },
            Subject: {
                Data: 'Website Query Form: ' + event.name,
                Charset: 'UTF-8'
            }
        },
        Source: SENDER
    };

    // The handler resolves with the SES sendEmail result.
    return ses.sendEmail(params).promise();
};
```
*The only thing I can think of here is to maybe update the response to have "headers": {"Access-Control-Allow-Origin": "https://myportfoliositeabc123.net"}*
**S3** bucket that holds the site contents, in permissions > CORS, I have the following JSON to allow a post of the contact form (notice no slash):
```lang-json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "POST"
        ],
        "AllowedOrigins": [
            "https://myportfoliositeabc123.net"
        ],
        "ExposeHeaders": []
    }
]
```
6. **Permissions/Roles**, Established Roles and permissions per
- AWS guide: create dynamic contact forms for s3 static websites using aws lambda amazon api gateway and amazon ses
- video titled: "Webinar: Dynamic Contact Forms for S3 Static Websites Using AWS Lambda, API Gateway & Amazon SES"



In August 2022, support for HTTP/3 for CloudFront [was announced](https://aws.amazon.com/blogs/aws/new-http-3-support-for-amazon-cloudfront/). I spent some time enabling it and testing it yesterday for [our website](https://goto.archi) and it does not serve HTTP/3. I could only get HTTP/2 both on Chrome and on the [HTTP/3 test website from geekflare](https://geekflare.com/tools/http3-test). Is anybody else experiencing the same errors?

I made this extremely simplified schema of my app.
I am struggling to find a solution to prevent users from accessing resources they don't "own". Obviously my APIs can access the database and check if a user can access a specific file, but how can I do it on CloudFront?
I read about signed cookies, but in all the examples I found they grant access to the whole CloudFront distribution.
I also read about signed URLs, but since the distribution is also used for streaming HLS content, I can't create a signed URL for each single "micro" file of each single stream.
Any idea?
Thank you
Hello,
I have already set up CloudFront distributions accessing public S3 buckets and now I am trying to follow "option 1" of this post
https://aws.amazon.com/it/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/ to allow access to my S3 bucket only from a CloudFront distribution.
After having completed all the steps, if I try to get any resource, for example https://d3ivmkao0hsjcl.cloudfront.net/FILE_ESERCIZI/1/Air_bike_13_MP4_1000_18MG_1000p.m3u8, I obtain this error:
```
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>ASIA5EJGWF5XU7GEHKG2</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256 20230127T103516Z 20230127/eu-central-1/s3/aws4_request b86c5fb2ebeff3ad8b3099231cf7b9619898941e67243b97eafb983c89a12349</StringToSign>
<SignatureProvided>c7c649388d0dc4a9959e84e47d15eb9ba6c547728a97d710cf5e39b86e84f412</SignatureProvided>
<CanonicalRequest>GET /FILE_ESERCIZI/1/Air_bike_13_MP4_1000_18MG_1000p.m3u8 host:d3ivmkao0hsjcl.cloudfront.net x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20230127T103516Z x-amz-security-token:[...] x-amz-source-account:374453910143 x-amz-source-arn:arn:aws:cloudfront::374453910143:distribution/E35XBYXZDKV4SS host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-source-account;x-amz-source-arn e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest>
<RequestId>PRM1GCD8SDC238HH</RequestId>
<HostId>juMFHQDRE2n/XXxH7L8GrVb68EYF1+EMM7tVvCo9AcwmYgpSWtNAVj1QKgDW0A084ttTbKrCU2k=</HostId>
</Error>
```
any idea?
thanks,
Roberto