Amazon CloudFront is a fully managed content delivery network (CDN) from AWS. It caches your content at edge locations worldwide, delivering files to users from the nearest server for faster load times and lower latency.
CloudFront accelerates content delivery by caching files at edge locations around the world, with built-in security, monitoring, and serverless compute at the edge.
Over 600 edge locations and 13 regional edge caches across six continents. Content is served from the location nearest to each user for minimal latency.
Run serverless functions at edge locations to transform requests and responses in real time. Enable A/B testing, header manipulation, URL rewrites, and authentication at the edge.
Native integration with AWS Shield, AWS WAF, and ACM for SSL/TLS. Signed URLs and signed cookies for private content. Field-level encryption for sensitive data.
Granular cache behaviors per path pattern. Control TTLs, query string forwarding, cookie handling, and header-based caching independently for each content type.
Use S3 buckets, EC2 instances, Elastic Load Balancers, API Gateway, or any custom HTTP/HTTPS endpoint as origins. Origin groups enable automatic failover.
CloudWatch metrics for every distribution, real-time access logs to S3 or Kinesis, and CloudFront Functions for lightweight edge compute at sub-millisecond startup.
CloudFront sits between your users and your origin servers, caching content at edge locations so files travel a shorter distance to reach the end user.
A user requests a file (webpage, image, API response). DNS routes the request to the nearest CloudFront edge location for the lowest latency.
The edge location checks its local cache. If the file is cached and still valid (not expired), CloudFront returns it immediately without contacting the origin.
On a cache miss, CloudFront fetches the file from your origin (S3, EC2, or any HTTP server), caches it at the edge, and returns it to the user.
CloudFront integrates natively with many AWS services as content origins and for edge compute:
The most common origin. Serve static websites, media assets, and application bundles directly from S3 buckets through CloudFront.
Run serverless functions at edge locations to intercept and transform requests and responses between users and origins.
Use EC2 instances or Application Load Balancers as custom origins for dynamic content generation.
Place CloudFront in front of your API Gateway endpoints for caching, geographic routing, and DDoS protection.
Deliver live and on-demand video content using MediaStore or MediaPackage as origins for streaming workflows.
Every distribution emits metrics automatically: request counts, error rates, cache hit ratios, and Lambda@Edge execution data.
The Serverless Framework lets you define CloudFront distributions as resources and deploy Lambda@Edge functions triggered by CloudFront events. Define everything in serverless.yml:
```yaml
service: my-cdn

provider:
  name: aws
  runtime: nodejs22.x

functions:
  # Lambda@Edge function for origin requests
  originRequest:
    handler: edge.handler
    events:
      - cloudFront:
          eventType: origin-request
          origin:
            DomainName: my-bucket.s3.amazonaws.com
            S3OriginConfig:
              OriginAccessIdentity: ""

  # Viewer response manipulation
  viewerResponse:
    handler: headers.handler
    events:
      - cloudFront:
          eventType: viewer-response
          origin:
            DomainName: my-bucket.s3.amazonaws.com
            S3OriginConfig:
              OriginAccessIdentity: ""
```

The framework handles all CloudFormation resource creation: CloudFront distribution configuration, Lambda@Edge function deployment to edge locations, IAM roles, and origin access identities. It also supports custom cache behaviors, custom domains, and SSL certificate configuration.
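The `viewerResponse` function in the configuration above points at `headers.handler`. The following is an added example, not Serverless Framework or AWS code, of what such a handler could contain: it sets security headers on the viewer response using the Lambda@Edge event layout. The header values, the enforced/default split, and the helper names are assumptions chosen for illustration.

```javascript
'use strict';

// Headers forced on every response, overriding whatever the origin sent (assumed policy).
const ENFORCED = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Headers added only when the origin did not set its own value (assumed policy).
const DEFAULTS = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
};

// Lambda@Edge keys the header map by lowercase name; each entry is an
// array of { key, value } objects.
function setHeader(headers, name, value) {
  headers[name.toLowerCase()] = [{ key: name, value }];
}

function applySecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const [name, value] of Object.entries(ENFORCED)) {
    setHeader(headers, name, value);
  }
  for (const [name, value] of Object.entries(DEFAULTS)) {
    if (!headers[name.toLowerCase()]) setHeader(headers, name, value);
  }
  return response;
}

// Entry point referenced as headers.handler in serverless.yml.
const handler = async (event) =>
  applySecurityHeaders(event.Records[0].cf.response);

// Export when loaded as a CommonJS module (guarded so the file also runs as a plain script).
if (typeof module !== 'undefined') module.exports = { handler, applySecurityHeaders };

// Constructed sample of a viewer-response event, for local runs.
const sampleEvent = { Records: [{ cf: { response: {
  status: '200',
  headers: {
    'content-type': [{ key: 'Content-Type', value: 'text/html' }],
    'content-security-policy': [{ key: 'Content-Security-Policy', value: "default-src 'none'" }],
  },
} } }] };
```

An origin that already sends a stricter `Content-Security-Policy` keeps it, while HSTS is always overwritten so a misconfigured origin cannot weaken it.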
CloudFront distributions scale automatically with demand. Whether you receive a hundred requests per day or a hundred million, CloudFront handles the load without configuration changes. There are no capacity planning decisions and no servers to provision. Traffic spikes from product launches, marketing campaigns, or viral content are absorbed transparently.
Serverless applications rely heavily on static assets: HTML pages, CSS, JavaScript bundles, and media files. CloudFront ensures these assets load fast regardless of where your users are located. Paired with S3 for storage and Lambda for dynamic logic, CloudFront completes the serverless stack by handling global content delivery with zero infrastructure management.
Creating a CloudFront distribution with an S3 or HTTP origin takes minutes. Once configured, there is nothing to maintain: no patches, no capacity monitoring, no certificate renewals (when using ACM). This frees your team to focus on application logic instead of infrastructure operations.
Define different caching policies for different path patterns within the same distribution. Cache static assets aggressively with long TTLs while keeping API responses uncached or cached briefly. Control cache keys based on headers, cookies, and query strings to balance performance with content freshness.
CloudFront is the right choice for most content delivery needs, but these constraints are worth understanding upfront.
CloudFront is pay-per-use, which is great for low traffic but can grow rapidly. Data transfer to end users is the primary cost driver, and pricing varies significantly by region. South America and Australia are notably more expensive than US and Europe.
As a fully managed service, you cannot inspect or tune the underlying caching infrastructure. You cannot control connection pooling, buffer sizes, or cache eviction algorithms. For the vast majority of use cases this is fine, but niche performance optimization is not possible.
Distribution configuration changes take several minutes to propagate across all edge locations. Cache invalidations also take time and cost $0.005 per path after the first 1,000 per month. Plan deployments accordingly.
Lambda@Edge functions running on viewer events are limited to 128 MB memory and a 5-second timeout. Origin event functions allow 30-second timeouts. Response sizes are capped at 40 KB for viewer triggers and 1 MB for origin triggers.
Data transfer costs differ substantially across regions. Serving content to users in South America or Australia can cost two to four times more than US delivery. Use price classes to limit which regions your distribution serves if cost control is a priority.
CloudFront pricing is based on data transfer out, HTTP/HTTPS requests, and optional features like invalidations and Lambda@Edge execution.
- 1 TB: data transfer out / month
- 10M: HTTP/HTTPS requests / month
- 2M: CloudFront Function invocations / month

| Service | Price (US region) |
|---|---|
| Data transfer (first 10 TB) | $0.085 / GB |
| Data transfer (10-50 TB) | $0.080 / GB |
| Data transfer (50-150 TB) | $0.060 / GB |
| Data transfer (150+ TB) | $0.040 / GB |
| HTTP requests | $0.0075 / 10K requests |
| HTTPS requests | $0.0100 / 10K requests |
| Invalidation requests | $0.005 / path (1,000 free/month) |
| Lambda@Edge requests | $0.60 / 1M requests |
30 days x 10,000 users x 20 MB = ~5.9 TB transfer = ~$498/month
30 days x 10,000 users x 100 requests = 30M HTTPS requests = ~$30/month
Total: approximately $528/month. Use price classes to restrict expensive regions and reduce costs.
CloudFront offers three price classes that let you control costs by limiting which edge locations serve your content. Restricting to fewer regions lowers your per-GB rate but increases latency for excluded regions.
All edge locations worldwide. Highest performance and broadest coverage, but includes the most expensive regions (South America, Australia).
US, Canada, Europe, Asia, Middle East, and Africa. Excludes South America and Australia. A good balance of global reach and cost control.
US, Canada, and Europe only. The lowest-cost option. Best when your audience is concentrated in North America and Europe.
See the official CloudFront pricing page for current regional rates.
Use CloudFront when you need fast global delivery of static assets (HTML, CSS, JS, images, video), want to reduce load on your origin servers, need DDoS protection and SSL termination at the edge, or are building serverless applications with S3 and Lambda that require low-latency content delivery worldwide.
Consider alternatives when all your users are in a single region close to your S3 bucket (serve directly from S3 instead), you need a flat-rate pricing model (consider Cloudflare), or your content is mostly private and rarely accessed (the caching benefit is minimal). For latency-sensitive files that do not require global distribution, serving directly from Amazon S3 is simpler and cheaper.
CloudFront is the default CDN for AWS-centric architectures, but other options may fit your requirements better depending on your stack, budget, and traffic patterns.
Free tier with unlimited bandwidth, integrated DDoS protection and WAF, and a simpler configuration model. Best for general web acceleration when you want strong defaults without per-GB billing.
Tight integration with Google Cloud load balancers, Cloud Storage, and Compute Engine. Best if your infrastructure already runs on Google Cloud and you want a single-vendor CDN.
Enterprise-grade CDN with the largest edge network globally. Extensive media delivery and streaming optimization. Best for organizations delivering video and media at massive scale.
Developer-friendly edge compute platform with VCL and Wasm support. Instant cache purging and real-time log streaming. Best for teams that need programmable content manipulation at the edge.
No CDN layer needed for infrequently accessed content. Serve files directly from S3 when traffic is low and users are in the same region. Best for internal tools or low-traffic sites where caching overhead is unnecessary.
Default quotas for CloudFront resources. Most limits are adjustable through an AWS Support request.
| Resource | Default Limit |
|---|---|
| Distributions per account | 200 (adjustable) |
| Alternate domain names (CNAMEs) | 100 per distribution |
| Origins per distribution | 25 |
| Cache behaviors per distribution | 25 |
| Max file size (single GET) | 30 GB |
| Lambda@Edge memory (viewer events) | 128 MB |
| Lambda@Edge timeout (viewer events) | 5 seconds |
| Lambda@Edge response body (viewer events) | 40 KB |
| Lambda@Edge memory (origin events) | 3,008 MB |
| Lambda@Edge timeout (origin events) | 30 seconds |
| Lambda@Edge response body (origin events) | 1 MB |
| CloudFront Functions max size | 10 KB |
| CloudFront Functions max execution | 1 ms |
| CloudFront Functions max memory | 2 MB |
| Custom request/response headers | 10 |
| Invalidation paths in progress | 3,000 |
| Invalidation cost | $0.005/path after first 1,000 free/month |