How it works
- Users worldwide access content via public CloudFront URLs.
- Requests are routed to the nearest CloudFront edge location (e.g., Los Angeles, São Paulo, Mumbai, Melbourne).
- Edge locations communicate privately over the AWS backbone network with the origin S3 bucket.
Security
- Direct public access to the S3 bucket is blocked.
- Access is restricted to CloudFront using:
  - Origin Access Control (OAC) – the preferred modern method; the bucket policy grants read access to the CloudFront service principal only for a specific distribution
  - S3 bucket policies that allow only CloudFront's Origin Access Identity (OAI) – the legacy method
- Ensures content can only be fetched securely via CloudFront, not directly from S3.
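As an added example that is not part of these notes, the Python below places a constructed public bucket policy beside the OAC bucket policy the notes describe, with a small audit function that flags statements allowing direct S3 reads; the account id, distribution id and bucket name are placeholders.

```python
# Constructed placeholder ids (not real account/distribution values).
ACCOUNT_ID, DISTRIBUTION_ID, BUCKET = "111111111111", "EDFDVBD6EXAMPLE", "example-static-site"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"
DIST_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"

# Weak policy: anyone can read objects straight from S3, bypassing CloudFront.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": OBJECTS}]}

# Hardened policy (OAC): only the CloudFront service principal, and only when
# the request is signed on behalf of this one distribution.
OAC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowCloudFrontServicePrincipalReadOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}]}


def is_public(principal) -> bool:
    """True when the Principal element matches anyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket_policy(policy: dict) -> list[str]:
    """Return findings; an empty list means reads are limited to one CloudFront
    distribution via OAC and nothing is public."""
    findings, has_oac = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "?"), stmt.get("Principal", {})
        if is_public(principal):
            findings.append(f"{sid}: public principal allows direct S3 access")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            arn = stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn", "")
            if arn.startswith("arn:aws:cloudfront::"):
                has_oac = True  # scoped to a specific distribution
            else:
                findings.append(f"{sid}: CloudFront principal lacks an AWS:SourceArn condition")
    if not has_oac:
        findings.append("no statement grants read access to a CloudFront distribution")
    return findings
```

Run `audit_bucket_policy` over a policy pulled with `aws s3api get-bucket-policy` to confirm the bucket is reachable only through the distribution.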
CloudFront vs. S3 Cross-Region Replication
| Feature | CloudFront | S3 Cross-Region Replication |
| --- | --- | --- |
| Purpose | Global caching of static/dynamic content | Replication of bucket contents to other AWS Regions |
| Scope | Global edge network | Specific Regions you configure |
| Latency | Low (served from the nearest edge) | Depends on the client's distance to the replicated Region |
| Content | Cached for a TTL (e.g., 1 day) | Continuous replication in near real time |
| Access | Read from edge locations | Read from S3 buckets in different Regions |
| Best For | Static content that must be available everywhere | Dynamic content requiring low latency in a few specific Regions |