CloudFront
Last updated: Apr 24, 2026
Rationale
Amazon CloudFront is the content delivery network we use in front of every public HTTPS endpoint at *.fluidattacks.com, directly fronting our AWS origins (S3 buckets and Lambda Function URLs) and sitting behind Cloudflare as the second tier of the public hosting chain.
The main reasons why we chose it over other alternatives are:
- It supports Origin Access Control (OAC), which lets the origin (S3 bucket or Lambda Function URL) cryptographically reject requests that did not come through the distribution — see Public hosting.
- It integrates natively with AWS Certificate Manager, auto-issuing and rotating TLS certificates for custom domains at no additional cost.
- It supports CloudFront Functions, sub-millisecond edge functions for viewer-request rewrites and access control. We use them to enforce that every request entering the distribution originated from Cloudflare, rejecting direct *.cloudfront.net hits.
- It supports CloudWatch Logs Delivery V2 for access logs, written as JSON to a central S3 logging bucket without requiring any distribution-embedded logging configuration.
- It enforces modern TLS policies at the viewer (TLS 1.3) and supports path-based routing between multiple origins within a single distribution, allowing us to serve static assets from S3 and server-rendered content from a Lambda Function URL on the same hostname.
- Resources can be written as code using Terraform.
- It bills per request and per gigabyte transferred with no base fee, aligning cost with usage for low-traffic consumers.
- It complies with several certifications from ISO and CSA.
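As an added example (not Fluid Attacks' own function), the viewer-request check described above, written for the CloudFront Functions runtime: it rejects requests whose Host header is the distribution's default *.cloudfront.net name, since requests proxied by Cloudflare carry the custom *.fluidattacks.com hostname. The page does not say how Cloudflare origination is verified, so the Host allowlist, the hostnames and the makeViewerRequest helper are assumptions constructed for this example.

```javascript
// Viewer-request handler for a CloudFront Function (cloudfront-js runtime).
// Assumption: requests that came through Cloudflare have Host set to one of
// the distribution's custom aliases; a direct hit uses d<id>.cloudfront.net.

// Constructed allowlist of custom domains served by this distribution.
var ALLOWED_HOSTS = ['docs.fluidattacks.com'];

function handler(event) {
  var request = event.request;
  var hostHeader = request.headers['host'];
  // CloudFront lowercases header names; strip any ":port" suffix before matching.
  var host = hostHeader ? hostHeader.value.toLowerCase().split(':')[0] : '';

  // Reject the default distribution hostname and anything not on the allowlist
  // (including a missing Host header). Returning a response object here
  // short-circuits the request: it never reaches the origin.
  if (host.endsWith('.cloudfront.net') || ALLOWED_HOSTS.indexOf(host) === -1) {
    return {
      statusCode: 403,
      statusDescription: 'Forbidden',
      headers: { 'cache-control': { value: 'no-store' } }
    };
  }

  // Allowed: pass the (possibly rewritten) request on to CloudFront.
  return request;
}

// Constructed helper that builds a minimal viewer-request event for local testing.
function makeViewerRequest(host) {
  var headers = {};
  if (host !== undefined) {
    headers['host'] = { value: host };
  }
  return {
    version: '1.0',
    context: { eventType: 'viewer-request' },
    viewer: { ip: '198.51.100.10' },
    request: { method: 'GET', uri: '/index.html', querystring: {}, headers: headers, cookies: {} }
  };
}
```

Deployed as the viewer-request association of the distribution, the 403 is served from the edge and the S3 or Lambda origin is never contacted for a direct hit.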
Alternatives
Below are the alternatives we evaluated before choosing Amazon CloudFront, ordered from most to least interesting based on our specific needs.
Cloudflare alone, without an AWS-side CDN
Cloudflare is our edge provider (WAF, bot management, DDoS shield, proxied DNS), and we continue to use it in front of CloudFront.
- It is unmatched at the edge and we are not replacing it — CloudFront sits behind it, not in place of it.
- Relying on Cloudflare alone would leave our AWS origins (S3 buckets, Lambda Function URLs) reachable directly over the Internet, with no cryptographic origin restriction.
- It does not provide an equivalent of Origin Access Control for AWS services, which is what gives us the AWS-native cryptographic gate on the origin layer.
Cloudflare alone was last reviewed on Apr 23, 2026.
Fastly, Akamai and other third-party CDNs
Fastly and Akamai are third-party CDN providers.
- They provide comparable edge capabilities to CloudFront.
- They do not integrate with AWS origin primitives the way CloudFront does. There is no equivalent of Origin Access Control for cryptographically restricting access to an S3 bucket or a Lambda Function URL from an external CDN.
- Adopting one would force us back to a shared-secret or IP-allowlist model for origin protection, which the current architecture deliberately avoids.
Fastly, Akamai and other third-party CDNs were last reviewed on Apr 23, 2026.
AWS Global Accelerator
AWS Global Accelerator provides static anycast IPs and TCP/UDP acceleration.
- It is not a CDN and does not cache content or provide HTTP-layer features like path-based routing or viewer-request edge functions.
- It serves a different use case (improving TCP/UDP latency for global workloads).
- It cannot replace CloudFront for our public hosting pattern.
AWS Global Accelerator was last reviewed on Apr 23, 2026.
AWS Elastic Load Balancing
AWS Elastic Load Balancing fronts compute on EC2, ECS, or EKS.
- It is not a CDN and does not terminate HTTPS with managed certificates at the edge.
- We use it internally for load-balancing our Kubernetes workloads, but not as a public-facing edge.
- It cannot front S3 or Lambda Function URLs with cryptographic origin restriction.
AWS Elastic Load Balancing was last reviewed on Apr 23, 2026.
Usage
We use Amazon CloudFront as the distribution layer in front of every public HTTPS endpoint at *.fluidattacks.com. Each consumer gets its own distribution, configured with one or two origins (S3 for static assets, Lambda Function URL for dynamic content, or both with path-based routing), all protected via Origin Access Control. The full architecture is described in Public hosting.