# Get started with CloudFront Get started The topics in this section show you how to get started delivering your content with Amazon CloudFront. The [Set up your Amazon Web Services account](setting-up-cloudfront.md) topic describes prerequisites for the following tutorials, such as creating an Amazon Web Services account and creating a user with administrative access. The basic distribution tutorial shows you how to set up origin access control (OAC) to send authenticated requests to an Amazon S3 origin. The secure static website tutorial shows you how to create a secure static website for your domain name using OAC with an Amazon S3 origin. The tutorial uses an Amazon CloudFront (CloudFront) template for configuration and deployment. **Topics** + [ # Set up your Amazon Web Services account ](setting-up-cloudfront.md) + [ # Get started with a CloudFront standard distribution ](GettingStarted.SimpleDistribution.md) + [ # Get started with a standard distribution (Amazon CLI) ](get-started-cli-tutorial.md) + [ # Get started with a secure static website ](getting-started-secure-static-website-cloudformation-template.md) # Set up your Amazon Web Services account This topic describes preliminary steps, such as creating an Amazon Web Services account, to prepare you to use Amazon CloudFront. **Topics** + [ ## Sign up for an Amazon Web Services account ](#sign-up-for-aws) + [ ## Secure IAM users ](#secure-an-admin) + [ ## Choose how to access CloudFront ](#introduction-accessing-cloudfront) ## Sign up for an Amazon Web Services account If you do not have an Amazon Web Services account, use the following procedure to create one. **To sign up for Amazon Web Services** 1. Open [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choose **Sign Up**. 1. Follow the on-screen instructions. Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [http://www.amazonaws.cn/](http://www.amazonaws.cn/) and choosing **My Account**. ## Secure IAM users After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see [Enable a virtual MFA device for an IAM user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-iam-user) in the *IAM User Guide*. To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks. For more information about creating and securing IAM users, see the following topics in the *IAM User Guide*: + [Creating an IAM user in your Amazon Web Services account](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_create.html) + [Access management for Amazon resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/access.html) + [Example IAM identity-based policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_examples.html) ## Choose how to access CloudFront You can access Amazon CloudFront in the following ways: + **Amazon Web Services Management Console** – The procedures throughout this guide explain how to use the Amazon Web Services Management Console to perform tasks. + **Amazon SDKs** – If you're using a programming language that Amazon provides an SDK for, you can use an SDK to access CloudFront. SDKs simplify authentication, integrate easily with your development environment, and provide access to CloudFront commands. For more information, see [Using CloudFront with an Amazon SDK](sdk-general-information-section.md). + **CloudFront API** – If you're using a programming language that an SDK isn't available for, see the [Amazon CloudFront API Reference](https://docs.amazonaws.cn/cloudfront/latest/APIReference/Welcome.html) for information about API actions and about how to make API requests. + **Amazon CLI** – The Amazon Command Line Interface (Amazon CLI) is a unified tool for managing Amazon Web Services services. For information about how to install and configure the Amazon CLI, see [Install or update to the latest version of the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/getting-started-install.html) in the *Amazon Command Line Interface User Guide*. + **Tools for Windows PowerShell** – If you have experience with Windows PowerShell, you might prefer to use Amazon Tools for Windows PowerShell. For more information, see [Installing the Amazon Tools for Windows PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/pstools-getting-set-up.html) in the *Amazon Tools for PowerShell User Guide*. # Get started with a CloudFront standard distribution Get started with a standard distributionGetting started with a CloudFront standard distribution Updated tutorial for a standard distribution that uses an Amazon S3 origin with origin access control (OAC). The procedures in this section show you how to use CloudFront to set up a standard distribution that does the following: + Creates an S3 bucket to use as your distribution origin. + Stores the original versions of your objects in an Amazon Simple Storage Service (Amazon S3) bucket. + Uses origin access control (OAC) to send authenticated requests to your Amazon S3 origin. OAC sends requests through CloudFront to prevent viewers from accessing your S3 bucket directly. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md). + Uses the CloudFront domain name in URLs for your objects (for example, `https://d111111abcdef8.cloudfront.net/index.html`). + Keeps your objects in CloudFront edge locations for the default duration of 24 hours (the minimum duration is 0 seconds). Most of this is configured automatically for you when you create a CloudFront distribution. **Topics** + [ ## Prerequisites ](#GettingStartedSignup) + [ ## Create an Amazon S3 bucket ](#GettingStartedCreateBucket) + [ ## Upload the content to the bucket ](#GettingStartedUploadContent) + [ ## Create a CloudFront distribution that uses an Amazon S3 origin with OAC ](#GettingStartedCreateDistribution) + [ ## Access your content through CloudFront ](#GettingStartedAccessingDistributions) + [ ## Clean up ](#GettingStartedDistributionCleanup) + [ ## Enhance your basic distribution ](#GettingStartedDistributionNotes) ## Prerequisites Before you begin, make sure that you’ve completed the steps in [Set up your Amazon Web Services account](setting-up-cloudfront.md). ## Create an Amazon S3 bucket Create bucket An Amazon S3 bucket is a container for files (objects) or folders. CloudFront can distribute almost any type of file for you when an S3 bucket is the source. For example, CloudFront can distribute text, images, and videos. There is no maximum for the amount of data that you can store on Amazon S3. For this tutorial, you create an S3 bucket with the provided sample `hello world` files that you will use to create a basic webpage. **To create a bucket** 1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/). 1. We recommend that you use our Hello World sample for this Getting started. Download the *hello world* webpage: [hello-world-html.zip](samples/hello-world-html.zip). Unzip it and save the `css` folder and `index` file in a convenient location, such as the desktop where you are running your browser. 1. Choose **Create bucket**. 1. Enter a unique **Bucket name** that conforms to the [General purpose buckets naming rules](https://docs.amazonaws.cn/AmazonS3/latest/userguide/bucketnamingrules.html#general-purpose-bucket-names) in the *Amazon Simple Storage Service User Guide*. 1. For **Region**, we recommend choosing an Amazon Web Services Region that is geographically close to you. (This reduces latency and costs.) + Choosing a different Region works, too. You might do this to address regulatory requirements, for example. 1. Leave all other settings at their defaults, and then choose **Create bucket**. ## Upload the content to the bucket Upload content After you create your Amazon S3 bucket, upload the contents of the unzipped `hello world` file to it. (You downloaded and unzipped this file in [Create an Amazon S3 bucket](#GettingStartedCreateBucket).) **To upload the content to Amazon S3** 1. In the **General purpose buckets** section, choose the name of your new bucket. 1. Choose **Upload**. 1. On the **Upload** page, drag the `css` folder and `index` file into the drop area. 1. Leave all other settings at their defaults, and then choose **Upload**. ## Create a CloudFront distribution that uses an Amazon S3 origin with OAC Create distribution For this tutorial, you will create a CloudFront distribution that uses an Amazon S3 origin with origin access control (OAC). OAC helps you securely send authenticated requests to your Amazon S3 origin. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md). **To create a CloudFront distribution with an Amazon S3 origin that uses OAC** 1. Open the CloudFront console at [https://console.amazonaws.cn/cloudfront/v4/home](https://console.amazonaws.cn/cloudfront/v4/home). 1. Choose **Create distribution**. 1. Enter a **Distribution name** for the standard distribution. The name will appear as the value for the `Name` key as a tag. You can change this value later. You can add up to 50 tags for your standard distribution. For more information, see [Tag a distribution](tagging.md). 1. Choose **Single website or app**, **Next**. 1. Choose **Next**. 1. For **Origin type** page, select the **Amazon S3**. 1. For **S3 origin**, choose **Browse S3** and select the S3 bucket that you created for this tutorial. 1. For **Settings**, choose **Use recommended origin settings**. CloudFront will use the default recommended cache and origin settings for your Amazon S3 origin, including setting up Origin Access Control (OAC). For more information about the recommended settings, see [Preconfigured distribution settings reference](template-preconfigured-origin-settings.md). 1. Choose **Next**. 1. On the **Enable security protections** page, choose whether to enable Amazon WAF security protections. 1. Choose **Next**. 1. Choose **Create distribution**. CloudFront updates the S3 bucket policy for you. 1. Review the **Details** section for your new distribution. When your distribution is done deploying, the **Last modified** field changes from **Deploying** to a date and time. 1. Record the domain name that CloudFront assigns to your distribution. It looks similar to the following: `d111111abcdef8.cloudfront.net`. Before using the distribution and S3 bucket from this tutorial in a production environment, make sure to configure it to meet your specific needs. For information about configuring access in a production environment, see [Configure secure access and restrict access to content](SecurityAndPrivateContent.md). ## Access your content through CloudFront Access the content To access your content through CloudFront, combine the domain name for your CloudFront distribution with the main page for your content. (You recorded your distribution domain name in [Create a CloudFront distribution that uses an Amazon S3 origin with OAC](#GettingStartedCreateDistribution).) + Your distribution domain name might look like this: `d111111abcdef8.cloudfront.net`. + The path to the main page of a website is typically `/index.html`. Therefore, the URL to access your content through CloudFront might look like this: `https://d111111abcdef8.cloudfront.net/index.html`. If you followed the previous steps and used the *hello world* webpage, you should see a webpage that says **Hello world\$1**. When you upload more content to this S3 bucket, you can access the content through CloudFront by combining the CloudFront distribution domain name with the path to the object in the S3 bucket. For example, if you upload a new file named `new-page.html` to the root of your S3 bucket, the URL looks like this: `https://d111111abcdef8.cloudfront.net/new-page.html`. ## Clean up If you created your distribution and S3 bucket only as a learning exercise, delete them so that you no longer accrue charges. Delete the distribution first. For more information, see the following links: + [Delete a distribution](HowToDeleteDistribution.md) + [Deleting a bucket](https://docs.amazonaws.cn/AmazonS3/latest/userguide/delete-bucket.html) ## Enhance your basic distribution This Get started tutorial provides a minimal framework for creating a distribution. We recommend that you explore the following enhancements: + You can use the CloudFront private content feature to restrict access to the content in the Amazon S3 buckets. For more information about distributing private content, see [Serve private content with signed URLs and signed cookies](PrivateContent.md). + You can configure your CloudFront distribution to use a custom domain name (for example, `www.example.com` instead of `d111111abcdef8.cloudfront.net`). For more information, see [Use custom URLs](CNAMEs.md). + This tutorial uses an Amazon S3 origin with origin access control (OAC). However, you can't use OAC if your origin is an S3 bucket configured as a [website endpoint](https://docs.amazonaws.cn/AmazonS3/latest/userguide/WebsiteEndpoints.html). If that's the case, you must set up your bucket with CloudFront as a custom origin. For more information, see [Use an Amazon S3 bucket that's configured as a website endpoint](DownloadDistS3AndCustomOrigins.md#concept_S3Origin_website). For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md). # Get started with a standard distribution (Amazon CLI) Get started (Amazon CLI) The procedures in this section show you how to use the Amazon CLI with CloudFront to set up a basic configuration that involves the following: + Creating an Amazon S3 bucket to use as your distribution origin. + Storing the original versions of your objects in the S3 bucket. + Using origin access control (OAC) to send authenticated requests to your Amazon S3 origin. OAC sends requests through CloudFront to prevent viewers from accessing your S3 bucket directly. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md). + Using the CloudFront domain name in URLs for your objects (for example, `https://d111111abcdef8.cloudfront.net/index.html`). + Keeping your objects in CloudFront edge locations for the default duration of 24 hours (the minimum duration is 0 seconds). Most of these options are customizable. For information about how to customize your CloudFront distribution options, see [Create a distribution](distribution-web-creating-console.md). ## Prerequisites Before you begin, make sure that you’ve completed the steps in [Set up your Amazon Web Services account](setting-up-cloudfront.md). Install the Amazon CLI and configure it with your credentials. For more information, see [Getting started with the Amazon CLI](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-getting-started.html) in the *Amazon CLI User Guide*. ## Create an Amazon S3 bucket An Amazon S3 bucket is a container for files (objects) or folders. CloudFront can distribute almost any type of file for you when an S3 bucket is the source. For example, CloudFront can distribute text, images, and videos. There is no maximum for the amount of data that you can store on Amazon S3. For this tutorial, you create an S3 bucket and upload an HTML file that you will use to create a basic webpage. ``` aws s3 mb s3://amzn-s3-demo-bucket/ --region us-east-1 ``` Replace *amzn-s3-demo-bucket* with a globally unique bucket name. For the Amazon Web Services Region, we recommend choosing a Region that is geographically close to you. This reduces latency and costs, but choosing a different Region works, too. For example, you might do this to address regulatory requirements. ## Upload the content to the bucket For this tutorial, download and extract the sample content files for a basic "Hello World" webpage. ``` # Create a temporary directory mkdir -p ~/cloudfront-demo # Download the sample Hello World files curl -o ~/cloudfront-demo/hello-world-html.zip https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/samples/hello-world-html.zip # Extract the zip file unzip ~/cloudfront-demo/hello-world-html.zip -d ~/cloudfront-demo/hello-world ``` This creates a directory with an `index.html` file and a `css` folder. Upload these files to your S3 bucket. ``` aws s3 cp ~/cloudfront-demo/hello-world/ s3://amzn-s3-demo-bucket/ --recursive ``` ## Create an Origin Access Control (OAC) For this tutorial, you will create an origin access control (OAC). OAC helps you securely send authenticated requests to your Amazon S3 origin. For more information about OAC, see [Restrict access to an Amazon S3 origin](private-content-restricting-access-to-s3.md). ``` aws cloudfront create-origin-access-control \ --origin-access-control-config Name="oac-for-s3",SigningProtocol=sigv4,SigningBehavior=always,OriginAccessControlOriginType=s3 ``` Save the OAC ID from the output as an environment variable. Replace the example value with your own OAC ID. You will use this in the next step. ``` OAC_ID="E1ABCD2EFGHIJ" ``` ## Create a standard distribution Create a distribution configuration file named `distribution-config.json`. Replace the example bucket name with your bucket name for the `Id`, `DomainName`, and `TargetOriginId` values. ``` cat > distribution-config.json << EOF { "CallerReference": "cli-example-$(date +%s)", "Origins": { "Quantity": 1, "Items": [ { "Id": "S3-amzn-s3-demo-bucket", "DomainName": "amzn-s3-demo-bucket.s3.amazonaws.com", "S3OriginConfig": { "OriginAccessIdentity": "" }, "OriginAccessControlId": "$OAC_ID" } ] }, "DefaultCacheBehavior": { "TargetOriginId": "S3-amzn-s3-demo-bucket", "ViewerProtocolPolicy": "redirect-to-https", "AllowedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"], "CachedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] } }, "DefaultTTL": 86400, "MinTTL": 0, "MaxTTL": 31536000, "Compress": true, "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" } } }, "Comment": "CloudFront distribution for S3 bucket", "Enabled": true } EOF ``` Create the standard distribution. ``` aws cloudfront create-distribution --distribution-config file://distribution-config.json ``` Save the distribution ID and domain name from the output as environment variables. Replace the example values with your own. You'll use these later in this tutorial. ``` DISTRIBUTION_ID="EABCD1234XMPL" DOMAIN_NAME="d111111abcdef8.cloudfront.net" ``` Before using the distribution and S3 bucket from this tutorial in a production environment, make sure to configure it to meet your specific needs. For information about configuring access in a production environment, see [Configure secure access and restrict access to content](SecurityAndPrivateContent.md). ## Update your S3 bucket policy Update your S3 bucket policy to allow CloudFront to access the objects. Replace the example bucket name with your bucket name. ``` # Get your AWS account ID ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) # Create the bucket policy cat > bucket-policy.json << EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::$ACCOUNT_ID:distribution/$DISTRIBUTION_ID" } } } ] } EOF # Apply the bucket policy aws s3api put-bucket-policy \ --bucket amzn-s3-demo-bucket \ --policy file://bucket-policy.json ``` ## Confirm distribution deployment After you create your distribution, it will take some time to finish deploying. When the distribution status changes from `InProgress` to `Deployed`, proceed to the next step. ``` aws cloudfront get-distribution --id $DISTRIBUTION_ID --query 'Distribution.Status' ``` Alternatively, you can use the `wait` command to wait for distribution deployment. ``` aws cloudfront wait distribution-deployed --id $DISTRIBUTION_ID ``` ## Access your content through CloudFront To access your content through CloudFront, combine the domain name for your CloudFront distribution with the main page for your content. Replace the example CloudFront domain name with your own. ``` https://d111111abcdef8.cloudfront.net/index.html ``` If you followed the previous steps and created the HTML file, you should see a webpage that says **Hello world\$1**. When you upload more content to this S3 bucket, you can access the content through CloudFront by combining the CloudFront distribution domain name with the path to the object in the S3 bucket. For example, if you upload a new file named `new-page.html` to the root of your S3 bucket, the URL looks like this: `https://d111111abcdef8.cloudfront.net/new-page.html`. ## Clean up If you created your distribution and S3 bucket only as a learning exercise, delete them so that you no longer accrue charges. Disable and delete the distribution first. **To disable and delete a standard distribution (Amazon CLI)** 1. First, disable the distribution. ``` # Get the current configuration and ETag ETAG=$(aws cloudfront get-distribution-config --id $DISTRIBUTION_ID --query 'ETag' --output text) # Create a modified configuration with Enabled=false aws cloudfront get-distribution-config --id $DISTRIBUTION_ID | \ jq '.DistributionConfig.Enabled = false' > temp_disabled_config.json # Update the distribution to disable it aws cloudfront update-distribution \ --id $DISTRIBUTION_ID \ --distribution-config file://<(jq '.DistributionConfig' temp_disabled_config.json) \ --if-match $ETAG ``` 1. Wait for the distribution to be disabled. ``` aws cloudfront wait distribution-deployed --id $DISTRIBUTION_ID ``` 1. Delete the distribution. ``` # Get the current ETag ETAG=$(aws cloudfront get-distribution-config --id $DISTRIBUTION_ID --query 'ETag' --output text) # Delete the distribution aws cloudfront delete-distribution --id $DISTRIBUTION_ID --if-match $ETAG ``` **To delete an S3 bucket (Amazon CLI)** + Delete the S3 bucket and its contents. Replace the example bucket name with your own. ``` # Delete the bucket contents aws s3 rm s3://amzn-s3-demo-bucket --recursive # Delete the bucket aws s3 rb s3://amzn-s3-demo-bucket ``` To clean up the local files created for this tutorial, run the following commands: ``` # Clean up local files rm -f distribution-config.json bucket-policy.json temp_disabled_config.json rm -rf ~/cloudfront-demo ``` Optionally, you can delete the OAC that you created for this tutorial. ``` # Get the OAC ETag OAC_ETAG=$(aws cloudfront get-origin-access-control --id $OAC_ID --query 'ETag' --output text) # Delete the OAC aws cloudfront delete-origin-access-control --id $OAC_ID --if-match $OAC_ETAG ``` # Get started with a secure static website You can get started with Amazon CloudFront by using the solution described in this topic to create a secure static website for your domain name. A *static website* uses only static files—like HTML, CSS, JavaScript, images, and videos—and doesn’t need servers or server-side processing. With this solution, your website gets the following benefits: + **Uses the durable storage of [Amazon Simple Storage Service (Amazon S3)](https://docs.amazonaws.cn/AmazonS3/latest/dev/Welcome.html)** – This solution creates an Amazon S3 bucket to host your static website’s content. To update your website, just upload your new files to the S3 bucket. + **Is sped up by the Amazon CloudFront content delivery network** – This solution creates a CloudFront distribution to serve your website to viewers with low latency. The distribution is configured with [origin access control](private-content-restricting-access-to-s3.md) (OAC) to make sure that the website is accessible only through CloudFront, not directly from S3. + **Is secured by HTTPS and security headers** – This solution creates an SSL/TLS certificate in [Amazon Certificate Manager (ACM)](https://docs.amazonaws.cn/acm/latest/userguide/acm-overview.html), and attaches it to the CloudFront distribution. This certificate enables the distribution to serve your domain’s website securely with HTTPS. + **Is configured and deployed with [Amazon CloudFormation](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html)** – This solution uses an Amazon CloudFormation template to set up all the components, so you can focus more on your website’s content and less on configuring components. This solution is open source on GitHub. To view the code, submit a pull request, or open an issue, go to [https://github.com/aws-samples/amazon-cloudfront-secure-static-site](https://github.com/aws-samples/amazon-cloudfront-secure-static-site). **Topics** + [ ## Solution overview ](#cloudformation-website-overview) + [ ## Deploy the solution ](#deploy-secure-static-website-cloudformation) ## Solution overview The following diagram shows an overview of how this static website solution works: ![\[Overview diagram of a secure static website with CloudFront\]](http://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/images/cloudfront-secure-static-website-overview-github.png) 1. The viewer requests the website at www.example.com. 1. If the requested object is cached, CloudFront returns the object from its cache to the viewer. 1. If the object is not in the CloudFront cache, CloudFront requests the object from the origin (an S3 bucket). 1. S3 returns the object to CloudFront. 1. CloudFront caches the object. 1. The objects is returned to the viewer. Subsequent requests for the object that come to the same CloudFront edge location are served from the CloudFront cache. ## Deploy the solution To deploy this secure static website solution, you can choose from either of the following options: + Use the Amazon CloudFormation console to deploy the solution with default content, then upload your website content to Amazon S3. + Clone the solution to your computer to add your website content. Then, deploy the solution with the Amazon Command Line Interface (Amazon CLI). **Note** You must use the US East (N. Virginia) Region to deploy the CloudFormation template. **Topics** + [ ### Prerequisites ](#deploy-website-cloudformation-prerequisites) + [ ### Use the Amazon CloudFormation console ](#deploy-website-cloudformation-console) + [ ### Clone the solution locally ](#deploy-website-cloudformation-clone) + [ ### Finding access logs ](#deploy-website-cloudformation-logs) ### Prerequisites To use this solution, you must have the following prerequisites: + A registered domain name, such as example.com, that’s pointed to an Amazon Route 53 hosted zone. The hosted zone must be in the same Amazon Web Services account where you deploy this solution. If you don’t have a registered domain name, you can [register one with Route 53](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/registrar.html). If you have a registered domain name but it’s not pointed to a Route 53 hosted zone, [configure Route 53 as your DNS service](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/dns-configuring.html). + Amazon Identity and Access Management (IAM) permissions to launch CloudFormation templates that create IAM roles, and permissions to create all the Amazon resources in the solution. For more information, see [Controlling access with Amazon Identity and Access Management](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-iam-template.html) in the *Amazon CloudFormation User Guide*. You are responsible for the costs incurred while using this solution. For more information about costs, see [the pricing pages for each Amazon Web Services service](http://www.amazonaws.cn/pricing/). ### Use the Amazon CloudFormation console **To deploy using the CloudFormation console** 1. [Launch this solution in the Amazon CloudFormation console](https://console.amazonaws.cn/cloudformation/home?region=us-east-1#/stacks/new?stackName=amazon-cloudfront-secure-static-site-templates-main&templateURL=https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-static-site/latest/main.yaml). If necessary, sign in to your Amazon Web Services account. 1. The **Create stack** wizard opens in the CloudFormation console, with prepopulated fields that specify this solution’s CloudFormation template. At the bottom of the page, choose **Next**. 1. On the **Specify stack details** page, enter values for the following fields: + **SubDomain** – Enter the subdomain to use for your website. For example, if the subdomain is *www*, your website is available at *www.example.com.* (Replace example.com with your domain name, as explained in the following bullet.) + **DomainName** – Enter your domain name, such as *example.com*. This domain must be pointed to a Route 53 hosted zone. + **HostedZoneId** – The Route 53 hosted zone ID of your domain name. + **CreateApex** – (Optional) Create an alias to the domain apex (example.com) in your CloudFront configuration. 1. When finished, choose **Next**. 1. (Optional) On the **Configure stack options** page, [add tags and other stack options](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html). 1. When finished, choose **Next**. 1. On the **Review** page, scroll to the bottom of the page, then select the two boxes in the **Capabilities** section. These capabilities allow CloudFormation to create an IAM role that allows access to the stack’s resources, and to name the resources dynamically. 1. Choose **Create stack**. 1. Wait for the stack to finish creating. The stack creates some nested stacks, and can take several minutes to finish. When it’s finished, the **Status** changes to **CREATE\$1COMPLETE**. When the status is **CREATE\$1COMPLETE**, go to https://*www.example.com* to view your website (replace www.example.com with the subdomain and domain name that you specified in step 3). You should see the website’s default content: ![\[This solution’s static website default content. It says: “I am a static website!”\]](http://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/images/cloudfront-secure-static-website-content.png) **To replace the website’s default content with your own** 1. Open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/). 1. Choose the bucket whose name begins with **amazon-cloudfront-secure-static-site-s3bucketroot-**. **Note** Make sure to choose the bucket with **s3bucketroot** in its name, not **s3bucketlogs**. The bucket with **s3bucketroot** in its name contains the website content. The one with **s3bucketlogs** contains only log files. 1. Delete the website’s default content, then upload your own. **Note** If you viewed your website with this solution’s default content, then it’s likely that some of the default content is cached in a CloudFront edge location. To make sure that viewers see your updated website content, *invalidate* the files to remove the cached copies from CloudFront edge locations. For more information, see [Invalidate files to remove content](Invalidation.md). ### Clone the solution locally **Prerequisites** To add your website content before deploying this solution, you must package the solution’s artifacts locally, which requires Node.js and npm. For more information, see [https://www.npmjs.com/get-npm](https://www.npmjs.com/get-npm). **To add your website content and deploy the solution** 1. Clone or download the solution from [https://github.com/aws-samples/amazon-cloudfront-secure-static-site](https://github.com/aws-samples/amazon-cloudfront-secure-static-site). After you clone or download it, open a command prompt or terminal and navigate to the `amazon-cloudfront-secure-static-site` folder. 1. Run the following command to install and package the solution’s artifacts: ``` make package-static ``` 1. Copy your website’s content into the `www` folder, overwriting the default website content. 1. Run the following Amazon CLI command to create an Amazon S3 bucket to store the solution’s artifacts. Replace *amzn-s3-demo-bucket-for-artifacts* with your own bucket name. ``` aws s3 mb s3://amzn-s3-demo-bucket-for-artifacts --region us-east-1 ``` 1. Run the following Amazon CLI command to package the solution’s artifacts as a CloudFormation template. Replace *amzn-s3-demo-bucket-for-artifacts* with the name of the bucket that you created in the previous step. ``` aws cloudformation package \ --region us-east-1 \ --template-file templates/main.yaml \ --s3-bucket amzn-s3-demo-bucket-for-artifacts \ --output-template-file packaged.template ``` 1. Run the following command to deploy the solution with CloudFormation, replacing the following values: + *your-CloudFormation-stack-name* – Replace with a name for the CloudFormation stack. + *example.com* – Replace with your domain name. This domain must be pointed to a Route 53 hosted zone in the same Amazon Web Services account. + *www* – Replace with the subdomain to use for your website. For example, if the subdomain is *www*, your website is available at www.example.com. + *hosted-zone-ID* – Replace with the Route 53 hosted zone ID of your domain name. ``` aws cloudformation deploy \ --region us-east-1 \ --stack-name your-CloudFormation-stack-name \ --template-file packaged.template \ --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \ --parameter-overrides DomainName=example.com SubDomain=www HostedZoneId=hosted-zone-ID ``` 1. (Optional) To deploy the stack with a domain apex, run the following command instead. ``` aws --region us-east-1 cloudformation deploy \ --stack-name your-CloudFormation-stack-name \ --template-file packaged.template \ --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \ --parameter-overrides DomainName=example.com SubDomain=www HostedZoneId=hosted-zone-ID CreateApex=yes ``` 1. Wait for the CloudFormation stack to finish creating. The stack creates some nested stacks, and can take several minutes to finish. When it’s finished, the **Status** changes to **CREATE\$1COMPLETE**. When the status changes to **CREATE\$1COMPLETE**, go to https://www.example.com to view your website (replace www.example.com with the subdomain and domain name that you specified in the previous step). You should see your website’s content. ### Finding access logs This solution enables [access logs](AccessLogs.md) for the CloudFront distribution. Complete the following steps to locate the distribution’s access logs. **To locate the distribution’s access logs** 1. Open the Amazon S3 console at [https://console.amazonaws.cn/s3/](https://console.amazonaws.cn/s3/). 1. Choose the bucket whose name begins with **amazon-cloudfront-secure-static-site-s3bucketlogs-**. **Note** Make sure to choose the bucket with **s3bucketlogs** in its name, not **s3bucketroot**. The bucket with **s3bucketlogs** in its name contains log files. The one with **s3bucketroot** contains the website content. 1. The folder named **cdn** contains the CloudFront access logs.