
CloudFront multi-tenant distribution reference

With a multi-tenant distribution, you can have CloudFront configure most distribution settings for you, based on your content origin type. For more information about multi-tenant distributions, see Understand how multi-tenant distributions work.

The following sections describe the default preconfiguration settings for multi-tenant distributions, and the settings that you can customize.

Amazon S3 origin

Following are the origin settings that CloudFront preconfigures for your Amazon S3 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control (console only) – CloudFront sets this up for you. For multi-tenant distributions with no parameters used in the origin domain, CloudFront attempts to add the S3 bucket policy.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

Following are the cache settings that CloudFront preconfigures for your Amazon S3 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD

  • Restrict viewer access – No

  • Cache policy – CachingOptimized

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Amazon S3 origin in a multi-tenant distribution.

Customizable settings
  • S3 access – CloudFront sets this for you, based on your S3 bucket settings:

    • If your bucket is public – No Origin Access Control (OAC) policy is needed.

    • If your bucket is private – You can choose or create an OAC policy to use.

  • Enable Origin Shield – No

  • Compress objects automatically – Yes

    • If you choose Yes, then the CachingOptimized caching policy is used.

    • If you choose No, then the CachingOptimizedForUncompressedObjects caching policy is used.

API Gateway origin

Following are the origin settings that CloudFront preconfigures for your API Gateway origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Origin Access Control (console only) – CloudFront sets this up for you

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your API Gateway origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – CachingDisabled (Possible values: UseOriginCacheControlHeaders, UseOriginCacheControlHeaders-QueryStrings)

  • Origin request policy – AllViewerExceptHostHeader (Possible values: AllViewer, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your API Gateway origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

Custom origin and EC2 instance

Following are the origin settings that CloudFront preconfigures for your custom origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – Match viewer

  • HTTP port – 80

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your custom origin and EC2 instance in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – UseOriginCacheControlHeaders (Possible values: UseOriginCacheControlHeaders-QueryStrings, CachingDisabled, CacheOptimized, CachingOptimizedForUncompressedObjects)

  • Origin request policy – AllViewer (Possible values: AllViewerExceptHostHeader, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your custom origin and EC2 instance in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

Elastic Load Balancing origin

Following are the origin settings that CloudFront preconfigures for your Elastic Load Balancing origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your Elastic Load Balancing origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

  • Origin request policy – All Viewer (Possible values: AllViewerExceptHostHeader, AllViewerandCloudFrontHeaders-2022-06)

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Elastic Load Balancing origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

Lambda function URL origin

Following are the origin settings that CloudFront preconfigures for your Lambda function URL origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control – CloudFront sets this up for you and adds the policy

  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your Lambda function URL origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – CachingDisabled (Possible values: UseOriginCacheControlHeaders, UseOriginCacheControlHeaders-QueryStrings)

  • Origin request policy – AllViewerExceptHostHeader

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

Following are the settings that you can customize for your Lambda function URL origin in a multi-tenant distribution.

Customizable settings
  • Enable Origin Shield – (Default: No)

  • Compress objects automatically – (Default: Yes)

  • Caching – (Default: Cache by Default)

    • If Cache by Default is selected, the UseOriginCacheControlHeaders cache policy is used.

    • If Do Not Cache by Default is selected, the CachingDisabled cache policy is used.

  • Include query string in cache – (Default: Yes, if Cache by Default is already selected)

    • If Do Not Cache by Default is already selected and you then choose to include the query string in the cache, the UseOriginCacheControlHeaders-QueryStrings cache policy is used.

MediaPackage v1 origin

Following are the origin settings that CloudFront preconfigures for your MediaPackage v1 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – You provide this by entering your MediaPackage URL.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaPackage v1 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – Elemental-MediaPackage

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

MediaPackage v2 origin

Following are the origin settings that CloudFront preconfigures for your MediaPackage v2 origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Origin Access Control – CloudFront sets this up for you and adds the policy

  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – None

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaPackage v2 origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – Elemental-MediaPackage

  • Origin request policy – None

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No

MediaTailor origin

Following are the origin settings that CloudFront preconfigures for your MediaTailor origin in a multi-tenant distribution.

Origin settings (preconfigured)
  • Protocol – HTTPS only

  • HTTPS port – 443

  • Minimum origin SSL protocol – TLSv1.2

  • Origin path – You provide this by entering your MediaPackage URL.

  • Add custom header – None

  • Enable Origin Shield – No

  • Connection attempts – 3

  • Response timeout – 30

  • Keep-alive timeout – 5

Following are the cache settings that CloudFront preconfigures for your MediaTailor origin in a multi-tenant distribution.

Cache settings (preconfigured)
  • Compress objects automatically – Yes

  • Viewer protocol policy – Redirect to HTTPS

  • Allowed HTTP method – GET, HEAD

  • Cache HTTP methods – No

  • Allow gRPC requests over HTTP/2 – No

  • Restrict viewer access – No

  • Cache policy – None

  • Origin request policy – Elemental-MediaTailor-PersonalizedManifests

  • Response header policy – None

  • Smooth Streaming – No

  • Field level encryption – No

  • Enable real-time logs – No

  • Functions – No