A company (let's call them "ExampleCorp") hosts their website on a main server, known as the "origin." This could be an AWS S3 bucket, an EC2 instance, or even a non-AWS server.
Enable logging in the distribution under Logs and choose an S3 bucket as the destination. Log delivery is delayed (1–2 hours).
| Symptom | Likely cause | Fix |
|---------|--------------|-----|
| 403 Access Denied | S3 bucket private, no OAC | Add OAC policy to bucket |
| Old content served | TTL too long / no invalidation | Reduce TTL or invalidate |
| 504 Gateway Timeout | Origin too slow | Increase timeout, optimize origin |
| Cross-origin errors (CORS) | Missing CORS headers | Configure CORS on origin + CloudFront behavior |
| HTTPS not working | ACM cert in wrong region | Create cert in us-east-1 |
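
For the 403 row, an added example (not from the original page): a Python sketch that builds the OAC bucket policy scoped to one distribution and audits an existing policy for the usual mistakes. The bucket name and account ID are constructed; `E123EXAMPLE` is the distribution ID from this page's invalidation command.

```python
import json

CF = "cloudfront.amazonaws.com"

def oac_bucket_policy(bucket, account_id, distribution_id):
    """Read-only bucket policy scoped to a single CloudFront distribution (OAC)."""
    arn = f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": CF},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": arn}},
    }]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, expected_arn):
    """Return findings; an empty list means the policy matches the OAC pattern."""
    findings, oac_ok = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: bucket is readable by anyone, bypassing CloudFront")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if CF not in services:
            continue
        # IAM condition keys are case-insensitive; collect every SourceArn value.
        arns = [v for op in ("StringEquals", "ArnEquals")
                for k, vals in stmt.get("Condition", {}).get(op, {}).items()
                if k.lower() == "aws:sourcearn" for v in _as_list(vals)]
        if not arns:
            findings.append(f"{sid}: no AWS:SourceArn condition, not limited to one distribution")
        elif arns != [expected_arn]:
            findings.append(f"{sid}: SourceArn does not match this distribution: {arns}")
        else:
            oac_ok = True
    if not oac_ok and not findings:
        findings.append("no OAC statement found: CloudFront will get 403 Access Denied")
    return findings

if __name__ == "__main__":
    # Constructed sample values; E123EXAMPLE is the distribution ID used on this page.
    policy = oac_bucket_policy("examplecorp-site", "111122223333", "E123EXAMPLE")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, policy["Statement"][0]["Condition"]["StringEquals"]["AWS:SourceArn"]))
```
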
When a user in London requests the file https://d111111abcdef8.cloudfront.net/logo.png:
All subsequent requests for logo.png from users near London will be served directly from the edge cache, bypassing the origin entirely.
After you update files on the origin, CloudFront keeps serving the old cached copies until their TTL expires.
To purge them immediately:
```bash
aws cloudfront create-invalidation \
  --distribution-id E123EXAMPLE \
  --paths "/index.html" "/images/*"
```
⚠️ The first 1000 invalidation paths per month are free; paths beyond that are charged.
Best practice: Always use a custom domain (e.g., cdn.yourdomain.com) with CloudFront. This gives you the performance benefits without exposing the cloudfront.net suffix—and it protects you if AWS ever changes their domain naming scheme.