{"id":9510,"library":"aws-cdk-aws-cloudfront","title":"AWS CDK CloudFront Construct Library","description":"The `aws-cdk-aws-cloudfront` package provides CDK constructs for defining AWS CloudFront distributions and related resources using Python. It's part of the AWS Cloud Development Kit (CDK) v1 ecosystem, enabling infrastructure-as-code for CloudFront. AWS CDK is actively maintained by Amazon Web Services, with frequent minor releases and security updates, often on a weekly or bi-weekly cadence. The current version covered here is 1.204.0.","status":"active","version":"1.204.0","language":"en","source_language":"en","source_url":"https://github.com/aws/aws-cdk.git","tags":["aws","cdk","cloudfront","iac","infrastructure-as-code","cloud"],"install":[{"cmd":"pip install aws-cdk.core aws-cdk.aws-s3 aws-cdk.aws-cloudfront aws-cdk.aws-cloudfront-origins","lang":"bash","label":"Install core CDK and CloudFront constructs"}],"dependencies":[{"reason":"The foundational CDK library required for all constructs.","package":"aws-cdk.core","optional":false},{"reason":"Commonly used for S3 bucket origins for CloudFront distributions.","package":"aws-cdk.aws-s3","optional":false},{"reason":"Provides helper constructs for common origin types (e.g., S3Origin, HttpOrigin).","package":"aws-cdk.aws-cloudfront-origins","optional":false}],"imports":[{"symbol":"core","correct":"from aws_cdk import core as cdk"},{"symbol":"aws_s3","correct":"from aws_cdk import aws_s3 as s3"},{"note":"Commonly imported as 'cloudfront' for brevity and consistency.","wrong":"import aws_cdk.aws_cloudfront","symbol":"aws_cloudfront","correct":"from aws_cdk import aws_cloudfront as cloudfront"},{"note":"The origins library is a separate package from the core cloudfront constructs.","wrong":"from aws_cdk.aws_cloudfront import origins","symbol":"aws_cloudfront_origins","correct":"from aws_cdk import aws_cloudfront_origins as origins"},{"symbol":"Distribution","correct":"from aws_cdk.aws_cloudfront import Distribution"},{"symbol":"OriginAccessIdentity","correct":"from aws_cdk.aws_cloudfront import OriginAccessIdentity"}],"quickstart":{"code":"import os\nfrom aws_cdk import (\n    core as cdk,\n    aws_s3 as s3,\n    aws_cloudfront as cloudfront,\n    aws_cloudfront_origins as origins,\n)\n\nclass CloudFrontDistroStack(cdk.Stack):\n    def __init__(self, scope: cdk.App, construct_id: str, **kwargs) -> None:\n        super().__init__(scope, construct_id, **kwargs)\n\n        # Create an S3 bucket to serve as the origin for CloudFront\n        bucket = s3.Bucket(\n            self, \"WebsiteBucket\",\n            versioned=False,\n            removal_policy=cdk.RemovalPolicy.DESTROY,\n            auto_delete_objects=True # Be cautious with auto_delete_objects in production\n        )\n\n        # Create an Origin Access Identity (OAI) for CloudFront to securely access S3\n        # In AWS CDK v2, Origin Access Control (OAC) is the recommended alternative.\n        oai = cloudfront.OriginAccessIdentity(\n            self, \"OAI\",\n            comment=\"Allows CloudFront to access S3 bucket\"\n        )\n        # Grant the OAI read permissions to the S3 bucket\n        bucket.grant_read(oai)\n\n        # Create a CloudFront Distribution\n        cloudfront.Distribution(\n            self, \"MyDistribution\",\n            default_behavior=cloudfront.BehaviorOptions(\n                origin=origins.S3Origin(bucket, origin_access_identity=oai),\n                viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS\n            ),\n            default_root_object=\"index.html\" # Assumes an index.html file in your S3 bucket\n        )\n\napp = cdk.App()\nCloudFrontDistroStack(app, \"MyCloudFrontDistroStack\",\n                      env=cdk.Environment(\n                          account=os.environ.get('CDK_DEFAULT_ACCOUNT'),\n                          region=os.environ.get('CDK_DEFAULT_REGION')\n                      )\n)\napp.synth()","lang":"python","description":"This quickstart demonstrates how to create a basic AWS CloudFront distribution in CDK v1. It configures an S3 bucket as the origin and uses an Origin Access Identity (OAI) for secure access. The distribution is set to redirect HTTP requests to HTTPS and specifies `index.html` as the default root object. Remember to configure your AWS credentials and `CDK_DEFAULT_ACCOUNT`/`CDK_DEFAULT_REGION` environment variables."},"warnings":[{"fix":"Refer to the official AWS CDK v2 migration guide. This package is for CDK v1; for v2, use `aws-cdk-lib` and its submodules (e.g., `aws_cdk_lib.aws_cloudfront`).","message":"Migration from AWS CDK v1 to v2 involves significant breaking changes. Package names often change (e.g., `aws_cdk.aws_cloudfront` might become `aws_cdk.aws_cloudfront_alpha` or `aws_cdk.aws_cloudfront` in v2, depending on stability). Construct patterns and parameter names also differ. Projects built with v1 are not directly compatible with v2.","severity":"breaking","affected_versions":"All v1.x versions when migrating to v2.x"},{"fix":"For CDK v1, continue using `cloudfront.OriginAccessIdentity`. For CDK v2, prioritize `aws_cloudfront.CfnOriginAccessControl` or higher-level constructs that integrate OAC.","message":"CDK v1 primarily uses Origin Access Identity (OAI) for secure CloudFront access to S3. AWS now recommends Origin Access Control (OAC) as a more secure and flexible alternative, which is the standard in CDK v2. While OAI works for v1, be aware of this shift for future migrations or greenfield v2 projects.","severity":"gotcha","affected_versions":"All v1.x versions"},{"fix":"Carefully review the default and custom Cache/Origin Request Policies. Test your CloudFront distribution thoroughly for desired caching behavior and ensure all necessary request attributes (headers, cookies, query strings) are forwarded to the origin when required, but not cached unnecessarily.","message":"Incorrect configuration of CloudFront Cache Policies and Origin Request Policies can lead to unexpected caching behavior, missing headers/cookies/query strings at the origin, or security vulnerabilities (e.g., caching sensitive data).","severity":"gotcha","affected_versions":"All v1.x versions"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Ensure the package is installed using pip: `pip install aws-cdk.aws-cloudfront`. Also check that you are using the correct `from aws_cdk import aws_cloudfront as cloudfront` import pattern.","cause":"The Python package `aws-cdk.aws-cloudfront` is not installed in your environment, or the import path is incorrect.","error":"ModuleNotFoundError: No module named 'aws_cdk.aws_cloudfront'"},{"fix":"Use the standard import pattern: `from aws_cdk import aws_cloudfront as cloudfront` and then `cloudfront.Distribution(...)`. Alternatively, `from aws_cdk.aws_cloudfront import Distribution` and use `Distribution(...)` directly.","cause":"This usually means you imported the module incorrectly, or the symbol 'Distribution' is not directly accessible from the imported object. For example, `import aws_cdk.aws_cloudfront` does not expose `Distribution` directly as `aws_cdk.aws_cloudfront.Distribution` without aliasing.","error":"AttributeError: 'module' object has no attribute 'Distribution'"},{"fix":"Ensure you have called `bucket.grant_read(oai)` on your S3 bucket object, and verify that the bucket policy explicitly allows `s3:GetObject` actions for the OAI's ARN.","cause":"The CloudFront Origin Access Identity (OAI) does not have sufficient permissions to read objects from your S3 bucket, or the S3 bucket policy is incorrectly configured.","error":"Access Denied errors when CloudFront tries to access an S3 bucket."}]}