CloudFront is designed to be inherently resilient to DDoS attacks and can serve as an additional barrier of defense from attacks on the infrastructure that serves your web content. CloudFront also has a built-in capability that lets you simplify the process of encrypting your data in transit with SSL/TLS. Along with AWS Certificate Manager (ACM), CloudFront gives us the capability of creating a free SSL certificate for our domain and attaching it to the CloudFront distribution. This free certificate can also be automatically renewed and re-applied, so we never have to worry about our SSL certificates expiring again.

CloudFront also offers the ability to restrict content to our data. There are several ways that access can be controlled with CloudFront:

• Restrict access to your application content with signed URLs or cookies
• Restrict access to content based on geolocation
• Restrict access to S3 buckets using Origin Access Identity (OAI)