Amazon CloudFront — CDN & Edge Delivery

By Pritesh Yadav

Amazon CloudFront is AWS's content delivery network (CDN): it caches copies of your content at hundreds of edge locations close to users, so requests travel a short distance instead of all the way back to your origin server. This cuts latency for global visitors and offloads traffic from your origin (an S3 bucket, an Application Load Balancer, or any custom web server). For the CLF-C02 exam the danger is mixing CloudFront up with look-alike services — S3 Transfer Acceleration, Global Accelerator, Route 53, and ELB — and misunderstanding caching, TTL, signed URLs, and how it pairs with WAF and Shield.

Most confused here: CloudFront = cache content at the edge to serve users faster; S3 Transfer Acceleration = speed up uploads TO a bucket; Global Accelerator = anycast IP routing for non-cacheable/TCP-UDP traffic; Route 53 = DNS; ELB = spread traffic across servers in one region. Also: edge location ≠ Region, TTL controls cache freshness, and signed URLs/cookies restrict access.

Q1 A media company serves the same set of product images and videos to users across North America, Europe, and Asia from a single S3 bucket in us-east-1. Asian users complain pages load slowly. Which service most directly fixes this by serving cached copies closer to users?

  A. Amazon Route 53 latency-based routing
  B. Amazon CloudFront
  C. S3 Transfer Acceleration
  D. Elastic Load Balancing
Answer: B
Why B is correct: CloudFront is a CDN. It stores cached copies of the images and videos at edge locations around the world, so an Asian user is served from a nearby edge instead of reaching across the planet to us-east-1. That is exactly the "same content, global audience, reduce latency" use case.
Why the other options are wrong:
  • A — Route 53 is DNS; latency-based routing only points a user to the nearest endpoint you actually have. With one bucket in one Region there is no closer endpoint, so it cannot help here.
  • C — Transfer Acceleration speeds up uploads INTO a bucket over long distances; it does not cache or accelerate downloads to global viewers.
  • D — ELB only distributes traffic across servers within a Region; it does nothing to move content closer to far-away users.
Common trap: Candidates pick Route 53 because it has "latency" in its routing option, but DNS only chooses among endpoints that exist — it never caches content. CloudFront is the one that creates nearby copies.

Q2 A global team uploads very large video files from offices in Australia and Brazil into an S3 bucket located in Ireland, and the uploads are slow. Which AWS feature is purpose-built to speed up these long-distance uploads?

  A. S3 Transfer Acceleration
  B. Amazon CloudFront
  C. AWS Global Accelerator
  D. Amazon Route 53
Answer: A
Why A is correct: S3 Transfer Acceleration routes uploads through the nearest CloudFront edge location and then over Amazon's fast internal network to the bucket. It is specifically designed to speed up transfers of data INTO (or out of) a single S3 bucket over long distances.
Why the other options are wrong:
  • B — CloudFront caches content for delivery to viewers (downloads). It is not the tool you enable to accelerate the act of uploading source files into a bucket.
  • C — Global Accelerator improves routing for application traffic via anycast IPs (TCP/UDP), typically to ALBs/NLBs/EC2 — not for accelerating S3 bucket uploads.
  • D — Route 53 is DNS; it resolves names to addresses and does nothing to make file transfers faster.
Common trap: Because Transfer Acceleration uses CloudFront edge locations under the hood, people answer "CloudFront." But the named feature for fast S3 uploads is S3 Transfer Acceleration, not CloudFront itself.

Q3 A real-time multiplayer game uses non-cacheable TCP and UDP traffic and needs consistent, low-latency routing to backend servers, plus static anycast IP addresses. The content cannot be cached. Which service fits best?

  A. Amazon CloudFront
  B. S3 Transfer Acceleration
  C. AWS Global Accelerator
  D. Amazon Route 53
Answer: C
Why C is correct: AWS Global Accelerator gives you static anycast IP addresses and routes user traffic over the AWS global network to the optimal endpoint. It works for TCP and UDP traffic that cannot be cached — exactly what a real-time game needs.
Why the other options are wrong:
  • A — CloudFront is a caching CDN optimized for cacheable web/HTTP content. Real-time, non-cacheable game traffic is not a caching workload.
  • B — Transfer Acceleration only speeds up transfers to/from an S3 bucket; it is not a general traffic-routing service for game servers.
  • D — Route 53 is DNS-based and resolves at name-lookup time; it does not provide static anycast IPs or continuous optimized packet routing.
Common trap: CloudFront and Global Accelerator both "use the AWS global network for speed." The split: cacheable HTTP content → CloudFront; non-cacheable TCP/UDP needing static IPs → Global Accelerator.

Q4 A developer wants only paying subscribers to be able to download premium PDF files served through CloudFront, and the link should expire after a set time. Which CloudFront feature provides this?

  A. Origin Access Control on the S3 bucket
  B. Signed URLs (or signed cookies)
  C. A higher cache TTL on the distribution
  D. AWS WAF rate-based rules
Answer: B
Why B is correct: CloudFront signed URLs and signed cookies grant time-limited, controlled access to specific content. You generate a signed link, hand it only to authorized users, and it stops working after the expiry time you set, which is exactly how you gate premium downloads.
Why the other options are wrong:
  • A — Origin Access Control locks the S3 bucket so it is reachable only through CloudFront (not directly). It protects the origin but does not decide which end users may download a file.
  • C — TTL controls how long content stays cached before checking the origin; it has nothing to do with who is allowed to access it.
  • D — WAF rate-based rules block abusive request floods; they do not provide per-user, time-limited access to a specific file.
Common trap: Origin Access Control and signed URLs both sound like "security." OAC restricts the path between CloudFront and the origin; signed URLs/cookies restrict which viewers can fetch the content.

Q5 A team updates a CSS file in their S3 origin, but users keep receiving the old version through CloudFront for hours. Which setting most directly controls how long CloudFront keeps serving the cached copy before it checks the origin again?

  A. The Time to Live (TTL) for the cache behavior
  B. The number of edge locations in the distribution
  C. The Route 53 record's DNS TTL
  D. The S3 bucket's storage class
Answer: A
Why A is correct: The cache TTL tells CloudFront how long an object may be served from the edge cache before it is treated as stale and re-fetched/validated from the origin. A long TTL means users keep getting the old file until that time passes (or you invalidate the cache).
Why the other options are wrong:
  • B — You do not choose how many edge locations exist; CloudFront uses its global edge network automatically. Edge count is unrelated to cache freshness.
  • C — The DNS TTL in Route 53 controls how long a name-to-address mapping is cached, not how long CloudFront caches your CSS file.
  • D — S3 storage class (Standard, Glacier, etc.) affects cost/retrieval of stored objects, not CloudFront's caching duration.
Common trap: There are two different "TTLs." CloudFront cache TTL controls content freshness at the edge; Route 53 DNS TTL controls how long a DNS answer is cached. The exam loves to swap them.

Q6 Which statement best describes the relationship between CloudFront edge locations and AWS Regions?

  A. Edge locations are the same thing as Availability Zones inside a Region
  B. Each Region contains exactly one edge location
  C. Edge locations replace the need for an origin entirely
  D. Edge locations are separate, far more numerous sites used to cache and deliver content closer to users than Regions are
Answer: D
Why D is correct: Edge locations are a separate, much larger network of sites (in many more cities than there are Regions) whose job is to cache and deliver content near end users. They sit closer to people than Regions/AZs, which is what makes a CDN fast.
Why the other options are wrong:
  • A — Availability Zones are isolated data centers inside a Region for high availability; edge locations are a different concept focused on content delivery.
  • B — There is no one-edge-per-Region rule; edge locations vastly outnumber Regions and exist in many cities.
  • C — Edge locations cache content but still need an origin (S3, ALB, custom server) to fetch the original/uncached content from.
Common trap: Mixing up edge locations with Availability Zones. AZs = isolation/high availability within a Region; edge locations = proximity/caching for delivery.

Q7 A company wants to add a managed firewall that inspects incoming HTTP/HTTPS requests for SQL injection and cross-site scripting at the CloudFront edge, before traffic reaches the application. Which service should they attach to the CloudFront distribution?

  A. AWS Shield Standard
  B. AWS WAF (Web Application Firewall)
  C. Amazon GuardDuty
  D. AWS Config
Answer: B
Why B is correct: AWS WAF is a web application firewall that filters HTTP/HTTPS requests using rules for things like SQL injection and cross-site scripting. It integrates directly with CloudFront so malicious requests are blocked at the edge before reaching the origin.
Why the other options are wrong:
  • A — Shield defends against DDoS (volumetric/flooding) attacks. Shield Standard is automatic, but it does not inspect request content for SQL injection or XSS — that is WAF's job.
  • C — GuardDuty is a threat-detection service that analyzes logs/activity for suspicious behavior; it does not sit inline filtering web requests.
  • D — AWS Config tracks and audits resource configuration changes; it is a compliance/inventory tool, not a request firewall.
Common trap: Confusing WAF with Shield. Application-layer request filtering (SQLi/XSS rules) = WAF; DDoS protection = Shield. Both can pair with CloudFront, but they do different jobs.

Q8 When you create a CloudFront distribution, you must point it at one or more "origins." Which of the following is a valid CloudFront origin?

  A. An Amazon Route 53 hosted zone
  B. An Amazon VPC security group
  C. An Amazon S3 bucket, an Application Load Balancer, or a custom HTTP server
  D. An IAM role
Answer: C
Why C is correct: A CloudFront origin is the source of the original content. Common valid origins are an S3 bucket (for static files), an Application Load Balancer in front of your app, or any custom web/HTTP server (on-premises or in AWS). CloudFront fetches from the origin on a cache miss and caches the result.
Why the other options are wrong:
  • A — Route 53 is a DNS service; a hosted zone holds DNS records, it does not serve content, so it cannot be an origin.
  • B — A security group is a virtual firewall controlling network access; it is not a content source.
  • D — An IAM role grants permissions; it serves no content and cannot be an origin.
Common trap: Thinking Route 53 is an origin because it is "in front of" your site. DNS only resolves the name; CloudFront still needs a real content source like S3, an ALB, or a custom server.

Q9 A web app has static assets (images, JS, CSS) that rarely change and dynamic API responses personalized per user. How can CloudFront help with BOTH types of content?

  A. CloudFront can only serve static content, so dynamic requests must bypass it entirely
  B. CloudFront caches static content at the edge and can also accelerate dynamic content by routing it over the AWS network with little or no caching
  C. CloudFront caches everything for the same fixed duration regardless of content type
  D. CloudFront converts dynamic content into static content automatically
Answer: B
Why B is correct: CloudFront caches cacheable static assets at the edge for big latency wins, and for dynamic, per-user responses it can still help by routing those requests over the optimized AWS backbone to the origin with short or zero TTL. You can configure different cache behaviors for different paths.
Why the other options are wrong:
  • A — CloudFront is not static-only; it handles dynamic content too, just with little or no caching, so dynamic traffic does not need to bypass it.
  • C — You can set different TTLs and cache behaviors per path/pattern; it is not one fixed duration for everything.
  • D — CloudFront does not transform dynamic content into static content; it just delivers it efficiently.
Common trap: Believing a CDN is for static files only. CloudFront accelerates dynamic content too — the difference is dynamic paths use short/zero TTL while static paths cache aggressively.

Q10 A startup hosts a static website in an S3 bucket and wants to (1) reduce global latency and (2) stop users from reaching the bucket directly, forcing all traffic through CloudFront. Which combination addresses both goals?

  A. Enable S3 Transfer Acceleration and make the bucket public
  B. Use Route 53 failover routing to the bucket
  C. Move the bucket to a different Region closer to most users
  D. Put CloudFront in front of the bucket and restrict the bucket so it is accessible only via CloudFront
Answer: D
Why D is correct: CloudFront in front of the bucket caches content at edge locations to cut global latency, and restricting the bucket so only CloudFront can read it (via Origin Access Control) forces all viewer traffic through the distribution. That satisfies both the speed and the "no direct bucket access" requirements.
Why the other options are wrong:
  • A — Transfer Acceleration speeds uploads, not global downloads, and making the bucket public does the opposite of blocking direct access.
  • B — Route 53 failover routing is for availability/DNS, not caching or restricting direct bucket access.
  • C — Moving the bucket to one Region helps users near that Region but not a truly global audience, and it still does not block direct access.
Common trap: Picking a single-Region move for "global" users. One bucket helps one area; a CDN serves the whole world. The "lock the bucket to CloudFront only" half is what Origin Access Control provides.
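The "lock the bucket to CloudFront only" half of Q10 (and the OAC distinction in Q4) in concrete form. This is an added example, not code from the article: the public-read policy is the weak setting, the second policy is the documented Origin Access Control shape, and the bucket name, account id and distribution id are constructed placeholders. The audit() function is a defender's check that flags a bucket policy which still lets viewers bypass CloudFront.

```python
"""S3 bucket policy for a CloudFront origin: public (weak) vs locked to one distribution via OAC.

Added example, not part of the original article. Bucket name, account id and
distribution id below are placeholders. audit() reports Allow statements that grant
object reads without pinning them to the CloudFront service principal and SourceArn.
"""
import json

BUCKET = "example-static-site"  # placeholder bucket name
DISTRIBUTION_ARN = "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"  # placeholder

# Weak: anyone can fetch objects straight from S3, skipping CloudFront and therefore
# skipping edge caching, signed URLs and any WAF rules attached to the distribution.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Corrected: only the CloudFront service principal may read, and only on behalf of this
# one distribution (the AWS:SourceArn condition), which is what OAC requires.
OAC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DISTRIBUTION_ARN}},
    }],
}


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and similar fields."""
    return value if isinstance(value, list) else [value]


def audit(policy: dict) -> list:
    """Return findings for Allow statements on object reads that are not pinned to CloudFront."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: object reads are public, bucket is reachable without CloudFront")
        elif isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com":
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not str(cond.get("AWS:SourceArn", "")).startswith("arn:aws:cloudfront::"):
                findings.append(f"{sid}: CloudFront principal allowed without AWS:SourceArn, "
                                "so any distribution could use this bucket as an origin")
    return findings


def policy_document(policy: dict) -> str:
    """Serialise a policy for `aws s3api put-bucket-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=2)
```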

Q11 An online store experiences traffic spikes when a sale launches. After putting CloudFront in front of the origin, the origin server's load drops noticeably even though total visitor numbers are unchanged. Why?

  A. Many requests are served from cached copies at edge locations, so fewer requests reach the origin
  B. CloudFront automatically scales the origin servers up
  C. CloudFront blocks repeat visitors to reduce load
  D. CloudFront compresses the database to handle more queries
Answer: A
Why A is correct: When content is cached at the edge, repeated requests for the same objects are answered by CloudFront directly and never travel to the origin. This "origin offload" means the origin handles only cache misses, so its load falls even with the same number of visitors.
Why the other options are wrong:
  • B — CloudFront does not scale your origin servers; that would be Auto Scaling. CloudFront simply serves cached responses without hitting the origin.
  • C — CloudFront does not block repeat visitors; it serves them faster from cache.
  • D — CloudFront does not compress or manage your database; it caches and delivers content.
Common trap: Assuming CloudFront helps only by being "faster." A big benefit is origin offload — caching absorbs repeated requests so the backend does far less work during spikes.

Q12 A company already uses an Application Load Balancer to spread traffic across EC2 instances in one Region. They add CloudFront in front of it. What does CloudFront add that the ALB alone did not provide?

  A. It distributes requests across the EC2 instances
  B. It performs DNS resolution for the domain name
  C. It caches content at global edge locations to reduce latency for distant users
  D. It replaces the need for the ALB
Answer: C
Why C is correct: An ALB balances load among servers within one Region but does nothing about geographic distance. CloudFront adds a global caching layer at the edge, so far-away users get cached content nearby — reducing latency that the ALB by itself cannot address.
Why the other options are wrong:
  • A — Distributing requests across EC2 instances is the ALB's job, not CloudFront's; CloudFront uses the ALB as its origin.
  • B — DNS resolution is Route 53's role, not CloudFront's; CloudFront delivers content, it does not resolve domain names.
  • D — CloudFront does not replace the ALB; they complement each other — CloudFront at the edge, ALB balancing the backend.
Common trap: Treating ELB and CloudFront as interchangeable. ELB = balance traffic across servers in a Region; CloudFront = cache/deliver content globally at the edge. They solve different problems and often work together.

Q13 Which scenario is the WEAKEST fit for using Amazon CloudFront?

  A. Delivering frequently downloaded software installers to users worldwide
  B. Serving a popular static marketing website to a global audience
  C. A purely internal database that is queried only by application servers inside the same Region, with no external content delivery
  D. Streaming video to viewers across many countries
Answer: C
Why C is correct: CloudFront delivers content to viewers over HTTP/HTTPS and shines when the same content is requested by many distributed users. An internal database queried only by app servers in one Region has no global audience and no cacheable web content, so CloudFront adds no value.
Why the other options are wrong:
  • A — Distributing software installers worldwide is a classic CDN use case — cache once, serve many users from the edge.
  • B — A global static website is exactly what CloudFront is built to accelerate.
  • D — Video streaming to many countries benefits strongly from edge caching and CloudFront's media delivery features.
Common trap: Assuming CloudFront speeds up everything. It accelerates content delivery to viewers; it does not accelerate internal database queries — that is a different layer (caching like ElastiCache or read replicas).

Q14 A team needs to push an urgent fix: an outdated file is still being served from CloudFront's cache and they cannot wait for the TTL to expire. What is the appropriate way to force CloudFront to serve the new version immediately?

  A. Delete and recreate the entire distribution
  B. Lower the Route 53 DNS TTL
  C. Switch the origin from S3 to an ALB
  D. Create a cache invalidation for the affected file path(s)
Answer: D
Why D is correct: A CloudFront invalidation removes the specified objects from the edge caches before their TTL expires, forcing CloudFront to fetch fresh copies from the origin on the next request. This is the standard way to push an urgent content update without waiting for cache expiry.
Why the other options are wrong:
  • A — Deleting and recreating the distribution is drastic, slow, and unnecessary; it also changes the distribution domain and breaks links.
  • B — DNS TTL controls how long the domain's address is cached by resolvers; it has nothing to do with the cached file content at the edge.
  • C — Changing the origin type does not clear already-cached objects; the stale copies remain until invalidated or expired.
Common trap: Reaching for DNS TTL to fix stale content. DNS TTL and cache TTL are different; to clear stale edge content you invalidate the cache, not touch DNS.
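The three caching ideas the exam tests together (Q5 cache TTL, Q11 origin offload, Q14 invalidation) in one small model. This is an added example, not code from the article or from AWS: it simulates the TTL rule CloudFront documents for a cache behavior (the origin's Cache-Control max-age clamped between the behavior's minimum and maximum TTL, or the default TTL when the origin sends none), counts edge hits versus origin fetches, and shows an invalidation forcing the updated CSS file through before its TTL expires. The paths, headers and timestamps are constructed.

```python
"""Edge-cache model of a CloudFront cache behavior: TTL selection, origin offload, invalidation.

Added example, not part of the original article. The scenario (a CSS file updated at the
origin while a cached copy is still fresh) and all values are constructed.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class CachedObject:
    body: str
    expires_at: float  # simulated epoch seconds at which the edge copy becomes stale


@dataclass
class EdgeCache:
    min_ttl: float = 0
    default_ttl: float = 86400     # CloudFront's default TTL: 24 hours
    max_ttl: float = 31536000      # CloudFront's default maximum TTL: 1 year
    store: dict = field(default_factory=dict)
    origin_fetches: int = 0        # cache misses that reached the origin
    hits: int = 0                  # requests answered at the edge (origin offload)

    def ttl_for(self, origin_headers: dict) -> float:
        """Apply the CloudFront TTL rule: honour max-age within [min_ttl, max_ttl], else default."""
        for directive in origin_headers.get("Cache-Control", "").split(","):
            name, _, value = directive.strip().partition("=")
            if name == "max-age" and value.isdigit():
                return min(max(float(value), self.min_ttl), self.max_ttl)
        return self.default_ttl

    def get(self, path: str, now: float, origin) -> str:
        """Serve from the edge while fresh; otherwise fetch from the origin and cache the result."""
        cached = self.store.get(path)
        if cached and now < cached.expires_at:
            self.hits += 1
            return cached.body
        body, headers = origin(path)
        self.origin_fetches += 1
        self.store[path] = CachedObject(body, now + self.ttl_for(headers))
        return body

    def invalidate(self, pattern: str) -> int:
        """Evict cached paths matching a CloudFront-style invalidation path such as '/css/*'."""
        victims = [p for p in self.store if fnmatch.fnmatch(p, pattern)]
        for p in victims:
            del self.store[p]
        return len(victims)


def demo() -> dict:
    """Constructed walk-through: deploy a CSS fix, observe the stale copy, invalidate, refetch."""
    versions = {"/css/site.css": "v1"}
    headers = {"/css/site.css": {"Cache-Control": "max-age=7200"}}  # origin asks for 2 hours

    def origin(path):
        return versions[path], headers.get(path, {})

    edge = EdgeCache()
    first = edge.get("/css/site.css", now=0, origin=origin)      # miss: v1 cached until t=7200
    versions["/css/site.css"] = "v2"                              # urgent fix lands at the origin
    stale = edge.get("/css/site.css", now=3600, origin=origin)    # still within TTL: users get v1
    evicted = edge.invalidate("/css/*")                           # Q14: do not wait for the TTL
    fresh = edge.get("/css/site.css", now=3601, origin=origin)    # next request refetches v2
    return {"first": first, "stale": stale, "evicted": evicted, "fresh": fresh,
            "origin_fetches": edge.origin_fetches, "hits": edge.hits}
```

Lowering the Route 53 DNS TTL in this model would change nothing, since the edge store is keyed by path and only the cache TTL or an invalidation touches it.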

Q15 A solutions team wants users to be automatically directed to the closest healthy regional endpoint of a multi-Region application, based on DNS resolution and health checks. Which AWS service performs this routing decision?

  A. Amazon Route 53
  B. Amazon CloudFront
  C. Elastic Load Balancing
  D. S3 Transfer Acceleration
Answer: A
Why A is correct: Route 53 is AWS's DNS service. With routing policies such as latency-based or geolocation routing plus health checks, it resolves a domain name to the closest healthy endpoint among your multiple Regions. The decision happens at DNS lookup time.
Why the other options are wrong:
  • B — CloudFront caches and delivers content at the edge; it is not the service that resolves domain names to regional endpoints.
  • C — ELB distributes traffic among targets within a single Region; it does not route users across Regions via DNS.
  • D — Transfer Acceleration only speeds up S3 transfers; it makes no DNS routing decisions.
Common trap: Confusing Route 53 with CloudFront. "Send users to the nearest endpoint by DNS" = Route 53. "Cache and deliver content near users" = CloudFront. Both improve global experience but at different layers.

Q16 Which statement about AWS Shield and CloudFront is accurate for the CLF-C02 exam?

  A. Shield only works after you manually install an agent on each edge location
  B. Shield replaces the need for CloudFront caching
  C. Shield filters HTTP requests for SQL injection at the application layer
  D. AWS Shield Standard provides automatic, no-cost protection against common DDoS attacks for CloudFront, while Shield Advanced adds enhanced protection for a fee
Answer: D
Why D is correct: AWS Shield Standard is automatically included at no extra charge and defends services like CloudFront against the most common, frequently occurring DDoS (flooding) attacks. Shield Advanced is a paid tier adding larger-scale protection, 24/7 response support, and cost protection.
Why the other options are wrong:
  • A — Shield is a managed AWS service; there is no agent to install on edge locations — protection is built in.
  • B — Shield is DDoS protection; it does not provide caching and cannot replace CloudFront's content-delivery role.
  • C — Inspecting requests for SQL injection at the application layer is AWS WAF's job, not Shield's. Shield handles DDoS, WAF handles request filtering.
Common trap: Swapping Shield and WAF duties. Shield = DDoS/volumetric defense (Standard is free and automatic); WAF = application-layer rule filtering (SQLi/XSS). Knowing which does which is a frequent exam target.
