Last updated on 2023/09/22 to include changes up to JDK 21.

Last updated on 2023/09/22 to include changes up to JDK 21.

CloudFront signed URLs allow access to a path under a distribution. The backend has access to the private part of a key pair and its public counterpart is added to CloudFront as a trusted key. Then whenever the backend wants to allow a user to access a path it constructs a special URL. Part of this URL is signed with the private key, which makes it unforgable to parties not having the private key.

CloudFront routing is based on path patterns. There are ordered cache behaviors that define a pattern that CloudFront will try to match with the incoming requests’ path in the order they are defined, and there is a default cache behavior that does not have a pattern but catches everything. Since cache behaviors define which origin to forward the request to, this setup allows different backends to live under the same domain.