Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | CloudFront does not use API keys in the traditional sense. Access control is managed via IAM. | |
| Authentication & Authorization | IAM Integration | True | Access control is managed through AWS Identity and Access Management (IAM) which grants permissions to interact with CloudFront resources. | |
| Authentication & Authorization | MFA | True | MFA is not directly integrated into CloudFront, but it's a standard AWS feature that can be enabled for the IAM users managing it. | Requires configuration at the AWS IAM level. |
| Authentication & Authorization | Service Account Support | True | IAM users and roles can access CloudFront programmatically. The principle of least privilege should be applied when configuring IAM permissions. | |
| Authentication & Authorization | Standard Protocols | True | CloudFront supports HTTPS, which uses TLS/SSL, a standards-based protocol. | |
| Compliance & Certifications | Compliance Documentation | True | AWS provides extensive compliance documentation for its services, which includes information about CloudFront. | |
| Compliance & Certifications | Industry Certifications | True | AWS CloudFront is compliant with a variety of industry standards and regulations, such as ISO 27001, SOC 2, and others; details are available on the AWS compliance site. | Specific certifications vary. |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | Data masking/redaction is not a feature of CloudFront. This must be handled at the origin server before content is uploaded. | |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | False | CloudFront does not have built-in DLP capabilities. Sensitive data protection needs to be handled at the origin server and during content creation. | |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Data transfer is controlled by selecting edge locations. AWS offers tools for managing data transfer across regions, though direct CloudFront-specific controls within a single region are limited; transfer between locations is inherent to how CloudFront operates. | Granularity is limited by edge location selection. |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides documentation specifying edge location details. While CloudFront doesn't directly reveal the exact server holding a specific file, the region of the edge location is transparent. | |
| Data Residency & Sovereignty | Region Selection | True | CloudFront allows selection of edge locations for content distribution. While not directly equivalent to Google Cloud regions, these locations offer geographic distribution options to meet data residency needs in many cases. | |
| Encryption | Encryption at Rest | True | CloudFront itself does not offer encryption at rest for the content it delivers. Encryption at rest would need to be implemented at the origin server (e.g., using S3 with server-side encryption). | Requires additional configuration with AWS KMS or similar. |
| Encryption | Encryption in Transit | True | CloudFront uses HTTPS (TLS/SSL) for all communication by default. Users can configure minimum TLS version and cipher suites. | |
| Logging & Monitoring | Access Logging | True | CloudFront provides access logs detailing requests received by its edge servers. | Requires configuration. |
| Logging & Monitoring | Audit Logging | True | CloudFront offers access and distribution logs that can be used for auditing. These logs can be sent to CloudWatch, S3, or other targets. | Requires configuration. |
| Logging & Monitoring | Log Retention | True | Log retention is controlled by the storage service used to store the logs (like S3), which offers configurable retention policies. | Dependent on the storage service configuration (e.g., S3). |
| Logging & Monitoring | Monitoring & Alerting | True | CloudFront metrics can be monitored using Amazon CloudWatch, enabling customized alerts based on various criteria. | Requires configuration with CloudWatch. |
| Network Security | API Gateway Integration | False | CloudFront is not directly integrated with API Gateway; they are separate AWS services. | |
| Network Security | DDoS Protection | True | CloudFront benefits from AWS Shield, a DDoS protection service integrated into AWS. This protection is automatically applied. | |
| Network Security | Firewall Rules | False | CloudFront doesn't directly support configuring ingress/egress firewall rules. Security measures are implemented at the origin server and through IAM policies. | |
| Network Security | Private Access | True | CloudFront supports private access through features like CloudFront Private Content Delivery, allowing content to be accessed only from within a private VPC. | Requires additional configuration (e.g., using CloudFront's private content delivery). |
| Secure Development Lifecycle (SDL) | API Design Principles | True | AWS follows secure development practices, though the specific details of its SDL for CloudFront are not publicly disclosed. | Details are not publicly available. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS employs code review and testing processes as part of its development lifecycle. The specific methods used for CloudFront are confidential. | Details are not publicly available. |
| Vulnerability Management & Patching | Security Updates | True | AWS regularly updates CloudFront's underlying infrastructure and security features. Specific patching details are not publicly released in granular detail. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | AWS performs regular security assessments and penetration testing on its services, including CloudFront. However, the specifics are confidential. | Details are not publicly disclosed. |