CloudFront Distribution ARN — CDN Resource Reference
Parse a CloudFront distribution ARN to understand the global service pattern and distribution ID format. Covers OAC and S3 origin access patterns.
Detailed Explanation
CloudFront Distribution ARN
CloudFront distributions are global resources, but unlike S3, their ARNs include the account ID. The region field is empty because CloudFront operates at the edge, not in a single region.
Example ARN
arn:aws:cloudfront::123456789012:distribution/E1234ABCDEF567
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | cloudfront |
| Region | (empty) — global service |
| Account ID | 123456789012 |
| Resource Type | distribution |
| Resource ID | E1234ABCDEF567 |
Distribution ID Format
CloudFront distribution IDs start with E followed by an alphanumeric string (e.g., E1234ABCDEF567). This ID is used in the domain name (d111111abcdef8.cloudfront.net) and in API calls.
Origin Access Control (OAC) ARNs
Modern CloudFront setups use Origin Access Control to securely access S3 origins:
arn:aws:cloudfront::123456789012:origin-access-control/EABC123DEF456
Key Group ARNs
CloudFront key groups for signed URLs/cookies:
arn:aws:cloudfront::123456789012:key-group/abc123-def456
IAM Policies for CloudFront
CloudFront ARNs in IAM policies often use wildcards because permissions tend to be granted for all distributions or for the CloudFront service as a whole:
{
  "Resource": "arn:aws:cloudfront::123456789012:distribution/*"
}
CloudFront + S3 Pattern
The most common CloudFront configuration involves an S3 bucket origin. In this setup, you reference the CloudFront distribution ARN in IAM and the S3 bucket ARN in the distribution's origin configuration — two different ARN formats working together.
Use Case
A common use case is managing CloudFront distributions through infrastructure-as-code tools like CloudFormation or Terraform. The distribution ARN is referenced in S3 bucket policies when using Origin Access Control (OAC) to restrict direct S3 access to only CloudFront.
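The OAC bucket-policy pattern described above, as an added Python example (not from the original page): it parses a CloudFront ARN into the components listed in the table, then audits an S3 bucket-policy statement that trusts the `cloudfront.amazonaws.com` service principal for a missing, wildcarded, wrong-type or wrong-account `AWS:SourceArn`. The function names, the sample statement and the bucket name `example-bucket` are assumptions made for illustration.

```python
import re

# ARN shape from this page: empty region, 12-digit account ID, "type/id" resource.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):cloudfront:(?P<region>[^:]*):"
    r"(?P<account>\d{12}):(?P<rtype>[a-z-]+)/(?P<rid>[A-Za-z0-9*?-]+)$"
)

def parse_cloudfront_arn(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a CloudFront ARN: {arn!r}")
    if m["region"]:  # CloudFront is global, so the region field stays empty
        raise ValueError(f"region must be empty for CloudFront: {arn!r}")
    return m.groupdict()

def audit_oac_statement(stmt, expected_account):
    """Findings for one bucket-policy statement that trusts the CloudFront service."""
    if stmt.get("Principal") != {"Service": "cloudfront.amazonaws.com"}:
        return []  # not an OAC-style statement; out of scope for this check
    arns = []
    for op in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
        for key, value in stmt.get("Condition", {}).get(op, {}).items():
            if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                arns += [value] if isinstance(value, str) else list(value)
    if not arns:
        return ["no aws:SourceArn condition: access is not tied to one distribution"]
    findings = []
    for arn in arns:
        try:
            parts = parse_cloudfront_arn(arn)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if parts["rtype"] != "distribution":
            findings.append(f"resource type is {parts['rtype']}, expected distribution")
        if "*" in parts["rid"] or "?" in parts["rid"]:
            findings.append("wildcard in distribution ID")
        if parts["account"] != expected_account:
            findings.append(f"account {parts['account']} != expected {expected_account}")
    return findings

# Constructed sample statement: placeholder bucket, the page's example distribution ARN.
SAMPLE = {
    "Effect": "Allow", "Action": "s3:GetObject",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E1234ABCDEF567"}},
}
```

`audit_oac_statement(SAMPLE, "123456789012")` returns an empty list; removing the `Condition` block or replacing the distribution ID with `*` produces a finding.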