Lambda@Edge

We can use Lambda@Edge to override the behaviour of request and responses

1. Viewer request : When CloudFront receives a request from a viewer.
2. Origin request : Before CloudFront forwards a request to the origin.
3. Origin response : When CloudFront receives a response from the origin
4. Viewer response Before CloudFront returns the response to the viewer

Protection

By Default a Distribution allows everyone to have access.

• Original Identity Access(OAI) :
  A virtual user identity that will be used to give your CloudFront Distribution permission to fetch a private object
  

  when Restrict viewer Access set to Yes, viewer must use Signed URLs or Signed cookies to access content

  1. Signed URLs :
     It's NOT the same with Presigned URL in S3.
     it's a url with provides temporary access to cached objects
  2. Signed Cookies
     A cookie which is passed along with the request to CloudFront.
     The advantage of using a Cookie rather than Signed URL is you want to provide access to multiple restricted files, so you don't need to generate Signed URLs for every files you want to access.