Skip to main content

AWS CloudFront MCP Server

Create a powerful Model Context Protocol (MCP) server for Amazon CloudFront in minutes with our AI Gateway. This guide walks you through setting up seamless CloudFront integration with enterprise-grade security and AWS Signature v4 authentication.

About AWS CloudFront API

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs globally with low latency and high transfer speeds. The CloudFront API enables programmatic access to:

  • Distribution Management: Create and configure CDN distributions
  • Cache Control: Manage caching behaviors and invalidations
  • Origin Configuration: Connect to S3, ALB, or custom origins
  • Security Features: SSL/TLS, signed URLs, and field-level encryption
  • Edge Functions: Lambda@Edge and CloudFront Functions
  • Real-time Analytics: Monitor performance and usage
  • Access Control: Geographic restrictions and signed cookies
  • Streaming: Support for live and on-demand video

Key Features

  • 450+ Edge Locations: Global presence for low latency
  • Origin Shield: Additional caching layer for origin protection
  • HTTP/3 Support: Latest protocol for better performance
  • WebSocket Support: Real-time bidirectional communication
  • Compression: Automatic Gzip and Brotli compression
  • Custom Error Pages: Branded error experiences
  • Origin Failover: Automatic failover for high availability
  • Real-time Logs: Detailed logs within seconds

What You Can Do with CloudFront MCP Server

The MCP server transforms CloudFront's API into a natural language interface, enabling AI agents to:

Distribution Management

  • Distribution Operations

    • "Create CDN distribution for website.example.com"
    • "List all active CloudFront distributions"
    • "Update distribution to add new origin"
    • "Enable IPv6 for production distribution"

  • Origin Configuration

    • "Add S3 bucket as origin for static assets"
    • "Configure custom origin for API backend"
    • "Set up origin failover for high availability"
    • "Add custom headers to origin requests"

Performance Optimization

  • Cache Behaviors

    • "Create cache behavior for /api/* with no caching"
    • "Set 1-year cache for static assets"
    • "Configure different TTLs by file type"
    • "Enable query string forwarding for dynamic content"

  • Compression & Optimization

    • "Enable Gzip compression for text files"
    • "Configure Brotli for modern browsers"
    • "Set up automatic image optimization"
    • "Enable HTTP/2 and HTTP/3"

Cache Management

  • Invalidations

    • "Invalidate all cached content"
    • "Clear cache for /images/* path"
    • "Invalidate specific files after update"
    • "Check invalidation status and history"

  • Cache Policies

    • "Create custom cache policy for API responses"
    • "Use managed cache policy for static content"
    • "Configure cache based on headers"
    • "Set up device-based caching"

Security Configuration

  • Access Control

    • "Enable signed URLs for premium content"
    • "Set up geographic restrictions for compliance"
    • "Configure WAF rules for DDoS protection"
    • "Implement field-level encryption"

  • SSL/TLS Management

    • "Use AWS Certificate Manager SSL certificate"
    • "Configure SNI for custom domain"
    • "Set minimum TLS version to 1.2"
    • "Enable HSTS headers"

Edge Computing

  • Lambda@Edge

    • "Deploy function for A/B testing"
    • "Add security headers at edge"
    • "Implement request routing logic"
    • "Personalize content by location"

  • CloudFront Functions

    • "Add cache key normalization"
    • "Implement URL redirects"
    • "Validate request tokens"
    • "Modify response headers"

Monitoring & Analytics

  • Real-time Metrics

    • "Show current request rate"
    • "Monitor cache hit ratio"
    • "Track bandwidth usage by distribution"
    • "Alert on origin error rate"

  • Usage Reports

    • "Generate monthly bandwidth report"
    • "Show top referrers and user agents"
    • "Analyze geographic distribution"
    • "Track popular objects"

Quick Start Guide

1. Prerequisites

  • AWS Account with CloudFront access
  • Authentication method (choose one):
    • AWS IAM credentials (Access Key ID and Secret Access Key)
    • OAuth2 via AWS IAM Identity Center (SSO)
    • SAML 2.0 federation
  • Domain name (for custom domains)
  • AI Gateway account

2. Authentication Options

Option A: AWS IAM Credentials (Traditional)

Use AWS Access Key ID and Secret Access Key with the required IAM permissions below.

Option B: OAuth2 via AWS IAM Identity Center

AWS supports OAuth2 through IAM Identity Center for programmatic access:

  1. Enable IAM Identity Center:

    • Navigate to IAM Identity Center in AWS Console
    • Enable Identity Center in your preferred region
    • Configure identity source

  2. Register OAuth Application:

    aws sso-admin register-client \
      --client-name "AI-Gateway-CloudFront-MCP" \
      --client-type "public" \
      --scopes "cloudfront:*"

  3. Configure OAuth Settings:

    • Authorization URL: https://[your-sso-url].awsapps.com/start/authorize
    • Token URL: https://[your-sso-url].awsapps.com/start/token
    • Redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
    • Scopes: Configure based on CloudFront operations needed

  4. Permission Sets: Create permission set in IAM Identity Center with CloudFront policies attached.

3. Required IAM Permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateDistribution",
        "cloudfront:GetDistribution",
        "cloudfront:UpdateDistribution",
        "cloudfront:DeleteDistribution",
        "cloudfront:ListDistributions",
        "cloudfront:CreateInvalidation",
        "cloudfront:GetInvalidation",
        "cloudfront:ListInvalidations",
        "cloudfront:CreateOriginAccessControl",
        "cloudfront:GetOriginAccessControl",
        "cloudfront:UpdateOriginAccessControl",
        "cloudfront:DeleteOriginAccessControl",
        "cloudfront:CreateCachePolicy",
        "cloudfront:GetCachePolicy",
        "cloudfront:UpdateCachePolicy",
        "cloudfront:DeleteCachePolicy",
        "cloudfront:ListCachePolicies",
        "cloudfront:CreateResponseHeadersPolicy",
        "cloudfront:GetResponseHeadersPolicy",
        "cloudfront:UpdateResponseHeadersPolicy",
        "cloudfront:DeleteResponseHeadersPolicy"
      ],
      "Resource": "*"
    }
  ]
}

4. MCP Server Configuration

For IAM Credentials:

  1. Navigate to the AI Gateway dashboard
  2. Click "Create New MCP Server"
  3. Select "AWS CloudFront" from the available integrations
  4. Choose "AWS IAM" authentication
  5. Configure credentials:
    • Enter AWS Access Key ID
    • Enter AWS Secret Access Key
    • Configure default behaviors
    • Set up monitoring preferences

For OAuth2 (IAM Identity Center):

  1. Navigate to the AI Gateway dashboard
  2. Click "Create New MCP Server"
  3. Select "AWS CloudFront" from the available integrations
  4. Choose "OAuth 2.0" authentication
  5. Configure OAuth settings:
    • Authorization URL: Your IAM Identity Center authorize endpoint
    • Token URL: Your IAM Identity Center token endpoint
    • Client ID: From registered application
    • Client Secret: From registered application (if confidential client)
    • Scopes: Select required CloudFront permissions
    • AWS Region: Global (CloudFront is a global service)

5. Test Your Connection

Try these commands to verify your setup:

  • "List all CloudFront distributions"
  • "Create a test distribution"
  • "Check cache statistics"

OAuth2 Scopes for CloudFront Operations

When using OAuth2 via IAM Identity Center, configure permission sets with these CloudFront actions:

Distribution Management

  • cloudfront:CreateDistribution - Create new distributions
  • cloudfront:GetDistribution - View distribution details
  • cloudfront:UpdateDistribution - Modify distributions
  • cloudfront:DeleteDistribution - Remove distributions
  • cloudfront:ListDistributions - List all distributions

Cache Operations

  • cloudfront:CreateInvalidation - Clear cached content
  • cloudfront:GetInvalidation - Check invalidation status
  • cloudfront:ListInvalidations - View invalidation history

Security & Access

  • cloudfront:CreateOriginAccessControl - Secure origin access
  • cloudfront:UpdateOriginAccessControl - Modify access controls
  • cloudfront:CreateKeyGroup - Manage signed URLs
  • cloudfront:CreatePublicKey - Add public keys

Policies & Configuration

  • cloudfront:CreateCachePolicy - Define cache behaviors
  • cloudfront:CreateOriginRequestPolicy - Configure origin requests
  • cloudfront:CreateResponseHeadersPolicy - Set response headers
  • cloudfront:TagResource - Add resource tags

Configure permission sets in IAM Identity Center to match your CDN management needs.

Common Use Cases

Static Website Hosting

Deliver static websites globally:

"Create distribution for S3 static website"
"Configure index.html as default root object"
"Set up custom error pages"
"Enable compression for all text files"

API Acceleration

Speed up API responses:

"Create distribution for REST API"
"Configure caching by API version header"
"Set up origin request policy"
"Enable CORS headers"

Media Streaming

Deliver video content efficiently:

"Set up distribution for video streaming"
"Configure byte-range requests"
"Enable origin shield for popular content"
"Set up signed URLs for premium videos"

Dynamic Content

Optimize dynamic applications:

"Configure cache based on user cookies"
"Forward query strings to origin"
"Set up device detection"
"Implement geo-targeting"

Advanced Features

Origin Groups

Set up high availability:

"Create origin group with primary and failover"
"Configure health checks for automatic failover"
"Set up multi-region origins"
"Test failover scenarios"

Security Headers

Enhance application security:

"Add Content-Security-Policy header"
"Enable X-Frame-Options for clickjacking protection"
"Set Strict-Transport-Security"
"Configure Referrer-Policy"

Custom Behaviors

Fine-tune content delivery:

"Create behavior for mobile users"
"Set up path-based routing"
"Configure method-based caching"
"Implement content negotiation"

Real-time Logs

Monitor in real-time:

"Enable real-time logs to Kinesis"
"Set up log filtering"
"Configure sampling rate"
"Monitor specific distributions"

Best Practices

Distribution Design

  • Use separate distributions for different content types
  • Implement proper cache key design
  • Configure appropriate TTLs
  • Use Origin Shield for high-traffic content

Performance

  • Enable compression for text content
  • Use HTTP/2 and HTTP/3
  • Optimize cache behaviors
  • Implement connection pooling

Security

  • Always use HTTPS
  • Implement proper access controls
  • Use AWS WAF for protection
  • Enable AWS Shield for DDoS protection

Cost Optimization

  • Monitor data transfer costs
  • Use Origin Shield strategically
  • Implement efficient cache policies
  • Regular usage analysis

Troubleshooting

Common Issues

  • 504 Gateway Timeout: Increase origin timeout settings
  • Cache Misses: Review cache behaviors and headers
  • SSL Errors: Verify certificate configuration
  • Access Denied: Check S3 bucket policies and OAC

Performance Debugging

  • Use CloudFront reports for insights
  • Monitor cache hit ratios
  • Analyze origin response times
  • Check compression effectiveness

Integration Examples

With AWS Services

"Use S3 as origin for static content"
"Integrate with ALB for dynamic content"
"Trigger Lambda@Edge for processing"
"Send logs to CloudWatch"

With AI Gateway Tools

"Invalidate cache when content updates in CMS"
"Generate CDN usage reports in Google Sheets"
"Alert on high origin errors via Slack"
"Track CDN costs in billing dashboard"

Edge Computing

Lambda@Edge Use Cases

  • Viewer Request: Authenticate users, URL rewrites
  • Origin Request: Modify headers, route requests
  • Origin Response: Add security headers, compress
  • Viewer Response: Modify content, A/B testing

CloudFront Functions

  • Lightweight processing at edge
  • Sub-millisecond execution
  • Ideal for simple transformations
  • Cost-effective for high-volume

Monitoring and Analytics

Key Metrics

"Show cache hit ratio trends"
"Monitor 4xx and 5xx error rates"
"Track bandwidth by geography"
"Analyze request patterns"

Cost Analysis

"Calculate data transfer costs by region"
"Show HTTP vs HTTPS request ratio"
"Track invalidation costs"
"Optimize for cost efficiency"

Security Features

Access Control Methods

  • Signed URLs: Time-limited access
  • Signed Cookies: Session-based access
  • Origin Access Control: Secure S3 access
  • AWS WAF: Application firewall rules

Compliance Features

  • Field-Level Encryption: Protect sensitive data
  • Geographic Restrictions: Comply with regulations
  • Access Logging: Audit trail
  • AWS Shield: DDoS protection

Pricing Considerations

Cost Components

  • Data Transfer Out: Varies by geography
  • HTTP/HTTPS Requests: Per 10,000 requests
  • Invalidation Requests: First 1,000 paths free
  • Field-Level Encryption: Additional per request
  • Origin Shield: Optional caching layer
  • Real-time Logs: Based on log volume

Cost Optimization Tips

  • Use Origin Shield for popular content
  • Implement efficient caching strategies
  • Monitor and optimize TTLs
  • Use CloudFront's free tier effectively

Ready to accelerate your content delivery? Start creating your CloudFront MCP server today and enable AI-powered CDN management!