When should I use a custom origin instead of an S3 origin?

Use an S3 origin for static files served straight from a bucket. Use a custom origin for an application load balancer, EC2 instance, or API endpoint — anything that speaks HTTP/HTTPS rather than the native S3 protocol.

How does the custom error response work?

It maps an origin error code (for example 403 from S3 for a missing key) to a page you choose, optionally rewriting the response code. This is how single-page apps serve index.html for unknown paths and return 200.

What does redirect-to-https do for the viewer protocol policy?

It accepts HTTP requests but answers with a 301 redirect to the HTTPS URL, so browsers retry securely. allow-all serves both without redirecting, and https-only rejects HTTP outright with a 403.

Does this create the distribution for me?

No. It produces the DistributionConfig JSON document the AWS CLI and API expect, with a generated CallerReference for idempotency. You apply it yourself with the AWS CLI, SDK, or console, which keeps your credentials off this page.

CloudFront Distribution Config Builder

Q: What is the difference between MinTTL, DefaultTTL, and MaxTTL?

MinTTL is the floor CloudFront will cache an object even if the origin asks for less. DefaultTTL applies when the origin sends no Cache-Control header. MaxTTL is the ceiling, capping how long an object is cached regardless of origin headers.

A CloudFront distribution config builder that produces the DistributionConfig JSON document the AWS CLI and API expect. Choose an origin, set the cache behavior and security policy, and copy a config you can feed straight into aws cloudfront create-distribution. Nothing leaves your browser — no AWS keys required.

How it works

CloudFront distributions are defined by a single JSON structure. The builder assembles the required pieces: an Origins block (with S3OriginConfig for buckets or CustomOriginConfig with TLS settings for custom backends), a DefaultCacheBehavior carrying the viewer protocol policy, allowed methods, and the three TTL values, plus optional CustomErrorResponses, Restrictions.GeoRestriction, and a ViewerCertificate.

A unique CallerReference is generated from the current timestamp so AWS treats each apply as idempotent — re-submitting the same reference will not create a duplicate distribution. The TTL trio controls caching: MinTTL is the lower bound, DefaultTTL applies when the origin sends no Cache-Control, and MaxTTL caps everything.

Tips and notes

For a single-page app on S3, map error code 403 to /index.html with response code 200 so client-side routes resolve correctly instead of showing an access-denied page.
PriceClass_100 serves only North America and Europe edge locations and is the cheapest; raise it only if your audience is global and latency in Asia matters.
An S3 origin reached over the public website endpoint behaves differently from one reached through Origin Access Control. For private buckets, pair this with an OAC bucket policy.
Set Compress to true so CloudFront gzips or brotli-compresses text assets at the edge, shrinking transfer for CSS, JS, and HTML.

CloudFront Distribution Config Builder

Email me this result

How it works

Tips and notes