01 Run the get-distribution-config command (OSX/Linux/UNIX) to retrieve the configuration metadata of the CloudFront web distribution that you want to reconfigure (see Audit section part II to identify the right resource). The returned ETag value is required later for the update-distribution --if-match parameter:
aws cloudfront get-distribution-config \
    --id AAAABBBBCCCCDD
02 The command output should return the requested configuration information:
{
  "ETag": "ABCDABCDABCDAB",
  "DistributionConfig": {
    "Comment": "",
    "CacheBehaviors": {
      "Quantity": 0
    },
    ...
    "HttpVersion": "http2",
    "Restrictions": {
      "GeoRestriction": {
        "RestrictionType": "none",
        "Quantity": 0
      }
    }
  }
}
03 Modify the configuration document returned at the previous step to enable the geo restriction feature by changing the GeoRestriction configuration object values as shown in the example below, then save the new configuration in a JSON document named "enable-geo-restriction.json". The update-distribution command accepts only the DistributionConfig object, so remove the outer "ETag" and "DistributionConfig" wrapper from the returned document and keep the ETag value for the --if-match parameter used in step 4. The following example restricts all users within the country identified by the code "UA" from accessing your web distribution content (the "Quantity" value must match the number of entries in "Items"). Replace <domain_name> and the other required configuration details with your own values:
{
  "Comment": "",
  "CacheBehaviors": {
    "Quantity": 0
  },
  "IsIPV6Enabled": false,
  "Logging": {
    "Bucket": "",
    "Prefix": "",
    "Enabled": false,
    "IncludeCookies": false
  },
  "WebACLId": "",
  "Origins": {
    "Items": [
      {
        "OriginPath": "/static/images",
        "CustomOriginConfig": {
          "OriginSslProtocols": {
            "Items": [
              "TLSv1.2"
            ],
            "Quantity": 1
          },
          "OriginProtocolPolicy": "https-only",
          "OriginReadTimeout": 30,
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginKeepaliveTimeout": 5
        },
        "CustomHeaders": {
          "Quantity": 0
        },
        "Id": "Custom-<domain_name>/static/images",
        "DomainName": "<domain_name>"
      }
    ],
    "Quantity": 1
  },
  "DefaultRootObject": "",
  "PriceClass": "PriceClass_100",
  "Enabled": true,
  "DefaultCacheBehavior": {
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    },
    "LambdaFunctionAssociations": {
      "Quantity": 0
    },
    "TargetOriginId": "Custom-<domain_name>/static/images",
    "ViewerProtocolPolicy": "https-only",
    "ForwardedValues": {
      "Headers": {
        "Quantity": 0
      },
      "Cookies": {
        "Forward": "none"
      },
      "QueryStringCacheKeys": {
        "Quantity": 0
      },
      "QueryString": false
    },
    "MaxTTL": 31536000,
    "SmoothStreaming": false,
    "DefaultTTL": 86400,
    "AllowedMethods": {
      "Items": [
        "HEAD",
        "GET"
      ],
      "CachedMethods": {
        "Items": [
          "HEAD",
          "GET"
        ],
        "Quantity": 2
      },
      "Quantity": 2
    },
    "MinTTL": 0,
    "Compress": false
  },
  "CallerReference": "12345678901234",
  "ViewerCertificate": {
    "CloudFrontDefaultCertificate": true,
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront"
  },
  "CustomErrorResponses": {
    "Quantity": 0
  },
  "HttpVersion": "http2",
  "Restrictions": {
    "GeoRestriction": {
      "Items": [
        "UA"
      ],
      "RestrictionType": "blacklist",
      "Quantity": 1
    }
  },
  "Aliases": {
    "Quantity": 0
  }
}
04 Run the update-distribution command (OSX/Linux/UNIX) to update the configuration of the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enable geo restriction. The following command example updates your CDN distribution using the JSON configuration document named "enable-geo-restriction.json"; the --if-match value is the ETag returned at step 1:
aws cloudfront update-distribution \
    --id AAAABBBBCCCCDD \
    --distribution-config file://enable-geo-restriction.json \
    --if-match ABCDABCDABCDAB
05 The command output should return the metadata for the reconfigured CloudFront CDN distribution:
{
  "Distribution": {
    "Status": "InProgress",
    ...
    "Restrictions": {
      "GeoRestriction": {
        "Items": [
          "UA"
        ],
        "RestrictionType": "blacklist",
        "Quantity": 1
      }
    },
    ...
  "ETag": "ABCDABCDABCDAB"
}
06 Repeat steps no. 1 – 5 to enable and configure geo restriction for the other AWS CloudFront CDN distributions available within your AWS account.
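Steps 1 to 5 are a mechanical transformation of the get-distribution-config output, and editing a large JSON document by hand is where mistakes such as a "Quantity" that no longer matches "Items", or leaving the ETag wrapper in place, creep in. The script below is an added example, not part of the original page or of the AWS CLI: it reads the get-distribution-config JSON, unwraps the DistributionConfig object that update-distribution expects, sets the GeoRestriction block from a list of country codes, and also implements the audit check that tells whether a distribution is geo-restricted at all. The embedded sample document, the distribution id and the ETag value are constructed placeholders; the `set_geo_restriction` and `geo_restriction_enabled` function names are this example's own.

```python
"""Build the update-distribution payload that enables CloudFront geo restriction.

Added example, not the page's or AWS's own code. Usage with the real CLI:

    aws cloudfront get-distribution-config --id <distribution_id> \
        | python3 geo_restrict.py blacklist UA > enable-geo-restriction.json

The DistributionConfig object is written to stdout, the ETag needed for
`update-distribution --if-match` is written to stderr.
"""
import json
import sys

# Constructed sample of get-distribution-config output, trimmed to the keys
# that matter here; a real document carries the full DistributionConfig.
SAMPLE_GET_OUTPUT = json.dumps({
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {"Quantity": 0},
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {"RestrictionType": "none", "Quantity": 0}
        },
    },
})

VALID_TYPES = ("none", "blacklist", "whitelist")


def set_geo_restriction(get_output, restriction_type, countries):
    """Return (etag, distribution_config) with the GeoRestriction block set.

    `countries` are ISO 3166-1 alpha-2 codes. They are upper-cased and
    de-duplicated so that Quantity always equals len(Items); the API rejects
    a document where the two disagree.
    """
    if restriction_type not in VALID_TYPES:
        raise ValueError(f"RestrictionType must be one of {VALID_TYPES}")
    doc = json.loads(get_output)
    etag = doc["ETag"]                   # goes to --if-match, not into the file
    config = doc["DistributionConfig"]   # update-distribution wants only this object

    items = sorted({c.upper() for c in countries})
    for code in items:
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"not a two-letter country code: {code!r}")

    if restriction_type == "none":
        if items:
            raise ValueError("RestrictionType 'none' takes no country list")
        geo = {"RestrictionType": "none", "Quantity": 0}
    else:
        if not items:
            raise ValueError(f"{restriction_type} needs at least one country")
        geo = {"RestrictionType": restriction_type,
               "Quantity": len(items), "Items": items}

    config.setdefault("Restrictions", {})["GeoRestriction"] = geo
    return etag, config


def geo_restriction_enabled(config):
    """Audit check: True when the DistributionConfig restricts by geography."""
    geo = config.get("Restrictions", {}).get("GeoRestriction", {})
    return geo.get("RestrictionType", "none") != "none" and geo.get("Quantity", 0) > 0


if __name__ == "__main__":
    # Fall back to the constructed sample when nothing is piped in.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_OUTPUT
    rtype = sys.argv[1] if len(sys.argv) > 1 else "blacklist"
    etag, cfg = set_geo_restriction(raw, rtype, sys.argv[2:] or ["UA"])
    json.dump(cfg, sys.stdout, indent=2)
    print(file=sys.stdout)
    print(f"ETag for --if-match: {etag}", file=sys.stderr)
```

Run it against each distribution id from the audit step and feed the resulting file to update-distribution together with the ETag printed on stderr; `geo_restriction_enabled` can be applied to every DistributionConfig in the account to list the distributions that still need step 3.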