# Setting Up Amazon CloudFront with Your AWS GovCloud (US) or Resources CloudFront with Your Resources Amazon CloudFront is a web service that uses a global network of edge locations to deliver content to end users with low latency and high data transfer speeds. CloudFront is an AWS global service that you can leverage with your AWS GovCloud (US) resources. Requests for your content are routed to the nearest edge location, so content is delivered with the best possible performance. CloudFront is optimized to work with other Amazon Web Services, like Amazon Simple Storage Service (Amazon S3), Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, and Amazon Route 53. CloudFront is not available in AWS GovCloud (US), but you can use CloudFront in the standard Regions and point to your AWS GovCloud (US) resources. CloudFront also works seamlessly with any non-AWS origin server, which stores the original, definitive versions of your files. Due to the isolation of the AWS GovCloud (US) Regions, using CloudFront with your AWS GovCloud (US) resources is analogous to using CloudFront with a non-AWS origin server. # Credentials If you use CloudFront with AWS GovCloud (US), be sure that you use the correct credentials: + To use CloudFront with your AWS GovCloud (US) resources, you must have an AWS GovCloud (US) account. If you don’t have an account, see [AWS GovCloud (US) Sign Up](getting-started-sign-up.md) for more information. + To set up CloudFront, sign in to the [CloudFront console](https://console.aws.amazon.com/cloudfront/) by using your standard AWS credentials. You cannot use your AWS GovCloud (US) account credentials to sign in to the standard AWS Management Console. + It is important to note that CloudFront is located outside of the AWS GovCloud (US) boundary and customers should not enter or store ITAR-controlled data in the service. # Tips for Setting Up CloudFront As you set up CloudFront to serve your AWS GovCloud (US) content, keep the following in mind: + You will be setting up CloudFront to distribute content from a custom origin server. + Because you will be using a custom origin server, you do not have the option to restrict bucket access using a CloudFront Origin Access Identity. + If you want to restrict viewer access and use signed URLs, you must: + Use your standard AWS account and one of its CloudFront key pairs to create the signed URLs. As with other AWS Regions, you use the CloudFront key pair with your code or third-party console to create the signed URLs. + You can further restrict access to your content by blocking requests not originating from CloudFront IP addresses. You can use bucket policies to accomplish this for original content stored in AWS GovCloud (US) Amazon S3 buckets. A list of IP addresses is maintained on a best-effort basis at https://forums.aws.amazon.com/ann.jspa?annID=2051. For more information, see [AWS IP Address Ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html). + If you want CloudFront to log all viewer requests for files in your distribution, select an Amazon S3 bucket in an AWS standard Region as a destination for the log files. + Since CloudFront is not within AWS GovCloud (US) Regions, CloudFront is not within the ITAR boundary. If you want to use CloudFront to distribute your export-controlled data, encrypt your content in transit. + Integrated support for CloudFront Live Streaming is not available for origins located in the AWS GovCloud (US) Regions. + For detailed information about CloudFront, see the [CloudFront documentation](https://aws.amazon.com/documentation/cloudfront/).