Amazon CloudFront is the Content Delivery Network operated by Amazon Web Services. It distributes web content from the operator origin through more than 450 edge Points of Presence worldwide, including extensive EU coverage (Frankfurt, Paris, Dublin, Stockholm, Milan). CloudFront does not set tracking cookies by default and only processes the data needed to deliver content (visitor IP, User Agent, request path), but it is operated by Amazon Web Services Inc in the United States and falls within scope of the US CLOUD Act, so EU operators must rely on Standard Contractual Clauses, the EU US Data Privacy Framework and a documented transfer impact assessment.
Amazon CloudFront is the Content Delivery Network operated by Amazon Web Services Inc. It caches and delivers web content (HTML, JavaScript, CSS, images, videos, API responses) from more than 450 edge Points of Presence worldwide. When a visitor opens a CloudFront enabled website, the browser request is routed to the nearest edge POP, served from cache when possible, and otherwise forwarded to the operator origin. CloudFront supports HTTPS termination, request signing, geo restrictions, Lambda@Edge functions and a tight integration with other AWS services (S3, EC2, ALB, API Gateway, Shield, WAF).
CloudFront does not set tracking cookies by default. To serve a request, it processes the visitor IP address, the User Agent, the requested URL, any operator defined headers, the geographical region detected by the POP, and timing metadata. CloudFront access logs may contain the visitor IP and the URL accessed. The operator can choose to store these logs in an S3 bucket of their choice (in an EU AWS region if desired) and configure CloudFront to anonymise or truncate identifiers. Signed Cookies or Signed URLs are used only for access controlled content and represent a contractual relationship between the operator and the visitor.
From the visitor perspective, CloudFront is technical infrastructure delivering the requested content, so the dominant legal basis is Article 6(1)(b) GDPR (performance of a contract) plus Article 6(1)(f) (legitimate interest) for security and performance. No consent is required for the CDN function itself under Article 5(3) of the ePrivacy Directive, as it is strictly necessary to deliver the requested service. However, CloudFront is operated by Amazon Web Services Inc, a US company subject to FISA 702 and the CLOUD Act, so the operator must treat the use of CloudFront as a Chapter V GDPR transfer with documented safeguards.
AWS provides Standard Contractual Clauses through the AWS GDPR Data Processing Addendum, is self certified under the EU US Data Privacy Framework, and offers the AWS Data Residency Add On (legally binding commitment to process data in selected AWS Regions). For CloudFront specifically, EU operators can restrict the origin to EU regions and configure access logs to be stored in EU S3 buckets, but the edge POPs cover every continent and the control plane is operated from US AWS regions. EDPB and CNIL guidance still classifies the residual access risk as significant and requires a transfer impact assessment.
Sign the AWS GDPR Data Processing Addendum, opt in to the AWS Data Residency Add On where applicable, restrict the origin and the log buckets to EU AWS regions, and disable any geo restriction that would force traffic to US POPs. Document the use of CloudFront in your Record of Processing Activities, list it in the privacy policy as a processor and as an international transfer recipient, and run a transfer impact assessment. For high risk sectors that require strict EU only infrastructure, consider EU based CDNs such as Bunny CDN, Fastly with EU POPs only, OVHcloud CDN, Scaleway Edge Services or self hosted nginx with EU servers.
DPIA considerations
A DPIA is recommended whenever CloudFront serves a website processing significant volumes of EEA visitor data, including health, finance or public administration use cases. The DPIA must document the AWS Data Processing Addendum, the use of Standard Contractual Clauses with AWS, the EU US Data Privacy Framework status, the residual risk from US CLOUD Act and FISA 702 access, the use of the AWS Data Residency Add On where applicable, and the safer alternatives evaluated (Bunny CDN, Fastly with EU only POPs, OVHcloud CDN, Scaleway Edge Services).
Sample consent text
Our website is delivered through Amazon CloudFront, the Content Delivery Network operated by Amazon Web Services. CloudFront caches our public content on edge servers worldwide and processes your IP address and request metadata to deliver pages efficiently. CloudFront is operated by Amazon Web Services Inc in the United States under Standard Contractual Clauses and the EU US Data Privacy Framework, with a contractual data processing addendum.
Third-party domains contacted
cloudfront.net
amazonaws.com
awsstatic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| CloudFront-Policy | http | Configurable | CloudFront Signed Cookie carrying the access policy for protected content. Strictly necessary to deliver the operator gated resource. |
| CloudFront-Signature | http | Configurable | CloudFront Signed Cookie carrying the policy signature used to authenticate the request to protected content. |
| CloudFront-Key-Pair-Id | http | Configurable | CloudFront Signed Cookie containing the AWS key pair identifier used to verify the Signed Cookie policy. |
By default, none. CloudFront is a CDN and does not inject tracking cookies. The operator can configure CloudFront Signed Cookies for access controlled content (CloudFront-Policy, CloudFront-Signature, CloudFront-Key-Pair-Id) which are strictly necessary for the protected resource. Any visitor cookies set by the operator origin are simply forwarded by CloudFront according to the cache behaviour configured.
No. The CDN function is strictly necessary to deliver the content the visitor has requested, which is the storage device exemption in Article 5(3) of the ePrivacy Directive. Consent is only required for cookies that the operator origin chooses to set through CloudFront and that are themselves non essential (analytics, advertising, etc.).
The legal basis is Article 6(1)(b) GDPR (performance of a contract) when CloudFront serves the operator content. Article 6(1)(f) GDPR (legitimate interest) covers the related security, fraud prevention and performance optimisation. The use of CloudFront as a processor must be reflected in the Record of Processing Activities and a Data Processing Agreement.
Yes in practice. Even when origin and log buckets are in EU AWS regions, the CloudFront control plane is operated from US AWS regions and the edge POPs cover every continent. AWS provides Standard Contractual Clauses through the AWS GDPR Data Processing Addendum, is self certified under the EU US Data Privacy Framework, and offers the AWS Data Residency Add On for tighter contractual commitments.
It is recommended whenever CloudFront serves a website processing significant volumes of EEA visitor data, and required in regulated sectors. The DPIA must cover the AWS Data Processing Addendum, the EU US Data Privacy Framework status, the US CLOUD Act residual risk, the use of the AWS Data Residency Add On where applicable, and the safer alternatives evaluated (EU only CDNs).
Sign the AWS GDPR Data Processing Addendum, restrict the origin and access log buckets to EU AWS regions, disable any geo restriction that forces traffic to US POPs and configure access logs to anonymise or truncate identifiers. Document the processor relationship in the privacy policy and the Record of Processing Activities, and run a transfer impact assessment.
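One way to implement the access log anonymisation recommended here and in the access logs paragraph above, as an added example that is not AWS or FlowConsent code: a post-processor for CloudFront standard access logs that truncates the c-ip and x-forwarded-for columns before the logs are retained in the EU S3 bucket. It reads the column names from the log's own #Fields: header rather than assuming a fixed schema; the sample lines and their shortened field list are constructed.

```python
"""Truncate visitor IPs in CloudFront standard access logs (hypothetical helper)."""
import ipaddress
from typing import Iterable, Iterator, List
# Columns that carry a visitor IP in CloudFront standard logs.
IP_FIELDS = {"c-ip", "x-forwarded-for"}

def truncate_ip(value: str) -> str:
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    if value == "-":                 # CloudFront's marker for "no value"
        return value
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "-"                   # malformed input: drop it, never keep it
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def truncate_field(value: str) -> str:
    """x-forwarded-for may hold a comma-separated chain; truncate every hop."""
    return ",".join(truncate_ip(part.strip()) for part in value.split(","))

def anonymise_log(lines: Iterable[str]) -> Iterator[str]:
    """Yield log lines with IP columns truncated; the '#Fields:' header
    names the columns, so no fixed schema is assumed. Comments pass through."""
    ip_columns: List[int] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            names = line.split(":", 1)[1].split()
            ip_columns = [i for i, name in enumerate(names) if name in IP_FIELDS]
        elif line and not line.startswith("#"):
            cols = line.split("\t")
            for i in ip_columns:
                if i < len(cols):
                    cols[i] = truncate_field(cols[i])
            line = "\t".join(cols)
        yield line

# Constructed sample with a shortened field list; real logs carry more columns.
SAMPLE_LOG = [
    "#Version: 1.0",
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status x-forwarded-for",
    "2024-05-01\t12:00:01\tFRA56-C1\t1024\t203.0.113.77\tGET\td111.cloudfront.net\t/index.html\t200\t-",
    "2024-05-01\t12:00:02\tCDG50-P1\t2048\t2001:db8:abcd:1234::1\tGET\td111.cloudfront.net\t/app.js\t200\t198.51.100.9,203.0.113.5",
]
if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

Run it as a scheduled job or on an S3 event over each delivered log object and write the output to the retention bucket, keeping the raw object only as long as the processing window requires.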
EU based CDNs include Bunny CDN (Slovenia), Fastly configured with EU POPs only, OVHcloud CDN (France), Scaleway Edge Services (France), Hetzner CDN, KeyCDN (Switzerland) and self hosted nginx with EU servers. EU operators with strict data residency requirements often combine an EU CDN with origin and storage in EU only regions.
Document CloudFront and Amazon Web Services as a processor used to deliver the website, mention Amazon Web Services Inc in the United States as a recipient under Standard Contractual Clauses and the EU US Data Privacy Framework, clarify that CloudFront does not by itself set tracking cookies, and link to the AWS GDPR Data Processing Addendum and the AWS privacy notice.