AWS CloudFront is Amazon Web Services' content delivery network. It caches static and dynamic web content at edge locations around the world and serves it to end users with low latency. From a GDPR perspective, CloudFront acts as a processor that handles visitor IP addresses, request metadata and optional access logs, with data ultimately controlled by AWS Inc. in the United States.
AWS CloudFront is the content delivery network (CDN) of Amazon Web Services. It caches HTML pages, JavaScript and CSS bundles, images, fonts, video segments and API responses at hundreds of edge locations spread across the world, then serves them from the location closest to each visitor. For website operators in the European Union, CloudFront is most often deployed as a reverse proxy in front of an S3 bucket, an Application Load Balancer or a third party origin, with the goal of reducing latency, smoothing traffic spikes and offloading bandwidth from the origin.
CloudFront receives every HTTP and HTTPS request issued by a visitor's browser. To deliver the response it processes the source IP address, the requested URL, the HTTP method, request and response headers (including the User Agent, Referer and cookies forwarded by the origin), the TLS version and selected cipher, the geolocation derived from the IP and the chosen edge location. When access logs or real time logs are enabled, this information is stored in an S3 bucket or streamed to Kinesis. CloudFront itself does not set marketing or analytics cookies, but it can forward and cache cookies, query strings and headers configured in the cache policy.
IP addresses processed by CloudFront are personal data under the GDPR. Amazon Web Services Inc. acts as a processor on behalf of the website operator and as a controller for limited service operation purposes. Because the parent entity is established in the United States, every request to a CloudFront distribution can theoretically be observed by US infrastructure. The legal basis for routine content delivery is legitimate interest under Article 6(1)(f) GDPR, similar to other CDNs. The ePrivacy Directive only requires prior consent when information is stored or read on the user's device, which is not triggered by raw content delivery but is triggered if CloudFront is paired with marketing cookies, advertising tags or fingerprinting techniques.
Even when a European edge cache serves the response, AWS may transfer or replicate operational data to the United States. These transfers rely on the AWS GDPR Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, complemented by encryption in transit (TLS 1.3) and at rest, customer managed keys via AWS KMS and an enterprise grade access control regime. Website operators must list AWS as a processor in their record of processing activities and inform visitors about the United States destination in the privacy notice.
Sign the AWS GDPR Data Processing Addendum, document CloudFront in the record of processing activities and update the privacy notice to mention the AWS edge network and the United States destination. Configure cache policies that strip non essential cookies and query strings, enable AWS WAF rules that do not log raw IP addresses unnecessarily, and limit access log retention to a defined period. When CloudFront serves resources that are loaded together with analytics or advertising scripts, gate those downstream scripts behind a consent management platform so that no marketing tag fires before the visitor has accepted.
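
The cache policy and log retention steps above can be checked mechanically. The following is an added example, not code from this page or from AWS: it audits a cache policy and a log bucket lifecycle whose dict shapes follow the CloudFront GetCachePolicy and S3 GetBucketLifecycleConfiguration responses. The 30-day limit, the function names and all sample values are assumptions.

```python
# Added example. Dict shapes follow the CloudFront GetCachePolicy and S3
# GetBucketLifecycleConfiguration responses; every value below is constructed.
MAX_LOG_RETENTION_DAYS = 30  # assumption: the retention period the operator defined


def audit_cache_policy(config):
    """Flag cookie and query-string settings that forward values nobody reviewed."""
    params = config.get("ParametersInCacheKeyAndForwardedToOrigin", {})
    settings = {
        "cookies": params.get("CookiesConfig", {}).get("CookieBehavior", "none"),
        "query strings": params.get("QueryStringsConfig", {}).get("QueryStringBehavior", "none"),
    }
    # "none" and "whitelist" are explicit; "all" and "allExcept" pass unknown values on.
    return [f"{name}: behaviour '{value}' forwards unreviewed values"
            for name, value in settings.items() if value in ("all", "allExcept")]


def audit_log_retention(lifecycle, max_days=MAX_LOG_RETENTION_DAYS):
    """Flag a log bucket whose enabled rules never expire objects within max_days.

    Assumption: the rules passed in apply to the prefix that holds the access logs.
    """
    days = [rule["Expiration"]["Days"] for rule in lifecycle.get("Rules", [])
            if rule.get("Status") == "Enabled" and "Days" in rule.get("Expiration", {})]
    if not days:
        return ["logs: no enabled expiration rule, access logs are kept indefinitely"]
    if min(days) > max_days:
        return [f"logs: objects expire after {min(days)} days, limit is {max_days}"]
    return []


WEAK_POLICY = {"ParametersInCacheKeyAndForwardedToOrigin": {
    "CookiesConfig": {"CookieBehavior": "all"},
    "QueryStringsConfig": {"QueryStringBehavior": "all"}}}
STRICT_POLICY = {"ParametersInCacheKeyAndForwardedToOrigin": {
    "CookiesConfig": {"CookieBehavior": "whitelist",
                      "Cookies": {"Quantity": 1, "Items": ["session_id"]}},
    "QueryStringsConfig": {"QueryStringBehavior": "none"}}}
LONG_RETENTION = {"Rules": [{"ID": "expire-logs", "Status": "Enabled",
                             "Filter": {"Prefix": ""}, "Expiration": {"Days": 365}}]}

if __name__ == "__main__":
    for finding in (audit_cache_policy(WEAK_POLICY) + audit_cache_policy(STRICT_POLICY)
                    + audit_log_retention(LONG_RETENTION)):
        print(finding)
```
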
Websites using AWS CloudFront must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for routine static asset delivery via CloudFront. A DPIA is recommended when CloudFront is used together with WAF, Lambda@Edge, real time logs or fingerprinting features that systematically monitor visitor behaviour, or when sensitive content (health, finance, public sector) is served to EU users.
Sample consent text
We use Amazon CloudFront, a content delivery network operated by Amazon Web Services Inc. (USA), to deliver this website faster and more reliably. CloudFront processes your IP address and request metadata. By accepting, you allow this transfer to AWS servers, including in the United States, under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
cloudfront.net, amazonaws.com, aws.amazon.com, s3.amazonaws.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| aws-waf-token | Security | Up to 24 hours (configurable) | Set by AWS WAF Bot Control or Captcha challenges when integrated with CloudFront. Stores a signed token attesting that the visitor has passed a bot or captcha challenge so that subsequent requests are not blocked. |
| CloudFront-Key-Pair-Id | Functional | Session or until logout | Used by CloudFront signed cookies to authorise access to private content (videos, downloads). Carries the key pair ID that identifies the signing keys used by the distribution. |
| CloudFront-Policy | Functional | Defined by the signing policy (typically minutes to hours) | Stores the base64 encoded policy that defines which resources the signed cookie authorises and until when. Read by CloudFront edge servers to validate access to restricted distributions. |
| CloudFront-Signature | Functional | Same lifetime as CloudFront-Policy | Stores the cryptographic signature that proves the CloudFront-Policy was issued by an authorised signer. Used together with CloudFront-Key-Pair-Id and CloudFront-Policy to grant access to private content. |
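
To document what a CloudFront-Policy cookie authorises and until when, its value can be decoded locally. This is an added example, not code from this page or from AWS: it assumes the custom policy JSON layout and the URL-safe base64 substitutions that CloudFront documents for signed cookies, and the function names, resource URL, expiry and IP range are constructed.

```python
import base64
import json
from datetime import datetime, timezone

# CloudFront's cookie encoding replaces '+' with '-', '=' with '_' and '/' with '~'.
_TO_STD = str.maketrans("-_~", "+=/")
_TO_CF = str.maketrans("+=/", "-_~")


def encode_policy(policy):
    """Encode a policy dict the way a CloudFront-Policy cookie value is encoded."""
    raw = json.dumps(policy, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode().translate(_TO_CF)


def describe_policy_cookie(value):
    """Decode a CloudFront-Policy cookie value and summarise each statement."""
    policy = json.loads(base64.b64decode(value.translate(_TO_STD), validate=True))
    summary = []
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        summary.append({
            "resource": stmt.get("Resource"),
            "expires_utc": (datetime.fromtimestamp(expires, timezone.utc).isoformat()
                            if expires is not None else None),
            # A source-IP condition means the cookie itself carries an IP range.
            "source_ip": cond.get("IpAddress", {}).get("AWS:SourceIp"),
        })
    return summary


# Constructed sample policy: one private path, expiry 2026-01-01 UTC, one IP range.
SAMPLE_POLICY = {"Statement": [{
    "Resource": "https://cdn.example.com/private/*",
    "Condition": {"DateLessThan": {"AWS:EpochTime": 1767225600},
                  "IpAddress": {"AWS:SourceIp": "192.0.2.0/24"}}}]}

if __name__ == "__main__":
    cookie_value = encode_policy(SAMPLE_POLICY)
    print(cookie_value)
    print(describe_policy_cookie(cookie_value))
```
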
CloudFront itself does not set any tracking, analytics or advertising cookies. It may, however, forward and cache cookies coming from your origin if the cache policy is configured to include them. Marketing or analytics cookies that appear on a site using CloudFront come from other layers (your application, AWS WAF challenges, embedded scripts) and must be treated according to the rules that apply to those layers.
No. Pure content delivery via CloudFront falls under legitimate interest under Article 6(1)(f) GDPR and does not trigger the ePrivacy storage rule, because no information is written to or read from the device for that purpose. Explicit consent becomes mandatory only when CloudFront serves marketing tags, advertising creatives or fingerprinting scripts that themselves require Article 6(1)(a) GDPR consent.
The legal basis is legitimate interest under Article 6(1)(f) GDPR, because operating a CDN to serve your own website is a recognised commercial and security interest. The processing must remain proportionate, retention of access logs must be limited, and visitors must be informed of the AWS edge network and the United States destination in the privacy notice.
AWS publishes a GDPR Data Processing Addendum that includes the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and confirms participation in the EU US Data Privacy Framework. Supplementary measures include TLS 1.3 in transit, encryption at rest, AWS KMS customer managed keys, audit certifications (ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II) and strong access controls.
For routine static asset delivery a DPIA is not required. A DPIA is recommended whenever CloudFront is paired with AWS WAF, Lambda@Edge, real time logs or fingerprinting that systematically monitor visitor behaviour, when the protected resource handles sensitive data (health, finance, public sector), or when traffic from EU minors is expected.
Sign the AWS GDPR Data Processing Addendum, add AWS to your record of processing activities, update the privacy notice to mention the United States destination, and configure cache and origin request policies that strip non essential cookies. Limit access log retention, restrict WAF logging of raw IP addresses to what is strictly necessary and gate any third party scripts loaded over CloudFront behind a consent management platform.
Yes. European CDNs such as BunnyCDN (registered in Slovenia), KeyCDN (Switzerland), Gcore (Luxembourg) and OVHcloud (France) keep edge nodes and corporate control in Europe, which reduces the volume of US transfers. Cloudflare also offers an EU only data residency add on. The right choice depends on geographic coverage, advanced features (WAF, edge compute) and integration with the rest of your stack.
List AWS Inc. as the processor of the CDN service, mention the AWS edge network locations relevant to your traffic, state that data including IP addresses may be transferred to the United States under SCCs and the EU US Data Privacy Framework, link to the AWS Privacy Notice and explain the retention period chosen for CloudFront access logs.