AWS CloudFront MCP server

Amazon CloudFront is a fast content delivery network (CDN) that securely distributes data, videos, applications, and APIs globally with low latency and high transfer speeds. With this MCP server, AI agents can create distributions, manage cache behaviors, configure security policies, and monitor performance through natural language commands.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

CloudFront uses AWS Signature V4 authentication via IAM credentials. Configure an AWS IAM user or role with CloudFront permissions.

  • Service: cloudfront
  • Region: Global (us-east-1 for API calls)
  • Required permissions: cloudfront:* or specific CloudFront actions
  • Credential types: IAM user access keys or assumed role credentials
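
The choice between `cloudfront:*` and specific actions, together with the earlier tip about separate read-only and read-write servers, can be checked before credentials are handed to the gateway. The following is an added example, not part of the original page or AI Gateway's own code. The sample policies, the placeholder account and distribution IDs, and the rule that Get/List/Describe actions are read-only are assumptions of this example.

```python
import fnmatch

# Assumption of this example: actions named Get*/List*/Describe* only read.
READ_PREFIXES = ("get", "list", "describe")

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy, read_only=True):
    """Return findings for Allow statements that over-grant CloudFront access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction with Allow: grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.lower().partition(":")
            if not fnmatch.fnmatchcase("cloudfront", service):
                continue  # action belongs to another service
            if "*" in (service, name):
                findings.append(f"{action}: grants every CloudFront action")
            elif read_only and not name.startswith(READ_PREFIXES):
                findings.append(f"{action}: write action on a read-only server")
    return findings

# Constructed sample policies (account ID and distribution ID are placeholders).
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudfront:*", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig",
        "cloudfront:ListDistributions", "cloudfront:ListInvalidations"]}]}
AUTOMATION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudfront:Get*", "cloudfront:CreateInvalidation"],
     "Resource": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}]}

if __name__ == "__main__":
    for label, doc in (("broad", BROAD), ("read-only", READ_ONLY), ("automation", AUTOMATION)):
        print(label, audit_policy(doc))
```

Pass `read_only=False` when auditing the policy for a read-write server; wildcard grants are still reported.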

Available tools

The CloudFront MCP server exposes distribution management, cache policy configuration, invalidation, security settings, and monitoring APIs.

| Tool | Purpose |
| --- | --- |
| Distribution Management | Create, update, and delete distributions; manage distribution configurations; list distributions |
| Origin Configuration | Configure origins (S3, ALB, custom); set up origin failover; manage origin shields |
| Cache Behaviors | Create cache policies; configure TTLs; set cache headers; manage compression |
| Invalidations | Invalidate cached content by path; monitor invalidation status and history |
| Security Features | Configure SSL/TLS; manage field-level encryption; set up signed URLs and cookies |
| Edge Functions | Configure CloudFront Functions; publish Lambda@Edge functions; manage code versions |
| Analytics & Logs | Monitor distribution metrics; configure real-time logs; analyze usage patterns |

Tips

Use origin groups for failover redundancy.

Configure custom headers to identify CloudFront requests at your origin.

Use Origin Shield for an additional caching layer on heavily accessed content.

Set appropriate timeouts and keep-alive settings.

Create separate cache behaviors for different content types (static assets, API endpoints, dynamic pages).

Use query string forwarding only when necessary.

Configure appropriate TTLs based on content freshness requirements.

Enable compression for text-based content.

Use signed URLs or cookies for premium or sensitive content.

Enable WAF on your distribution to protect against common web exploits.

Configure geographic restrictions if applicable.

Implement HTTPS-only access.

Use CloudFront's real-time logs to understand access patterns and performance.

Set up CloudWatch metrics for distribution monitoring.

Analyze cache hit ratios to optimize cache configuration.

Test invalidation strategies in staging first.

Use lower-priced edge locations when appropriate.

Leverage origin failover to reduce origin load.

Implement compression to reduce data transfer.

Regularly review and optimize cache TTLs.
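
Several of the security tips above (HTTPS-only access, WAF, custom headers at the origin) can be verified against a distribution's configuration after an agent has changed it. The following is an added example, not part of the original page or AI Gateway's own code. It assumes the input is the `DistributionConfig` structure returned by CloudFront's GetDistributionConfig API; the sample configurations, origin IDs, header name, and web ACL ARN are constructed.

```python
def _behaviors(cfg):
    """Yield (path pattern, behavior) for the default and each extra cache behavior."""
    yield "default", cfg.get("DefaultCacheBehavior") or {}
    for behavior in (cfg.get("CacheBehaviors") or {}).get("Items") or []:
        yield behavior.get("PathPattern", "?"), behavior

def audit_distribution(cfg):
    """Check a DistributionConfig dict against the security tips above."""
    findings = []
    for path, behavior in _behaviors(cfg):
        # "allow-all" serves content over plain HTTP; the other two policies do not.
        if behavior.get("ViewerProtocolPolicy", "allow-all") == "allow-all":
            findings.append(f"{path}: viewers may use plain HTTP")
    if not cfg.get("WebACLId"):
        findings.append("no WAF web ACL attached")
    for origin in (cfg.get("Origins") or {}).get("Items") or []:
        headers = (origin.get("CustomHeaders") or {}).get("Items") or []
        if not headers:
            findings.append(f"origin {origin.get('Id')}: no custom header to identify CloudFront")
    return findings

# Constructed samples; every ID, header name, and ARN below is a placeholder.
VERIFY_HEADER = {"Quantity": 1, "Items": [
    {"HeaderName": "X-Origin-Verify", "HeaderValue": "<shared-secret>"}]}
WEAK = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "allow-all"}]},
    "WebACLId": "",
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "app-alb", "CustomHeaders": VERIFY_HEADER},
        {"Id": "legacy", "CustomHeaders": {"Quantity": 0}}]},
}
HARDENED = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"}]},
    "WebACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/EXAMPLE/EXAMPLE-ID",
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "app-alb", "CustomHeaders": VERIFY_HEADER},
        {"Id": "legacy", "CustomHeaders": VERIFY_HEADER}]},
}

if __name__ == "__main__":
    print(audit_distribution(WEAK))
```

The custom-header check is a heuristic: it only confirms a header is configured, not that the origin rejects requests lacking it.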