diff --git a/terraform/anejo_example.tfvars b/terraform/anejo_example.tfvars
index af86391..9f9c0d9 100644
--- a/terraform/anejo_example.tfvars
+++ b/terraform/anejo_example.tfvars
@@ -15,4 +15,8 @@ anejo_repo_bucket = ""
 ### Optional ###
-anejo_write_catalog_delay = ""
+anejo_distribution_aliases = []
+
+anejo_distribution_geo_restriction_whitelist = ["US", "CA", "GB", "DE"]
+
+anejo_write_catalog_delay = "300"
diff --git a/terraform/cloudfront.tf b/terraform/cloudfront.tf
new file mode 100644
index 0000000..f9aced8
--- /dev/null
+++ b/terraform/cloudfront.tf
@@ -0,0 +1,89 @@
+### Anejo – CloudFront Distribution ###
+
+
+locals {
+ anejo_s3_origin_id = "AnejoS3Origin"
+}
+
+
+
+resource "aws_cloudfront_origin_access_identity" "anejo_distribution_identity" {
+ comment = "Origin Access Identity for Anejo S3 bucket origin."
+}
+
+
+# CloudFront Distribution
+resource "aws_cloudfront_distribution" "anejo_distribution" {
+ origin {
+ domain_name = "${aws_s3_bucket.anejo_repo_bucket.bucket_regional_domain_name}"
+ origin_id = "${local.anejo_s3_origin_id}"
+ origin_path = "/html"
+
+ s3_origin_config {
+ origin_access_identity = "${aws_cloudfront_origin_access_identity.anejo_distribution_identity.cloudfront_access_identity_path}"
+ }
+ }
+
+ enabled = true
+ is_ipv6_enabled = true
+ comment = "Anejo CloudFront distribution"
+
+ logging_config {
+ include_cookies = false
+ bucket = "${aws_s3_bucket.anejo_repo_bucket.bucket_domain_name}",
+ prefix = "logs/distribution/"
+ }
+
+ aliases = "${var.anejo_distribution_aliases}"
+
+ default_cache_behavior {
+ allowed_methods = ["GET", "HEAD"]
+ cached_methods = ["GET", "HEAD"]
+ target_origin_id = "${local.anejo_s3_origin_id}"
+
+ forwarded_values {
+ query_string = false
+
+ cookies {
+ forward = "none"
+ }
+ }
+
+ viewer_protocol_policy = "allow-all"
+ min_ttl = 0
+ default_ttl = 3600
+ max_ttl = 86400
+ }
+
+ # Cache behavior for catalogs
+ ordered_cache_behavior {
+ path_pattern = "*.sucatalog"
+ allowed_methods = ["GET", "HEAD"]
+ cached_methods = ["GET", "HEAD"]
+ target_origin_id = "${local.anejo_s3_origin_id}"
+
+ forwarded_values {
+ query_string = false
+
+ cookies {
+ forward = "none"
+ }
+ }
+
+ viewer_protocol_policy = "allow-all"
+ min_ttl = 0
+ default_ttl = 600
+ max_ttl = 3600
+ }
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "whitelist"
+ locations = "${var.anejo_distribution_geo_restriction_whitelist}"
+ }
+ }
+
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ }
+}
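Review bot: Both cache behaviors set `viewer_protocol_policy = "allow-all"`, so the update catalogs and packages this distribution fronts can be fetched over plain HTTP even though `cloudfront_default_certificate = true` makes HTTPS available on the default domain; unless the softwareupdate clients this serves are known to require HTTP, `viewer_protocol_policy = "redirect-to-https"` on both behaviors is the safer default, and if HTTP must stay the reason belongs in a comment next to it. A second issue is pairing `aliases = "${var.anejo_distribution_aliases}"` with only the default certificate: CloudFront cannot present a certificate that validates a custom CNAME, and current API versions appear to reject aliases without an attached certificate covering them, so a non-empty alias list needs an ACM certificate in `viewer_certificate` rather than `cloudfront_default_certificate = true`. Minor: the trailing comma on `bucket = "${aws_s3_bucket.anejo_repo_bucket.bucket_domain_name}",` in `logging_config` is tolerated by the HCL1 parser but is a syntax error in Terraform 0.12+ and inconsistent with every other attribute in the file; drop it.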
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 3f0fe44..7145a6b 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -1,5 +1,7 @@
 ### Anejo – IAM Roles and Policies ###
+## IAM Roles ##
+
 # Anejo IAM Role
 resource "aws_iam_role" "anejo_iam_role" {
 name = "anejo-lambda-role"
@@ -23,6 +25,8 @@ EOF
 }
+## IAM Policies ##
+
 # IAM Policy – CloudWatch
 resource "aws_iam_role_policy" "anejo_cloudwatch_iam_policy" {
 name = "AnejoCloudWatchPolicy"
@@ -155,3 +159,29 @@ resource "aws_iam_role_policy" "anejo_sqs_iam_policy" {
 }
 EOF
 }
+
+
+## IAM Policy Documents ##
+
+# Anejo S3 Bucket Policy Document
+data "aws_iam_policy_document" "anejo_s3_bucket_policy_document" {
+ statement {
+ actions = ["s3:GetObject"]
+ resources = ["${aws_s3_bucket.anejo_repo_bucket.arn}/*"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["${aws_cloudfront_origin_access_identity.anejo_distribution_identity.iam_arn}"]
+ }
+ }
+
+ statement {
+ actions = ["s3:ListBucket"]
+ resources = ["${aws_s3_bucket.anejo_repo_bucket.arn}"]
+
+ principals {
+ type = "AWS"
+ identifiers = ["${aws_cloudfront_origin_access_identity.anejo_distribution_identity.iam_arn}"]
+ }
+ }
+}
diff --git a/terraform/main.tf b/terraform/main.tf
index eb62c33..cbefae6 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -27,6 +27,18 @@ variable "anejo_repo_bucket" {
 description = "S3 bucket for Anejo (Reposado)"
 }
+variable "anejo_distribution_aliases" {
+ type = "list"
+ description = "CNAME aliases for Anejo CloudFront distribution"
+ default = []
+}
+
+variable "anejo_distribution_geo_restriction_whitelist" {
+ type = "list"
+ description = "Geo restriction whitelist for Anejo CloudFront distribution"
+ default = ["US", "CA", "GB", "DE"]
+}
+
 variable "anejo_write_catalog_delay" {
 type = "string"
 description = "Time to delay rewriting catalogs"
diff --git a/terraform/s3.tf b/terraform/s3.tf
index ff5c203..622eacc 100644
--- a/terraform/s3.tf
+++ b/terraform/s3.tf
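Review bot: The `s3:GetObject` statement in `anejo_s3_bucket_policy_document` grants the origin access identity read on `${aws_s3_bucket.anejo_repo_bucket.arn}/*`, i.e. every key in the bucket, while the distribution in cloudfront.tf only serves from `origin_path = "/html"` and writes its own access logs (which carry client IP addresses) to `logs/distribution/` in the same bucket. CloudFront prefixes every origin request with the origin path, so viewers cannot currently reach the log prefix through the distribution, but the grant should still be scoped to what is actually served: `resources = ["${aws_s3_bucket.anejo_repo_bucket.arn}/html/*"]`. The `s3:ListBucket` statement exists so CloudFront can answer 404 instead of 403 for missing objects; if that distinction is not needed for the catalog clients, the second statement can be dropped to keep the OAI from enumerating the bucket, and either way a one-line comment stating why it is granted would help the next reader. The first two iam.tf hunks only add section headings and need nothing.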
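Review bot: The description of `anejo_distribution_geo_restriction_whitelist` does not say that the list feeds a `restriction_type = "whitelist"` block that is hard-coded in cloudfront.tf, so an operator who sets it to `[]` expecting to disable geo-blocking will instead configure a whitelist with no permitted locations; CloudFront appears to reject an empty whitelist, so this most likely surfaces as an apply error rather than a silent lockout, but that is worth confirming with the provider version in use. Suggested wording: `description = "Two-letter country codes allowed to reach the Anejo CloudFront distribution (geo_restriction whitelist; must not be empty)"`. The `anejo_distribution_aliases` description should similarly note that each entry needs a certificate covering it, since cloudfront.tf only configures the default CloudFront certificate.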
@@ -1,8 +1,15 @@
 ### Anejo – S3 Buckets ###
-# Repo S3 Bucket
+# Anejo Repo S3 Bucket
 resource "aws_s3_bucket" "anejo_repo_bucket" {
 bucket = "${var.anejo_repo_bucket}"
 acl = "private"
 force_destroy = true
 }
+
+
+# Anejo S3 Bucket Policy
+resource "aws_s3_bucket_policy" "anejo_s3_bucket_policy" {
+ bucket = "${aws_s3_bucket.anejo_repo_bucket.id}"
+ policy = "${data.aws_iam_policy_document.anejo_s3_bucket_policy_document.json}"
+}
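Review bot: The new `aws_s3_bucket_policy` only authorizes the origin access identity, but this same bucket is also the target of `logging_config` in cloudfront.tf, and CloudFront standard log delivery is authorized through a bucket ACL grant to the CloudFront log-delivery canonical user rather than through a bucket policy; with `acl = "private"` on `anejo_repo_bucket` (context above) and no such grant, expect the distribution apply to fail with an "does not enable ACL access" style error or for logs to go undelivered, though this should be confirmed against the provider version in use. Either grant the log-delivery user on the bucket ACL, or better, point `logging_config` at a separate bucket that is not a CloudFront origin so access logs never share a bucket with served content; whichever is chosen, a comment on the bucket resource such as `# also receives CloudFront access logs under logs/distribution/ — see cloudfront.tf` would make the dual role explicit.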