David Krohn for AWS Community Builders

Posted on May 31, 2021 • Originally published at globaldatanet.com on May 31, 2021

CloudFront Functions

A few weeks ago Amazon announced a new feature for Amazon CloudFront to run code in Edge Locations. But where is the difference between Lambda@Edge and CloudFront Functions?
CloudFront Functions are running in Edge locations whereas Lambda@Edge functions are executed in a regional edge cache (eg.: the AWS region closest to the CloudFront edge location reached by the client). Therefore CloudFront Functions are even closer to the client and are at the same time approximately 1/6th the price of Lambda@Edge.

Use Cases

Authorization: Implement authorization for the content delivered through CloudFront using Basic Authentication or by creating and validating user-generated tokens.

Redirects: Redirect users to a different URL - eg.: If you change to a new website structure you can redirect the user to the new URL.

Header Manipulation: Add, modify, or delete any of the request/response headers - eg.: foward the IP of the client using the Header to your origin.

CloudFront Functions versus Lambda@Edge

Features

Most important differences - if you need more information check this docs: Choosing between CloudFront Functions and Lambda@Edge.

	CloudFront Functions	Lambda@Edge
Execution location	CloudFront Edge Locations	CloudFront Regional Edge Caches
Programming languages	JavaScript (ECMAScript 5.1 compliant)	Python, Nodejs
Event sources	Viewer request Viewer response	Viewer request Viewer response Origin request Origin response
Memory	2 MB	128 MB (viewer triggers) – 10 GB (origin triggers)
Max size of Function	10 KB	1 MB (viewer request / response) 50 MB (origin request / response)
Max execution time	1 ms	5 seconds (viewer request / response) 30 seconds (origin request / response)
Access to geolocation and device data	✅	❌ (viewer request) ✅ (viewer response) ✅ (origin request) ✅ (origin response)
Access to the request body	❌	✅

Pricing example

Service	Price per Invocation	Price per Duration (for every GB-second)	Invocations	Duration	Allocated Memory	Total Cost
CloudFront Function	$0.1	-	2 Million	1ms	-	$2.0
Lambda@Edge	$0.6	$0,00005001	2 Million	10ms	128MB	$12.26

The prices were checked on 30.05.2021 from Lambda@Edge pricing and CloudFront Function pricing

Example template for Basic Auth with CloudFront Functions

Following you will find a CloudFront Function for Basic Auth - I am using it as a second layer of security for private CloudFront origins. For example I am generating exports of Jira content to S3 using a Lambda as a Backup. In Front of CloudFront I have a WAF to restrict to spefic IPs plus these CloudFront functions.

AWSTemplateFormatVersion: 2010-09-09
Description: Creates a Base CloudFront Function for Authentification
Metadata:
  Author:
    Description: David Krohn

Parameters:
  CloudFrountUsername:
    Description: Username CloudFront
    Type: String
  CloudFrountPassword:
    Description: Password CloudFront
    Type: String
    NoEcho: true
Ressources:
  CloudFrontFunctionBasicAuth:
    Type: AWS::CloudFront::Function
    Properties: 
      AutoPublish: true
      FunctionCode: !Sub |
        var USERS = {
            Website: [{
                username: '${CloudFrountUsername}',
                password: '${CloudFrountPassword}',
            }],
        };

        //Response when auth is not valid.
        var response401 = { 
            statusCode: 401,
            statusDescription: 'Unauthorized',
            headers: {
                'www-authenticate': {
                    value: 'Basic'
                },
            },
        };

        var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

        function btoa(input) {
            input = String(input);
            var bitmap, a, b, c,
                result = "",
                i = 0,
                rest = input.length % 3; // To determine the final padding

            for (; i < input.length;) {
                if ((a = input.charCodeAt(i++)) > 255 ||
                    (b = input.charCodeAt(i++)) > 255 ||
                    (c = input.charCodeAt(i++)) > 255)
                    throw new TypeError("Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.");

                bitmap = (a << 16) | (b << 8) | c;
                result += b64.charAt(bitmap >> 18 & 63) + b64.charAt(bitmap >> 12 & 63) +
                    b64.charAt(bitmap >> 6 & 63) + b64.charAt(bitmap & 63);
            }

            // If there's need of padding, replace the last 'A's with equal signs
            return rest ? result.slice(0, rest - 3) + "===".substring(rest) : result;
        }

        function handler(event) {
            var request = event.request;
            var headers = request.headers;

            var auth = request.headers.authorization && request.headers.authorization.value;


            var users = USERS['Website'];

            if (users) {
                if (!auth || !auth.startsWith('Basic ')) {
                    return response401;
                }
                if(!users.find(function(user) {

                        // Construct the Basic Auth string
                        var authString = 'Basic ' + btoa(user.username + ':' + user.password);

                        return authString === auth;
                    })) {
                    return response401;
                }
            }
            return request;
        }

      FunctionConfig:
        Comment: !Sub 'Basic Auth for S3 Bucket ${MyWebsiteBucket}'
        Runtime: cloudfront-js-1.0