DEV Community: Daniel Muller The latest articles on DEV Community by Daniel Muller (@danielmuller). https://dev.to/danielmuller https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F451538%2F5a712ac6-1d1b-457c-b9a0-576ac07449d4.jpeg DEV Community: Daniel Muller https://dev.to/danielmuller en Diving into Cloudfront Daniel Muller Fri, 17 Feb 2023 17:52:40 +0000 https://dev.to/aws-builders/diving-into-cloudfront-171h https://dev.to/aws-builders/diving-into-cloudfront-171h <p>Cloudfront can be simply defined as a CDN (Content Delivery Network), caching your static assets in a datacenter nearer to your viewers. But Cloudfront is a lot more complex and versatile than this simple definition.</p> <p>Cloudfront is a "pull" CDN, which means that you don't push your content to the CDN. The content is pulled into the CDN Edge from the origin at the first request of any piece of content.</p> <p>In addition to the traditional pull and cache usage, Cloudfront can also be used as:</p> <ul> <li>A Networking Router</li> <li>A Firewall</li> <li>A Web Server</li> <li>An Application Server</li> </ul> <h2> Why is using a CDN relevant? </h2> <p>The main reason is to improve the speed of delivery of static content. By caching the content on the CDN edge, you not only reduce the download time from a few seconds to a few milliseconds, but you also reduce the load and amount of requests on your backend (Network, IO, CPU, Memory, ...).</p> <p><em>Static content</em> can be defined as content not changing between two identical requests done in the same time frame.</p> <p>Identical can be as simple as the same URI, or as fine grained as down to the authentication header. The time frame can range between 1 second to 1 year.</p> <p>The most common case, is caching resources like Javascript or CSS and serving the same file to all users for ever. But caching a JSON response tailored to a user (Authentication header) for a few seconds reduces the backend calls when the user has the well known "frenetic browser reload syndrome".</p> <h2> Edges, Mid-Tier Caches and Origins </h2> <p>Cloudfront isn't "just" some servers in datacenters around the world. The service is a layered network of <em>Edge Locations</em> and <em>Regional Edge Caches</em> (or <em>Mid-Tier Caches</em>).</p> <p><em>Edge Locations</em> are distributed around the globe with more than 400 points of presence over 90 cities across 48 countries. Each <em>Edge Location</em> is connected to one of the 13 <em>Regional Edge Caches</em>.</p> <p><em>Regional Edge Caches</em> are transparent to you and your visitors, you can't configure them or access them directly. Your visitors will interact with the nearest <em>Edge Location</em>, which will connect to the attached <em>Regional Edge Cache</em> and finally to your origin. Therefore, in this article, we will refer to <em>Cloudfront</em> as the combination of <em>Edge Locations</em> and <em>Region Edge Caches</em>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--FV3VSrHT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ezt6bnb74x5khfhzlb05.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FV3VSrHT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ezt6bnb74x5khfhzlb05.png" alt="Cloudfront Edge Locations, Regional Edge Caches and Origins" width="880" height="619"></a></p> <p>Not only will the visitors benefit on download speed by retrieving content cached on the same <em>Edge Location</em>, but visitors in the same region using different <em>Edge Locations</em> will also benefit from the content cached at the <em>Regional Edge Cache</em> level by not having the need retrieve the content from the Origin.</p> <h2> Classic Pull and Cache Setup </h2> <p>Before diving into the deep end, let's refresh our memories with some of the basics of Cloudfront.</p> <p>Cloudfront can allow write actions (POST, PUT, DELETE) but they will never be cached. We will mainly focus on the read actions (GET, HEAD, OPTIONS).</p> <h3> Origin types </h3> <ul> <li>HTTP/HTTPS <ul> <li>S3 Website</li> <li>S3 Multi-Region Access Points</li> <li>API Gateway</li> <li>ALB</li> <li>Any HTTP Webserver</li> </ul> </li> <li>S3 <ul> <li>S3 API</li> </ul> </li> <li>Elemental Media Store Container</li> <li>Elemental Media Package Container</li> </ul> <h4> S3 Website or S3 API ? </h4> <p>Even if they look very similar, this two ways of accessing S3 are very different.</p> <ul> <li> <strong>S3 Website</strong>: <ul> <li>The bucket needs to be configured with website capabilities</li> <li>Origin Domain: <em>bucketName</em>.s3-website-<em>region</em>.amazonaws.com</li> <li>Configured as CustomOrigin</li> <li>Pros:</li> <li> <em>GET /foo/bar/</em> will serve <em>/foo/bar/index.html</em> </li> <li>Returns <em>404</em> on file not found (if <em>listBucket</em> is public)</li> <li>Cons:</li> <li>HTTP origin only</li> <li>Files in the bucket need to be public</li> <li>Files can be accessed by calling directly the S3-Website endpoint</li> </ul> </li> <li> <strong>S3 API</strong>: <ul> <li>Origin Domain: <em>bucketName</em>.s3.amazonaws.com (or <em>bucketName</em>.s3.<em>region</em>.amazonaws.com)</li> <li>Configured as S3Origin</li> <li>Pros:</li> <li>HTTPS origin only</li> <li>Files can be private and Cloudfront is granted access using <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/">OAC</a> </li> <li>Cons:</li> <li> <em>GET /foo/bar/</em> returns 403 and not <em>index.html</em> </li> </ul> </li> </ul> <p>In both cases, we can overcome some of the cons:</p> <ul> <li> <strong>S3 Website</strong>: <ul> <li>Spoofing the <em>referer</em> header on the origin call and using an S3 policy to enforce this header minimizes the possibility to access the bucket directly</li> </ul> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aH7927gr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/j9hdamnvvij2yfpczomu.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aH7927gr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/j9hdamnvvij2yfpczomu.png" alt="Custom Headers Configuration" width="880" height="619"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ```json { "Version": "2012-10-17", "Id": "Cloudfront", "Statement": [ { "Sid": "Cloudfront", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::myBucket/*", "Condition": { "StringLike": { "aws:Referer": "AAAAAA" } } } ] } ``` </code></pre> </div> <ul> <li> <strong>S3 API</strong>: <ul> <li>Using Lambda@Edge, we can rewrite the origin URI to serve index.html (more details below).</li> </ul> </li> </ul> <h4> S3 Multi-Region Access Points </h4> <p>Sadly you won't see it as a possible origin, you need to treat it as a custom HTTPS endpoint.</p> <p>To allow access to the origin you need to sign all the requests with <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">AWS Sig4</a> by yourself using Lambda@Edge.</p> <h4> Custom HTTP(S) origins </h4> <p>For any HTTP/HTTPS origin, you can configure how Cloudfront connects to it:</p> <ul> <li>Enforce HTTPS (or HTTP)</li> <li>Custom ports</li> <li>Timeouts</li> <li>Additional Headers</li> <li>...</li> </ul> <h3> Multiple Origins and Behaviors </h3> <p>Cloudfront can handle multiple origins. The routing is based on the request path and are configured as <em>behaviors</em>.</p> <p>Each <em>behavior</em> has it's own settings of origin to use and how to handle cache policies.</p> <p>It is not uncommon to have multiple behaviors sharing the same origin to adjust caching policies for different kind of content.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AEpMtI3_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7co69j3qiweh0c0q74zy.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AEpMtI3_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7co69j3qiweh0c0q74zy.png" alt="Combination of multiple backends and behaviors" width="709" height="194"></a></p> <h3> Custom Domain </h3> <p>Cloudfront will always attach their xxxxx.cloudfront.net domain to your distribution. But you have the possibility to use your own domain by defining one or more domain aliases.</p> <h3> SSL Termination </h3> <p>Cloudfront handles SSL terminations at the Edge. You can only attach a single SSL certificate. This certificate needs to list all domains used as aliases. Furthermore, your clients need to support SNI (all modern browser do), else you need to purchase dedicated IP addresses for your distribution.</p> <p>You need to provision the certificate in <em>us-east-1</em>, which is an annoyance when working with Cloudformation and deploying to another region.</p> <p>This allows to serve HTTPS traffic to your client, but connect using HTTP to the origin (S3 Website) or HTTPS on another domain (ALB, API Gateway).</p> <h3> Cache Policies and Cache Key </h3> <p>Caching is controlled using cache policies. Each behavior has a cache policy.</p> <p>The cache policy not only dictates what makes a content vary, but also sets the time an object should remain in cache and if the response should be compressed or not. Values defined as Cache Key are automatically transferred to the Origin.</p> <p>Cloudfront provides a set of pre-defined set of cache policies:</p> <ul> <li>CachingOptimized: Ideal for S3 backends <ul> <li>Headers, Cookies and Query String aren't taken into consideration</li> <li>Origin's Max-Age is used, defaults to 1 day</li> <li>Response is compressed</li> </ul> </li> <li>CachingDisabled: <ul> <li>Headers, Cookies and Query String aren't taken into consideration</li> <li>Origin's Max-Age is overwritten to 0 (no cache)</li> <li>Response is compressed</li> </ul> </li> <li>MediaPackage: Ideal for MediaPackage origin <ul> <li> <em>origin</em> Header is used to vary content</li> <li>Query String parameters <em>aws.manifestfilter</em>, <em>start</em>, <em>end</em>, <em>m</em> are used to vary content </li> <li>Cookies aren't taken into account</li> <li>Origin's Max-Age is used, defaults to 1 day</li> <li>Response is compressed</li> </ul> </li> </ul> <p>You can create your own depending on your needs, some examples:</p> <ul> <li>Visitor's Language: <ul> <li>Use the Browser's Header <em>Accept-Language</em> </li> </ul> </li> <li>Visitor's Country: <ul> <li>Use the Header generated by Cloudfront based on the visitor's IP: <em>CloudFront-Viewer-Country</em> </li> </ul> </li> <li>API with pagination: <ul> <li>Use the Query String Parameter <em>page</em> </li> </ul> </li> </ul> <p>Cache policies aren't linked to a specific distribution. You can re-use the same policy on different and unrelated distributions.</p> <h4> Max-Age and Cache-Control </h4> <p>Cloudfront will use the Origin's Max-Age (<em>Cache-Control</em>) if it is in the bounds of <em>min TTL</em> and <em>max TTL</em>.</p> <p>If the Origin's TTL is outside the defined bounds, cloudfront will overwrite it with <em>min TTL</em> or <em>max TTL</em>.</p> <p>If the Origin doesn't set any caching rule, the <em>Default TTL</em> value will be used.</p> <p>Cloudfront's behavior on TTL doesn't affect the clients behavior. The Cache-Control header from the Origin is sent unmodified to the client.</p> <p>Cloudfront might evict your object before the <em>Max-Age</em> is reached, specially if the object isn't requested often, but it won't never keep it longer than that value.</p> <p>The browser will also cache for the amount of <em>Max-Age</em>, to cache the object differently in Cloudfront, you can use a combination of <em>Max-Age</em> and <em>s-maxage</em>. Cloudfront will cache the object for a duration of <em>s-maxage</em> and the browser for a duration of <em>Max-Age</em>. This is useful when using <em>Cloudfront Functions</em> to validate access token, when you want the browser to re-validate access but without having to fetch the object from the Origin.</p> <p><em>Max-Age</em> isn't the only way to control cache, <em>Expires</em>. For more in-depth details on the usage of <em>Max-Age</em>, refer to Cloudfront's <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html">expiration documentation</a>.</p> <h2> Extending with edge functions </h2> <p>Cloudfront isn't limited at only a fetching and caching statically defined resources. It gives you the ability to modify requests and responses in-flight using functions deployed and executed at the edge.</p> <p>You are able to interact with the request/response in four different steps of the execution.</p> <ul> <li> <strong>viewer-request</strong>: <ul> <li>Triggered before the request reaches Cloudfront</li> <li>Access to the first 40 KB of the body</li> <li>A modified body can have a maximum size of 53.2 KB</li> <li>Executed on each request</li> <li>Generate a response and by-pass the Origin Request</li> <li>Use cases:</li> <li>Normalize headers</li> <li>Normalize query string</li> <li>Normalize cache keys</li> <li>Authorization</li> </ul> </li> <li> <strong>origin-request</strong>: <ul> <li>Triggered before Cloudfront calls the Origin</li> <li>Access to the first 1 MB of the body</li> <li>A modified body can have a maximum size of 1.33 MB</li> <li>Executed on cache miss only</li> <li>Generate a response and by-pass the Origin Request</li> <li>Use cases:</li> <li>Rewriting path or host</li> <li>Generate cached redirects</li> <li>Generate cached static responses</li> </ul> </li> <li> <strong>origin-response</strong>: <ul> <li>Triggered before Cloudfront received the Origin response</li> <li>No access to the body</li> <li>Body can be generated</li> <li>Executed on cache miss only</li> <li>Use cases:</li> <li>Add headers</li> <li>Change HTTP status</li> <li>Replace body with static content</li> </ul> </li> <li> <strong>viewer-response</strong>: <ul> <li>Triggered before Cloudfront sends the response to the client</li> <li>No access to the body</li> <li>Body can be generated</li> <li>Executed on each response</li> <li>Use cases:</li> <li>Add dynamic CORS headers</li> </ul> </li> </ul> <p>You have two solutions to interact with this requests/responses:</p> <ul> <li> <strong>Cloudfront Functions</strong>: <ul> <li>Executed on the Edge Location</li> <li>Access to <em>viewer-request</em> and <em>viewer-response</em> only</li> <li>Function can be deployed in any region. It's a Cloudfront Object</li> <li>Logs are stored in Cloudwatch Logs in <em>us-east-1</em> </li> <li>No access to body</li> <li>Geolocation Headers available</li> <li>Runtime: javascript (ES 5.1) with some restrictions:</li> <li>No custom ENV variables</li> <li>No module includes</li> <li>No timers</li> <li>No network access</li> <li>No File system access</li> <li> <em>Crypto</em> and <em>QueryString</em> modules are built-in</li> <li>Cost: $0.10 / 1M executions</li> <li>Use cases:</li> <li>Header normalization, manipulation</li> <li>Query String normalization</li> <li>Cache key generation</li> <li>Path rewrite</li> <li>Static Authorization</li> </ul> </li> <li> <strong>Lambda@Edge</strong>: <ul> <li>Executed at the Regional Edge Cache</li> <li>Access to all 4 events</li> <li>Function needs to be deployed to <em>us-east-1</em> as a Lambda Function</li> <li>Logs are stored in Cloudwatch Logs in the region of the Regional Edge Cache</li> <li>Limited access on request body</li> <li>5s timeout on viewer request/response</li> <li>30s timeout on origin request/response</li> <li>Geolocation Headers available</li> <li>Runtime: NodeJS or Python with some restrictions:</li> <li>No custom ENV variables</li> <li>No Lambda DLQ</li> <li>No VPC</li> <li>No Lambda Layers</li> <li>No Lambda Container Images</li> <li>Cost: $0.60 / 1M executions and additionally for the execution duration. </li> <li>Use cases:</li> <li>Authorization with oAuth endpoint</li> <li>Database query</li> <li>Body rewrite/validation</li> </ul> </li> </ul> <p>When to use which depends on the use case. If you don't need to access network resources, Cloudfront Functions is the right choice. Even if they are executed on each request (viewer-request), you would need a very good hit ratio to get cheaper executions with Lambda@Edge (when executed only on cache miss on origin-request).</p> <p>Furthermore, the need to deploy Lambda@Edge to <em>us-east-1</em> makes it a cumbersome task when you want to define your stack in a single Cloudformation template deployed to any other region than <em>us-east-1</em>.</p> <p>If you need to access network resources or need more memory and time to execute your code, then Lambda@Edge is the right choice.</p> <p>If neither of this solutions works for you, you still can deploy Lambda and access it via API Gateway or Lambda function URL deployed in one or multiple regions and cache the result in Cloudfront.</p> <h3> Event structure </h3> <p>Events for Lambda@Edge or Cloudfront Functions differ in some parts, mainly how headers are represented.</p> <h4> Viewer Request </h4> <p><strong>Lambda@Edge</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cf"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer-request"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User-Agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.66.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"accept"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"accept"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Cloudfront Function</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer-request"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.85.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"accept"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cookies"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Origin Request </h4> <p><strong>Lambda@Edge</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cf"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"origin-request"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"x-forwarded-for"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Forwarded-For"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User-Agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Amazon CloudFront"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"via"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Via"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0 2afae0d44e2540f472c0635ab62c232b.cloudfront.net (CloudFront)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example.org"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"cache-control"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cache-Control"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-cache, cf-no-cache"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"origin"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"custom"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"customHeaders"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"domainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example.org"</span><span class="p">,</span><span class="w"> </span><span class="nl">"keepaliveTimeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readTimeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"sslProtocols"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"TLSv1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"TLSv1.1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"TLSv1.2"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Origin Response </h4> <p><strong>Lambda@Edge</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cf"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"origin-response"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"x-forwarded-for"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Forwarded-For"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User-Agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Amazon CloudFront"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"via"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Via"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0 8f22423015641505b8c857a37450d6c0.cloudfront.net (CloudFront)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example.org"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"cache-control"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Cache-Control"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-cache, cf-no-cache"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"origin"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"custom"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"customHeaders"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"domainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"example.org"</span><span class="p">,</span><span class="w"> </span><span class="nl">"keepaliveTimeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">443</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readTimeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"sslProtocols"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"TLSv1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"TLSv1.1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"TLSv1.2"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"response"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access-control-allow-credentials"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Access-Control-Allow-Credentials"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"access-control-allow-origin"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Access-Control-Allow-Origin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"date"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Date"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mon, 13 Jan 2020 20:12:38 GMT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"referrer-policy"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Referrer-Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-referrer-when-downgrade"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Server"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ExampleCustomOriginServer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-content-type-options"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Content-Type-Options"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nosniff"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-frame-options"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Frame-Options"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DENY"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-xss-protection"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-XSS-Protection"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1; mode=block"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"content-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Content-Type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"text/html; charset=utf-8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"content-length"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Content-Length"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9593"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"statusDescription"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OK"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h4> Viewer Response </h4> <p><strong>Lambda@Edge</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Records"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cf"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer-response"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4TyzHTaYWb1GX1qTfsHhEqV6HUDd_BzoBZnwfnvQc_1oF26ClkoUSEQ=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Host"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User-Agent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.66.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"accept"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"accept"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"response"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access-control-allow-credentials"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Access-Control-Allow-Credentials"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"access-control-allow-origin"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Access-Control-Allow-Origin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"date"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Date"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mon, 13 Jan 2020 20:14:56 GMT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"referrer-policy"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Referrer-Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"no-referrer-when-downgrade"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Server"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ExampleCustomOriginServer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-content-type-options"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Content-Type-Options"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nosniff"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-frame-options"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-Frame-Options"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DENY"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"x-xss-protection"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X-XSS-Protection"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1; mode=block"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"age"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Age"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2402"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"content-type"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Content-Type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"text/html; charset=utf-8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"content-length"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Content-Length"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9593"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"statusDescription"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OK"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Cloudfront Function</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"distributionDomainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="p">,</span><span class="w"> </span><span class="nl">"distributionId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EDFDVBD6EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"viewer-response"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MmxS5hbDhc9VyOIqzmYksKesOj6n_54ycCBX4XCS5-w7OJJ5wloOAA=="</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"viewer"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.178"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"request"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"querystring"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"d111111abcdef8.cloudfront.net"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"curl/7.85.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"accept"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cookies"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"response"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"statusDescription"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OK"</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"date"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Fri, 25 Nov 2022 12:33:42 GMT"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"last-modified"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Fri, 25 Nov 2022 12:31:12 GMT"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"etag"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"</span><span class="se">\"</span><span class="s2">b9c2e628c3ffe65db36c4d92c9aebbb3</span><span class="se">\"</span><span class="s2">"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"accept-ranges"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bytes"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AmazonS3"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"via"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.1 dfeaaa9951aa7df30bdb3dfb8a94470a.cloudfront.net (CloudFront)"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"age"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"82"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"content-type"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"text/html"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"content-length"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"109"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cookies"</span><span class="p">:</span><span class="w"> </span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Less conventional usages </h2> <h3> Networking Router </h3> <p>Even if you don't need the caching functionalities of Cloudfront (POST requests or disabling cache on GET), you can still use Cloudfront to act as a Networking Router, by sending your visitor traffic to the nearest edge. From the edge to the origin, the performant AWS Backbone will be used instead of your ISP's peering.</p> <p>By using multiples behaviors, you can route your traffic to different backends that don't need to be in the same region or even inside AWS.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--i4dVhCQh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yzk1iwh8849vik7yhyoj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--i4dVhCQh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yzk1iwh8849vik7yhyoj.png" alt="Leveraging the AWS Backbone over the ISP's Peering" width="880" height="445"></a></p> <p>As an example, <a href="https://aws.amazon.com/s3/transfer-acceleration/">S3 Transfer Acceleration</a> uses Cloudfront as the endpoint, forcing the networking path to the nearest Edge Location and leveraging the AWS backbone to reach the bucket.</p> <h3> Firewall </h3> <p>In addition to use <a href="https://aws.amazon.com/waf/">AWS WAF</a> with Cloudfront to protect your Origin application, Cloudfront also provides a default DDOS protection. You can also deny access to visitors from specific countries.</p> <p>By adding <a href="https://aws.amazon.com/about-aws/whats-new/2020/10/announcing-amazon-cloudfront-origin-shield/">Origin Shield</a>, you add an additional layer of caching between Cloudfront and your Origin, reducing the need for Cloudfront to retrieve content from your Origin. This helps to reduce the load on your origin and improves the CDN hit ratio (and therefore download speed) for your visitors.</p> <h3> Application Server </h3> <p>By using Lambda@Edge functions, you can directly query databases like DynamoDB and apply business logic to it, without needing any Origin (you still need to configure a dummy one, Cloudfront doesn't allow you to be Origin-less).</p> <p>Combining this with <a href="https://aws.amazon.com/dynamodb/global-tables/">DynamoDB Global Tables</a>, you can always query a table near your edge, making your application performant and reliable.</p> <h3> Web Server </h3> <p>As seen through all the examples mentioned in this article, Cloudfront can be seen as "just" an HTTP server in front of your application.</p> <p>Using functions (or Lambda@Edge) you can return redirections or static content without the need of any backend.</p> <p>By using multiples behaviors, you can route your traffic to different types backends.</p> <h2> Real World Use Cases </h2> <p>You can find the template used for the below examples on <a href="https://github.com/serverless-guru/templates/tree/master/cloudfront-samples">Github</a>.</p> <p>The template provides a distribution with different backends:</p> <ul> <li>S3 Website <ul> <li>/blog/*</li> <li>/private/*</li> </ul> </li> <li>S3 API <ul> <li>/assets/*</li> <li>/html/*</li> <li>/airport/*</li> </ul> </li> <li>API Gateway <ul> <li>/*</li> </ul> </li> </ul> <h3> Cache based on visitor's country </h3> <ul> <li>Backend: Api Gateway + Lambda</li> <li>Edge function: None</li> <li>Policy: Whitelist <em>cloudfront-viewer-country</em> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudFront::CachePolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CachePolicyConfig</span><span class="pi">:</span> <span class="na">DefaultTTL</span><span class="pi">:</span> <span class="m">10</span> <span class="na">MinTTL</span><span class="pi">:</span> <span class="m">0</span> <span class="na">MaxTTL</span><span class="pi">:</span> <span class="m">3600</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">Country</span> <span class="na">ParametersInCacheKeyAndForwardedToOrigin</span><span class="pi">:</span> <span class="na">CookiesConfig</span><span class="pi">:</span> <span class="na">CookieBehavior</span><span class="pi">:</span> <span class="s">none</span> <span class="na">EnableAcceptEncodingBrotli</span><span class="pi">:</span> <span class="no">true</span> <span class="na">EnableAcceptEncodingGzip</span><span class="pi">:</span> <span class="no">true</span> <span class="na">HeadersConfig</span><span class="pi">:</span> <span class="na">HeaderBehavior</span><span class="pi">:</span> <span class="s">whitelist</span> <span class="na">Headers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cloudfront-viewer-country</span> <span class="na">QueryStringsConfig</span><span class="pi">:</span> <span class="na">QueryStringBehavior</span><span class="pi">:</span> <span class="s">none</span> </code></pre> </div> <p><strong>Request</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="s1">'https://d3h57w0cnyb350.cloudfront.net/country'</span> <span class="o">&gt;</span> GET /country HTTP/2 <span class="o">&gt;</span> Host: d3h57w0cnyb350.cloudfront.net <span class="o">&gt;</span> user-agent: curl/7.85.0 <span class="o">&gt;</span> accept: <span class="k">*</span>/<span class="k">*</span> &lt; HTTP/2 200 &lt; content-type: application/json &lt; content-length: 2 &lt; <span class="nb">date</span>: Tue, 06 Dec 2022 17:58:23 GMT &lt; x-amz-cf-pop: LIS50-C1 </code></pre> </div> <p><strong>Lambda Event</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"routeKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET /country"</span><span class="p">,</span><span class="w"> </span><span class="nl">"rawPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/country"</span><span class="p">,</span><span class="w"> </span><span class="nl">"rawQueryString"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="nl">"headers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"accept-encoding"</span><span class="p">:</span><span class="w"> </span><span class="s2">"br,gzip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cloudfront-viewer-country"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"content-length"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wvo7t33pz3.execute-api.eu-central-1.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user-agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Amazon CloudFront"</span><span class="p">,</span><span class="w"> </span><span class="nl">"via"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2.0 592fdb72142153f4ac204b48e22d9036.cloudfront.net (CloudFront)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x-amz-cf-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"kz-vrWiS6p5lg9ZjGRCY7Xuwg2gmr5utkrJLaU62Leol8ApRIzL4nw=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"x-amzn-trace-id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Root=1-638f8250-33b4ecae5ea02e382b6d5d8b"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x-forwarded-for"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X.X.X.X"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x-forwarded-port"</span><span class="p">:</span><span class="w"> </span><span class="s2">"443"</span><span class="p">,</span><span class="w"> </span><span class="nl">"x-forwarded-proto"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestContext"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"accountId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"688589788262"</span><span class="p">,</span><span class="w"> </span><span class="nl">"apiId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wvo7t33pz3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"domainName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wvo7t33pz3.execute-api.eu-central-1.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"domainPrefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"wvo7t33pz3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"http"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/country"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP/1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"X.X.X.X"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Amazon CloudFront"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cvFMihZBliAEPSw="</span><span class="p">,</span><span class="w"> </span><span class="nl">"routeKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET /country"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$default"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"06/Dec/2022:17:56:32 +0000"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeEpoch"</span><span class="p">:</span><span class="w"> </span><span class="mi">1670349392038</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"isBase64Encoded"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Rewrite URI to serve index.html </h3> <p>Nobody wants to type <code>/index.html</code> when calling a URL. Apache, Nginx and S3-Website are loading <code>index.html</code> automatically when no document is passed in the URI. When using an S3-API backend we need to provide this functionality ourselves. Cloudfront is only able to load <code>index.html</code> at the root, which is generally enough for an SPA but not for a static generated site.</p> <h4> S3-Website </h4> <ul> <li>Backend: S3-Website</li> <li>Edge function: None</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>Request</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="s1">'https://d3h57w0cnyb350.cloudfront.net/blog/articles/'</span> &lt; HTTP/2 200 &lt; content-type: text/html </code></pre> </div> <p><code>index.html</code> is returned, the backend is an S3-Website and has the logic to serve index.html when document name is provided.</p> <h4> S3-API without function </h4> <ul> <li>Backend: S3-API</li> <li>Edge function: None</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>Request</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="s1">'https://d3h57w0cnyb350.cloudfront.net/assets/articles/'</span> &lt; HTTP/2 403 &lt; content-type: application/xml </code></pre> </div> <p>An error is returned. The document <code>/assets/articles/</code> doesn't exist in S3.</p> <h4> S3-API with function </h4> <ul> <li>Backend: S3-API</li> <li>Edge function: viewer-request Cloudfront Function</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>function</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">handler</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span> <span class="kd">var</span> <span class="nx">uri</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="k">if</span> <span class="p">(</span><span class="nx">uri</span><span class="p">.</span><span class="nx">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">index.html</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">uri</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">/index.html</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">request</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Request</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="s1">'https://d3h57w0cnyb350.cloudfront.net/html/articles/'</span> &lt; HTTP/2 200 &lt; content-type: text/html </code></pre> </div> <p><code>index.html</code> is returned, we rewrite the incoming URI to append <code>index.html</code> to the request so that an existing key can be fetched from S3.</p> <h3> Serve localized content </h3> <p>Using the browser's <code>accept-language</code> header, we are returning the content in the language requested by the viewer. The URL is the same regardless of the language, but needs to be cached according to this language. Since this header can have multiple variations, we normalize it to increase our hit ratio.</p> <ul> <li>Backend: S3-API</li> <li>Edge function: viewer-request Cloudfront Function</li> <li>Policy: Whitelist <em>x-locale</em> </li> </ul> <p><strong>function</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">handler</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="cm">/* * Rewrite URI to serve index.html when missing **/</span> <span class="kd">var</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span> <span class="k">if</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">.</span><span class="nx">endsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">index.html</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">/index.html</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/* * Set default locale **/</span> <span class="kd">var</span> <span class="nx">locale</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">en</span><span class="dl">'</span> <span class="kd">var</span> <span class="nx">translations</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">fr</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">de</span><span class="dl">'</span><span class="p">]</span> <span class="cm">/* * Parse accept-language and extract the first value for simplicity * We should use all languages and use the first for which we have a translation **/</span> <span class="k">if</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">accept-language</span><span class="dl">'</span><span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">accept-language</span><span class="dl">'</span><span class="p">].</span><span class="nx">value</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">language</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">accept-language</span><span class="dl">'</span><span class="p">].</span><span class="nx">value</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">;</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nx">substring</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="mi">2</span><span class="p">).</span><span class="nx">toLowerCase</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="nx">translations</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="nx">language</span><span class="p">)</span> <span class="o">&gt;</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="nx">locale</span> <span class="o">=</span> <span class="nx">language</span> <span class="p">}</span> <span class="p">}</span> <span class="cm">/* * Create an x-locale header to be used as part of the cache key **/</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-locale</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">locale</span> <span class="p">}</span> <span class="cm">/** * Rewrite the URI */</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">locale/</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`locale/</span><span class="p">${</span><span class="nx">locale</span><span class="p">}</span><span class="s2">/`</span><span class="p">)</span> <span class="k">return</span> <span class="nx">request</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Default (English)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://d3h57w0cnyb350.cloudfront.net/html/locale/ &lt; x-cache: Miss from cloudfront </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>English<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>English content<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong>French</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Accept-Language: fr"</span> https://d3h57w0cnyb350.cloudfront.net/html/locale/ &lt; x-cache: Miss from cloudfront </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>French<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>French content<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong>Swiss-French</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Accept-Language: fr-CH"</span> https://d3h57w0cnyb350.cloudfront.net/html/locale/ &lt; x-cache: Hit from cloudfront </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>French<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>French content<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Even with a different <code>Accept-Language</code> header, the call for <em>fr-CH</em> is a Hit. Both languages are normalized to <em>fr</em>.</p> <h3> Protect with password </h3> <p>To showcase how password protection work, we will use "Basic Authentication". In a more realistic setup, we would use a <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-validate-token.html">JWT token validation</a>. In both cases, the authorization is stored inside the function's code. If this is a security concern, you would need to use a Lambda@Edge function and validate the token by calling the Authorization service.</p> <ul> <li>Backend: S3-Website</li> <li>Edge function: viewer-request Cloudfront Function</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>function</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nx">handler</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">authHeaders</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span> <span class="cm">/** * Authorization string is sent by the browser as base64Encode(username:password). * base64Encode('private:private')='cHJpdmF0ZTpwcml2YXRl' */</span> <span class="kd">var</span> <span class="nx">expected</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">Basic cHJpdmF0ZTpwcml2YXRl</span><span class="dl">"</span> <span class="k">if</span> <span class="p">(</span><span class="nx">authHeaders</span> <span class="o">&amp;&amp;</span> <span class="nx">authHeaders</span><span class="p">.</span><span class="nx">value</span> <span class="o">===</span> <span class="nx">expected</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span> <span class="p">}</span> <span class="kd">var</span> <span class="nx">response</span> <span class="o">=</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">statusDescription</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unauthorized</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">www-authenticate</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Basic realm='Enter your credentials'</span><span class="dl">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> </code></pre> </div> <p>With a valid authentication, the request is returned, instructing Cloudfront to continue by sending the request to the Origin.</p> <p>Without any valid authentication, a response is returned, instructing Cloudfront to not call the Origin and directly return the response to the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> https://d3h57w0cnyb350.cloudfront.net/private/ &lt; HTTP/2 401 &lt; www-authenticate: Basic <span class="nv">realm</span><span class="o">=</span><span class="s1">'Enter your credentials'</span> &lt; x-cache: FunctionGeneratedResponse from cloudfront curl <span class="nt">-v</span> https://private:private@d3h57w0cnyb350.cloudfront.net/private/ <span class="o">&gt;</span> authorization: Basic cHJpdmF0ZTpwcml2YXRl &lt; HTTP/2 200 &lt; content-type: text/html </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Private<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;h1&gt;</span>Private Content<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> Fetch content from DynamoDB </h3> <p>We use a Lambda@Edge function on the <em>origin-request</em> event. We fetch data from a DynamoDB Table and return the result, bypassing the request to the Origin.</p> <p>By using <em>origin-request</em>, we can cache the response in Cloudfront and trigger the function only when the result isn't already cached in Cloudfront.</p> <ul> <li>Backend: Any (not used but must be provided)</li> <li>Edge function: origin-request Lambda@Edge</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>function</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CloudFrontRequestEvent</span><span class="p">,</span> <span class="nx">CloudFrontResponseResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">aws</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">https</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">https</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">documentClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">DynamoDB</span><span class="p">.</span><span class="nx">DocumentClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">eu-central-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">httpOptions</span><span class="p">:</span> <span class="p">{</span> <span class="na">agent</span><span class="p">:</span> <span class="k">new</span> <span class="nx">https</span><span class="p">.</span><span class="nx">Agent</span><span class="p">({</span> <span class="na">keepAlive</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">:</span> <span class="nx">CloudFrontRequestEvent</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CloudFrontResponseResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cf</span><span class="p">.</span><span class="nx">request</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">).</span><span class="nx">slice</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">documentClient</span> <span class="p">.</span><span class="kd">get</span><span class="p">({</span> <span class="na">TableName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">demoContent</span><span class="dl">'</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nx">promise</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="p">(</span><span class="nx">data</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">Item</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">Item</span><span class="p">.</span><span class="nx">name</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">notFound</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">200</span><span class="dl">'</span><span class="p">,</span> <span class="na">statusDescription</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OK</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">Item</span><span class="p">),</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=120</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">notFound</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">notFound</span> <span class="o">=</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">404</span><span class="dl">'</span><span class="p">,</span> <span class="na">statusDescription</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Not Found</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=10</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Object Not Found</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-v</span> <span class="s2">"https://d3h57w0cnyb350.cloudfront.net/airport/gva"</span> &lt; x-cache: Miss from cloudfront curl <span class="nt">-v</span> <span class="s2">"https://d3h57w0cnyb350.cloudfront.net/airport/gva"</span> &lt; x-cache: Hit from cloudfront </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"city"</span><span class="p">:</span><span class="s2">"Geneva"</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="s2">"gva"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="s2">"Geneva International Airport"</span><span class="p">,</span><span class="w"> </span><span class="nl">"country"</span><span class="p">:</span><span class="s2">"Switzerland"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Serve alternate content in case of error </h3> <p>When the Origin is unreachable, overloaded or simply unable to handle the request, instead of showing the error to the client we redirect him to an alternate site.</p> <ul> <li>Backend: Any</li> <li>Edge function: origin-response Lambda@Edge</li> <li>Policy: managed-cacheOptimized</li> </ul> <p><strong>function</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">CloudFrontResponseEvent</span><span class="p">,</span> <span class="nx">CloudFrontResponseResult</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-lambda</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span> <span class="nx">event</span><span class="p">:</span> <span class="nx">CloudFrontResponseEvent</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CloudFrontResponseResult</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cf</span><span class="p">.</span><span class="nx">response</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cf</span><span class="p">.</span><span class="nx">request</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">status</span> <span class="o">=</span> <span class="nb">parseInt</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">status</span> <span class="o">&gt;=</span> <span class="mi">400</span> <span class="o">&amp;&amp;</span> <span class="nx">status</span> <span class="o">&lt;=</span> <span class="mi">599</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">redirect</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">response</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// eslint-disable-next-line no-console</span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">e</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">redirect</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">uri</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">redirect</span> <span class="o">=</span> <span class="p">(</span><span class="nx">uri</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">CloudFrontResponseResult</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">307</span><span class="dl">'</span><span class="p">,</span> <span class="na">statusDescription</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Temporary Redirect</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="s2">`https://alt.example.com</span><span class="p">${</span><span class="nx">uri</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> What have we learnt? </h2> <ul> <li>Cloudfront is more than just a simple "pull-cache-serve" service</li> <li>You improve delivery speed to your visitors</li> <li>You can increase resilience by always using a healthy backend</li> <li>You improve overall speed to your backend by leveraging AWS's backbone</li> <li>You can modify any request to tailor the response to your visitor's device or region</li> <li>You don't always need a backend</li> <li>You protect your backend by reducing the amount of calls reaching it</li> </ul> aws cdn cloudfront Convert and distribute your videos with AWS Elemental Daniel Muller Wed, 01 Feb 2023 09:52:19 +0000 https://dev.to/aws-builders/convert-and-distribute-your-videos-with-aws-elemental-2c95 https://dev.to/aws-builders/convert-and-distribute-your-videos-with-aws-elemental-2c95 <p>You are in possession of some videos that you want to distribute or share.</p> <p>Your use case could be as simple as needing to share a lower resolution of a video taken on your smartphone or camera. Or your use case could be as complex as sharing production-quality copies of the latest movie you are producing.</p> <p>For both cases you can use Serverless Cloud Products to address your needs. <a href="https://aws.amazon.com/mediaconvert/" rel="noopener noreferrer">AWS Elemental MediaConvert</a>, one of the Media tools from the <a href="https://www.elemental.com/" rel="noopener noreferrer">AWS Elemental</a> family, will allow you to solve your problem.</p> <p>Or perhaps, you want to distribute your content to viewers around the globe allowing them to watch on any device? Then you can use another Serverless Cloud Product from the AWS Elemental family: <a href="https://aws.amazon.com/mediapackage/" rel="noopener noreferrer">AWS Elemental MediaPackage</a>.</p> <h2> Services used </h2> <p>Video files are complex. You need to worry about image and audio, which means you need to worry about container, codecs, bitrate, pixel aspect ratio and more.</p> <h3> MediaConvert </h3> <p>MediaConvert allows you to transcode file-based content. This means you can transform a video file into a different format and size.</p> <p>But MediaConvert is more that just transformation. We won't get into details of all functionalities in this article, but here are some noticeable features:</p> <ul> <li>Watermarking</li> <li>Graphic overlay (static or motion)</li> <li>Select parts (time or size) of an Input</li> <li>Rotation</li> <li>Deinterlacing</li> <li>...</li> </ul> <h3> MediaPackage </h3> <p>AWS Elemental MediaPackage is a Just-In-Time (JIT) media packager for your existing assets. It will generate the relevant manifest for a group of video sources.</p> <p>It not only allows you to define multiple qualities of the same video, but allows to add multiple audio sources and different video sources like camera angles.</p> <p>For our use case, we are only interested in providing different qualities of the same content and only a single audio track.</p> <p>MediaPackage uses the formats created by MediaConvert and generates on the fly a manifest either in HLS or in Dash to be consumed by the player.</p> <h2> Simple Use case: Reduce and Convert for mobile sharing </h2> <p>You created a FHD (1920x1080) video with your camera. You camera creates movies in uncompressed QuickTime format. Most of the devices won't be able to read this format unless they have the right codecs installed.</p> <p>To allow recipients to play your video, you need to convert it to an MP4 container and the H.264 codec (de facto standard for Web distribution). You will also want to improve the download speed.</p> <ul> <li>Upload your source file to S3</li> <li>Trigger a MediaConvert job using this file <ul> <li>Convert to an MP4 Container</li> <li>Convert to H.264 codec</li> <li>Reduce the size to 1280x720</li> </ul> </li> </ul> <h3> Result </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Source file</th> <th>Converted file</th> <th>Converted file</th> </tr> </thead> <tbody> <tr> <td>Container</td> <td>QuickTime</td> <td>MP4</td> <td>MP4</td> </tr> <tr> <td>Codec</td> <td>H.264</td> <td>H.264</td> <td>H.264</td> </tr> <tr> <td>Dimensions</td> <td>1920x1080</td> <td>1920x1080</td> <td>1280x720</td> </tr> <tr> <td>Duration</td> <td>28s</td> <td>28s</td> <td>28s</td> </tr> <tr> <td>Size</td> <td>37 MB</td> <td>21.7 MB</td> <td>12.9 MB</td> </tr> <tr> <td>Bitrate</td> <td>10836 kb/s</td> <td>6429 kb/s</td> <td>3835 kb/s</td> </tr> </tbody> </table></div> <p>Both outputs were created in a single MediaConvert job that took 17 seconds.</p> <h2> More complex use case: Create content for web distribution </h2> <p>In this use case, we want to distribute a 4K (3840x2160) 90 minutes movie. We want our viewer to enjoy our content on any type of screen: from small smartphones to big TV screens.</p> <p>We also want them to enjoy it regardless of their network connectivity.</p> <p>We need to be bandwidth conscious and not ship more than the viewer can consume.</p> <p>MP4 container and H.264 Codec is a combination that can be viewed by most media players (smartphones, TV, Set-top boxes, Gaming devices, ...). We will use this format to distribute our content.</p> <h3> Screen size consideration </h3> <p>We pre-render our content to adapt to our viewers screen size. Reducing the dimensions also allows us to reduce the bandwith needed.</p> <p>Unless mentioned, we will use H.264 and the source frame rate.</p> <ul> <li>SD: 480 x 270, 400kbps, 15fps</li> <li>SD: 640 x 360, 700kbps</li> <li>SD: 854 x 480, 1Mbps</li> <li>HD: 1280 x 720, 3.5Mbps</li> <li>FHD: 1920 x 1080, 6Mbps</li> <li>4K: 3840 x 2160, 20Mbps, H.265</li> </ul> <h3> Segmented videos: HLS and Dash </h3> <p>If we distribute a single file, the client would be stuck on a single quality. Without tweaks on the player side, the client would download the whole file, even the parts that aren't watched.</p> <p>To allow a streaming-like experience, we will use a distribution format named <a href="https://en.wikipedia.org/wiki/HTTP_Live_Streaming" rel="noopener noreferrer">HLS</a> (HTTP Live Streaming) and <a href="https://dashif.org/" rel="noopener noreferrer">Dash</a>.</p> <p>Both format are very similar in the concept, but the choice of their usage depends on the players OS. For simplification, one could say that HLS is for Apple devices and Dash for others, but in reality it's slightly more complex.</p> <p>The idea behind theses formats, is to split the movie in little chunks of a few seconds and define the structure through a manifest file.</p> <p>By doing this, the player will download little chunks of content in the dimensions appropriate for the screen and the available bandwidth. By downloading only a few segments ahead of the current timestamp, it will use only the bandwidth needed for what is really watched and adapt playback on the current conditions of the player (phone rotated, window resized, bandwidth alterations, ...).</p> <p>By leveraging HTTP as a delivery mechanism, we not only rely on an universally approved protocol but also allow caching at the CDN level, improving distribution around the globe.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5zvskkka20rtdbn5yzob.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5zvskkka20rtdbn5yzob.png" width="604" height="534"></a><br>HLS manifests and video files </p> <h3> Generate HLS and Dash Segments </h3> <p>MediaConvert can generate segmented videos and store them to S3. But with everything generated statically once, you loose flexibility. There a multiple reasons you want to have a more dynamic way to generate your manifests:</p> <ul> <li>Removing some renditions on client attributes: paid tiers, legal constraints in some countries</li> <li>Ordering of renditions: Improve start time for some players</li> <li>Cost of storing never accessed renditions</li> <li>DRM protection</li> <li>Additional audio or video tracks</li> </ul> <h2> The solution </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuocouonqjqb8fbvngz6l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuocouonqjqb8fbvngz6l.png" width="800" height="884"></a><br>Serverless stack: Build renditions and distribution of large video files </p> <h3> Configuration </h3> <h4> MediaConvert outputs </h4> <p><strong>Audio</strong>: AAC, 160kbps, 48kHz<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"AudioDescriptions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AudioSourceName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Audio Selector 1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AudioType"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"AudioTypeControl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"FOLLOW_INPUT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Codec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AAC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodecSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AacSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AudioDescriptionBroadcasterMix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NORMAL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">160000</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodecProfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodingMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CODING_MODE_2_0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RateControlMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CBR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RawFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NONE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SampleRate"</span><span class="p">:</span><span class="w"> </span><span class="mi">48000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Specification"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MPEG4"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"LanguageCodeControl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"FOLLOW_INPUT"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><strong>Video</strong>: MP4, H.264/H.265, Quality based bitrate</p> <p>Bitrate and dimensions are replaced for each output quality.</p> <p>The GOPSize of 2 seconds is important, this allows to "cut" the MP4 on key frames every multiple of 2 seconds, providing a fast and safe way to generate segments from the source file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ContainerSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Container"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MP4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Mp4Settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"CslgAtom"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INCLUDE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FreeSpaceBox"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EXCLUDE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MoovPlacement"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PROGRESSIVE_DOWNLOAD"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"VideoDescription"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AfdSignaling"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NONE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AntiAlias"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">1080</span><span class="p">,</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">1920</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodecSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Codec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"H_264"</span><span class="p">,</span><span class="w"> </span><span class="nl">"H264Settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AdaptiveQuantization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HIGH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodecLevel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_4_2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"CodecProfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HIGH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"EntropyEncoding"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CABAC"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FieldEncoding"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PAFF"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FlickerAdaptiveQuantization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FramerateControl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SPECIFIED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FramerateConversionAlgorithm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DUPLICATE_DROP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"FramerateDenominator"</span><span class="p">:</span><span class="w"> </span><span class="mi">1001</span><span class="p">,</span><span class="w"> </span><span class="nl">"FramerateNumerator"</span><span class="p">:</span><span class="w"> </span><span class="mi">30000</span><span class="p">,</span><span class="w"> </span><span class="nl">"GopBReference"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DISABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"GopClosedCadence"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"GopSize"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"GopSizeUnits"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SECONDS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"HrdBufferInitialFillPercentage"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="p">,</span><span class="w"> </span><span class="nl">"HrdBufferSize"</span><span class="p">:</span><span class="w"> </span><span class="mi">12000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"InterlaceMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PROGRESSIVE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"MaxBitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">6000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"MinIInterval"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"NumberBFramesBetweenReferenceFrames"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"NumberReferenceFrames"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"ParControl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SPECIFIED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ParDenominator"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"ParNumerator"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"QualityTuningLevel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SINGLE_PASS_HQ"</span><span class="p">,</span><span class="w"> </span><span class="nl">"QvbrSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"QvbrQualityLevel"</span><span class="p">:</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"RateControlMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QVBR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RepeatPps"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DISABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"SceneChangeDetect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Slices"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"SlowPal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DISABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Softness"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"SpatialAdaptiveQuantization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Syntax"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DEFAULT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Telecine"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NONE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TemporalAdaptiveQuantization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UnregisteredSeiTimecode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DISABLED"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ColorMetadata"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INSERT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"DropFrameTimecode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"RespondToAfd"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NONE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ScalingBehavior"</span><span class="p">:</span><span class="w"> </span><span class="s2">"STRETCH_TO_OUTPUT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Sharpness"</span><span class="p">:</span><span class="w"> </span><span class="mi">50</span><span class="p">,</span><span class="w"> </span><span class="nl">"TimecodeInsertion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DISABLED"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">3840</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">2160</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">20000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MAIN-MAIN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AUTO"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Codec"</span><span class="p">:</span><span class="w"> </span><span class="s2">"H_265"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">1920</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">1080</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">6000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HIGH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_4_2"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">1280</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">720</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">3500000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HIGH"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_4_2"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">854</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">480</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MAIN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_3_1"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">640</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">360</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">700000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MAIN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_3_1"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Width"</span><span class="p">:</span><span class="w"> </span><span class="mi">480</span><span class="p">,</span><span class="w"> </span><span class="nl">"Height"</span><span class="p">:</span><span class="w"> </span><span class="mi">270</span><span class="p">,</span><span class="w"> </span><span class="nl">"Bitrate"</span><span class="p">:</span><span class="w"> </span><span class="mi">400000</span><span class="p">,</span><span class="w"> </span><span class="nl">"FramerateNumerator"</span><span class="p">:</span><span class="w"> </span><span class="mi">15000</span><span class="p">,</span><span class="w"> </span><span class="nl">"Profile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"MAIN"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LEVEL_3_1"</span><span class="p">,</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <h4> MediaPackage packaging groups </h4> <p><strong>HLS</strong><br> For HLS, we create segments of 6 seconds (industry standard)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::MediaPackage::PackagingConfiguration</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">hls</span> <span class="na">PackagingGroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MediaPackagePackagingGroup</span> <span class="na">HlsPackage</span><span class="pi">:</span> <span class="na">HlsManifests</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ManifestName</span><span class="pi">:</span> <span class="s">index</span> <span class="na">IncludeIFrameOnlyStream</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">StreamSelection</span><span class="pi">:</span> <span class="na">StreamOrder</span><span class="pi">:</span> <span class="s">VIDEO_BITRATE_DESCENDING</span> <span class="na">SegmentDurationSeconds</span><span class="pi">:</span> <span class="m">6</span> <span class="na">UseAudioRenditionGroup</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p><strong>Dash</strong><br> For HLS, we create segments of 2 seconds (industry standard)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::MediaPackage::PackagingConfiguration</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">dash</span> <span class="na">PackagingGroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MediaPackagePackagingGroup</span> <span class="na">DashPackage</span><span class="pi">:</span> <span class="na">DashManifests</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ManifestName</span><span class="pi">:</span> <span class="s">index</span> <span class="na">ManifestLayout</span><span class="pi">:</span> <span class="s">FULL</span> <span class="na">MinBufferTimeSeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">StreamSelection</span><span class="pi">:</span> <span class="na">StreamOrder</span><span class="pi">:</span> <span class="s">VIDEO_BITRATE_DESCENDING</span> <span class="na">SegmentDurationSeconds</span><span class="pi">:</span> <span class="m">2</span> <span class="na">SegmentTemplateFormat</span><span class="pi">:</span> <span class="s">NUMBER_WITH_TIMELINE</span> </code></pre> </div> <h3> Incoming Bucket </h3> <ul> <li>Source files are uploaded to S3</li> <li>A rule on EventBridge listens to "Object:Created" events and triggers the execution of the "Conversion" Step Function.</li> </ul> <h3> Conversion Step Function </h3> <ul> <li>Using a Lambda function and <a href="https://dev.toffmpeg">https://ffmpeg.org/</a>, the source file is analyzed with <em>ffprobe</em> <ul> <li>Bitrate</li> <li>Dimensions</li> <li>Codecs</li> </ul> </li> <li>The file name is parsed to provide a movie name <ul> <li>A naming convention could be used to interact with IMDB to gather more informations</li> </ul> </li> <li>An entry is created in DynamoDB</li> <li>The video is sent to <a href="https://aws.amazon.com/rekognition/" rel="noopener noreferrer">Rekognition</a> to extract labels, persons, ... <em>Not implemented for this article</em> </li> <li>A Lambda function builds the outputs based on the source file definition and triggers MediaConvert <ul> <li>We don't create a rendition bigger than the source</li> <li>We don't create renditions with a higher bitrate than the source</li> <li>Generate video stills to be used as covers</li> </ul> </li> <li>An EventBridge rule listens to executed MediaConvert jobs and triggers </li> </ul> <h3> Packaging Step Function </h3> <ul> <li>Store still informations to DynamoDB <ul> <li>Images can be used by a CRM as Video covers</li> </ul> </li> <li>Store renditions informations to DynamoDB <ul> <li>These files can be used for download (offline viewing)</li> </ul> </li> <li>A Lambda function creates a SMIL manifest</li> <li>A Lambda function creates a package using the manifest and the pre-defined HLS and Dash outputs</li> <li>The URLs are stored to DynamoDB</li> </ul> <h3> Consumption </h3> <ul> <li>The video metadata and sources can be provided to the client via an API (<em>not implemented for this article</em>).</li> <li>The client accessed the video content directly from the HLS or Dash URL served via Cloudfront</li> </ul> <h2> Result in action </h2> <p>To showcase the solution, we used a simple source file shot on a Smartphone: 11 seconds FHD (1920x1080) of 25MB.</p> <p>All we needed to do to produce ready consumable content, was to upload this file to S3. Our Serverless solution took care of all the underlying steps.</p> <h3> MP4 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Source</th> <th>11 s</th> <th>1920 x 1080</th> <th>25 MB</th> <th>19.1 Mbps</th> </tr> </thead> <tbody> <tr> <td><a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-1080p.mp4" rel="noopener noreferrer">1080p</a></td> <td>11 s</td> <td>1920 x 1080</td> <td>8.6 MB</td> <td>19.1 Mbps</td> </tr> <tr> <td><a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-720p.mp4" rel="noopener noreferrer">720p</a></td> <td>11 s</td> <td>1280 x 720</td> <td>5.0 MB</td> <td>19.1 Mbps</td> </tr> <tr> <td><a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-480p.mp4" rel="noopener noreferrer">480p</a></td> <td>11 s</td> <td>854 x 480</td> <td>1.6 MB</td> <td>19.1 Mbps</td> </tr> <tr> <td><a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-360p.mp4" rel="noopener noreferrer">360p</a></td> <td>11 s</td> <td>640 x 360</td> <td>7.3 MB</td> <td>19.1 Mbps</td> </tr> <tr> <td><a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-270p.mp4" rel="noopener noreferrer">270p</a></td> <td>11 s</td> <td>480 x 270</td> <td>0.8 MB</td> <td>19.1 Mbps</td> </tr> </tbody> </table></div> <p><strong>360p</strong></p> Download <a href="https://d2bv705w0inzgj.cloudfront.net/bae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2/estoril_classics_2022-360p.mp4" rel="noopener noreferrer">MP4</a> video. <h3> Stills </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000003.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000003.jpg" alt="0003" width="800" height="450"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000005.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000005.jpg" alt="0005" width="800" height="450"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000006.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fd2bv705w0inzgj.cloudfront.net%2Fbae61c4a-5ae1-43f2-bbf3-b22bd6fb20a2%2Fframes%2Festoril_classics_2022.0000006.jpg" alt="0006" width="800" height="450"></a></p> <h3> Adaptive bitrates </h3> <p><strong>HLS</strong></p> <p>If your browser doesn't support HLS natively, you can access it on the <a href="https://hls-js.netlify.app/demo/?src=https://d2bv705w0inzgj.cloudfront.net/out/v1/fabe3df4cc8945ae98f4599edd714697/4d70e98d285e4f5fa77eb3bd125b2bf4/74f30d88f4854b78b23c8eaa0e6c7829/index.m3u8" rel="noopener noreferrer">hls-js demo page</a>.</p> <p><strong>Dash</strong></p> <p>If your browser doesn't support Dash natively, you can access it on the <a href="https://reference.dashif.org/dash.js/nightly/samples/dash-if-reference-player/index.html?url=https://d2bv705w0inzgj.cloudfront.net/out/v1/fabe3df4cc8945ae98f4599edd714697/5aba5a08bb4943aa8fc625e562e2f1cd/b85a89a8e76e4d36bec2b6dab59342d2/index.mpd" rel="noopener noreferrer">dashif demo page</a>.</p> <h2> What did we achieve? </h2> <p>We created a fully Serverless pipeline to transform a source video provided in any format in a group of ready consumable formats by any smartphone or browser anywhere in the world. Even viewers with limited bandwidth can enjoy our content without buffering, they will however settle for a lower quality.</p> <p>By leveraging Serverless solutions, we get all the known benefits of serverless:</p> <ul> <li>Cost is kept to a minimum by paying only for what we use <ul> <li>Video Conversion: Pay per movie conversion</li> <li>Video Packaging: Pay per movie consumption</li> <li>CDN: Pay per movie consumption</li> <li>S3 Storage: Pay for stored content</li> <li>DynamoDB: Pay for stored data</li> </ul> </li> <li>No servers to provision or maintain</li> <li>The services scales with usage automatically</li> </ul> <h2> Extending the solution </h2> <p>With the solution we built, we barely scratched the surface of what can be done. There are several addons that can be built on top of this solution:</p> <ul> <li>Provide DRM to protect your content</li> <li>Use multiple manifests to allow high definition to selected viewers</li> <li>Monetize your content with in-stream ads by leveraging <a href="https://aws.amazon.com/mediatailor/" rel="noopener noreferrer">AWS Media Tailor</a> </li> <li>Create live feeds from your VOD assets</li> <li>...</li> </ul> crypto blockchain web3 discuss Use IAM Identity Center (AWS SSO) to protect your Cloudfront served application Daniel Muller Tue, 04 Oct 2022 22:45:18 +0000 https://dev.to/aws-builders/use-iam-identity-center-aws-sso-to-protect-your-cloudfront-served-application-4005 https://dev.to/aws-builders/use-iam-identity-center-aws-sso-to-protect-your-cloudfront-served-application-4005 <p>Using <a href="https://aws.amazon.com/cloudfront/" rel="noopener noreferrer">Cloudfront</a> to distribute your web application is a good practice, by leveraging caching at the Edge, you ensure that your visitors will get the lowest latency possible.</p> <p>But what if you had a pre-release of your application that isn't for the whole world to see, but you still want to provide the same experience as you will in production? Cloudfront doesn't propose a solution out-of-the-box for this.</p> <h2> Lambda@Edge or Cloudfront-Functions </h2> <p>Luckily, Cloudfront has ways to act on request by using either <a href="https://aws.amazon.com/lambda/edge/" rel="noopener noreferrer">Lambda@Edge</a> or <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html" rel="noopener noreferrer">Cloudfront-Functions</a>.</p> <p>Several solutions already exist leveraging theses services to add different types of password protection or user authentication on Cloudfront:</p> <ul> <li>HTTP Basic Authentication using Cloudfront-Functions: <a href="https://www.joshualyman.com/2022/01/add-http-basic-authentication-to-cloudfront-distributions/" rel="noopener noreferrer">joshualyman.com</a> </li> <li>CloudFront authorization@edge: <a href="https://github.com/aws-samples/cloudfront-authorization-at-edge" rel="noopener noreferrer">aws-samples</a> </li> </ul> <h2> Using SAML Authentication with existing IAM Identity Center </h2> <p>You might have set-up your AWS Accounts using <a href="https://aws.amazon.com/controltower" rel="noopener noreferrer">Control Tower</a> with <a href="https://aws.amazon.com/organizations/" rel="noopener noreferrer">Organizations</a> and are managing your members using <a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">IAM Identity Center</a> (Successor to AWS Single-Sign-On). Or you are using AWS Identity Center as a standalone tool to centralize your SSO credentials for 3rd party applications.</p> <h3> The solution </h3> <p>The application is the SAML Service Provider (SP), IAM Identity Center is the SAML Identity Provider (IdP).</p> <ol> <li>For each request, the SP validates the encrypted authorization cookie using a Lambda@Edge function in the <em>viewer-request</em> event.</li> <li>If the Cookie isn't valid: <ol> <li>The Lambda@Edge function will create an <em>Authorization Request</em> and redirect the browser to the relevant IdP Endpoint.</li> <li>The IdP provides the user with a login page.</li> <li>Upon successful login, the IdP generates a <em>SAML Assertion Document</em> and redirects the browser to the <em>SP ACS Endpoint</em>.</li> <li>The SP validates the assertion, sets an encrypted authorization cookie in the browser and redirects the browser to the originally requested URL.</li> </ol> </li> <li>If the Cookie is valid: <ol> <li>The content is either served from the cache or retrieved from the origin.</li> </ol> </li> </ol> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq0oheolkzn5c5vqdlny0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq0oheolkzn5c5vqdlny0.png" alt="Service Provider initiated login with IAM Identity Center using Lambda@Edge"></a></p> <h2> Add an Application in IAM Identity Center </h2> <p>We assume that you already have IAM Identity Center setup, perhaps already with some groups and users.</p> <ul> <li>Open the AWS Console</li> <li>Open IAM Identity Center</li> <li>On the left menu, expand "Application assignments" and click on "Applications"</li> <li>Click on the "Add application" button on the right</li> <li>Choose "Add custom SAML 2.0 application" and click on the "Next" button</li> <li>Enter a user friendly <em>Display Name</em> </li> <li>enter a user friendly <em>Description</em> </li> <li>Download the <em>IAM Identity center SAML metadata file</em>, you will need it to configure the solution</li> <li>Leave <em>Application start URL</em> and <em>Relay state</em> empty</li> <li>Enter dummy values for <em>Application ACS URL</em> and <em>Application SAML audience</em>, we will come back to configure this later</li> <li>Click on the "Submit" button</li> <li>Open your application settings</li> <li>On the "Action" drop-down top right, choose "Edit Attribute Mappings"</li> <li>Enter the name of your project (this value isn't used, but needs to be filled)</li> <li>Set the Format to <em>transient</em> </li> <li>Click on the button "Save changes"</li> </ul> <h2> The code: Cloudfront and S3 hosted website </h2> <p>The solution is deployed using <a href="https://serverless.com" rel="noopener noreferrer">serverless.com</a></p> <ul> <li>It creates a Cloudfront distribution</li> <li>It creates an S3 Bucket</li> <li>It creates an SSL Certificate in <a href="https://aws.amazon.com/certificate-manager/" rel="noopener noreferrer">ACM</a> </li> <li>It creates an Entry in Route53</li> <li> <p>It creates 3 Lambda@Edge functions:</p> <ul> <li> <strong>Protect</strong>:</li> <li>Attached as <em>viewer-request</em> to the default Cloudfront Behavior</li> <li>Invoked on each request to validate the cookie and redirect the browser to the IdP if needed</li> <li> <strong>acs</strong>:</li> <li>Attached to as <em>viewer-request</em> to the <em>/saml/acs</em> path</li> <li>Invoked with POST by the browser with the <em>SAML Assertion Document</em> </li> <li> <strong>metadata</strong>:</li> <li>Attached to as <em>viewer-request</em> to the <em>/saml/metadata.xml</em> path</li> <li>Allows to retrieve the SP metadata document to configure the IdP </li> </ul> </li> <li> <p>It uses one NPM module:</p> <ul> <li><a href="https://github.com/tngan/samlify" rel="noopener noreferrer">samlify</a></li> </ul> </li> </ul> <h3> Prerequisites </h3> <h4> AWS IAM Roles </h4> <p>Your account needs to have 2 IAM Roles set-up to allow deploying StackSets for the bucket that is in another region:</p> <ul> <li>AWSCloudFormationStackSetAdministrationRole</li> <li>AWSCloudFormationStackSetExecutionRole</li> </ul> <p>Create them if they don't already exist<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s">2010-09-09</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Configure the AWSCloudFormationStackSet Roles to enable use of AWS CloudFormation StackSets.</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">AdministrationRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="s">AWSCloudFormationStackSetAdministrationRole</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">cloudformation.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">AssumeRole-AWSCloudFormationStackSetExecutionRole</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">arn:*:iam::*:role/AWSCloudFormationStackSetExecutionRole"</span> <span class="na">ExecutionRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="s">AWSCloudFormationStackSetExecutionRole</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:iam::${AWS::AccountId}:root</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess</span> </code></pre> </div> <h4> Domain </h4> <ul> <li>Your domain needs to be hosted in <a href="https://aws.amazon.com/route53/" rel="noopener noreferrer">Route53</a> </li> <li>You need to retrieve the HostedZoneId</li> </ul> <h4> Development tools </h4> <p>Some tools are needed, install them if you don't already have them:</p> <ul> <li>npm i -g serverless</li> <li><a href="https://github.com/nvm-sh/nvm" rel="noopener noreferrer">nvm</a></li> </ul> <h3> Get the source </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/DanielMuller/Cloudfront-Auth-IAM-Identity-Center <span class="nb">cd </span>Cloudfront-Auth-IAM-Identity-Center npm i </code></pre> </div> <p>Edit <code>serverless.yml</code>, change the following settings:</p> <ul> <li>service</li> <li>custom.domainName: This is the domain for your Cloudfront distribution</li> <li>custom.hostedZoneId: The Route53 HostedZoneId for your domain</li> <li>custom.bucketRegion: The region you want your S3 Bucket to be created in</li> <li>custom.sourceToken: Any string, protects direct access to your bucket </li> <li>custom.origin.DomainName: Remove <code>.${self:custom.bucketRegion}</code> if your bucket is in us-east-1</li> <li>provider.deploymentBucket.name: Set your deployment bucket name</li> <li>The region needs to be set to us-east-1, Lambda@Edge functions can only be deployed to this region</li> </ul> <p>Create <code>src/secrets/main.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="p">{</span> <span class="na">initVector</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1234567890123456</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// change me to any 16 Bytes string</span> <span class="na">privateKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">12345678901234567890123456789012</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// change me to any 32 Bytes string</span> <span class="na">audience</span><span class="p">:</span> <span class="dl">'</span><span class="s1">audience string</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// change me to my application name</span> <span class="na">idpMetadata</span><span class="p">:</span> <span class="s2">`XML content of IdP metadata.xml downloaded earlier`</span> <span class="p">};</span> </code></pre> </div> <p>Replace <code>WantAuthnRequestsSigned="true"</code> with <code>WantAuthnRequestsSigned="false"</code> in the IdP metadata if it is present.</p> <h3> Deploy it </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sls deploy </code></pre> </div> <h2> Configure your Application in IAM Identity Center </h2> <ul> <li>Download your SP metadata.xml by visiting <a href="https://yourdomain.example.com/saml/metadata.xml" rel="noopener noreferrer">https://yourdomain.example.com/saml/metadata.xml</a> </li> <li>Open the previously created Custom SAML Application in IAM Identity Center</li> <li>On the "Action" drop-down top right, choose "Edit Configuration"</li> <li>Upload your metadata.xml in the "Application metadata" section</li> <li>Add users or groups to your application</li> </ul> <h2> Add some files to your bucket </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'Index'</span> <span class="o">&gt;</span> index.html <span class="nb">echo</span> <span class="s2">"Page1"</span> <span class="o">&gt;</span> page1.html <span class="nb">echo</span> <span class="s2">"Page2"</span> <span class="o">&gt;</span> page2.html <span class="nb">echo</span> <span class="s2">"404"</span> <span class="o">&gt;</span> 404.html <span class="nb">echo</span> <span class="s2">"403"</span> <span class="o">&gt;</span> 403.html <span class="c"># Replace ${DomainName} with your bucket name (same as domain name)</span> aws s3 <span class="nb">cp</span> <span class="nt">--cache-control</span> max-age<span class="o">=</span>31536000 index.html s3://<span class="k">${</span><span class="nv">domainName</span><span class="k">}</span>/index.html aws s3 <span class="nb">cp</span> <span class="nt">--cache-control</span> max-age<span class="o">=</span>31536000 page1.html s3://<span class="k">${</span><span class="nv">domainName</span><span class="k">}</span>/page.html aws s3 <span class="nb">cp</span> <span class="nt">--cache-control</span> max-age<span class="o">=</span>31536000 page2.html s3://<span class="k">${</span><span class="nv">domainName</span><span class="k">}</span>/page2/index.html aws s3 <span class="nb">cp</span> <span class="nt">--cache-control</span> max-age<span class="o">=</span>31536000 404.html s3://<span class="k">${</span><span class="nv">domainName</span><span class="k">}</span>/404.html aws s3 <span class="nb">cp</span> <span class="nt">--cache-control</span> max-age<span class="o">=</span>31536000 403.html s3://<span class="k">${</span><span class="nv">domainName</span><span class="k">}</span>/403.html <span class="nb">rm</span> <span class="k">*</span>.html </code></pre> </div> <h2> What did we achieve? </h2> <ul> <li>Access to your distribution requires an authentication</li> <li>SP initiated and IdP initiated login to your site</li> <li>Direct access to your bucket is blocked</li> <li>All visitors share the same cached content</li> </ul> <h2> Test it out </h2> <ul> <li>Open http://${domainName}.s3-website.${aws_region}.amazonaws.com/page.html: You receive an <em>Access denied</em> </li> <li>Open https://${domainName}/page.html: You will be redirected to the IAM Identity Center login page and back to your site where the page will display</li> <li>Clear your cookies</li> <li>Open your IAM Identity Center start page and log-in</li> <li>Select your application and click on it. You will be redirected to your site and already logged in</li> <li>Open https://${domainName}/page2. You will see the content of page2/index.html</li> <li>Open https://${domainName}/anything. You will see your 404 page</li> </ul> <h2> Why Lambda@Edge and not Cloudfront Functions? </h2> <ul> <li>Cloudfront Functions doesn't have access to the request body. IAM Identity Center will issue a POST request to the ACS endpoint with the payload in the body.</li> <li>Cloudfront Functions can't include modules and has some limitations on what Javascript functions can be used</li> </ul> <h2> Conclusion </h2> <p>Serving your website using Cloudfront is the perfect way to ensure a low latency to all your visitors. You want to use the same technology in development than in production, but you want the next version of your application to be a surprise to your members.</p> <p>You want to allow only certain members of your organization to have access to the next version.</p> <p>To achieve this, we added an additional layer to Cloudfront by protecting all access with a login-wall and thus keeping unwanted eyes away from our future release. By adding this to Cloudfront (which is our Network Stack), we didn't need to alter our application's code in any way, keeping it identical for development and production.</p> <p>By leveraging the Identity Provider already used to grant access to AWS resources, we don't have to manage a separate IdP and still have the fine grained capability of picking which members of the Organization can access our application. No need to send passwords via email and rotate them when we want to revoke an access, like it would have been needed with HTTP's Basic Authentication.</p> <p>We can as easily revoke access by simply removing the user from the relevant group.</p> s3 sso cloudfront lambda My First Lambda Container Daniel Muller Tue, 08 Dec 2020 00:11:20 +0000 https://dev.to/aws-builders/my-first-lambda-container-1641 https://dev.to/aws-builders/my-first-lambda-container-1641 <p>Container support for Lambda was <a href="https://aws.amazon.com/about-aws/whats-new/2020/12/aws-lambda-now-supports-container-images-as-a-packaging-format/">announced</a> at Re:Invent 2020. At first, I didn't think much of it. My projects are generally small enough to work fine with a little <code>npm i</code>. But I have a little side project that could benefit from it: running Spamassassin inside <a href="https://aws.amazon.com/lambda/">Lambda</a> to tackle <a href="https://dev.to/aws-builders/aws-sns-receive-it-s-worse-than-you-thought-183l">SES's spam tagging failure</a>.</p> <p>Despite not being very familiar with Docker, I pulled my sleeves back and started on the project. This put me through the typical 4 stages of an AWS Re:Invent announcement:</p> <ul> <li>๐Ÿ˜ Excitement</li> <li>๐Ÿ˜ž Disappointment</li> <li>๐Ÿ˜ก Anger</li> <li>๐Ÿ˜‘ Resignation</li> </ul> <h2> My Journey </h2> <h3> Stage 1: Excitement </h3> <p>Being able to use Lambda in my SES flow without calling a third service, what a relief. Building a container for Lambda shouldn't be that hard...</p> <p>Lucky for me, <a href="https://aws.amazon.com/blogs/aws/author/danilop/">Danilo Poccia</a> did a great <a href="https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/">blog post</a> on how to build your own image from scratch.</p> <p>I used the <a href="https://github.com/instantlinux/docker-tools/tree/master/images/spamassassin">spamassassin image</a> provided by <a href="https://github.com/instantlinux">instantlinux</a> to get me started. I chose this image, because it runs on <a href="https://debian.org">Debian</a>, configures Razor, Pyzor and DCC correctly.</p> <p>I just needed a <a href="https://www.npmjs.com/package/spamc">NodeJS Spamc</a> implementation in my function, pass the body of the E-Mail to Lambda et voilร .</p> <p>I fired up the container locally, threw some messages at it and there it was, all the messages that SES let through where putting Spamassassin's score into the dark red. I finally had a solution that was cheap (aka pay only when needed) and without any change in my current flow, except adding a <code>lambda.invoke</code>.</p> <p>At that point, I had big plans for a v2 with <a href="https://aws.amazon.com/efs/">EFS</a> backed storage to share Bayes and manual learning of falsely classified messages. One can dream big...</p> <h3> Stage 2: Disappointment </h3> <p>I pushed my image into <a href="https://aws.amazon.com/ecr/">ECR</a> (Thank You <a href="https://github.com/awslabs/amazon-ecr-credential-helper">ecr-credential-helper</a>, your tool made my life easier), quickly configured a Lambda manually through the console and invoked it with a test content.</p> <p>That's when I fell from excitement into disappointment. Everything that worked so perfectly locally, just failed in a big ball of fire. My container in Lambda had the same constraints than any function in Lambda: it runs on a read-only system. I was now unable to run <code>sa-update</code>, unable to bind <code>spamd</code> to 127.0.0.1:783. No pid files could be written, no log files per services, ...</p> <h3> Stage 3: Anger </h3> <p>I naively thought that I could do what I want with my container. No Lambda runtime would go into my way. I was first very angry at AWS for promising me something that didn't meet my wishes/hopes (I generally always somehow land into this state with a new service).</p> <p>Then I got angry to myself for not having foreseen the obvious, it is logical that my container runs in read-only. It's still Lambda.</p> <p>I started to try to move everything to /tmp, which kind of worked after several trial-and-error. I don't know how to emulate this in my local Docker, so I had to test online each little tweak. I was still hitting a problem, running spamd on a file socket instead of an io socket, I somehow never got it to work. I wanted to keep spamd, since it gave me a nice output with just the score and the rules.</p> <h3> Stage 4: Resignation </h3> <p>After a few hours, I caved in and let go of my dreams of a fleet of spamd with shared config and rules.</p> <p>I decided to just run <a href="https://spamassassin.apache.org/">spamassassin</a> and parse the headers on the modified message. <code>sa-update</code> runs during <code>image build</code> and logs are sent to stderr. I disabled DCC, hoping that the standard RBL rules in addition to Pyzor and Razor should be a good enough start. Can't be worse than what SES is doing.</p> <h2> Does it work? </h2> <p>I have this in production since less than 2 days at time of writing, not enough data to make a definitive statement, but so far it behaves very nicely. All the spams are discarded, and no false positive so far. ๐Ÿคž</p> <p>The function runs between 10 and 12 seconds and uses between 180 and 220 MB (~0.01ยข).</p> <p>You can find it on <a href="https://github.com/DanielMuller/lambda-docker-spamassassin">Github</a> or on <a href="https://gallery.ecr.aws/z5f6y0y4/danielmuller/lambda-spamassassin">Public ECR</a>.</p> <h2> What is still missing </h2> <p>Despite the read-only limitation, which will probably never be lifted, you currently can't use an image from another account's ECR. You also can't use an image published to public ECR. I guess this are just limitations on a brand new service, and should be lifted in the near future. For now, I just need to push my image to the 2 accounts where they are needed. Some <a href="https://aws.amazon.com/codepipeline/">CodePipeline</a> would come in handy.</p> <h2> What's next ? </h2> <p>I could use an EventBridge Scheduler to rebuild the image weekly to have the rules up-to-date. Which anyway is a better solution than pulling them at every start.</p> <p>Else, I had thoughts about running this on <a href="https://aws.amazon.com/fargate">Fargate</a> before, but I didn't insist enough on trying to get down to 0 when there is nothing to process.<br> <a href="https://aws.amazon.com/batch/">AWS batch</a> could be another contender, now that it <a href="https://aws.amazon.com/about-aws/whats-new/2020/12/severless-batch-scheduling-with-aws-batch-and-aws-fargate/">runs on Fargate</a>.</p> <h2> In Conclusion </h2> <p>Lambda Container won't become my major way of deploying Lambda. I just find the hassle of building, deploying, testing your container more troublesome than an <code>sls invoke local</code> and <code>sls deploy</code>.</p> <p>But I can see why this will appeal to some peoples, specially when you need tools compiled that you can't compile on your development machine (<a href="https://github.com/lovell/sharp">sharp</a> comes to mind), or if you can't just <code>npm</code>, <code>pip</code> or <code>go get</code> in your dependencies.</p> aws lambda docker AWS SES Receive: It's Worse Than You Thought Daniel Muller Sun, 06 Dec 2020 23:24:05 +0000 https://dev.to/aws-builders/aws-sns-receive-it-s-worse-than-you-thought-183l https://dev.to/aws-builders/aws-sns-receive-it-s-worse-than-you-thought-183l <p><a href="https://aws.amazon.com">AWS</a> generally has great products, I use them almost exclusively, both professionally and privately, I am a what you could call a fanboy.</p> <p>But now and then, they offer a service that is just utterly garbage, which becomes useless unless you write a lot around it. B2C services providfed by AWS often fall into this category.</p> <p>One of this services is <a href="https://aws.amazon.com/ses/details/#Email_Receiving">SES Receiving</a>.</p> <p>I <a href="https://danielmuller.me/2020/10/serverless-e-mail-forwarder-with-aws-ses/">migrated from a self-hosted solution to AWS-SES-Receiving</a> a few weeks back. My main area of concern is the lack of SPAM filtering.</p> <p>I gathered enough data to realize that this service is very faulty, under performing and creates more problems than it solves.<br> It other words: it's useless or one could even say: total garbage.</p> <h2> The bad stuff </h2> <p>This are limitation I was aware of before starting my migration and accepted them. But it would make the service so much more appealing if they where addressed.</p> <h3> No IMAP client </h3> <p>AWS has the <a href="https://aws.amazon.com/workmail/">WorkMail service</a>, which comes with a Webapp and IMAP server and costs 4.00 USD/month/user. For 6.00 USD/month/user, you get a <a href="https://workspace.google.com/">Google Workspace</a> account account, which includes so much more than just EMail (Drive, Meet, ...)</p> <p>This isn't a deal breaker for me, since I only wanted to provide forwards to personal emails.</p> <h3> No ability to forward messages </h3> <p>You have to send as a user from your domain, so no ability to forward an incoming message keeping the original external sender.</p> <p>This is the main feature of my needs. I made peace with it, and rewrite the From field and providing a Reply-To.</p> <h3> No in-built alias management </h3> <p>Everybody needs aliases. Be it only <code>info</code>. No way to do this in SES, unless you fiddle with the rules settings.</p> <p>Not a deal breaker, since I was to <a href="http://github.com/danielMuller/ses-email-forward">handle externally</a> all forwards.</p> <h2> The totally broken stuff </h2> <p>This is the part that made me cringe the most.</p> <h3> Spam filtering </h3> <p><em>SES Receiving</em> is absolutely worthless when it comes to SPAM filtering. Their functionality is totally useless, an important proportions of SPAM messages are still going through.</p> <h3> What is happening </h3> <p>On average, 30 to 50 messages are received a day. The total sample rate is of 840.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--_36M2wQ9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/msg_flow.svg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--_36M2wQ9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/msg_flow.svg" alt="Alt Messages Flow"></a></p> <p>Out of the 840 messages, SES identified:</p> <ul> <li>Spam: 198</li> <li>Invalid SPF: 2</li> <li>Ham: 640</li> </ul> <p>On manual analysis (just checking the Sender and Subject), from this 640, I identified:</p> <ul> <li>False Negative: 559</li> <li>Ham: 81</li> </ul> <p>From the <em>false negative</em>, 33 where dropped with a simple MX check on the sender's domain. Which leaves us with a delivery of 526 Spam messages to my end users.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--DNPkia65--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/ham-spam-ratio.svg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--DNPkia65--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/ham-spam-ratio.svg" alt="Alt Ham/Spam ratio"></a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IJ1ss3n---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/missed-spam-ratio.svg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IJ1ss3n---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://danielmuller.me/images/2020/12/missed-spam-ratio.svg" alt="Alt Missed Spam ratio"></a></p> <p>87.3% of the messages claimed to be clean by SES are actually SPAM. This is an astonishing bad and shameful result.</p> <h2> How to improve this? </h2> <p>There are a few obvious "tricks", which I started to implement:</p> <ul> <li>Check the sender's MX. If it doesn't exist, drop the message. This reduced the SPAM in only a minimalistic way.</li> <li>Use <a href="https://spamcheck.postmarkapp.com/">Postmarks's Spamassassin API</a>: It removed some SPAM, but not enough. Their rules seems top be a bit outdated.</li> <li>Run your own Spamassassin: which makes us going back to square one and hosting a solution on a server. Yes there is <a href="https://aws.amazon.com/fargate">Fargate</a>, or even <a href="https://aws.amazon.com/blogs/aws/new-for-aws-lambda-container-image-support/">Lambda Container</a>, but you still need to build and manage it.</li> </ul> <h2> What AWS should do </h2> <p>AWS want's to proclaim themselves as a leader in <a href="https://aws.amazon.com/free/machine-learning">ML</a>. Then show us how! Give us a decent and bullet proof SPAM filtering solution.</p> <p>We should be able to see some kind of confidence level and decide ourselves what is spam or not. We should even be able to cut the STMP communication early if the level is too high, and never have to process an obvious SPAM messages.</p> <p>And also, allow us to call an API to declare what is SPAM and what is HAM, like any <a href="https://mail.google.com">Gmail</a> Account allows us to do.</p> <h2> In Conclusion </h2> <p>Almost 90% of the messages (yes that's 9 out of 10) claiming to be clean are actually SPAM. This doesn't check anybody's level of expectation.</p> <p>Until AWS put's a lot of effort into SES, don't use them for your E-Mail solution. Just give your money to <a href="https://workspace.google.com/">Google</a>.</p> aws ses spam useless Using AWS S3 as a database Daniel Muller Thu, 05 Nov 2020 00:00:15 +0000 https://dev.to/aws-builders/using-aws-s3-as-a-database-17l0 https://dev.to/aws-builders/using-aws-s3-as-a-database-17l0 <p>During re:Invent 2017, AWS announced a new feature for S3: <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_SelectObjectContent.html" rel="noopener noreferrer">s3-select</a>, which went GA in April 2018.</p> <h1> In a Nutshell </h1> <p><em>S3 select</em> allows to retrieve partial content from a single key in S3 using SQL. You can think of it as a single table-database.</p> <p>There are some constraints:</p> <ul> <li>Data needs to be in a single file and can't be grouped under a prefix</li> <li>The content of the file must be in JSON, CSV or Apache Parquet</li> <li>Supported compressions are GZIP or BZIP2</li> <li>You can't use joins between tables</li> <li>You can't update a single entry, you need to replace the whole file <ul> <li>But this comes with a benefit: updating the data becomes very easy. All you need is an S3 PutObject access (Console, CLI, SDK, SFTP, ...)</li> </ul> </li> </ul> <p>This is specially useful in bigdata. Instead of loading a large file, you retrieve only the useful content. Therefore reducing network transfer, storage and memory on the processing side, which translates into cost reduction.</p> <p>S3-Select stills needs to scan the whole file (you pay for that), but you gain on the processing side.</p> <h1> Which format to choose? </h1> <p>Each format has it's pros and cons. The format to use mainly depends on your production capabilities and query needs.</p> <p>Being text formats, CSV and JSON a very easy to produce (code, spreadsheets, ...). Parquet needs some additional skills and tools.</p> <p>Schema alterations are straight forward in JSON, since every entry carries it's own schema. For CSV and Parquet, you need to alter each entry with the new field. Using a spreadsheet software helps for CSV.</p> <p>With all the attributes repeated, JSON is the heaviest format. Half of the file is schema definition. With CSV and Parquet you define your attributes only once. Obviously, this becomes less of a factor once compressed.</p> <p>On the query side, Parquet is the clear winner. Being a columnar format, the amount of data scanned is greatly reduced, since only the needed columns are used. With CSV and JSON the whole file needs to be scanned.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>JSON</th> <th>CSV</th> <th>Parquet</th> </tr> </thead> <tbody> <tr> <td>Data Creation</td> <td>Easy</td> <td>Easy</td> <td>Difficult</td> </tr> <tr> <td>Data Modification</td> <td>Easy</td> <td>Average</td> <td>Difficult</td> </tr> <tr> <td>Storage Size</td> <td>High</td> <td>Low</td> <td>Low</td> </tr> <tr> <td>Query speed</td> <td>Slow</td> <td>Slow</td> <td>Fast</td> </tr> </tbody> </table></div> <h1> Which compression to choose? </h1> <p>You should compress your files, there is no reason to keep them vanilla. Smaller files results in less storage used and faster transfer times from your data source to S3.</p> <p>BZIP2 is a bit slower, but will generate smaller files than GZIP. You reduce even more your upload times and storage costs, but with a small impact on query times.</p> <h1> A simple example </h1> <ul> <li>Dataset used: <a href="https://github.com/datasets/atp-world-tour-tennis-data/tree/master/csv/5_players" rel="noopener noreferrer">atp-world-tour-tennis-data/players</a> </li> <li>Size: 1.5MB (372KB gzipped)</li> <li>Entries: 10912</li> <li>Fields: 20</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>player_id</th> <th>player_slug</th> <th>first_name</th> <th>last_name</th> <th>player_url</th> <th>flag_code</th> <th>residence</th> <th>birthplace</th> <th>birthdate</th> <th>birth_year</th> <th>birth_month</th> <th>birth_day</th> <th>turned_pro</th> <th>weight_lbs</th> <th>weight_kg</th> <th>height_ft</th> <th>height_inches</th> <th>height_cm</th> <th>handedness</th> <th>backhand</th> </tr> </thead> <tbody> <tr> <td>a002</td> <td>ricardo-acuna</td> <td>Ricardo</td> <td>Acuna</td> <td><a href="http://www.atpworldtour.com/en/players/ricardo-acuna/a002/overview" rel="noopener noreferrer">http://www.atpworldtour.com/en/players/ricardo-acuna/a002/overview</a></td> <td>CHI</td> <td>Jupiter, FL, USA</td> <td>Santiago, Chile</td> <td>1958.01.13</td> <td>1958</td> <td>01</td> <td>13</td> <td>0</td> <td>150</td> <td>68</td> <td>"5'9"""</td> <td>69</td> <td>175</td> <td></td> <td></td> </tr> <tr> <td>a001</td> <td>sadiq-abdullahi</td> <td>Sadiq</td> <td>Abdullahi</td> <td><a href="http://www.atpworldtour.com/en/players/sadiq-abdullahi/a001/overview" rel="noopener noreferrer">http://www.atpworldtour.com/en/players/sadiq-abdullahi/a001/overview</a></td> <td>NGR</td> <td></td> <td></td> <td>1960.02.02</td> <td>1960</td> <td>02</td> <td>02</td> <td>0</td> <td>0</td> <td>0</td> <td>"0'0"""</td> <td>0</td> <td>0</td> <td></td> <td></td> </tr> <tr> <td>a005</td> <td>nelson-aerts</td> <td>Nelson</td> <td>Aerts</td> <td><a href="http://www.atpworldtour.com/en/players/nelson-aerts/a005/overview" rel="noopener noreferrer">http://www.atpworldtour.com/en/players/nelson-aerts/a005/overview</a></td> <td>BRA</td> <td></td> <td>Cachoeira Do Sul, Brazil</td> <td>1963.04.25</td> <td>1963</td> <td>04</td> <td>25</td> <td>0</td> <td>165</td> <td>75</td> <td>"6'2"""</td> <td>74</td> <td>188</td> <td></td> <td></td> </tr> <tr> <td>a004</td> <td>egan-adams</td> <td>Egan</td> <td>Adams</td> <td><a href="http://www.atpworldtour.com/en/players/egan-adams/a004/overview" rel="noopener noreferrer">http://www.atpworldtour.com/en/players/egan-adams/a004/overview</a></td> <td>USA</td> <td>Palmetto, FL, USA</td> <td>Miami Beach, FL, USA</td> <td>1959.06.15</td> <td>1959</td> <td>06</td> <td>15</td> <td>0</td> <td>160</td> <td>73</td> <td>"5'10"""</td> <td>70</td> <td>178</td> <td></td> <td></td> </tr> </tbody> </table></div> <p>...</p> <h2> Query the dataset </h2> <p>The API allowing to query a file's content is <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_SelectObjectContent.html" rel="noopener noreferrer">SelectObjectContent</a>. Also available in most of the SDK's.</p> <p>For the <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/select-object-content.html" rel="noopener noreferrer">CLI</a>, you find it under <code>aws s3api select-object-content</code>.</p> <p>Let's do it with Javascript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">)</span> <span class="kd">var</span> <span class="nx">credentials</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SharedIniFileCredentials</span><span class="p">({</span><span class="na">profile</span><span class="p">:</span> <span class="dl">'</span><span class="s1">default</span><span class="dl">'</span><span class="p">})</span> <span class="nx">AWS</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">credentials</span> <span class="o">=</span> <span class="nx">credentials</span> <span class="kd">const</span> <span class="nx">s3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">S3</span><span class="p">({</span><span class="na">region</span><span class="p">:</span><span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span><span class="p">})</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">SELECT s.last_name,s.birth_year from s3object s where s.flag_code=</span><span class="se">\'</span><span class="s1">SUI</span><span class="se">\'</span><span class="s1"> and s.birth_year!=</span><span class="se">\'\'</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Bucket</span><span class="p">:</span> <span class="dl">'</span><span class="s1">myDataBucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">datasets/atp-players.csv.gz</span><span class="dl">'</span><span class="p">,</span> <span class="na">InputSerialization</span><span class="p">:</span> <span class="p">{</span> <span class="na">CSV</span><span class="p">:</span> <span class="p">{</span> <span class="na">FileHeaderInfo</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USE</span><span class="dl">'</span> <span class="p">},</span> <span class="na">CompressionType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GZIP</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">OutputSerialization</span><span class="p">:</span> <span class="p">{</span> <span class="na">CSV</span><span class="p">:{}</span> <span class="p">},</span> <span class="na">ExpressionType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SQL</span><span class="dl">'</span><span class="p">,</span> <span class="na">Expression</span><span class="p">:</span> <span class="nx">query</span> <span class="p">}</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">selectObjectContent</span><span class="p">(</span><span class="nx">params</span><span class="p">).</span><span class="nf">promise</span><span class="p">().</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">records</span> <span class="o">=</span> <span class="p">[]</span> <span class="kd">let</span> <span class="nx">stats</span> <span class="o">=</span> <span class="p">{}</span> <span class="nx">res</span><span class="p">.</span><span class="nx">Payload</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">Stats</span><span class="p">)</span> <span class="p">{</span> <span class="nx">stats</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">Stats</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">.</span><span class="nx">Payload</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">Records</span><span class="p">.</span><span class="nx">Payload</span><span class="p">.</span><span class="nf">toString</span><span class="p">()</span> <span class="nx">records</span> <span class="o">=</span> <span class="p">[</span> <span class="p">...</span><span class="nx">records</span><span class="p">,</span> <span class="p">...</span><span class="nx">data</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span><span class="nx">l</span> <span class="o">=&gt;</span> <span class="nx">l</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">last_name</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="na">birth_year</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">res</span><span class="p">.</span><span class="nx">Payload</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">err</span><span class="dl">'</span><span class="p">,</span> <span class="nx">err</span><span class="p">)</span> <span class="p">})</span> <span class="nx">res</span><span class="p">.</span><span class="nx">Payload</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">records</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">stats</span><span class="p">)</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <p><strong>records</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"last_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allegro"</span><span class="p">,</span><span class="w"> </span><span class="nl">"birth_year"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1978"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"last_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bastl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"birth_year"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1975"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"last_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bohli"</span><span class="p">,</span><span class="w"> </span><span class="nl">"birth_year"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1983"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"last_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Blatter"</span><span class="p">,</span><span class="w"> </span><span class="nl">"birth_year"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1949"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p><strong>stats</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Details"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"BytesScanned"</span><span class="p">:</span><span class="w"> </span><span class="mi">379951</span><span class="p">,</span><span class="w"> </span><span class="nl">"BytesProcessed"</span><span class="p">:</span><span class="w"> </span><span class="mi">1557430</span><span class="p">,</span><span class="w"> </span><span class="nl">"BytesReturned"</span><span class="p">:</span><span class="w"> </span><span class="mi">1034</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>S3-Select had to scan the whole compressed file and needed to process the uncompressed content. But needed to return only 1KB (~0.3% of the total file).</p> <h1> In conclusion </h1> <p>Considering S3 as a Database is surely far fetched. But it works very well for single large datasets on which you need to retrieve a small chunk. Consider it as your read-only slave database.</p> <p>Keep in mind, that the read speed is far below what you can achieve with a real databases on SSD, so don't use this for anything time sensitive.</p> <p>The ability to update content with more traditional non-database tools, allows a wider range of peoples to curate and maintain the data.</p> <h1> A real life example </h1> <p>When S3-Select came out, I decided to use the above concept to create a <em>Serverless GeoIP API</em> using Maxmind's GeoIP2 databases. I wanted to replace the locally installed databases on each server by an HTTP service. This helps on the administrative side by managing updates in only one place, remove boot up scripts while autoscaling, and also it allows other processes and services to use this data (ETL, logging, lambda, ...).</p> <p>You can read more about it in my <a href="https://danielmuller.me/2018/05/creating-a-serverless-geoip-api/" rel="noopener noreferrer">blog</a> or install it from my <a href="https://github.com/DanielMuller/geoip-serverless" rel="noopener noreferrer">Github repo</a> (works with GeoIP2 and GeoLite2 databases).</p> <p>I made some tweaks from the above example:</p> <ul> <li>The data files are sharded by primary key to reduce the scan size</li> <li>Cloudfront is used as a database-cache layer to avoid having to query twice for the same IP.</li> </ul> <h2> Why not DynamoDB? </h2> <p>When S3-Select came out, DynamoDB didn't have an "On-Demand" pricing. Having to provision (and pay for) a fixed throughput was too expensive.</p> <p>Today, with "On-Demand" pricing, I would definitively use DynamoDB for this tool. Storage pricing is similar to S3, query pricing also. Maintaining and querying the data in DynamoDB is also easier.</p> aws s3 serverless database