Learning Objectives: - Learn how you can use Lambda@Edge and Amazon CloudFront to deliver richer, more personalized content with low latency to your customers - Learn how you can use serverless coding across Amazon's network of edge locations - Find out from our customers how they are using Lambda@Edge Today, developers have to forward requests from distributed CDN endpoints back to compute resources at their centralized servers in order to do any customized processing, slowing down the end user experience. The Lambda-based processing model allows you to write JavaScript code that runs within the growing network of AWS edge locations. In this tech talk, we will provide a deep dive on the capabilities of Lambda@Edge and its use cases.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George John, Amazon Web Services
August 17, 2017
Deep Dive on Lambda@Edge

2. What to expect from this session
• Amazon CloudFront and AWS Lambda
• Lambda@Edge
• Tozny’s Lambda@Edge use case
• Getting started with Lambda@Edge

3. CloudFront: Global content delivery network
 Accelerate your application and APIs
 Include static content such as images and video
 Massively scalable
 Highly secure
 Self-service
 Priced to minimize cost

4. AWS Lambda: Serverless
Computing

5. Benefits of AWS Lambda
Continuous
scaling
No servers to
manage
Never pay for idle
– no cold servers
(only happy
accountants)

6. AWS Lambda@Edge:
Serverless Edge Computing

7. Introducing Lambda@Edge
• Lambda@Edge is an extension of AWS Lambda that allows you to run
Node.js code at global AWS locations
• Bring your own code to the Edge and customize your content very close to
your users, improving end-user experience
Continuous
scaling
No servers
to manage
Never pay for idle
– no cold servers
Globally
distributed

8. Write once, run everywhere
AWS
Location
AWS
Location
AWS
Location
AWS
Location
Origin server
AWS
Location

9. CloudFront triggers for Lambda@Edge
functions

10. CloudFront triggers for Lambda@Edge
functions
CloudFront cache
End user
Origin
server
Viewer request Origin request
Origin responseViewer response

11. Lambda@Edge events
• All Lambda@Edge invocations are synchronous
• Request events
• URI and header modifications can change the object being requested
• Viewer request can change the object being requested from the CloudFront
cache and the origin
• Origin request can change the object or path pattern being requested from the
origin
• Response events
• Origin response can modify what is cached and generate cacheable responses
to be returned to the viewer
• Viewer response can change what is returned to the viewer
CloudFront
cache
End user Origin
server
Viewer request Origin request
Origin responseViewer response

12. Lambda@Edge functionality
• Read and write access to headers, URIs, and
cookies across all triggers
• Ability to generate custom responses from
scratch
• Access to make network calls to external
resources on origin-facing hooks

13. So, what can I do with
Lambda@Edge?

14. Highly personalized websites
• Redirect viewers to the optimal
experience based on their location,
language preferences, and device type

15. Highly personalized websites – how?
• Trigger: Viewer request
• Inputs
• Requested URL
• Device type (i.e., User-Agent)
• Existing session data
• Output
• Generate a response directly from Lambda@Edge,
specifically a redirect to the most relevant experience (e.g. ,
cropped images and mobile sites for mobile users)

16. Pretty URLs
• Rewrite the URL end user's request
to serve content without exposing
your team’s internal directory
structure and organization
• Provide customized experiences
without compromising consistency in
what your viewers see

17. Pretty URLs – how?
• Trigger: Origin request
• Inputs
• URL requested
• Outputs
• Rewrite the requested URL, which will be passed to the origin
• The response will be cached based on what the customer
requested to serve subsequent requests (i.e., the pretty URL)

18. Authorization at the Edge
• Inspect cookies or custom headers to
authenticate clients right at the edge
• Enforce paywalls at the Edge to gate
access to premium content to only
authenticated viewers

19. Authorization at the Edge – how?
• Trigger: Viewer request
• Prerequisites
• The customer must have previously authenticated against your authoritative
service, resulting in some sort of authorization credential. Typically this is a
cookie.
• Inputs
• URL
• Authorization credential (cookie)
• Outputs
• Allow the request to succeed if the request is authorized. If not, either return
a 403 response or redirect to an authentication page

20. Limited access to content
• Enforce timed access to content
at the edge
• Make a call to an external
authentication server to confirm
if a user’s session is still valid
• Forward valid requests to the
origin, and serve redirects to
new users to login pages

21. Limited content access – How?
• Trigger: Origin request
• Inputs
• URL/cookies
• Access to external user-tracking database
• Outputs
• If a customer requests content for specific URLs or with
specific cookies, make a request to the external server to
confirm session validity.
• Based on response from external server, serve content, or
redirect to a login page.

22. Response generation at the Edge
Generate an HTTP response to end
user requests arriving at AWS locations:
• Generate customized error pages
and static websites directly from Edge
locations
• Combine content drawn from multiple
external resources to dynamically
build websites at the Edge

23. Response generation – how?
• Viewer or origin request event
• Inputs
• URI
• Headers
• Outputs
• Custom response based on URI and headers

24. Poll question
What functionality are you
most excited about using with
Lambda@Edge?

25. Let’s see it in action
Introducing

26. Lambda@Edge
For Scalable, Secure Browser Crypto
Isaac Potoczny-Jones
ijones@tozny.com
https://tozny.com

27. We help developers do crypto right
Crypto is vital for good security.
Use of Crypto is growing across the industry.
Most developers do crypto wrong.
We help developers do crypto right.

28. Good Crypto Makes Data Breaches Not Matter
$ per Record
Crypto Matters
Ponemon - http://www-03.ibm.com/security/infographics/data-breach/
Costs
Driven by
Disclosure
and
Lawsuit
Risk
Solutions

29. 83% are misuses of cryptographic libraries by individual applications.”
- APSys ’14, June 25–26, 2014
“Our study covers 269 cryptographic vulnerabilities
reported in the CVE database from January 2011 to May 2014…

30. Challenge: Browser-Based Crypto
Typically considered to be less secure than smart-client crypto
• A good crypto client is a static, auditable codebase and secret key
• How do you trust the code delivered to the browser?
• How do you keep the key secret in the browser?

31. Where does Lambda@Edge come in?
• Our InnoVault Console is a static, single page app
• Crypto JavaScript, CSS, HTML delivered via CloudFront
• This gives us speed and scale
• But for security, we need to add various headers
• These headers are specific to our use case

32. Approach: Add Security Headers @Edge
• Content Security Policy: Only allow loading external JavaScript from
trusted domains
• Strict Transport Security: Tell the browser to only connect over
HTTPS to prevent MITM with plain HTTP
• XSS Protection: Tells the browser to cancel loading a page if
reflected Cross Site Scripting is detected

33. Result: Secure and Scalable JS Delivery

34. Lambda@Edge Function Code
'use strict';
exports.handler = (event, context, callback) => {
const headers = event.Records[0].cf.response.headers;
headers['Strict-Transport-Security'] = [{key: "Strict-Transport-Security",
value: "max-age=31 ..."}];
headers['Content-Security-Policy'] = [{key: "Content-Security-Policy",
value: "default-src ..."}];
headers['X-Content-Type-Options'] = [{key: "X-Content-Type-Options", value:
"nosniff"}];
headers['X-Frame-Options'] = [{key: "X-Frame-Options", value:
"DENY"}];
headers['X-XSS-Protection'] = [{key: "X-XSS-Protection", value: "1;
mode=block"}];
Node 6.10 Runtime

35. Returned HTTP Headers

36. Mozilla Observatory

37. Details on CloudFront Case Study

38. To get the slides and learn more:
https://tozny.com/blog/secure-https-headers-lambda/
Isaac Potoczny-Jones
ijones@tozny.com
https://tozny.com

39. Lambda@Edge: Getting Started

40. Lambda@Edge – let’s get started
• Sign up: https://aws.amazon.com/lambda/edge

41. Recap – using Lambda@Edge
Bring your own code
• Self-service through the
Lambda console
Familiar programming
model
• Standard Node.js-6.10
Write once, run everywhere
• Automatically deployed to the AWS network
of 79 Edge locations
• Requests are routed to the locations closest
to your end users across the world
Functionality
- Modify response header
- CloudFront response generation
- CloudFront HTTP redirect
Benefits
- Simple remote call at origin-facing hooks
- Cacheable static content generation
- Content generation with remote calls

42. Poll question
What functionality do you
want to see in
Lambda@Edge next?

43. Thank you!