Intercept S3 requests with Lambda functions and CloudFront
When working with AWS S3 you might want to intercept S3 requests and responses for various reasons. First, let's look at how to put your S3 bucket behind a CloudFront distribution.
Set up CloudFront for the S3 bucket
Log in to your AWS Console and open the CloudFront dashboard. Then click the Create CloudFront Distribution button. On the Create distribution form, select your S3 bucket as the origin. All other settings can be configured as you want.
In my configuration I don't want to restrict S3 access to CloudFront only, so this is how I configured it (this configuration depends on your requirements, so don't just blindly use the following config):
- S3 bucket access — Yes use OAI
- Viewer protocol policy — Redirect HTTP to HTTPS
- Allowed HTTP methods — GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
- Cache policy — Caching Optimized
- Origin request policy — CORS-S3Origin
- Response headers policy — CORS-With-Preflight
Create a Lambda function
Navigate to the Lambda dashboard and make sure your region is set to us-east-1 (Lambda@Edge functions must be created in that region). Click the Create function button, set a function name, and choose your preferred runtime and architecture. I'll use Node.js 16.x and x86_64 in this example.
First we have to update the trust relationship of the Lambda execution role so that Lambda@Edge is allowed to assume it.
Go to Configuration -> Permissions and click the role name link. Then open Trust relationships and click Edit trust policy. We have to add edgelambda.amazonaws.com to the Service array under Principal.
Click Update policy and you are done here. Let's go back to our Lambda function and click the Code tab.
Understand the event, context, and callback
In the handler code we have access to three parameters: event, context and callback.
exports.handler = (event, context, callback) => {}
The context contains information about your function and the runtime.
The callback is a function that accepts two arguments, error and value, in that order. In case of an error,
callback(error, null)
otherwise,
callback(null, response)
If you want to send an HTTP status to the user,
If you want to add headers,
The event object contains all the data from your Lambda trigger event. Here are example values for a simple GET request from the Angular HTTP client
If you attach your function to a response trigger you will have both the request and the response data in the event object. You can inspect these objects yourself by doing something like this
Now it is up to you to implement the business logic as you want. You can use tests to make sure your code works before attaching it to a trigger.
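As an added example (not code from the original post), here are two Lambda@Edge handlers in the shape described above: a viewer-request handler that returns a 401 for a /private path unless a bearer token is present, and an origin-response handler that adds headers to what S3 returned. The token value, the header names and the event-building helper are constructed for this example; the event layout (Records[0].cf.request / .response, headers keyed by lowercase name with arrays of { key, value }) is the real Lambda@Edge format.

```javascript
// Added example: two Lambda@Edge handlers (not the article's own code).
// CloudFront passes its record at event.Records[0].cf; headers are keyed by
// lowercase name and each value is an array of { key, value } objects.
const AUTH_TOKEN = 'example-token'; // placeholder secret; real code would verify a signed token

function getHeader(headers, name) {
  const entry = headers && headers[name.toLowerCase()];
  return entry && entry.length ? entry[0].value : undefined;
}
// A response object returned from a request trigger ends the request at the edge;
// no-store keeps the denial itself out of the CloudFront cache.
function deny(status, statusDescription, body) {
  return {
    status: String(status),
    statusDescription,
    headers: { 'cache-control': [{ key: 'Cache-Control', value: 'no-store' }] },
    body,
  };
}
// Viewer-request trigger: require a bearer token under /private/, pass everything else on.
function authHandler(event, context, callback) {
  const request = event.Records[0].cf.request;
  if (request.uri.startsWith('/private/') &&
      getHeader(request.headers, 'authorization') !== `Bearer ${AUTH_TOKEN}`) {
    return callback(null, deny(401, 'Unauthorized', 'authorization required'));
  }
  return callback(null, request); // returning the request forwards it to the S3 origin
}
// Origin-response trigger: add headers to whatever S3 returned, before CloudFront caches it.
function headersHandler(event, context, callback) {
  const response = event.Records[0].cf.response;
  response.headers['strict-transport-security'] =
    [{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' }];
  response.headers['x-content-type-options'] = [{ key: 'X-Content-Type-Options', value: 'nosniff' }];
  return callback(null, response);
}
// Constructed event in the shape CloudFront sends; `response` exists only on response triggers.
function makeEvent(eventType, request, response) {
  return { Records: [{ cf: { config: { eventType }, request, response } }] };
}
// Local test helper: run a handler and capture what it hands to the callback.
function invoke(fn, event) {
  let out;
  fn(event, {}, (err, value) => { out = err || value; });
  return out;
}
// Lambda entry point (the console's default handler name is index.handler).
if (typeof module !== 'undefined') module.exports = { handler: authHandler, authHandler, headersHandler };
```

Deploy authHandler on the viewer-request event of the /private behavior and headersHandler on the origin-response event; note that Lambda@Edge functions cannot read environment variables, which is why the placeholder token sits in code here.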
Attach the Lambda function to a request or response trigger
In Function overview, click Add trigger and select CloudFront, then click Deploy to Lambda@Edge. In the pop-up form select your CloudFront distribution, then select the event. Tick the confirmation checkbox and click Deploy.
There is an option to select the behavior in the pop-up form; you can see your default behavior in the Behaviors tab of your CloudFront distribution. We can create multiple behaviors and attach different Lambda functions to them. For example, if you have a /public directory and a /private directory, you can create a behavior with the /private path pattern and attach the authorization Lambda function to it.
That's all the basics you need to get started. Hope this helped you. Happy coding!