
CloudFront Functions – A New Security Paradigm for CDN Edge Computing

Today, we launched CloudFront Functions, a serverless scripting capability that allows you to run JavaScript code at more than 225 Amazon CloudFront edge locations to perform lightweight HTTP transformations and customize content delivery. Maintaining a high security bar while running user-provided code in a multi-tenant service like CloudFront can be challenging, because of diverse factors ranging from the complexity of modern CPUs to the sophistication of Operating Systems (OS) like Linux. We’re pleased to deliver this feature for CloudFront customers while simultaneously raising the security bar for edge computing capabilities.

In July 2017, Amazon CloudFront announced Lambda@Edge, which enables customers to modify HTTP requests flowing through Amazon CloudFront using the flexible and highly secure AWS Lambda. Customers such as DAZN, Truecar, Disney, and OLX have since built applications including website micro-frontends, image resizing, enhanced origin selection, and custom search engine optimization for single page applications without having to worry about regional deployments or dynamically routing to the best AWS region for individual viewers. While Lambda@Edge is immensely flexible and powerful, it isn’t a perfect fit for all use cases, especially those requiring a small amount of compute before a request is served by the CloudFront cache at edge locations, or right before the responses to such requests are delivered to end-users. Examples of these cases are URL rewrites, custom user authentication schemes or the insertion of response headers. For these use cases, we needed a solution better suited for higher volume and even lower latency, one that would execute functions at edge locations instead of AWS Regions.

CloudFront’s edge locations, which are called PoPs, or Points of Presence, are generally located in urban areas, close to the viewers, in facilities where AWS, ISPs, and other network operators meet to connect to one another. Those facilities are not the very large data centers that run Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), and AWS Lambda. In contrast, the 225+ CloudFront PoPs are relatively small but much more distributed – spread across 90 cities in 47 countries to offer the best latency and the optimal network path to end-users. This distributed nature also means that, compared to the AWS Regions, the CloudFront PoPs have very different general-purpose computing resources.

When we started designing CloudFront Functions, the challenge we had was to deliver a high-density code execution environment operating at CloudFront scale – tens of millions of requests per second – while still delivering sub-millisecond latency. We are sure you are not hearing this for the first time, but at AWS, security is our number one priority. For the CloudFront team, this meant not only meeting the performance and efficiency goals we had set for running code at the edge, but also meeting the AWS security bar that customers have come to expect.

To achieve that, we’ve drawn on the unmatched years of experience AWS has in securely executing user-provided code and built a novel system to protect the data our customers entrust us with. For example, we used a simple but ECMAScript 5.1-compliant JavaScript engine that doesn’t make use of a JIT compiler, we isolated every single function into its own process, and we built several virtual walls of protection around each one of those processes. The end result meets AWS’s stringent security bar and at the same time, we hope, still delights our customers. We’re looking forward to sharing greater details with our customers at re:Invent 2021, so stay tuned!
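As an added example (not code from this post) of the lightweight transformation the earlier use cases mention, here is a viewer-response function that inserts security response headers, written in the ES5.1 subset the engine described above supports (no let/const, no arrow functions). It assumes the CloudFront Functions event shape, with `event.response.headers` keyed by lowercase header name and each entry holding a `value` field; the header values themselves are illustrative choices.

```javascript
// Added example, not code from the AWS post: a viewer-response CloudFront
// Function that adds security response headers at the edge. Kept to ES5.1
// syntax (var, function expressions) because the runtime has no JIT and
// targets ECMAScript 5.1 only. Header names/values are illustrative choices.
var SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubdomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin'
};

// Headers arrive as an object keyed by lowercase name, each entry of the
// form { value: '...' } (assumed CloudFront Functions event shape). A header
// the origin already set is left untouched so a stricter origin policy is
// never weakened by the edge function.
function addSecurityHeaders(headers) {
  for (var name in SECURITY_HEADERS) {
    if (SECURITY_HEADERS.hasOwnProperty(name) && !headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  }
  return headers;
}

// Entry point CloudFront invokes for a viewer-response trigger; the event
// carries the response that is about to be returned to the viewer.
function handler(event) {
  var response = event.response;
  response.headers = addSecurityHeaders(response.headers || {});
  return response;
}

// Constructed sample event for running the function locally (e.g. with node).
var sampleEvent = {
  version: '1.0',
  context: { eventType: 'viewer-response' },
  request: { method: 'GET', uri: '/index.html', headers: {} },
  response: {
    statusCode: 200,
    statusDescription: 'OK',
    headers: {
      'content-type': { value: 'text/html' },
      'x-frame-options': { value: 'SAMEORIGIN' }
    }
  }
};
```

Running `handler(sampleEvent)` adds the three missing headers and keeps the origin's `x-frame-options: SAMEORIGIN` as-is.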

In designing CloudFront Functions, security was always the biggest challenge from the very beginning, and embracing it from the early stages of the project allowed us to achieve something we hope you will find both useful and worthy of your trust. As always, this is just day one, and we look forward to sharing the further enhancements we are planning for CloudFront Functions. Give it a try and give us your feedback.