
CloudFront Integration

You can set up VerifiedVisitors for a CloudFront distribution using our Lambda@Edge module.

The Lambda function executes on each "ViewerRequest" (before caching), calls the VerifiedVisitors API for an access control decision, and serves a mitigation or allows the request through.

The JS agent is required to serve challenge pages (CAPTCHA and js_challenge), and should be included with any HTML content served by your origin.

info
  • You should be familiar with AWS and CloudFront Lambda@Edge.
  • The target CloudFront distribution behaviour must not have an existing Viewer Request function association.
  • The CloudFront viewer behaviour must be configured to process any methods that you wish to protect (e.g. POST).

Setup


1. Create a VerifiedVisitors access token for API access

In your VerifiedVisitors portal, navigate to "Profile Settings", click on the "Tokens" tab, and generate a new token. This will be needed later when setting up the Lambda function.

2. Create the Lambda function

In the Lambda dashboard of the AWS console, create a Lambda function in the us-east-1 region:

  1. Click on "Create function".
  2. Select "Author from scratch".
  3. In the basic information section, enter a name for the function and ensure the runtime is set to Node.js.
  4. Click on "Create function".
  5. Rename the index.mjs file to index.js (our implementation doesn't support ESM yet).
  6. In the code tab, replace the contents with the VerifiedVisitors Lambda implementation.
  7. Click "Deploy" to save the changes.
  8. In the "config" section of the code:
    • Replace the API_KEY value with the access token you created in step 1.
  9. In the configuration tab, under general configuration, set the timeout to 1 second.

3. Configure the Lambda execution role

Permissions must be configured according to the AWS documentation.

From the configuration tab, under 'Permissions', click on the role name to modify it:

  1. Edit the trust relationship to include the edgelambda.amazonaws.com service:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  2. Edit the permissions policy to allow logging in other regions (optional):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "logs:CreateLogGroup",
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
          "Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/*"]
        }
      ]
    }
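
The prerequisites listed at the top of this page and the trust relationship from step 3 can be checked offline before deploying. The Node.js script below is an added example, not part of the VerifiedVisitors implementation; it takes objects shaped like the DistributionConfig from `aws cloudfront get-distribution-config` and the role's AssumeRolePolicyDocument from `aws iam get-role`. The function names, the "default" path-pattern keyword and the sample data are assumptions made for illustration.

```javascript
// Pre-flight check for the prerequisites and trust policy described on this page.
// Added example: helper names and the "default" keyword are hypothetical.
const items = (x) => (x && x.Items) || [];
const list = (x) => [].concat(x || []);

function findBehaviour(distConfig, pathPattern) {
  if (pathPattern === "default") return distConfig.DefaultCacheBehavior;
  return items(distConfig.CacheBehaviors).find((b) => b.PathPattern === pathPattern);
}

function checkBehaviour(b, methods) {
  const problems = [];
  // Assumption: Lambda@Edge and CloudFront Functions associations both count as "existing".
  const assoc = [...items(b.LambdaFunctionAssociations), ...items(b.FunctionAssociations)];
  if (assoc.some((a) => a.EventType === "viewer-request"))
    problems.push("behaviour already has a viewer-request association");
  const allowed = items(b.AllowedMethods);
  for (const m of methods)
    if (!allowed.includes(m)) problems.push(`method ${m} is not processed by the behaviour`);
  return problems;
}

function checkTrustPolicy(policy) {
  const trusted = new Set();
  for (const s of list(policy.Statement)) {
    if (s.Effect !== "Allow" || !list(s.Action).includes("sts:AssumeRole")) continue;
    list((s.Principal || {}).Service).forEach((svc) => trusted.add(svc));
  }
  return ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
    .filter((svc) => !trusted.has(svc))
    .map((svc) => `trust policy does not let ${svc} assume the role`);
}

function preflight(distConfig, trustPolicy, pathPattern = "default", methods = ["GET", "POST"]) {
  const b = findBehaviour(distConfig, pathPattern);
  if (!b) return [`no cache behaviour matches ${pathPattern}`];
  return [...checkBehaviour(b, methods), ...checkTrustPolicy(trustPolicy)];
}

// Constructed sample input: POST is not allowed and edgelambda is not trusted.
const sampleDist = {
  DefaultCacheBehavior: { AllowedMethods: { Quantity: 2, Items: ["GET", "HEAD"] } },
};
const sampleTrust = {
  Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
};
console.log(preflight(sampleDist, sampleTrust));
```

An empty array means the target behaviour and role meet the conditions this page states; each string in the result names one condition that is not met.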

4. Deploy the Lambda function

Back in the Lambda function page, click on "Actions" followed by "Deploy to Lambda@Edge", then:

  1. Select the CloudFront distribution to process requests for.
  2. Select "Viewer Request" as the CloudFront event.
  3. Check "Confirm deploy to Lambda@Edge".
  4. Click on "Deploy".

It may take a few minutes for your CloudFront distribution to deploy the new settings.


Updating the Lambda function

The Lambda function can be updated as follows:

  1. In the Lambda dashboard of the AWS console, ensure the region is set to us-east-1 and select the VerifiedVisitors function to be updated.
  2. In the code tab, edit the code source to update the implementation.
  3. Click on "Deploy" to save the changes.
  4. Click on "Actions" followed by "Deploy to Lambda@Edge".
  5. In the dialog box that appears, choose "Use existing CloudFront trigger on this function" and select the trigger to be updated.
  6. Click on "Deploy".

It may take a few minutes for your CloudFront distribution to deploy the new settings.