.CloudFront Functions

Jun 7th 2021-2 min read

A few weeks ago Amazon announced a new feature for Amazon CloudFront to run code in Edge Locations. But where is the difference between Lambda@Edge and CloudFront Functions? CloudFront Functions are running in Edge locations whereas Lambda@Edge functions are executed in a regional edge cache (eg.: the AWS region closest to the CloudFront edge location reached by the client). Therefore CloudFront Functions are even closer to the client and are at the same time approximately 1/6th the price of Lambda@Edge.

Use Cases

  • Authorization: Implement authorization for the content delivered through CloudFront using Basic Authentication or by creating and validating user-generated tokens.

  • Redirects: Redirect users to a different URL - eg.: If you change to a new website structure you can redirect the user to the new URL.

  • Header Manipulation: Add, modify, or delete any of the request/response headers - eg.: foward the IP of the client using the Header to your origin.

CloudFront Functions versus Lambda@Edge


Most important differences - if you need more information check this docs: Choosing between CloudFront Functions and Lambda@Edge.

CloudFront FunctionsLambda@Edge
Execution locationCloudFront Edge LocationsCloudFront Regional Edge Caches
Programming languagesPython, Nodejs
Event sourcesViewer request Viewer responseViewer request Viewer response Origin request Origin response
Memory2 MB128 MB (viewer triggers) – 10 GB (origin triggers)
Max size of Function10 KB1 MB (viewer request / response) 50 MB (origin request / response)
Max execution time1 ms 5 seconds (viewer request / response) 30 seconds (origin request / response)
Access to geolocation and device data❌ (viewer request) ✅ (viewer response) ✅ (origin request) ✅ (origin response)
Access to the request body

Pricing example

Service Price per 1 million InvocationsPrice per Duration (for every GB-second)InvocationsDurationAllocated MemoryTotal Cost
CloudFront Function$0.1-20 Million1ms-$2.0
Lambda@Edge$0.6 $0,0000500120 Million10ms128MB$12.26

The prices were checked on 30.05.2021 from Lambda@Edge pricing and CloudFront Function pricing

Example template for Basic Auth with CloudFront Functions

Following you will find a CloudFront Function for Basic Auth - I am using it as a second layer of security for private CloudFront origins. For example I am generating exports of Jira content to S3 using a Lambda as a Backup. In Front of CloudFront I have a WAF to restrict to specify IPs plus these CloudFront functions.

AWSTemplateFormatVersion: 2010-09-09
Description: Creates a Base CloudFront Function for Authentification
    Description: David Krohn

    Description: Username CloudFront
    Type: String
    Description: Password CloudFront
    Type: String
    NoEcho: true
    Type: AWS::CloudFront::Function
      AutoPublish: true
      FunctionCode: !Sub |
        var USERS = {
            Website: [{
                username: '${CloudFrountUsername}',
                password: '${CloudFrountPassword}',

        //Response when auth is not valid.
        var response401 = { 
            statusCode: 401,
            statusDescription: 'Unauthorized',
            headers: {
                'www-authenticate': {
                    value: 'Basic'

        var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

        function btoa(input) {
            input = String(input);
            var bitmap, a, b, c,
                result = "",
                i = 0,
                rest = input.length % 3; // To determine the final padding

            for (; i < input.length;) {
                if ((a = input.charCodeAt(i++)) > 255 ||
                    (b = input.charCodeAt(i++)) > 255 ||
                    (c = input.charCodeAt(i++)) > 255)
                    throw new TypeError("Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.");

                bitmap = (a << 16) | (b << 8) | c;
                result += b64.charAt(bitmap >> 18 & 63) + b64.charAt(bitmap >> 12 & 63) +
                    b64.charAt(bitmap >> 6 & 63) + b64.charAt(bitmap & 63);

            // If there's need of padding, replace the last 'A's with equal signs
            return rest ? result.slice(0, rest - 3) + "===".substring(rest) : result;

        function handler(event) {
            var request = event.request;
            var headers = request.headers;

            var auth = request.headers.authorization && request.headers.authorization.value;

            var users = USERS['Website'];

            if (users) {
                if (!auth || !auth.startsWith('Basic ')) {
                    return response401;
                if(!users.find(function(user) {

                        // Construct the Basic Auth string
                        var authString = 'Basic ' + btoa(user.username + ':' + user.password);

                        return authString === auth;
                    })) {
                    return response401;
            return request;

        Comment: !Sub 'Basic Auth for S3 Bucket ${MyWebsiteBucket}'
        Runtime: cloudfront-js-1.0

More samples can be found here: Amazon CloudFront Functions Samples.

globaldatanetCloud Development, Optimization & Automation



  • follow globaldatanet on instagram
  • follow globaldatanet on facebook
  • follow globaldatanet on twitter
  • follow globaldatanet on linkendin
  • follow globaldatanet on twitch
  • follow globaldatanet's tech rss feed
  • follow globaldatanet at github
© 2021 by globaldatanet. All Right Reserved