.CloudFront Functions

Jun 7th 2021-2 min read

A few weeks ago Amazon announced a new feature for Amazon CloudFront to run code in Edge Locations. But where is the difference between Lambda@Edge and CloudFront Functions? CloudFront Functions are running in Edge locations whereas Lambda@Edge functions are executed in a regional edge cache (eg.: the AWS region closest to the CloudFront edge location reached by the client). Therefore CloudFront Functions are even closer to the client and are at the same time approximately 1/6th the price of Lambda@Edge.

Use Cases

  • Authorization: Implement authorization for the content delivered through CloudFront using Basic Authentication or by creating and validating user-generated tokens.

  • Redirects: Redirect users to a different URL - eg.: If you change to a new website structure you can redirect the user to the new URL.

  • Header Manipulation: Add, modify, or delete any of the request/response headers - eg.: foward the IP of the client using the Header to your origin.

CloudFront Functions versus Lambda@Edge


Most important differences - if you need more information check this docs: Choosing between CloudFront Functions and Lambda@Edge.

CloudFront FunctionsLambda@Edge
Execution locationCloudFront Edge LocationsCloudFront Regional Edge Caches
Programming languagesPython, Nodejs
Event sourcesViewer request Viewer responseViewer request Viewer response Origin request Origin response
Memory2 MB128 MB (viewer triggers) – 10 GB (origin triggers)
Max size of Function10 KB1 MB (viewer request / response) 50 MB (origin request / response)
Max execution time1 ms 5 seconds (viewer request / response) 30 seconds (origin request / response)
Access to geolocation and device data❌ (viewer request) ✅ (viewer response) ✅ (origin request) ✅ (origin response)
Access to the request body

Pricing example

Service Price per 1 million InvocationsPrice per Duration (for every GB-second)InvocationsDurationAllocated MemoryTotal Cost
CloudFront Function$0.1-20 Million1ms-$2.0
Lambda@Edge$0.6 $0,0000500120 Million10ms128MB$12.26

The prices were checked on 30.05.2021 from Lambda@Edge pricing and CloudFront Function pricing

Example template for Basic Auth with CloudFront Functions

Following you will find a CloudFront Function for Basic Auth - I am using it as a second layer of security for private CloudFront origins. For example I am generating exports of Jira content to S3 using a Lambda as a Backup. In Front of CloudFront I have a WAF to restrict to specify IPs plus these CloudFront functions.

AWSTemplateFormatVersion: 2010-09-09
Description: Creates a Base CloudFront Function for Authentification
    Description: David Krohn

    Description: Username CloudFront
    Type: String
    Description: Password CloudFront
    Type: String
    NoEcho: true
    Type: AWS::CloudFront::Function
      AutoPublish: true
      FunctionCode: !Sub |
        var USERS = {
            Website: [{
                username: '${CloudFrountUsername}',
                password: '${CloudFrountPassword}',

        //Response when auth is not valid.
        var response401 = { 
            statusCode: 401,
            statusDescription: 'Unauthorized',
            headers: {
                'www-authenticate': {
                    value: 'Basic'

        var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

        function btoa(input) {
            input = String(input);
            var bitmap, a, b, c,
                result = "",
                i = 0,
                rest = input.length % 3; // To determine the final padding

            for (; i < input.length;) {
                if ((a = input.charCodeAt(i++)) > 255 ||
                    (b = input.charCodeAt(i++)) > 255 ||
                    (c = input.charCodeAt(i++)) > 255)
                    throw new TypeError("Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.");

                bitmap = (a << 16) | (b << 8) | c;
                result += b64.charAt(bitmap >> 18 & 63) + b64.charAt(bitmap >> 12 & 63) +
                    b64.charAt(bitmap >> 6 & 63) + b64.charAt(bitmap & 63);

            // If there's need of padding, replace the last 'A's with equal signs
            return rest ? result.slice(0, rest - 3) + "===".substring(rest) : result;

        function handler(event) {
            var request = event.request;
            var headers = request.headers;

            var auth = request.headers.authorization && request.headers.authorization.value;

            var users = USERS['Website'];

            if (users) {
                if (!auth || !auth.startsWith('Basic ')) {
                    return response401;
                if(!users.find(function(user) {

                        // Construct the Basic Auth string
                        var authString = 'Basic ' + btoa(user.username + ':' + user.password);

                        return authString === auth;
                    })) {
                    return response401;
            return request;

        Comment: !Sub 'Basic Auth for S3 Bucket ${MyWebsiteBucket}'
        Runtime: cloudfront-js-1.0

More samples can be found here: Amazon CloudFront Functions Samples.

globaldatanetCloud Development, Optimization & Automation



  • follow globaldatanet on instagram
  • follow globaldatanet on facebook
  • follow globaldatanet on twitter
  • follow globaldatanet on linkendin
  • follow globaldatanet on twitch
  •  listen to our serverless world podcast
  • follow globaldatanet's tech rss feed
  • follow globaldatanet at github
© 2024 by globaldatanet. All Right Reserved
Your privacy is important to us!

We use cookies on our website. Some of them are essential,while others help us to improve our online offer.
You can find more information in our Privacy policy