CloudFront
DataDome CloudFront integration detects and protects against bot activity
This module is to be used on the CloudFront distribution, using the Lambda@Edge service: https://aws.amazon.com/fr/lambda/edge/
Before the regular CloudFront process starts, an event is triggered on the viewer request and executes the DataDome logic in a Lambda@Edge function.
The module makes a call to the closest Regional Endpoints using a KeepAlive connection. Depending on the API's response, the module either blocks the request or lets CloudFront proceed with its regular process.
The module has been implemented to ensure the best user experience for visitors: if an error occurs or a timeout is reached, the module automatically disables its blocking mechanism and allows the regular CloudFront process to proceed.
Supported languages
We support both Node.js and Python.
How to install and configure
- Connect to your AWS console and go to the Lambda@Edge homepage
AWS automatically selects the US-EAST-1 region when you open the Lambda@Edge portal. Do not change the region: the function must be created in US-EAST-1.
- Click on the "Create function" button, then select "Author from scratch"

- In the "Basic information" section:
  - Enter a name for your Lambda function, e.g.: "DataDomeModule{YOUR WEBSITE NAME}"
  - Select "Node.js 14.x" or "Python 3.9" as Runtime
  - Click on "Create function"

- In the Function code tab:
  - Choose Upload a file from Amazon S3 and paste the following URL for the Node.js module:
    https://s3.amazonaws.com/dd-lambda-edge/datadome-lambda-edge-latest.zip
    Or for the Python module:
    https://s3.amazonaws.com/dd-lambda-edge/datadome-lambda-edge-py-latest.zip

- Open the file datadome.js or datadome.py
  The first code block in the file contains the module configuration.
  You need to replace DATADOME_LICENSE_KEY with your own License Key, which is available in your DataDome dashboard.

- In the Runtime settings tab:
  - Set "datadome.handler" for the Handler

- In the Configuration tab and General configuration menu:
  - Set "Timeout" to 0 min 1 sec
  - Select an existing role with the required permissions. To confirm that the role has the required permissions, click on View the [ROLE NAME] role and refer to this section.
  - Click on "Save"

Optional settings are described in the Settings section below.
- Click on "Actions" and select "Publish new version". You can set a version description and click on "Publish"

- In the "Configuration" tab click on "Add trigger".
  - Choose CloudFront as trigger and click on "Deploy Lambda@Edge"
  - Select the CloudFront distribution that will send events to the Lambda function
  - Select "Viewer Request" for "CloudFront Event"
  - Do not check the "Include body" box
  - Check the "Confirm deploy to Lambda@Edge" box
  - Click on "Deploy"

- In "CloudFront Distributions", at the "Errors" tab, create a new error page for HTTP code 403 with minimal TTL 0, without any customization of the content.

Congrats!
Your CloudFront distribution will now deploy the new settings and your DataDome installation is completed!
Settings
Setting | Description | Required | Default |
---|---|---|---|
DATADOME_LICENSE_KEY | Your DataDome License key | Yes | |
DATADOME_TIMEOUT | The request timeout to DataDome API, in milliseconds | Optional | 100 |
DATADOME_URI_REGEX | Processes matching URIs only | Optional | |
DATADOME_URI_REGEX_EXCLUSION | Ignores all matching URIs | Optional | exclude static asset |
DATADOME_LOG_BOT_INFO | Logs the matching bots' info in CloudWatch (premium feature) | Optional | false |
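
The decision flow described at the top of this page, combined with the two URI settings above, as an added Python sketch (not the DataDome module's code). `ask_api` is a hypothetical stand-in for the module's API call, the exclusion pattern is a constructed sample, and exclusion taking precedence over inclusion is an assumption.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Setting names come from the Settings table. The exclusion pattern is a
# constructed sample, not the module's real default.
DATADOME_TIMEOUT = 100  # milliseconds
DATADOME_URI_REGEX = None
DATADOME_URI_REGEX_EXCLUSION = r"\.(js|css|png|jpe?g|gif|ico|woff2?)$"

_pool = ThreadPoolExecutor(max_workers=4)

def should_check(uri, include=DATADOME_URI_REGEX,
                 exclude=DATADOME_URI_REGEX_EXCLUSION):
    """Apply both URI filters. Exclusion winning over inclusion is assumed."""
    if exclude and re.search(exclude, uri, re.IGNORECASE):
        return False
    if include and not re.search(include, uri, re.IGNORECASE):
        return False
    return True

def decide(event, ask_api, timeout_ms=DATADOME_TIMEOUT):
    """Return (result, reason) for one viewer-request event.

    result is the untouched request (CloudFront proceeds) or a 403 response.
    ask_api(request) -> bool is a hypothetical stand-in for the module's API
    call; True means "block". A real handler would return only result.
    """
    request = event["Records"][0]["cf"]["request"]
    if not should_check(request["uri"]):
        return request, "skipped"
    future = _pool.submit(ask_api, request)
    try:
        block = future.result(timeout=timeout_ms / 1000.0)
    except Exception as exc:
        # Timeout or API error: blocking is disabled and the request passes.
        return request, "fail-open:" + type(exc).__name__
    if block:
        return {"status": "403", "statusDescription": "Forbidden"}, "blocked"
    return request, "allowed"

# Constructed viewer-request event, reduced to the fields used above.
SAMPLE_EVENT = {"Records": [{"cf": {"request": {
    "clientIp": "203.0.113.7", "method": "GET", "uri": "/login",
    "headers": {"host": [{"key": "Host", "value": "example.com"}]}}}}]}
```

Logging the reason string makes the fail-open rate visible in CloudWatch, which shows how much traffic passed without a verdict during an API outage or with a timeout set too low.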
Logging
All logs are stored in your CloudWatch dashboards, in the "Logs" section.
FAQ
Can I get Bot Name, Bot Type and Bot/Human flags in my application?
The DataDome module can inject headers in the HTTP Request that can be read by your application.
This information is recorded in your CloudWatch logs.
To enable this Premium feature, please contact DataDome Support.
DataDome information | Description | Value |
---|---|---|
X-DataDome-isbot | Is it a Bot? | 0 -> Human; 1 -> Bot; NA -> Detection not activated on this segment |
X-DataDome-botname | The Bot name | String |
X-DataDome-botfamily | The Bot family | good_bot / bad_bot / commercial_bot |
How to protect only part of a CloudFront distribution?
To protect only part of a CloudFront distribution, you can:
- Set an exclusion based on file extension: modify DATADOME_URI_REGEX_EXCLUSION to exclude hits to the DataDome API. In this case, the Lambda is still executed (and billed) on the Amazon infrastructure.
- Set an exclusion based on path: define a behavior in the CloudFront distribution and attach the Lambda only to the needed behavior. In this case, there is no Lambda execution on the Amazon infrastructure and no call to the DataDome API.
How to configure the role?
As per AWS documentation, the needed permissions are listed here: documentation
In the role section:
- Click on the Permissions tab and select Add inline policy

Select the JSON view and paste the following actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceLinkedRole",
        "lambda:GetFunction",
        "cloudfront:UpdateDistribution",
        "lambda:EnableReplication"
      ],
      "Resource": "*"
    }
  ]
}
Input a name for the permissions and save.
- Click on the Trust relationships tab and Edit the trust relationship

Paste the following trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "edgelambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
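
One way to confirm that an existing role meets the requirements in this section, as an added Python example (not part of the DataDome module). It checks a role's permissions policy and trust policy, supplied as parsed JSON, against the actions and service principals listed above; the sample role is constructed.

```python
from fnmatch import fnmatchcase

# Requirements copied from the two JSON documents on this page.
REQUIRED_ACTIONS = ("iam:CreateServiceLinkedRole", "lambda:GetFunction",
                    "cloudfront:UpdateDistribution", "lambda:EnableReplication")
REQUIRED_SERVICES = ("lambda.amazonaws.com", "edgelambda.amazonaws.com")

def _as_list(value):
    # IAM accepts a single string wherever it accepts a list.
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"]

def missing_actions(permissions_policy):
    """Required actions that no Allow statement grants.

    Action names are case-insensitive and may use * and ? wildcards.
    Deny statements, Resource and Condition are not evaluated here.
    """
    granted = [a.lower() for s in _allow_statements(permissions_policy)
               for a in _as_list(s.get("Action", []))]
    return [r for r in REQUIRED_ACTIONS
            if not any(fnmatchcase(r.lower(), g) for g in granted)]

def missing_trusted_services(trust_policy):
    """Required service principals that may not assume the role."""
    trusted = set()
    for s in _allow_statements(trust_policy):
        actions = [a.lower() for a in _as_list(s.get("Action", []))]
        principal = s.get("Principal", {})
        if "sts:assumerole" in actions and isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service", [])))
    return [svc for svc in REQUIRED_SERVICES if svc not in trusted]

# Constructed sample: a role that was created for plain Lambda only.
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:Get*", "cloudfront:UpdateDistribution"],
     "Resource": "*"}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}}

if __name__ == "__main__":
    print("missing actions:", missing_actions(SAMPLE_PERMISSIONS))
    print("missing trust:", missing_trusted_services(SAMPLE_TRUST))
```

A role missing `edgelambda.amazonaws.com` in its trust policy, as in the constructed sample, is the case the trust relationship step above corrects.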
Stream Lambda logs to CloudWatch
If the Lambda function does not produce any logs in the regions where it runs, check your IAM role and add the following configuration:
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": [
    "*"
  ]
}
Can DataDome be integrated on a multi-account architecture?
If you have several CloudFront distributions deployed on different AWS accounts, one Lambda@Edge function per account is required. You can repeat steps 1 to 10 for every account.