CloudFront

This module is to be used on the CloudFront distribution, using the [email protected] service: https://aws.amazon.com/fr/lambda/edge/

Before the regular CloudFront process starts, an event is triggered at the viewer's request and executes the DataDome logic in a [email protected] function.
The module makes a call to the closest Regional Endpoints using a KeepAlive connection. Depending on the API's response, the module either blocks the request or lets CloudFront proceed with its regular process.

The module has been implemented to ensure the best user experience for the visitors, therefore if any errors were to occur, or if a timeout is reached, the module will automatically disable its blocking mechanism and allow the regular CloudFront process to proceed.

📘

Supported languages

We support both Node.js and Python.

How to install and configure

1. Connect to your AWS console and go to the [email protected] homepage

📘

AWS automatically selects US-EAST-1 region when you go on [email protected] portal. Please don't change the region. The function must be created on this one.

2. Click on the "Create function" button, then select "Author from scratch"

3. In the "Basic information" section:

• Enter a name for your Lambda function, e.g.: "DataDomeModule{YOUR WEBSITE NAME}"
• Select "Node.js 14.x" or "Python 3.9" as Runtime
• Click on "Create function"

4. In the Function code tab:

• Choose Upload a file from Amazon S3 and paste the following URL for the Node.js module:

https://s3.amazonaws.com/dd-lambda-edge/datadome-lambda-edge-latest.zip

Or for the python module:

https://s3.amazonaws.com/dd-lambda-edge/datadome-lambda-edge-py-latest.zip

5. Open the file datadome.js or datadome.py
   The first code block in the file contains the module configuration.
   You need to replace DATADOME_LICENSE_KEY with your own License Key, which is available in your DataDome dashboard.

6. In the Runtime settings tab:

• Set "datadome.handler" for the Handler

7. In the Configuration tab and General configuration menu:

• Set "Timeout" to 0 min 1 sec
• Select an existing role with the required permissions. To confirm that the role has the required permissions, click on View the [ROLE NAME] role and refer to this section.
• Click on "Save"

Optional settings are described in the following list below

8. Click on "Actions" and select "Publish new version". You can set a version description and click on "Publish"

9. In the "Configuration" tab click on "Add trigger".

• Choose CloudFront as trigger and click on "Deploy [email protected]"
• Select the CloudFront distribution that will send events to the Lambda function
• Select "Viewer Request" for "CloudFront Event"
• Do not check the Include body box
• Check the Confirm deploy to [email protected] box
• Click on "Deploy"

10. In CloudFront Distributions at the Errors tab you should create a new error page for HTTP code 403 with minimal TTL 0 without any customization of the content:

Congrats!

Your CloudFront distribution will now deploy the new settings and your DataDome installation is completed!

Settings

Logging

All logs are stored in your CloudWatch dashboards, in the "Logs" section.

FAQ

Can I get Bot Name, Bot Type and Bot/Human flags in my application?

The DataDome module can inject headers in the HTTP Request that can be read by your application.
This information is recorded in your CloudWatch logs.

To enable this Premium feature, please contact DataDome Support.

How to only protect part of a CloudFront Distribution ?

In order to only protect part of a CloudFront Distribution, you can :

• Set an exclusion based on file extension: modify the DATADOME_URI_REGEX_EXCLUSION in order to exclude hits to the Datadome API. In this case, the Lambda is still executed (and billed) at Amazon infrastructure
• Set an exclusion based on path: define behavior in Cloudfront Distribution and attach Lambda only to the needed behavior. In this case, there is no Lambda execution at Amazon infrastructure nor at Datadome API

How to configure the role?

As per AWS documentation, the needed permissions are listed here: documentation

In the role section:

• click on the Permissions tab and select Add inline policy

Select the JSON view and paste the following actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "lambda:GetFunction",
                "cloudfront:UpdateDistribution",
                "lambda:EnableReplication"
            ],
            "Resource": "*"
        }
    ]
}

Input a name for the permissions and save.

• Click on the Trust relationships tab and Edit the trust relationship

Paste the following trusted entities:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "edgelambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Stream lambda logs to Cloudwatch

If the lambda doesn't trigger any logs in the different region used, please check your IAM role and add the following configuration:

{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": [
            "*"
        ]
    }

Can DataDome be integrated on a multi-account architecture?

If you have several CloudFront distributions deployed on different AWS accounts, one [email protected] function per account is required. You can repeat steps 1 to 10 for every account.