DataDome CloudFront integration detects and protects against bot activity

This module is to be used on the CloudFront distribution, using the [email protected] service:

Before the regular CloudFront process starts, an event is triggered at the viewer's request and executes the DataDome logic in a [email protected] function.
The module makes a call to the closest Regional Endpoints using a KeepAlive connection. Depending on the API's response, the module either blocks the request or lets CloudFront proceed with its regular process.

The module has been implemented to ensure the best user experience for the visitors, therefore if any errors were to occur, or if a timeout is reached, the module will automatically disable its blocking mechanism and allow the regular CloudFront process to proceed.


Supported languages

We support both Node.js and Python.

How to install and configure

  1. Connect to your AWS console and go to the [email protected] homepage


AWS automatically selects US-EAST-1 region when you go on [email protected] portal. Please don't change the region. The function must be created on this one.

  1. Click on the "Create function" button, then select "Author from scratch"
  1. In the "Basic information" section:
  • Enter a name for your Lambda function, e.g.: "DataDomeModule{YOUR WEBSITE NAME}"
  • Select "Node.js 14.x" or "Python 3.9" as Runtime
  • Click on "Create function"
  1. In the Function code tab:
  • Choose Upload a file from Amazon S3 and paste the following URL for the Node.js module:

Or for the python module:
  1. Open the file datadome.js or
    The first code block in the file contains the module configuration.
    You need to replace DATADOME_LICENSE_KEY with your own License Key, which is available in your DataDome dashboard.
  1. In the Runtime settings tab:
  • Set "datadome.handler" for the Handler
  1. In the Configuration tab and General configuration menu:
  • Set "Timeout" to 0 min 1 sec
  • Select an existing role with the required permissions. To confirm that the role has the required permissions, click on View the [ROLE NAME] role and refer to this section.
  • Click on "Save"

Optional settings are described in the following list below

  1. Click on "Actions" and select "Publish new version". You can set a version description and click on "Publish"
  1. In the "Configuration" tab click on "Add trigger".
  • Choose CloudFront as trigger and click on "Deploy [email protected]"
  • Select the CloudFront distribution that will send events to the Lambda function
  • Select "Viewer Request" for "CloudFront Event"
  • Do not check the Include body box
  • Check the Confirm deploy to [email protected] box
  • Click on "Deploy"
  1. In CloudFront Distributions at the Errors tab you should create a new error page for HTTP code 403 with minimal TTL 0 without any customization of the content:


Your CloudFront distribution will now deploy the new settings and your DataDome installation is completed!


DATADOME_LICENSE_KEYYour DataDome License keyYes
DATADOME_TIMEOUTThe request timeout to DataDome API, in millisecondsOptional100
DATADOME_URI_REGEXProcesses matching URIs onlyOptional
DATADOME_URI_REGEX_EXCLUSIONIgnores all matching URIsOptionalexclude static asset
DATADOME_LOG_BOT_INFOLogs the matching bots' info in CloudWatch (premium feature)Optionalfalse


All logs are stored in your CloudWatch dashboards, in the "Logs" section.


Can I get Bot Name, Bot Type and Bot/Human flags in my application?

The DataDome module can inject headers in the HTTP Request that can be read by your application.
This information is recorded in your CloudWatch logs.

To enable this Premium feature, please contact DataDome Support.

DataDome informationDescriptionValue
X-DataDome-isbotIs it a Bot?0 -> Human
1 -> Bot
NA -> Detection not activated on this segment
X-DataDome-botnameThe Bot nameString
X-DataDome-botfamilyThe Bot familygood_bot / bad_bot / commercial_bot

How to only protect part of a CloudFront Distribution ?

In order to only protect part of a CloudFront Distribution, you can :

  • Set an exclusion based on file extension: modify the DATADOME_URI_REGEX_EXCLUSION in order to exclude hits to the Datadome API. In this case, the Lambda is still executed (and billed) at Amazon infrastructure
  • Set an exclusion based on path: define behavior in Cloudfront Distribution and attach Lambda only to the needed behavior. In this case, there is no Lambda execution at Amazon infrastructure nor at Datadome API

How to configure the role?

As per AWS documentation, the needed permissions are listed here: documentation

In the role section:

  • click on the Permissions tab and select Add inline policy

Select the JSON view and paste the following actions:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

Input a name for the permissions and save.

  • Click on the Trust relationships tab and Edit the trust relationship

Paste the following trusted entities:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Service": [
      "Action": "sts:AssumeRole"

Stream lambda logs to Cloudwatch

If the lambda doesn't trigger any logs in the different region used, please check your IAM role and add the following configuration:

        "Effect": "Allow",
        "Action": [
        "Resource": [

Can DataDome be integrated on a multi-account architecture?

If you have several CloudFront distributions deployed on different AWS accounts, one [email protected] function per account is required. You can repeat steps 1 to 10 for every account.