Why Technology Spa

Technology Spa was born out of a digital marketing agency that has managed hundreds of public-facing web application services over the last 20 years. Technology Spa has worked with a number of technologies to improve security, availability, functionality, efficiency, and performance. AWS CloudFront has become one of Technology Spa’s go-to tools for delivering many of these benefits to its customers’ Internet-facing workloads.

Once deployed, Technology Spa provides fully managed services for AWS CloudFront, including monitoring the efficiency and availability of the CDN through custom CloudWatch dashboards and alerts, and keeping configurations tuned for maximum caching efficiency, traffic offload, and cost benefit.

Contact us today to learn about applicable use cases and how we can help implement and manage AWS CloudFront CDN services. Below are some of the advanced configurations possible with AWS CloudFront.

Using AWS Lambda with CloudFront Lambda@Edge

Lambda@Edge lets you run Node.js and Python Lambda functions to customize content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events, without provisioning or managing servers. You can use Lambda functions to change CloudFront requests and responses at the following points:

  • After CloudFront receives a request from a viewer (viewer request)
  • Before CloudFront forwards the request to the origin (origin request)
  • After CloudFront receives the response from the origin (origin response)
  • Before CloudFront forwards the response to the viewer (viewer response)

With Lambda@Edge, you can build a variety of solutions, for example:

  • Inspect cookies to rewrite URLs to different versions of a site for A/B testing.
  • Send different objects to your users based on the User-Agent header, which contains information about the device that submitted the request. For example, you can send images in different resolutions to users based on their devices.
  • Inspect headers or authorization tokens, inserting a corresponding header and enforcing access control before forwarding a request to the origin.
  • Add, delete, and modify headers, and rewrite the URL path to direct users to different objects in the cache.
  • Generate new HTTP responses to do things like redirect unauthenticated users to login pages, or create and deliver static web pages right from the edge.

Using AWS WAF to Control Access to Your Content

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.

Restricting the Geographic Distribution of Your Content

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you’re distributing through a CloudFront web distribution. To use geo restriction, you have two options:

  • Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
  • Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level.
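As an added example that is not part of the original page, the function below shows the second kind of restriction, a subset of files rather than the whole distribution, implemented as a Lambda@Edge origin-request function that reads the `CloudFront-Viewer-Country` header CloudFront adds when the cache behavior is configured to forward it. It uses CloudFront's own country lookup rather than a third-party service; the path prefixes and country lists are constructed for the demonstration.

```javascript
// Added example (not from the page): Lambda@Edge origin-request handler that
// restricts only certain path prefixes by viewer country. Prefixes and
// country lists are constructed; the header name is the one CloudFront sets.
'use strict';

// Path prefix -> ISO 3166-1 alpha-2 codes allowed to fetch it. Paths that
// match no prefix are unrestricted, unlike distribution-wide geo restriction.
const RESTRICTED_PREFIXES = {
  '/video/': new Set(['US', 'CA']),
  '/downloads/eu/': new Set(['DE', 'FR', 'NL']),
};

// CloudFront lowercases header names in the event and delivers values as arrays.
function viewerCountry(headers) {
  const h = headers['cloudfront-viewer-country'];
  return h && h.length ? h[0].value.toUpperCase() : null;
}

// Returns null when the request may proceed, or the prefix rule that blocks it.
function blockingRule(uri, country) {
  for (const [prefix, allowed] of Object.entries(RESTRICTED_PREFIXES)) {
    if (uri.startsWith(prefix)) {
      // Fail closed: a missing or unknown country is treated as not allowed.
      return country && allowed.has(country) ? null : prefix;
    }
  }
  return null;
}

function forbiddenResponse() {
  return {
    status: '403',
    statusDescription: 'Forbidden',
    headers: {
      'content-type': [{ key: 'Content-Type', value: 'text/plain' }],
      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
    },
    body: 'This content is not available in your region.',
  };
}

// Synchronous core, testable without the Lambda runtime.
function processOriginRequest(request) {
  const country = viewerCountry(request.headers);
  return blockingRule(request.uri, country) ? forbiddenResponse() : request;
}

async function handler(event) {
  return processOriginRequest(event.Records[0].cf.request);
}

if (typeof module !== 'undefined') {
  module.exports = { handler, processOriginRequest, blockingRule, viewerCountry };
}
```

Because this runs on origin requests, whatever the function returns can be cached. The `CloudFront-Viewer-Country` header must therefore be part of the cache key for the restricted behaviors, or a 403 produced for one country would be served from cache to viewers everywhere.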

Using Field-Level Encryption to Help Protect Sensitive Data

You can already configure CloudFront to help enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security along with HTTPS that lets you protect specific data throughout system processing so that only certain applications can see it.

Field-level encryption allows you to securely upload user-submitted sensitive information to your web servers. The sensitive information provided by your clients is encrypted at the edge closer to the user and remains encrypted throughout your entire application stack, ensuring that only applications that need the data—and have the credentials to decrypt it—are able to do so.

To use field-level encryption, you configure your CloudFront distribution to specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can’t encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)

When the HTTPS request with field-level encryption is forwarded to the origin and routed through your origin sub-systems, the sensitive data remains encrypted, reducing the risk of a breach or accidental exposure of that data. Components that need the sensitive data for business reasons, such as a payment processing system that must read a credit card number, use the corresponding private key to decrypt and access it.