AWS Lambda

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.

Fastly's Next-Gen WAF supports any Lambda function on Amazon Web Services (AWS). Our Lambda extension acts as an HTTP proxy between the AWS Lambda service and runtime and will allow or block traffic after inspecting the JSON payload of the web API event used by the Lambda runtime.

The Fastly WAF Lambda extension is configured by using the AWS Secrets Manager. You can download Fastly's WAF binaries to create a layer that a Lambda function can use.

Prerequisites

Copy the agent keys for your site (also known as workspace). You will need them when configuring the AWS Secrets Manager.

Recommendations

For reduced latency and improved performance, we recommend setting the memory for your Lambda function to at least 512 MB.

How the Fastly WAF extension works

The Lambda function invokes the Fastly WAF extension, which then follows the life cycle of the execution environment.

Life cycle phaseDescription
initThe Lambda function creates or unfreezes the execution environment.
restoreNot applicable. The SnapStart function is never invoked.
invokeThe Lambda function invokes the Fastly WAF extension and then the Next-Gen WAF agent:
  • uses your active rules and site alerts to determine whether to allow, block, rate limit, or tag requests.
  • tags requests and redacts sensitive information from requests.
  • allows, blocks, and rate limits requests.
  • uploads redacted request and response data to the cloud engine per our data storage policy and downloads new rules and configurations from the cloud engine every 30 seconds.
shutdownThe Lambda function shuts down the runtime and alerts the Fastly WAF extension so it can stop cleanly. The Next-Gen WAF agent uploads redacted request and response data to the cloud engine per our data storage policy.

Configure the AWS Secrets Manager

  1. Log in to the AWS Management Console.

  2. From the Services menu, select Security, Identify, & Compliance and then select Secrets Manager.

  3. Click Store a new secret.

  4. For the Secret type, select Other type of secret. This option allows you to create a secret that can store credentials or other information by defining key-value strings.

  5. In the Key/value pairs fields, enter your agent keys:

    KeyValue
    SIGSCI_ACCESSKEYIDaccesskeyid from the Next-Gen WAF control panel
    SIGSCI_SECRETACCESSKEYsecretaccesskey from the Next-Gen WAF control panel
  6. Click Next.

  7. In the Secret name and Description fields, enter a human-readable name and description for the secret (e.g., Fastly secret for Lambda extension).

  8. Locate the Execute role of your Lambda function:

    • In another tab, log in to the AWS Management Console.
    • From the Services menu, select Compute and then select Lambda.
    • Select your Lambda function.
    • Click Configuration.
    • From the sidebar, click Permissions and then click the role name for your Lambda function in the Execution role area.
    • From the Identity and Access Management (IAM) page that appears, copy the ARN displayed on the page.
  9. Back on the Configure secret page in the AWS Management Console, click Edit permissions.

  10. Modify the configuration shown below to allow your Lambda function role to access this secret.

    1{
    2 "Version" : "2012-10-17",
    3 "Statement" : [ {
    4 "Effect" : "Allow",
    5 "Principal" : {
    6 "AWS" : "arn:aws:iam::role/service-role/YOUR_LAMBDA_FUNCTION_ROLE"
    7 },
    8 "Action" : "secretsmanager:GetSecretValue",
    9 "Resource" : "*"
    10 } ]
    11}
  11. Click Save and then click Next.

  12. Click Next.

  13. Review the secret and then click Store.

Configure the Fastly WAF Lambda extension

  1. Log in to the AWS Management Console.

  2. Click Services. Select Compute, then select Lambda.

  3. Select your Lambda function.

  4. Click Configuration.

  5. Click Environment variables.

  6. Click Edit.

  7. Add the following variables in the Key/value pairs fields:

    KeyValue
    SECRET_ARNSecret ARN of the newly created secret
    Example:
    arn:aws:secretsmanager:us-west-2:secret:lambda_secrets-kMxqBg
    SECRET_REGIONRegion where the newly created secret resides
    Example:
    us-west-2
    AWS_LAMBDA_EXEC_WRAPPER/opt/sigsci-wrapper
    SIGSCI_KEYSTORE_WRAPPER/opt/fetch-aws-secrets
    Only needed if using AWS Secrets Manager
  8. Click Save.

Install the Fastly WAF Lambda extension

  1. Download the latest version of the Agent for your particular architecture or use the public regional layer.

    x86_64

    AGENT_VER=`curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION`
    curl --fail -O -Ss https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_amd64.zip

    arm64

    AGENT_VER=`curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION`
    curl --fail -O -Ss https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_arm64.zip

    Lambda Layers

    arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_amd64:16

    arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_arm64:25

    arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_amd64:16

    arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_arm64:16

    arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_amd64:16

    arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_arm64:16

    arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_amd64:16

    arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_arm64:16

  2. If the Lambda Agent is configured to retrieve secrets from the AWS Secrets Manager, add the appropriate regional layer, making sure this layer is ordered before the lambda extension.

    arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_amd64:1

    arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_arm64:1

    arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_amd64:1

    arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_arm64:1

    arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_amd64:1

    arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_arm64:1

    arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_amd64:1

    arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_arm64:1

  3. Publish the Lambda agent zip file as a layer if downloaded.

    NOTE

    An example is shown below using the AWS Command Line Interface. The layer name and compatible-runtimes are at your discretion.

    $ aws lambda publish-layer-version --layer-name "my-sigsci-lambda-layer" --zip-file "fileb://sigsci-agent_latest~lambda_amd64.zip" --compatible-runtimes nodejs14.x
  4. Once the layer is successfully published, return to your Lambda function page within AWS.

  5. Click Add a layer towards the bottom of the page in the Layers pane.

  6. Add the layer that matches the published layer-name in the previous steps.

  7. Click Save.

Troubleshooting

Take note of the ordering of the layers. If using the sigsci-get-aws-secrets layer, make sure it's ordered before the Lambda extension.

All of our agent logging can be found in the Lambda logs in AWS' CloudWatch. On the Lambda function page, select Monitor, then View logs in CloudWatch. Logs can be viewed and captured here.

In development environments, the Fastly WAF Lambda extension can use the SIGSCI_ACCESSKEYID and SIGSCI_SECRETACCESSKEY key/value pairs as environment variables in the Lambda function configuration to avoid using the AWS Secrets Manager. However, this is not recommended for production environments.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.