AWS Lambda
Last updated 2023-09-21
Fastly's Next-Gen WAF (powered by Signal Sciences) supports any Lambda function on Amazon Web Services (AWS). Our Lambda extension acts as an HTTP proxy between the AWS Lambda service and runtime and will allow or block traffic after inspecting the JSON payload of the web API event used by the Lambda runtime.
The Fastly WAF Lambda extension is configured by using the AWS Secrets Manager. You can download Fastly's WAF binaries to create a layer that a Lambda function can use.
Recommendations
For reduced latency and improved performance, we recommend setting the memory for your Lambda function to at least 512 MB.
Configure the AWS Secrets Manager
Log in to the AWS Management Console.
From the Services menu, select Security, Identity, & Compliance, and then select Secrets Manager.
Click the Store a new secret button. The Choose secret type window appears.
For the Secret type, select Other type of secret. This option allows you to create a secret that can store credentials or other information by defining key-value strings.
Locate the Agent Keys for your Signal Sciences site:
Log in to the Signal Sciences console.
From the Sites menu, select a site if you have more than one site.
Click Agents in the navigation bar. The agents page appears.
Click View agent keys. The agent keys window appears.
Copy the Agent Access Key and Agent Secret Key.
In the AWS Management Console, enter the following variables in the Key/value pairs fields:

| Key | Value |
| --- | --- |
| SIGSCI_ACCESSKEYID | accesskeyid from the Signal Sciences console |
| SIGSCI_SECRETACCESSKEY | secretaccesskey from the Signal Sciences console |

Click the Next button. The Configure secret window appears.
In the Secret name and Description fields, enter a human-readable name and description for the secret (e.g., Fastly secret for Lambda extension).
Locate the Execution role of your Lambda function:
- In another tab, log in to the AWS Management Console.
- From the Services menu, select Compute, and then select Lambda.
- Select your Lambda function.
- Click Configuration. The Configuration page appears.
- From the sidebar, click Permissions, and then click the role name link for your Lambda function in the Execution role area.
- From the Identity and Access Management (IAM) page that appears, copy the ARN displayed on the page.
Back on the Configure secret page in the AWS Management Console, click the Edit permissions button.
Modify the resource policy shown below to allow your Lambda function role to access this secret. Replace the YOUR_ACCOUNT_ID and YOUR_LAMBDA_FUNCTION_ROLE placeholders with the values from the role ARN you copied from the IAM page, so that only that role (and no other principal in the account) can read the secret.

```json
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/YOUR_LAMBDA_FUNCTION_ROLE"
    },
    "Action" : "secretsmanager:GetSecretValue",
    "Resource" : "*"
  } ]
}
```

Click the Save button, and then click the Next button. The Configure rotation page appears.
Click the Next button.
Review the secret, and then click the Store button.
Configure the Fastly WAF Lambda extension
Log in to the AWS Management Console.
Click Services. Select Compute, then select Lambda.
Select your Lambda function.
Click Configuration. The Configuration menu pane appears.
Click Environment variables.
Click Edit. The Edit environment variables menu page appears.
Add the following variables in the Key/value pairs fields:

| Key | Value |
| --- | --- |
| SECRET_ARN | Secret ARN of the newly created secret. Example: arn:aws:secretsmanager:us-west-2:secret:lambda_secrets-kMxqBg |
| SECRET_REGION | Region where the newly created secret resides. Example: us-west-2 |
| AWS_LAMBDA_EXEC_WRAPPER | /opt/sigsci-wrapper |
| SIGSCI_KEYSTORE_WRAPPER | /opt/fetch-aws-secrets (only needed if using AWS Secrets Manager) |

Click Save.
Install the Fastly WAF Lambda extension
Download the latest version of the Agent for your particular architecture, or use the public regional layer.

x86_64:

```sh
AGENT_VER=$(curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION)
curl --fail -O -Ss https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_amd64.zip
```

arm64:

```sh
AGENT_VER=$(curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION)
curl --fail -O -Ss https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_arm64.zip
```

Lambda Layers
arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_amd64:13
arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_arm64:18
arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_amd64:13
arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_arm64:13
arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_amd64:13
arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_arm64:13
arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_amd64:13
arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_arm64:13
If the Lambda Agent is configured to retrieve secrets from the AWS Secrets Manager, add the appropriate regional layer, making sure this layer is ordered before the lambda extension.
arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_amd64:1
arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_arm64:1
arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_amd64:1
arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_arm64:1
arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_amd64:1
arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_arm64:1
arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_amd64:1
arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_arm64:1
Publish the Lambda agent zip file as a layer if downloaded.
NOTE
An example is shown below using the AWS Command Line Interface. The layer name and compatible-runtimes are at your discretion.
```sh
# The zip file name matches the file downloaded in the previous step (x86_64 shown).
aws lambda publish-layer-version --layer-name "my-sigsci-lambda-layer" --zip-file "fileb://sigsci-agent_${AGENT_VER}_lambda_amd64.zip" --compatible-runtimes nodejs14.x
```

Once the layer is successfully published, return to your Lambda function page within AWS.
Click Add a layer towards the bottom of the page in the Layers pane.
Add the layer that matches the published layer-name in the previous steps.
Click Save.
Troubleshooting
Take note of the ordering of the layers. If using the sigsci-get-aws-secrets layer, make sure it's ordered before the Lambda extension.
All of our agent logging can be found in the Lambda logs in AWS CloudWatch. On the Lambda function page, select Monitor, then View logs in CloudWatch. Logs can be viewed and captured here.
In development environments, the Fastly WAF Lambda extension can use the SIGSCI_ACCESSKEYID and SIGSCI_SECRETACCESSKEY key/value pairs as environment variables in the Lambda function configuration to avoid using the AWS Secrets Manager. However, this is not recommended for production environments, because the agent keys are then stored in plain text in the function configuration.
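As an added example (not code from Fastly's documentation), the following Python pre-deploy check reads the JSON that `aws lambda get-function-configuration` returns and verifies the environment variables and layer ordering described above; the sample configuration, its account ID and its secret name are constructed placeholders.

```python
import re

# Constructed sample shaped like `aws lambda get-function-configuration` output;
# the account id 123456789012 and the secret name are placeholders, not real values.
SAMPLE_CONFIG = {
    "Architectures": ["x86_64"],
    "Environment": {"Variables": {
        "SECRET_ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:lambda_secrets-AbCdEf",
        "SECRET_REGION": "us-west-2",
        "AWS_LAMBDA_EXEC_WRAPPER": "/opt/sigsci-wrapper",
        "SIGSCI_KEYSTORE_WRAPPER": "/opt/fetch-aws-secrets",
    }},
    "Layers": [  # secrets layer first, extension second: the order the page requires
        {"Arn": "arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_amd64:1"},
        {"Arn": "arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_amd64:13"},
    ],
}

SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:([a-z0-9-]+):\d{12}:secret:.+$")
LAYER_ARN_RE = re.compile(r"^arn:aws:lambda:[a-z0-9-]+:\d{12}:layer:([\w-]+):\d+$")


def check_waf_lambda_config(cfg: dict) -> list:
    """Return findings about the extension setup; an empty list means it passes."""
    out = []
    env = cfg.get("Environment", {}).get("Variables", {})
    if env.get("AWS_LAMBDA_EXEC_WRAPPER") != "/opt/sigsci-wrapper":
        out.append("AWS_LAMBDA_EXEC_WRAPPER must be /opt/sigsci-wrapper")
    if "SIGSCI_ACCESSKEYID" in env or "SIGSCI_SECRETACCESSKEY" in env:
        out.append("agent keys are plain environment variables; use Secrets Manager in production")
    if "SECRET_ARN" in env:
        if env.get("SIGSCI_KEYSTORE_WRAPPER") != "/opt/fetch-aws-secrets":
            out.append("SIGSCI_KEYSTORE_WRAPPER must be /opt/fetch-aws-secrets")
        m = SECRET_ARN_RE.match(env["SECRET_ARN"])
        if not m:
            out.append("SECRET_ARN is not a Secrets Manager ARN")
        elif env.get("SECRET_REGION") != m.group(1):
            out.append("SECRET_REGION must match the region inside SECRET_ARN")
    # Layer names in attachment order; an empty string marks a malformed layer ARN.
    names = [(LAYER_ARN_RE.match(l.get("Arn", "")) or [None, ""])[1] for l in cfg.get("Layers", [])]
    agent = next((i for i, n in enumerate(names) if n.startswith("sigsci-agent-lambda")), None)
    secrets = next((i for i, n in enumerate(names) if n.startswith("sigsci-get-aws-secrets")), None)
    if agent is None:
        out.append("no sigsci-agent-lambda layer is attached")
    if "SECRET_ARN" in env and secrets is None:
        out.append("SECRET_ARN is set but no sigsci-get-aws-secrets layer is attached")
    if agent is not None and secrets is not None and secrets > agent:
        out.append("sigsci-get-aws-secrets layer must be ordered before the sigsci-agent-lambda layer")
    suffix = "arm64" if cfg.get("Architectures", ["x86_64"])[0] == "arm64" else "amd64"
    out += [f"layer {n} does not match the function architecture" for n in names
            if n.startswith("sigsci-") and not n.endswith(suffix)]
    return out
```

Run it against the output of `aws lambda get-function-configuration --function-name <name>` (parsed with `json.load`) before deploying; a non-empty result points at the step in this guide to revisit.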