
AWS Lambda

Updated Jun 29, 2022

Fastly’s Next-Gen WAF (powered by Signal Sciences) supports any Lambda function on Amazon Web Services (AWS). Our Lambda extension acts as an HTTP proxy between the AWS Lambda service and runtime and will allow or block traffic after inspecting the JSON payload of the web API event used by the Lambda runtime.

Note: This information is part of a beta release. For more information, read our product and feature lifecycle descriptions.

The Fastly WAF Lambda extension is configured by using environment variables. You can download Fastly’s WAF binaries to create a layer that a Lambda function can use.

Fastly Agent Access Keys configuration

Before adding the Fastly WAF Lambda extension, you must set the Agent Access Key and Agent Secret Key as environment variables in the general configuration of the Lambda function.

  1. Log in to the AWS Console.

  2. Click Services. Select Compute, then select Lambda.

  3. Select your Lambda function.

  4. Click Configuration. The Configuration menu pane appears.

  5. Click Environment variables.

  6. Click Edit. The Edit environment variables menu page appears.

  7. Locate the Agent Keys for your Signal Sciences site:

    1. Log in to the Signal Sciences console.

    2. Select a site if you have more than one site.

    3. Click Agents in the navigation bar. The agents page appears.

    4. Click View agent keys. The agent keys window appears.

    5. Copy the Agent Access Key and Agent Secret Key.

  8. In the Edit environment variables menu page of the Lambda function, add the following variables as key/value pairs:

    Key                        Value
    SIGSCI_ACCESSKEYID         accesskeyid from Signal Sciences console
    SIGSCI_SECRETACCESSKEY     secretaccesskey from Signal Sciences console
    AWS_LAMBDA_EXEC_WRAPPER    /opt/sigsci-wrapper
  9. Click Save.

Install the Fastly WAF Lambda extension

  1. Download the latest version of the Agent for your particular architecture.

    x86_64

       AGENT_VER=$(curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION)
       curl --fail -O -Ss "https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_amd64.zip"
       

    arm64

       AGENT_VER=$(curl --fail -Ss https://dl.signalsciences.net/sigsci-agent/VERSION)
       curl --fail -O -Ss "https://dl.signalsciences.net/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_arm64.zip"
       
  2. Publish the Lambda agent zip file as a layer.

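    Note: An example is shown below using the AWS Command Line Interface. The layer name and the --compatible-runtimes value are at your discretion. The --zip-file argument must name the file downloaded in step 1; the example reuses the AGENT_VER variable set there and the x86_64 file name.

            aws lambda publish-layer-version --layer-name "my-sigsci-lambda-layer" --zip-file "fileb://sigsci-agent_${AGENT_VER}_lambda_amd64.zip" --compatible-runtimes nodejs14.x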
            

  3. Once the layer is successfully published, return to your Lambda function page within AWS.

  4. Click Add a layer towards the bottom of the page in the Layers pane.

  5. Add the layer that matches the published layer-name in the previous steps.

  6. Click Save.
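
To confirm the result of both procedures, the following added example (not Fastly's code) checks the JSON that `aws lambda get-function-configuration` returns against the settings this page prescribes. The function name `check_waf_config`, the sample configuration, and the zip file name passed in the demo are constructed for illustration; the layer name is the one used in the publish example above.

```python
import json
import sys

# Names and wrapper path from the page's environment variable table.
REQUIRED_VARS = ("SIGSCI_ACCESSKEYID", "SIGSCI_SECRETACCESSKEY")
WRAPPER_VAR, WRAPPER_PATH = "AWS_LAMBDA_EXEC_WRAPPER", "/opt/sigsci-wrapper"
# Function architecture -> suffix of the agent zip the page downloads for it.
ZIP_SUFFIX = {"x86_64": "_lambda_amd64.zip", "arm64": "_lambda_arm64.zip"}

def check_waf_config(config, layer_name, agent_zip=None):
    """Return a list of problems; an empty list means the setup matches the page."""
    problems = []
    env = (config.get("Environment") or {}).get("Variables") or {}
    for name in REQUIRED_VARS:
        # Report presence only, so key material never reaches logs.
        if not (env.get(name) or "").strip():
            problems.append(f"{name} is missing or empty")
    wrapper = env.get(WRAPPER_VAR)
    if wrapper != WRAPPER_PATH:
        problems.append(f"{WRAPPER_VAR} is {wrapper!r}, expected {WRAPPER_PATH!r}")
    # Layer ARN layout: arn:aws:lambda:<region>:<account>:layer:<name>:<version>
    arns = [(l.get("Arn") or "").split(":") for l in config.get("Layers") or []]
    if not any(len(a) == 8 and a[5] == "layer" and a[6] == layer_name for a in arns):
        problems.append(f"layer {layer_name!r} is not attached")
    if agent_zip is not None:
        # x86_64 is Lambda's default architecture.
        arch = (config.get("Architectures") or ["x86_64"])[0]
        suffix = ZIP_SUFFIX.get(arch)
        if suffix is None or not agent_zip.endswith(suffix):
            problems.append(f"function is {arch} but layer zip is {agent_zip}")
    return problems

# Constructed sample, shaped like `aws lambda get-function-configuration` output.
SAMPLE = {
    "Architectures": ["arm64"],
    "Environment": {"Variables": {
        "SIGSCI_ACCESSKEYID": "EXAMPLE-ACCESS-KEY-ID",
        "SIGSCI_SECRETACCESSKEY": "",                        # left blank
        "AWS_LAMBDA_EXEC_WRAPPER": "/opt/sigsci-wrapper ",   # trailing space
    }},
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:other-layer:3"}],
}

if __name__ == "__main__":
    # Optional argument: a file holding the saved get-function-configuration JSON.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    zip_name = "sigsci-agent_VERSION_lambda_amd64.zip"  # placeholder file name
    for issue in check_waf_config(cfg, "my-sigsci-lambda-layer", zip_name):
        print("FAIL:", issue)
```

Run against the constructed sample, it reports four problems: the empty secret key, the wrapper path with a trailing space, the missing layer, and an amd64 zip on an arm64 function.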

Troubleshooting

All agent logging is written to the Lambda function's logs in AWS CloudWatch. On the Lambda function page, select Monitor, then View logs in CloudWatch. Logs can be viewed and captured there.