CloudFront Embedder Guide


This document describes how to apply PallyCon watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN.

    participant A as End user
    participant C as Cloud Front CDN
    A ->> C: Start playback of Session URL (request segments)
    Note right of C: Watermark embedder 
    C -->> C: Segments mixing by Session URL
    C ->> A: Send mixed segments
    Note right of A: Playback of mixed content

Set up CloudFront Embedder using AWS CDK

This AWS CDK sample contains the source code which generates the aws resources needed to set up the CloudFront embedder.

CloudFront Embedder CDK sample

Set up CloudFront Embedder yourself

CloudFront Embedder files needed for setting up Lambda@Edge can be downloaded from the Sample download page.

The content of this document may become outdated due to future updates from AWS. If there is a part different from the actual AWS console UI or there is a broken link to AWS guide document, please contact us through the Help Desk.

Tutorial Video

This video is a tutorial about how to embed Forensic Watermarking using CloudFront Embedder.

Lambda@Edge User Guide

If you are unfamiliar with using Lambda@Edge with Amazon CloudFront CDN, it is recommended to make yourself familiar with the usage by referring to the AWS online documents below before proceeding to the next step.

Create IAM Permissions and Roles

First, you need to create the required IAM permissions and execution role to configure Lambda@Edge. In the IAM service screen of the AWS console, create the permissions and roles as follows by refer to the AWS guide.

  • Create a role by adding the permissions lambda:GetFunction, lambda:EnableReplication*, iam:CreateServiceLinkedRole, cloudfront:UpdateDistribution, and cloudfront:CreateDistribution.

To add permission, you must first specify the target service (Lambda). Also, to add lambda:EnableReplication* permission, first add lambda:EnableReplication permission and then modify the JSON code.

  • Add log-related permission to collect Lambda access log into cloudwatch logs.

        "Effect": "Allow",
        "Action": [
        "Resource": "arn:aws:logs:*:*:*"
  • Add the following roles to the Trust Relationship tab of the created Role.

        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Principal": { 
                    "Service": [
                "Action": "sts:AssumeRole"

Create Lambda@Edge function

  • Go to the Lambda service in the AWS console and click the Create function button.
  • Select US East (N. Virginia) as the AWS Region in the upper right corner of the console. (Lambda@Edge must be created in the Virginia Region to use it.)

1. Function name and Runtime settings

  • Function Name: Enter any name to identify the function. (e.g. fwm-cf-embedder)
  • Runtime: Select Node.js 12.x or later. (12.x, 14.x, 16.x, etc.) The default at the time of this writing is Node.js 16.x.
  • Architecture: use the default x86_64.

2. Set the execution role

  • Click Change default execution role, select Use existing role, and select the IAM role created in the previous step.
  • Click the Create function button at the bottom of the screen to create a Lambda@Edge function.

3. Upload and edit sample code

  • Click the Upload from > .zip file button on the Code source screen to upload the CloudFront Embedder zip file downloaded from the Sample Download Page.

  • Check the uploaded sample code and modify the following items.

Please be aware that if you modify a source other than those listed below, an error may occur.

  • In the config.json source, set the value of the corresponding variables as below.
Name Required Description
aesKey True Enter the site key value provided by the PallyCon console site.
type True Enter unlabeled_a_variant if preprocessed A/B version segments are stored together in one folder, and enter directory_prefix if they are packaged in separate 0 and 1 folders. If you use the latest version of the FWM CLI packager or if you are a new customer of PallyCon SaaS packaging service, it is basically packaged in the form of Unlabeled A Variant. (default: unlabeled_a_variant)
availableInterval True The URL requested for watermarking contains a timestamp value. This item is the value for checking the validity of the timestamp. If set to 0, the timestamp validity period is not checked. (Unit: minutes)
prefixFolder False Set the name of the parent folder where the A/B version contents are stored
- For contents packaged with old version packaging service: dldzkdpsxmdnjrtm
- For contents packaged with the new T&P service: wm-contents
The default value is ["dldzkdpsxmdnjrtm", "wm-contents"], which supports both cases.
wmPublicKey False Set when using the wmt token type. Use the Akamai public key issued from the PallyCon site. It can be requested the helpdesk.
wmPassword False Set when using the wmt token type. Use the Akamai password issued from the PallyCon site. It can be requested the helpdesk.
  • After saving, click Publish new version of Action button to create version.

  • Copy the ARN containing the generated version. It is displayed in the upper right corner.

    • e.g. arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}

Configure CloudFront

This guide assumes that you already created your CloudFront.

Apply Lambda@Edge

Connect to the AWS console, select the CloudFront menu and select CloudFront to apply Lambda@Edge.

1. Set Behaviors

  • Select the Behaviors tab, check the check box displayed and click the Edit button.

  • Configure Lambda Function Associations items.

    • EventType : select Viewer Request
    • Lambda Function ARN : input the ARN copied during Lambda@Edge creation process.
  • Click the Yes, Edit button.

2. Finish configuration

The status of CloudFront is changed to InProgress, and when Lambda@Edge is applied, status is changed to Deployed and all settings are completed.

For more information about Lambda@Edge, please refer to CloudFront guide from AWS.