CloudFront CDN Watermark Embedder Guide


This document describes how to apply PallyCon watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN.

    participant A as End user
    participant C as CDN
    A ->> C: Start playback of Session URL (request segments)
    Note right of C: Watermark embedder module
    C -->> C: Segments mixing by Session URL
    C ->> A: Send mixed segments
    Note right of A: Playback of mixed content

The source files needed for setting up Lambda@Edge can be downloaded from the Sample download page.

Create Lambda@Edge

  • Connect to the AWS console, select the lambda menu, and click the create function button.
  • Select region to N. Virginia. (Lambda@Edge must be created in the Virginia Region.)

1. Select runtime

  • Choose a Node.JS runtime later than v10. (10.x, 12.x, or 14.x)

2. Set roles

  • Select Create a custom role.

  • Create a Role by adding the permissions lambda:GetFunction, lambda:EnableReplication*, iam:CreateServiceLinkedRole, cloudfront:UpdateDistribution, and cloudfront:CreateDistribution as explained in CloudFront Guide.

  • Add logs related permission to collect Lambda access log into cloudwatch logs.

        "Effect": "Allow",
        "Action": [
        "Resource": "arn:aws:logs:*:*:*"
  • Add the following roles to the Trust Relationship tab of the created Role.

        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Principal": { 
                    "Service": [
                "Action": "sts:AssumeRole"
  • Apply the generated role to the lambda role.

3. Upload function

  • Click Create Function button to create lambda.

  • Select Upload a .ZIP file of Function Code - Code entry Type and add the lambda source downloaded from Console site.

  • Click the Save button to upload the source and modify the uploaded source via Cloud9.

4. Modify function source

Please be aware that if you modify a source other than those listed below, an error may occur.

  • Set the value of the corresponding variable in the table below.

    Source Line
    3 AVAILABLE_INTERVAL True The URL requested for watermarking contains a timestamp value. This item is the value for checking the validity of the timestamp.
    If set to 0, the timestamp validity period is not checked.
    Unit: (minutes)
    4 AES_KEY True Enter the site key value provided by the PallyCon console site.
  • After saving, click Publish new version of Action button to create version.

  • Copy the ARN containing the generated version. It is displayed in the upper right corner.

    • e.g. arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}

Configure CloudFront

This guide assumes that you already created your CloudFront.

Apply Lambda@Edge

Connect to the AWS console, select the CloudFront menu and select CloudFront to apply Lambda@Edge.

1. Set Behaviors

  • Select the Behaviors tab, check the check box displayed and click the Edit button.

  • Configure Lambda Function Associations items.

    • EventType : select Viewer Request
    • Lambda Function ARN : input the ARN copied during Lambda@Edge creation process.
  • Click the Yes, Edit button.

2. Finish configuration

The status of CloudFront is changed to InProgress, and when Lambda@Edge is applied, status is changed to Deployed and all settings are completed.

For more information about Lambda@Edge, please refer to CloudFront guide from AWS.