CloudFront Embedder Guide


This document describes how to apply PallyCon watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN.

    participant A as End user
    participant C as Cloud Front CDN
    A ->> C: Start playback of Session URL (request segments)
    Note right of C: Watermark embedder 
    C -->> C: Segments mixing by Session URL
    C ->> A: Send mixed segments
    Note right of A: Playback of mixed content

CloudFront Embedder files needed for setting up Lambda@Edge can be downloaded from the Sample download page.

Create Lambda@Edge

  • Connect to the AWS console, select the lambda menu, and click the create function button.
  • Select region to N. Virginia. (Lambda@Edge must be created in the Virginia Region.)

1. Select runtime

  • Choose a Node.JS runtime later than v10. (10.x, 12.x, or 14.x)

2. Set roles

  • Select Create a custom role.

  • Create a Role by adding the permissions lambda:GetFunction, lambda:EnableReplication*, iam:CreateServiceLinkedRole, cloudfront:UpdateDistribution, and cloudfront:CreateDistribution as explained in CloudFront Guide.

  • Add logs related permission to collect Lambda access log into cloudwatch logs.

        "Effect": "Allow",
        "Action": [
        "Resource": "arn:aws:logs:*:*:*"
  • Add the following roles to the Trust Relationship tab of the created Role.

        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Principal": { 
                    "Service": [
                "Action": "sts:AssumeRole"
  • Apply the generated role to the lambda role.

3. Upload function

  • Click Create Function button to create lambda.

  • Select Upload a .ZIP file of Function Code - Code entry Type and add the lambda source downloaded from Console site.

  • Click the Save button to upload the source and modify the uploaded source via Cloud9.

4. Modify function source

Please be aware that if you modify a source other than those listed below, an error may occur.

  • In the config.json source, set the value of the corresponding variables as below.

    Name Required Description
    aesKey True Enter the site key value provided by the PallyCon console site.
    type True Enter unlabeled_a_variant if preprocessed A/B version segments are stored together in one folder, and enter directory_prefix if they are packaged in separate 0 and 1 folders. If you use the latest version of the FWM CLI packager or if you are a new customer of PallyCon SaaS packaging service, it is basically packaged in the form of Unlabeled A Variant. (default: unlabeled_a_variant)
    availableInterval True The URL requested for watermarking contains a timestamp value. This item is the value for checking the validity of the timestamp.
    If set to 0, the timestamp validity period is not checked.
    Unit: (minutes)
  • After saving, click Publish new version of Action button to create version.

  • Copy the ARN containing the generated version. It is displayed in the upper right corner.

    • e.g. arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}

Configure CloudFront

This guide assumes that you already created your CloudFront.

Apply Lambda@Edge

Connect to the AWS console, select the CloudFront menu and select CloudFront to apply Lambda@Edge.

1. Set Behaviors

  • Select the Behaviors tab, check the check box displayed and click the Edit button.

  • Configure Lambda Function Associations items.

    • EventType : select Viewer Request
    • Lambda Function ARN : input the ARN copied during Lambda@Edge creation process.
  • Click the Yes, Edit button.

2. Finish configuration

The status of CloudFront is changed to InProgress, and when Lambda@Edge is applied, status is changed to Deployed and all settings are completed.

For more information about Lambda@Edge, please refer to CloudFront guide from AWS.