ghost
commented
2 years ago Per https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions-restrictions.html#lambda-at-edge-function-restrictions, the CloudFront edge Lambda must be deployed in us-east-1.
This Lambda does not process sensitive data - all such data is exclusively sent separately to the API Gateway API located in the region you deploy the template in. And for the little user data it could see, the edge Lambda can't do anything with it.
- It only handles responses to requests to static assets common to all users from an S3 bucket.
- It sits behind the CloudFront cache, not in front, meaning invocations do not map one-to-one with actual fetches.
- It only adds properties to the response, and is otherwise stateless. It additionally only logs responses, not requests.
- It only contains the minimum permissions necessary to allow itself to be executed at all due to the IAM role given to it. This also implies it lacks any ability to persist anything it sees beyond mere writing to logs, even in the unlikely event it somehow gets compromised with a runtime code execution vulnerability.
If you have a need to ensure no request leaves the EU at all, I would recommend reaching out to AWS sales and/or support for further guidance, as I'm not sufficiently aware of the specifics of CloudFront to respond to that.
jwurm
Hello everyone,
is there a way to install the developer portal without making use of the us-east-1 region?
Most resources do appear to get created in the region that i usually use (eu-central-1), but the installation via serverless application repository does appear to try to create lambdas in us-east-1.
For legal reasons my organization does not allow data to leave the EU, so creating lambdas in the US is forbidden by policies.
Is there a way to install the developer portal with those lambdas in the same region as the rest of the installation? The template does seem to treat us-east-1 in a special way, but it does not appear to be related to the creation of the lambdas, at least i don't understand the connection there (i'm a noob).
Thanks a lot in advance!
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::REDACTED:assumed-role/serverlessrepo-api-gw-por-CloudFrontEdgeReplicator-PMHDNM7LBRA7/serverlessrepo-api-gw-por-CloudFrontSecurityHeader-kKla1kofsaqM is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:REDACTED:function:serverlessrepo-api-gw-por-CloudFormationEdgeLambda-kKla1kofsaqM with an explicit deny in a service control policy