Lambda Architecture - Dynamic Image Transformation for Amazon CloudFront

Lambda Architecture

This cost-optimized serverless architecture is suitable for most image transformation workloads with images up to 6 MB.

Important

This solution is intended for customers with public applications who want to provide an option to dynamically change or manipulate their public images. Because of these public requirements, this template creates a publicly accessible, unauthenticated CloudFront distribution and Amazon API Gateway endpoint in your account, allowing anyone to access it. For more information on API Gateway authorization, refer to the Security section. This solution supports signing requests, which can serve to restrict unauthorized requests. For more information, refer to the Image URL Signature section.

Lambda architecture for cost-optimized image processing

serverless image handler architecture

Note

AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs.

The high-level process flow for the Lambda architecture is as follows:

  1. An Amazon CloudFront distribution provides a caching layer to reduce the cost of image processing and the latency of subsequent image delivery.

  2. Amazon API Gateway provides endpoint resources and initiates the AWS Lambda function.

  3. A Lambda function retrieves the image from a customer’s existing Amazon S3 bucket and uses sharp to return a modified version of the image to the API Gateway.

  4. A solution-created S3 bucket provides log storage, separate from your customer-created S3 bucket for storing images.

  5. (Optional) If you enter Yes for the Enable Signature template parameter, the Lambda function retrieves the secret value from your existing AWS Secrets Manager secret to validate the signature.

  6. (Optional) If you use the smart crop or content moderation features, the Lambda function calls Amazon Rekognition to analyze your image and returns the results.

  7. The viewer request is proxied through an Amazon CloudFront function to normalize headers and query parameters for improved cache hit rates.
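The signature check in step 5, sketched as an added example that is not taken from the solution's source code. The HMAC-SHA256 scheme, the `signature` parameter name, the canonical string layout, and all sample values are assumptions; the secret is passed in as an argument where the Lambda function would read it from AWS Secrets Manager.

```javascript
// Added example. The signing scheme is an assumption, not the solution's documented format.
const crypto = require("node:crypto");

const SIG_PARAM = "signature"; // assumed query parameter name

// String that gets signed: the path plus all other query parameters in sorted
// order, so reordering parameters does not invalidate a signature.
function canonicalize(path, query) {
  const pairs = Object.entries(query)
    .filter(([k]) => k !== SIG_PARAM)
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`);
  return pairs.length ? `${path}?${pairs.join("&")}` : path;
}

function sign(secret, path, query) {
  return crypto.createHmac("sha256", secret).update(canonicalize(path, query)).digest("hex");
}

// True only for a well-formed signature that matches the HMAC of this exact request.
function verifyRequest(secret, path, query) {
  const provided = query[SIG_PARAM];
  // Reject missing or malformed values first; timingSafeEqual needs equal lengths.
  if (typeof provided !== "string" || !/^[0-9a-f]{64}$/i.test(provided)) return false;
  const expected = Buffer.from(sign(secret, path, query), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(provided, "hex"));
}

// Constructed sample values.
const SECRET = "constructed-demo-secret";
const PATH = "/images/cat.jpg";
const signedQuery = { width: "300", format: "webp" };
signedQuery[SIG_PARAM] = sign(SECRET, PATH, signedQuery);

function demo() {
  const { width, format, [SIG_PARAM]: sig } = signedQuery;
  return {
    valid: verifyRequest(SECRET, PATH, signedQuery),
    reordered: verifyRequest(SECRET, PATH, { [SIG_PARAM]: sig, format, width }),
    tamperedQuery: verifyRequest(SECRET, PATH, { ...signedQuery, width: "4000" }),
    tamperedPath: verifyRequest(SECRET, "/images/other.jpg", signedQuery),
    unsigned: verifyRequest(SECRET, PATH, { width, format }),
    malformed: verifyRequest(SECRET, PATH, { ...signedQuery, [SIG_PARAM]: "zz" }),
    wrongSecret: verifyRequest("another-secret", PATH, signedQuery),
  };
}

console.log(demo());
```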