AWS solutions documentation change
Summary
Restructured the document to detail both Lambda and ECS architectures for image transformation. Added sections on Lambda architecture details, ECS architecture details, and AWS services used. Included a warning about security risks of the origin override header feature in ECS.
Security assessment
Added explicit security warning about origin override header potentially allowing requests to unauthorized origins. Also maintained documentation for existing security features (URL signatures, CORS). No evidence of addressing a specific vulnerability.
Diff
diff --git a/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/architecture-details.md b/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/architecture-details.md index 4154f8ccb..f48712f3f 100644 --- a//solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/architecture-details.md +++ b//solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/architecture-details.md @@ -5 +5 @@ -Demo UISmart croppingContent moderationCross-origin resource sharingImage URL signatureDefault fallback image +Lambda architecture detailsECS architecture detailsECS architecture detailsAWS services used in ECS architecture @@ -11 +11,40 @@ This section describes the components and AWS services that make up this solutio -## Demo UI +## Lambda architecture details + +The Lambda architecture provides cost-optimized serverless image processing for images up to 6 MB with pay-per-request pricing and automatic scaling. + +### Core components + +**Amazon API Gateway** \- RESTful API endpoint for image transformation requests \- Request validation and parameter parsing \- Integration with AWS Lambda for processing \- Built-in throttling and caching capabilities + +**AWS Lambda** \- Serverless compute for image processing using Sharp library \- Automatic scaling based on request volume \- 6 MB payload limit for requests and responses \- Memory allocation from 128 MB to 10,240 MB + +**Amazon CloudFront** \- Global content delivery network for caching processed images \- Edge locations reduce latency for end users \- Custom cache behaviors for different request types \- Origin Shield for additional caching layer + +**Amazon S3** \- Source image storage with versioning and encryption support \- Processed image caching (optional) \- Static website hosting for Demo UI \- Cross-region replication capabilities + +### Request processing workflow + +**Lambda processing steps:** + + 1. API Gateway receives image transformation request + + 2. Request parameters are validated and parsed + + 3. Lambda function is invoked with transformation parameters + + 4. Original image is fetched from S3 bucket + + 5. Sharp library applies transformations (resize, crop, format conversion, etc.) + + 6. Processed image is returned through API Gateway + + 7. CloudFront caches the processed image for future requests + + + + +**Supported transformations:** \- Resize with various fit options (cover, contain, fill, inside, outside) \- Crop with precise coordinates or smart cropping using Amazon Rekognition \- Format conversion ("jpg", "jpeg", "heic", "png", "raw", "tiff", "webp", "gif", "avif") \- Quality optimization and compression \- Rotation and flip operations \- Watermarking and overlay effects \- Content moderation using Amazon Rekognition + +### Lambda architecture features + +**Demo UI** @@ -15 +54 @@ This solution optionally deploys a demo UI into your account to demonstrate the -This solution’s template contains a **Deploy Demo UI** parameter that’s activated (set to `Yes`) by default. If activated, this option deploys an additional Amazon S3 bucket and associated CloudFront distribution into your account. +This solution’s template contains a Deploy Demo UI parameter that’s activated (set to Yes) by default. If activated, this option deploys an additional Amazon S3 bucket and associated CloudFront distribution into your account. @@ -17 +56 @@ This solution’s template contains a **Deploy Demo UI** parameter that’s acti -## Smart cropping +**Smart cropping** @@ -25 +64 @@ Amazon Rekognition supports only JPEG and PNG file formats for smart cropping. W -## Content moderation +**Content moderation** @@ -33 +72 @@ Amazon Rekognition supports only JPEG and PNG file formats for content moderatio -## Cross-origin resource sharing +**Cross-origin resource sharing** @@ -35 +74 @@ Amazon Rekognition supports only JPEG and PNG file formats for content moderatio -This solution’s template contains two parameters that activate [Cross-origin resource sharing (CORS)](./concepts-and-definitions.html) for your image handler API: **CorsEnabledParameter** and **CorsOriginParameter**. CORS defines how client web applications loaded in one domain can interact with resources in a different domain. You can [activate CORS for your image handler API](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html) to make requests to your image handler API from outside the domain space of the API. +This solution’s template contains two parameters that activate Cross-origin resource sharing (CORS) for your image handler API: CorsEnabledParameter and CorsOriginParameter. CORS defines how client web applications loaded in one domain can interact with resources in a different domain. You can activate CORS for your image handler API to make requests to your image handler API from outside the domain space of the API. @@ -41 +80 @@ For example, if you have a public web application hosted on either a custom doma -If you want to change your CORS configuration after deployment, you can activate or deactivate CORS by editing the `CORS_ENABLED (Yes/No)` and `CORS_ORIGIN` environment variables of the Lambda image handler function. See [Using AWS Lambda environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html) in the _AWS Lambda Developer Guide_ for more information. +If you want to change your CORS configuration after deployment, you can activate or deactivate CORS by editing the CORS_ENABLED (Yes/No) and CORS_ORIGIN environment variables of the Lambda image handler function. See Using AWS Lambda environment variables in the AWS Lambda Developer Guide for more information. @@ -43 +82 @@ If you want to change your CORS configuration after deployment, you can activate -## Image URL signature +**Image URL signature** @@ -45 +84 @@ If you want to change your CORS configuration after deployment, you can activate -This solution’s template contains three parameters that are required for the image URL signature functionality: **EnableSignatureParameter** , **SecretsManagerSecretParameter** , and **SecretsManagerKeyParameter**. To activate this feature: +This solution’s template contains three parameters that are required for the image URL signature functionality: EnableSignatureParameter, SecretsManagerSecretParameter, and SecretsManagerKeyParameter. To activate this feature: @@ -47 +86 @@ This solution’s template contains three parameters that are required for the i - * Set the **EnableSignatureParameter** parameter to `Yes` + * Set the EnableSignatureParameter parameter to Yes @@ -49 +88 @@ This solution’s template contains three parameters that are required for the i - * Set the **SecretsManagerSecretParameter** and **SecretsManagerKeyParameter** parameters to a valid secret and key that you originally created in Secrets Manager + * Set the SecretsManagerSecretParameter and SecretsManagerKeyParameter parameters to a valid secret and key that you originally created in Secrets Manager @@ -56 +95 @@ This solution’s template contains three parameters that are required for the i -You are responsible for creating the Secrets Manager secret and key. For more information about Secrets Manager secret creation, refer to [Create and manage secrets with AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) in the _AWS Secrets Manager User Guide_. +You are responsible for creating the Secrets Manager secret and key. For more information about Secrets Manager secret creation, refer to [Create and manage secrets with AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html) in the AWS Secrets Manager User Guide. @@ -58 +97 @@ You are responsible for creating the Secrets Manager secret and key. For more in -When you activate this feature, the image handler AWS Lambda function checks for a valid signature in the image request. If the signature doesn’t match, the solution returns an error message. When activating the image URL signature, you must provide the `signature` query string to your URL. For example, you can create the signature using the following Node.js code: +When you activate this feature, the image handler AWS Lambda function checks for a valid signature in the image request. If the signature doesn’t match, the solution returns an error message. When activating the image URL signature, you must provide the signature query string to your URL. For example, you can create the signature using the following Node.js code: @@ -78 +117 @@ You can request your image using the image URL signature: -If you update your existing solution deployment and activate the image URL signature, the updated stack will no longer be compatible with the existing URLs. You must update your application to provide the correct signature query string to your URLs. To update the solution stack, refer to [Update the solution](./update-the-solution.html). +If you update your existing solution deployment and activate the image URL signature, the updated stack will no longer be compatible with the existing URLs. You must update your application to provide the correct signature query string to your URLs. To update the solution stack, refer to Update the solution. @@ -82 +121 @@ If you update your existing solution deployment and activate the image URL signa -If you plan to use the Expires query parameter alongside signed requests, ensure you include the expiration when creating your signature. For more information, refer to [Include request expiration](./create-and-use-image-requests.html#include-request-expiration). +If you plan to use the Expires query parameter alongside signed requests, ensure you include the expiration when creating your signature. For more information, refer to Include request expiration. @@ -84 +123 @@ If you plan to use the Expires query parameter alongside signed requests, ensure -## Default fallback image +**Default fallback image** @@ -86 +125 @@ If you plan to use the Expires query parameter alongside signed requests, ensure -This solution provides a default [fallback image](./concepts-and-definitions.html) feature that returns the specified fallback image as a result of errors occur during processing, rather than a JSON object error message. This solution’s template contains three parameters that are required for the default fallback image feature: **EnableDefaultFallbackImageParameter** , **FallbackImageS3BucketParameter** , and **FallbackImageS3KeyParameters**. +This solution provides a default fallback image feature that returns the specified fallback image as a result of errors occur during processing, rather than a JSON object error message. This solution’s template contains three parameters that are required for the default fallback image feature: EnableDefaultFallbackImageParameter, FallbackImageS3BucketParameter, and FallbackImageS3KeyParameters. @@ -89,0 +129,7 @@ By default, this feature is deactivated. To activate this feature: + * Set the EnableDefaultFallbackImageParameter parameter to Yes + + * Set the FallbackImageS3BucketParameter and FallbackImageS3KeyParameter parameters to a valid S3 bucket and object key + + + + @@ -92 +138,130 @@ By default, this feature is deactivated. To activate this feature: -Before activating this feature, if you use an S3 bucket policy in the fallback image S3 bucket, you must edit the bucket policy to allow the `CustomResourceFunction` and `ImageHandlerFunction` AWS Lambda functions to get the default fallback image object. For more information, see [Adding a bucket policy by using the Amazon S3 console](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html). +Before activating this feature, if you use an S3 bucket policy in the fallback image S3 bucket, you must edit the bucket policy to allow the CustomResourceFunction and ImageHandlerFunction AWS Lambda functions to get the default fallback image object. For more information, see Adding a bucket policy by using the Amazon S3 console. + +## ECS architecture details + +The ECS architecture provides high-performance image processing capabilities for demanding workloads and large images up to 100 MB. + +### Key concepts + +#### Origins + +An origin defines the source location where original images are stored. The solution supports two types of origins: + +**Amazon S3 origins** \- S3 buckets containing your original images \- Configured with valid S3 endpoint URL and optional path prefix \- Supports all S3 features including versioning and encryption + +**External origins** \- HTTP-accessible domains hosting images \- Content management systems, CDNs, or web servers \- Must use HTTPS with valid SSL certificates from trusted certificate authorities \- Self-signed certificates are not supported + +Origins are configured with the following properties: + + * **Origin name** : A descriptive identifier for management purposes + + * **Origin domain** : A valid S3 endpoint URL or external domain (e.g., `images.example.com`) + + * **Origin path** (optional): A path prefix appended to all requests (e.g., `/assets/images`) + + * **Origin headers** (optional): Custom headers sent with each origin request for authentication or routing + + + + +#### Transformation policies + +Transformation policies are reusable configurations that define sets of image transformations, output settings, and conditional logic. They enable consistent image processing across applications without requiring transformation parameters in each request. + +**Policy structure:** + + * **Transformations** : Array of image operations (resize, crop, format conversion, etc.) with optional conditional logic based on request headers + + * **Output settings** : Quality, format, and optimization configurations + + * **Default policy** : Only one policy can be designated as default (applied when no specific policy is requested) + + + + +**Example policy capabilities:** + + * Automatic format selection (WebP for supported browsers, JPEG for others) + + * Quality optimization based on device pixel ratio + + + + +**Policy application precedence:** + + 1. Explicit transformations in request query parameters (highest) + + 2. Named policy specified in request + + 3. Policy configured in the mapping + + 4. Default policy (lowest) + + + + +#### Mappings + +Mappings define how incoming image requests are routed to specific origins. The solution supports two types of mappings with different precedence rules: + +**Host-header mappings** (highest precedence) + + * Route requests based on the `Host` header in the incoming request + + * Support exact matches (`images.mysite.com`) and wildcard patterns (`*.mysite.com`) + + * Useful for multi-tenant applications or domain-based routing + + * Example: `images.customer1.com` → Customer 1’s S3 bucket + + + + +**Path-based mappings** (lower precedence) + + * Route requests based on URL path patterns + + * Support exact paths (`/thumbnails`) and wildcard patterns (`/customer-123/*`) + + * Enable content-based routing within a single domain + + * Example: `/product-images/*` → Product catalog origin +