Update CF custom header value


Hi team,

I have a lambda authorizer that validates the **value ** of a header: x-origin-verify (custom header added in Cloud Front distribution) which is in secret manager.

in my Scenario, the value x-origin-verify on the secret manager is rotated each hour.

how can I update the value of the custom header x-origin-verify in Cloud Front with the latest value rotated from the secret manager?

in my CDK can I just reference the value in a secret manager? or that will work only one time

otherwise what is the best way to update the custom header (x-origin-verify) value in CF distribution as soon as this value is rotated on the secret manager.

otherwise, how can I implement that using lambda at edge? an example for it would be very helpful

Thank you :)

2 Answers


While you could potentially build some automation to update the value on the CloudFront distribution, this update would be eventually consistent as the change propagates to all CloudFront edge PoPs. I suspect this would cause some issues for you. Instead, as you alluded to, you can use Lambda@Edge to do a lookup on each viewer response and append the appropriate security header. Please check out this blog for some guidance on appending security headers using Lambda@Edge and Amazon CloudFront.

answered 2 years ago
  • Thank you, but with this solution, the lambda function needs to pull the secret from the secret manager every millisecond though. That would not be a bit lot?

    • lambda 1 (lambda edge responsible for setting the secret in headers) needs to pull from secret manager. We cannot pull secret on every request or that would be too expensive and slow.
    • lambda 2 (lambda for API GW authorizer) needs to pull secret to validate the header and at least the response can be cached, if we cache lambda 1, then we can get into synchronization issue.

Another blog was published demonstrating Lambda@Edge and SecretsManager along with secret rotation, How to enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager . The rotation process adds a new version of the secret while retaining the original version. The downstream systems, API GW authorizer in your case, check if the the header value matches the new **or ** previous versions of the secret to allow for some propagation delay.

Regarding your performance and Secrets Manager request cost concerns, Lambda functions can be optimized to cache the secrets values after the first invocation in a new execution environment. The Operating Lambda: Performance optimization – Part 2 blog post has a great overview in the Optimizing static initialization section.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions