While you could potentially build some automation to update the value on the CloudFront distribution, this update would be eventually consistent as the change propagates to all CloudFront edge PoPs. I suspect this would cause some issues for you. Instead, as you alluded to, you can use Lambda@Edge to do a lookup on each viewer response and append the appropriate security header. Please check out this blog for some guidance on appending security headers using Lambda@Edge and Amazon CloudFront.
Another blog was published demonstrating Lambda@Edge and Secrets Manager along with secret rotation, How to enhance Amazon CloudFront origin security with AWS WAF and AWS Secrets Manager. The rotation process adds a new version of the secret while retaining the original version. The downstream systems, API GW authorizer in your case, check if the header value matches the new **or** previous versions of the secret to allow for some propagation delay.
Regarding your performance and Secrets Manager request cost concerns, Lambda functions can be optimized to cache the secrets values after the first invocation in a new execution environment. The Operating Lambda: Performance optimization – Part 2 blog post has a great overview in the Optimizing static initialization section.
Accepted Answer · EXPERT · 3 years ago
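The "current or previous version" check and the per-execution-environment secret cache described in the answer above, as an added example that is not part of the original answer or of the linked AWS blog posts. It assumes a header named X-Origin-Verify, a secret stored as JSON with a HEADERVALUE field, a 60-second cache TTL, and a FakeSecretsManager stand-in for the boto3 secretsmanager client so that it runs offline; all of those are assumptions for illustration. Rotation is simulated by moving the old value to the AWSPREVIOUS staging label, which is what the Secrets Manager rotation flow does for the retained version.

```python
"""Added example: validate a CloudFront origin secret header against the
AWSCURRENT or AWSPREVIOUS version of a Secrets Manager secret, with the
values cached in the Lambda execution environment between invocations.
Header name, secret name, TTL and the fake client are assumptions."""
import hmac
import json
import time

HEADER_NAME = "x-origin-verify"  # assumed header name (lower-cased as in CloudFront events)
SECRET_ID = "origin-verify"      # assumed secret name
CACHE_TTL_SECONDS = 60           # bound on how stale a warm environment's copy may be


class FakeSecretsManager:
    """Offline stand-in for boto3.client('secretsmanager'). rotate() mimics the
    rotation Lambda: the new value becomes AWSCURRENT, the old one is kept as
    AWSPREVIOUS, and anything older is dropped."""

    def __init__(self, value):
        self._versions = {"AWSCURRENT": value, "AWSPREVIOUS": None}
        self.calls = 0  # counts API calls so the cache's effect is visible

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        value = self._versions.get(VersionStage)
        if value is None:
            # boto3 raises client.exceptions.ResourceNotFoundException here
            raise LookupError(f"no {VersionStage} version for {SecretId}")
        return {"SecretString": json.dumps({"HEADERVALUE": value})}

    def rotate(self, new_value):
        self._versions["AWSPREVIOUS"] = self._versions["AWSCURRENT"]
        self._versions["AWSCURRENT"] = new_value


class SecretCache:
    """Instantiate once at module scope (static initialization) so a warm
    execution environment fetches at most once per TTL."""

    def __init__(self, client, now=time.monotonic):
        self._client, self._now = client, now
        self._values, self._fetched_at = None, -float("inf")

    def get(self):
        """Return [current, previous] header values, refreshing after the TTL."""
        if self._values is None or self._now() - self._fetched_at > CACHE_TTL_SECONDS:
            self._values = self._fetch()
            self._fetched_at = self._now()
        return self._values

    def _fetch(self):
        values = []
        for stage in ("AWSCURRENT", "AWSPREVIOUS"):
            try:
                resp = self._client.get_secret_value(SecretId=SECRET_ID, VersionStage=stage)
            except LookupError:
                continue  # no previous version exists before the first rotation
            values.append(json.loads(resp["SecretString"])["HEADERVALUE"])
        return values


def add_origin_header(request, cache):
    """Lambda@Edge origin-request side: stamp the AWSCURRENT value in the
    CloudFront header format so the origin can tell the request came via CloudFront."""
    current = cache.get()[0]
    request.setdefault("headers", {})[HEADER_NAME] = [{"key": "X-Origin-Verify", "value": current}]
    return request


def header_is_valid(headers, cache):
    """API Gateway Lambda authorizer side: accept the header if it matches the
    current OR the previous version, comparing in constant time."""
    presented = headers.get(HEADER_NAME)
    if presented is None:
        return False
    presented_bytes = presented.encode("utf-8")
    return any(hmac.compare_digest(presented_bytes, v.encode("utf-8")) for v in cache.get())


def demo():
    """Walk through a rotation with separate edge and authorizer caches (constructed data)."""
    clock = [1000.0]
    sm = FakeSecretsManager("secret-v1")
    edge_cache = SecretCache(sm, now=lambda: clock[0])
    authz_cache = SecretCache(sm, now=lambda: clock[0])
    results = {}

    req = add_origin_header({"uri": "/api/health"}, edge_cache)
    v1 = req["headers"][HEADER_NAME][0]["value"]
    results["before_rotation"] = header_is_valid({HEADER_NAME: v1}, authz_cache)

    sm.rotate("secret-v2")  # edge and authorizer both still hold cached v1
    results["stale_edge_during_rotation"] = header_is_valid({HEADER_NAME: "secret-v1"}, authz_cache)
    clock[0] += CACHE_TTL_SECONDS + 1  # both caches expire and refetch
    results["old_after_refresh"] = header_is_valid({HEADER_NAME: "secret-v1"}, authz_cache)
    results["new_after_refresh"] = header_is_valid({HEADER_NAME: "secret-v2"}, authz_cache)

    sm.rotate("secret-v3")  # v1 is now neither current nor previous
    clock[0] += CACHE_TTL_SECONDS + 1
    results["two_rotations_old"] = header_is_valid({HEADER_NAME: "secret-v1"}, authz_cache)
    results["missing_header"] = header_is_valid({}, authz_cache)
    results["secrets_manager_calls"] = sm.calls
    return results


if __name__ == "__main__":
    print(demo())
```

The cache TTL is the knob that ties the two sides together: a value can only be as stale as the TTL, so as long as rotation does not run twice within one TTL, an edge function holding the old value is still accepted by an authorizer that has already refreshed. The call counter shows that a warm environment makes two calls (current and previous) per refresh rather than per request.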