17: Global Content Delivery + Optimization

Securing CF and S3 with OAI

OAI: Origin Access Identity.

We can use an OAI to prevent direct access to an S3 bucket.

The bucket policy contains an explicit allow for the OAI; everything else falls under the implicit DENY.
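One way to check the rule above (explicit allow for the OAI, nothing else allowed) against a bucket policy document. This is an added example, not part of the original notes; the bucket name `example-bucket`, the OAI ID `EXAMPLEOAIID` and the function name `audit_bucket_policy` are constructed placeholders.

```python
import json

# Principal ARN prefix CloudFront uses for an OAI; the ID is a constructed placeholder.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
OAI_ID = "EXAMPLEOAIID"

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, oai_id):
    """Return findings; an empty list means the OAI is the only allowed principal."""
    findings, oai_allowed = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access further
        principal = stmt.get("Principal")
        if principal is None:
            findings.append("Allow statement without a Principal element")
            continue
        # Principal is either the string "*" or a map such as {"AWS": [...]}.
        values = principal.values() if isinstance(principal, dict) else [principal]
        for p in (p for v in values for p in _as_list(v)):
            if p == OAI_PREFIX + oai_id:
                oai_allowed = True
            else:
                findings.append(f"Allow for non-OAI principal: {p}")
    if not oai_allowed:
        findings.append("no Allow statement for the expected OAI")
    return findings

# Constructed sample policies for a hypothetical bucket "example-bucket".
OAI_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": OAI_PREFIX + OAI_ID},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
}
PUBLIC_STATEMENT = dict(OAI_STATEMENT, Principal="*")  # the weak setting
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [OAI_STATEMENT]})
BAD_POLICY = json.dumps(
    {"Version": "2012-10-17", "Statement": [OAI_STATEMENT, PUBLIC_STATEMENT]}
)

if __name__ == "__main__":
    print(audit_bucket_policy(GOOD_POLICY, OAI_ID))
    print(audit_bucket_policy(BAD_POLICY, OAI_ID))
```

The check only reads the policy document and only recognises the ARN form of the OAI principal; bucket ACLs and Block Public Access settings need to be reviewed separately.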


Lambda@Edge

  • You can run lightweight Lambda functions at edge locations.
  • Adjust data between the Viewer & Origin.
  • Currently supports Node.js and Python.
  • Runs in the AWS Public Space (Not VPC).
  • Layers are not supported.
  • Different limits vs Standard Lambda.

Use cases

  • A/B testing - Viewer Request.
  • Migration between S3 Origins - Origin Request.
  • Different Objects Based on Device - Origin Request.
  • Content By Country - Origin Request.

Global Accelerator