---
title: AWS Lambda
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/aws-lambda
---

Fastly's Next-Gen WAF supports any Lambda function on Amazon Web Services (AWS). Our Lambda extension acts as an HTTP proxy between the AWS Lambda service and runtime and will allow or block traffic after inspecting the JSON payload of the web API event used by the Lambda runtime.

The Fastly WAF Lambda extension is configured by using the AWS Secrets Manager. You can download Fastly's WAF binaries to create a layer that a Lambda function can use.

## Prerequisites

[Copy the agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys) for your site (also known as workspace). You will need them when configuring the AWS Secrets Manager.

## Recommendations

For reduced latency and improved performance, we recommend setting the memory for your Lambda function to at least 512 MB.

## How the Fastly WAF extension works

The Lambda function invokes the Fastly WAF extension, which then follows the life cycle of the [execution environment](https://docs.aws.amazon.com/lambda/latest/dg/lambda-extensions.html).

| Life cycle phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `init`           | The Lambda function creates or unfreezes the execution environment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `restore`        | Not applicable. The SnapStart function is never invoked.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| `invoke`         | The Lambda function invokes the Fastly WAF extension and then the Next-Gen WAF agent: <ul><li>uses your active <a href="/guides/next-gen-waf/rules/about-rules">rules</a> and <a href="/guides/next-gen-waf/thresholds/about-threshold-configurations">threshold configurations</a> to determine whether to allow, block, rate limit, or <a href="/guides/next-gen-waf/signals/about-signals">tag</a> requests.</li><li>tags requests and <a href="/guides/next-gen-waf/data-storage-and-privacy/redacting-data">redacts sensitive information</a> from requests.</li><li>allows, blocks, and rate limits requests.</li><li>uploads redacted request and response data to the cloud engine per our <a href="/guides/next-gen-waf/data-storage-and-privacy/about-data-storage-and-privacy">data storage policy</a> and downloads new rules and configurations from the cloud engine every 30 seconds.</li></ul> |
| `shutdown`       | The Lambda function shuts down the runtime and alerts the Fastly WAF extension so it can stop cleanly. The Next-Gen WAF agent uploads redacted request and response data to the cloud engine per our data storage policy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |

## Configure the AWS Secrets Manager

1. Log in to the AWS Management Console.

2. From the **Services** menu, select **Security, Identity, & Compliance** and then select **Secrets Manager**.

3. Click **Store a new secret**.

4. For the Secret type, select **Other type of secret**. This option allows you to create a secret that can store credentials or other information by defining key-value strings.

5. In the **Key/value pairs** fields, enter your [agent keys](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/accessing-agent-keys).

6. Click **Next**.

7. In the **Secret name** and **Description** fields, enter a human-readable name and description for the secret (e.g., `Fastly secret for Lambda extension`).

8. Locate the **Execution role** of your Lambda function:
   - In another tab, log in to the AWS Management Console.
   - From the **Services** menu, select **Compute** and then select **Lambda**.
   - Select your Lambda function.
   - Click **Configuration**.
   - From the sidebar, click **Permissions** and then click the role name for your Lambda function in the Execution role area.
   - From the Identity and Access Management (IAM) page that appears, copy the ARN displayed on the page.

9. Back on the Configure secret page in the AWS Management Console, click **Edit permissions**.

10. Modify the configuration shown below to allow your Lambda function role to access this secret.

    ```json
    {
        "Version" : "2012-10-17",
        "Statement" : [ {
            "Effect" : "Allow",
            "Principal" : {
                "AWS" : "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/service-role/YOUR_LAMBDA_FUNCTION_ROLE"
            },
            "Action" : "secretsmanager:GetSecretValue",
            "Resource" : "*"
        } ]
    }
    ```

11. Click **Save** and then click **Next**.

12. Click **Next**.

13. Review the secret and then click **Store**.
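The resource policy from step 10 is easy to get wrong when the role ARN is pasted by hand. The following check is an added example, not Fastly's code: it lints a policy document before you save it, and the account ID and role name in the samples are constructed placeholders.

```python
import json
import re

# IAM role ARN: empty region field, 12-digit account ID, then role path/name.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_secret_policy(policy_json):
    """Return findings for a Secrets Manager resource policy document."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            arns = as_list(principal.get("AWS", []))
        else:
            arns = [str(principal)]  # e.g. the bare wildcard "*"
        if not arns:
            findings.append(f"statement {i}: no AWS principal named")
        for arn in arns:
            if not ROLE_ARN.match(arn):
                findings.append(f"statement {i}: principal is not a role ARN: {arn}")
        for action in as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action not needed: {action}")
    return findings


def make_policy(principal, action):
    """Build a constructed one-statement policy in the shape used in step 10."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": principal,
        "Action": action, "Resource": "*"}]})


# Constructed samples: the account ID and role name are placeholders.
GOOD = make_policy({"AWS": "arn:aws:iam::123456789012:role/service-role/example-fn-role"},
                   "secretsmanager:GetSecretValue")
NO_ACCOUNT = make_policy({"AWS": "arn:aws:iam::role/service-role/example-fn-role"},
                         "secretsmanager:GetSecretValue")
WIDE_OPEN = make_policy("*", "secretsmanager:*")
```

An empty list from `lint_secret_policy` means the policy names only role ARNs and grants only `secretsmanager:GetSecretValue`.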

## Configure the Fastly WAF Lambda extension

1. Log in to the AWS Management Console.

2. Click **Services**. Select **Compute**, then select **Lambda**.

3. Select your Lambda function.

4. Click **Configuration**.

5. Click **Environment variables**.

6. Click **Edit**.

7. Add the following variables in the **Key/value pairs** fields:

   | Key                       | Value                                                                                                                 |
   | ------------------------- | --------------------------------------------------------------------------------------------------------------------- |
   | `SECRET_ARN`              | Secret ARN of the newly created secret<br/>Example:<br/>arn:aws:secretsmanager:us-west-2:secret:lambda_secrets-kMxqBg |
   | `SECRET_REGION`           | Region where the newly created secret resides<br/>Example:<br/>us-west-2                                              |
   | `AWS_LAMBDA_EXEC_WRAPPER` | `/opt/sigsci-wrapper`                                                                                                 |
   | `SIGSCI_KEYSTORE_WRAPPER` | `/opt/fetch-aws-secrets` <br/>Only needed if using AWS Secrets Manager                                                |

8. Click **Save**.

## Install the Fastly WAF Lambda extension

1. Download the latest version of the Agent for your particular architecture from [dl.security.fastly.com](https://dl.security.fastly.com) or use the public regional layer.

   > **NOTE:** You can find the same package repositories at [https://dl.signalsciences.net](https://dl.signalsciences.net). To configure your package manager to pull from [https://dl.signalsciences.net](https://dl.signalsciences.net), replace all instances of `security.fastly.com` with `signalsciences.net` in the relevant code sample.

   ### x86_64

   ```term
   AGENT_VER=`curl --fail  -Ss https://dl.security.fastly.com/sigsci-agent/VERSION`
   curl --fail -O -Ss https://dl.security.fastly.com/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_amd64.zip
   ```

   ### arm64

   ```term
   AGENT_VER=`curl --fail  -Ss https://dl.security.fastly.com/sigsci-agent/VERSION`
   curl --fail -O -Ss https://dl.security.fastly.com/sigsci-agent/${AGENT_VER}/linux/sigsci-agent_${AGENT_VER}_lambda_arm64.zip
   ```

   ### Lambda Layers

   `arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_amd64:21`

   `arn:aws:lambda:us-east-1:303561444828:layer:sigsci-agent-lambda_arm64:30`

   `arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_amd64:21`

   `arn:aws:lambda:us-east-2:303561444828:layer:sigsci-agent-lambda_arm64:21`

   `arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_amd64:20`

   `arn:aws:lambda:us-west-1:303561444828:layer:sigsci-agent-lambda_arm64:20`

   `arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_amd64:20`

   `arn:aws:lambda:us-west-2:303561444828:layer:sigsci-agent-lambda_arm64:20`

   

2. If the Lambda Agent is configured to retrieve secrets from the AWS Secrets Manager, add the appropriate regional layer, making sure this layer is ordered before the Lambda extension.

   `arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_amd64:2`

   `arn:aws:lambda:us-east-1:303561444828:layer:sigsci-get-aws-secrets_arm64:2`

   `arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_amd64:2`

   `arn:aws:lambda:us-east-2:303561444828:layer:sigsci-get-aws-secrets_arm64:2`

   `arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_amd64:2`

   `arn:aws:lambda:us-west-1:303561444828:layer:sigsci-get-aws-secrets_arm64:2`

   `arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_amd64:2`

   `arn:aws:lambda:us-west-2:303561444828:layer:sigsci-get-aws-secrets_arm64:3`

3. Publish the Lambda agent zip file as a layer _if downloaded_.

   > **NOTE:** An example is shown below using the AWS Command Line Interface. The layer name and compatible-runtimes are at your discretion.

   ```term copy
   $ aws lambda publish-layer-version --layer-name "my-sigsci-lambda-layer" --zip-file "fileb://sigsci-agent_latest~lambda_amd64.zip" --compatible-runtimes nodejs14.x
   ```

4. Once the layer is successfully published, return to your Lambda function page within AWS.

5. Click **Add a layer** towards the bottom of the page in the **Layers** pane.

6. Add the layer that matches the published layer-name in the previous steps.

7. Click **Save**.

## Troubleshooting

Take note of the ordering of the layers. If using the `sigsci-get-aws-secrets` layer, make sure it's ordered before the Lambda extension.

All of our agent logging can be found in the Lambda logs in AWS' CloudWatch. On the Lambda function page, select **Monitor**, then **View logs in CloudWatch**. Logs can be viewed and captured here.

In development environments, the Fastly WAF Lambda extension can use the `SIGSCI_ACCESSKEYID` and `SIGSCI_SECRETACCESSKEY` key/value pairs as environment variables in the Lambda function configuration to avoid using the AWS Secrets Manager. However, this is not recommended for production environments.
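The layer ordering, environment variable, and development-key points above can be checked in one pass. This audit is an added example, not Fastly's tooling. It assumes a production function that uses Secrets Manager and the public regional layers, and it takes the parsed JSON that `aws lambda get-function-configuration` returns, with the `Layers` list in configured order. The sample configuration is constructed.

```python
# Values come from the environment variable table and layer names on this page.
REQUIRED_ENV = {
    "AWS_LAMBDA_EXEC_WRAPPER": "/opt/sigsci-wrapper",
    "SIGSCI_KEYSTORE_WRAPPER": "/opt/fetch-aws-secrets",
}
INLINE_KEYS = ("SIGSCI_ACCESSKEYID", "SIGSCI_SECRETACCESSKEY")
SECRETS_LAYER = ":layer:sigsci-get-aws-secrets"


def layer_index(layers, marker):
    """Index of the first layer whose ARN contains marker, or -1 if absent."""
    return next((i for i, layer in enumerate(layers) if marker in layer["Arn"]), -1)


def audit(cfg, agent_layer=":layer:sigsci-agent-lambda"):
    """Return findings; agent_layer is a substring of your agent layer's ARN."""
    env = (cfg.get("Environment") or {}).get("Variables", {})
    layers = cfg.get("Layers") or []
    findings = []
    for key, want in REQUIRED_ENV.items():
        if env.get(key) != want:
            findings.append(f"{key} must be {want}")
    for key in ("SECRET_ARN", "SECRET_REGION"):
        if not env.get(key):
            findings.append(f"{key} is not set")
    for key in INLINE_KEYS:
        if key in env:
            findings.append(f"{key} is set inline (development only)")
    secrets, agent = layer_index(layers, SECRETS_LAYER), layer_index(layers, agent_layer)
    if agent < 0:
        findings.append("agent layer is not attached")
    if secrets < 0:
        findings.append("sigsci-get-aws-secrets layer is not attached")
    elif 0 <= agent < secrets:
        findings.append("sigsci-get-aws-secrets must be ordered before the agent layer")
    if cfg.get("MemorySize", 0) < 512:
        findings.append("MemorySize is below the recommended 512 MB")
    return findings


# Constructed sample: wrong layer order, an inline key, default memory.
PREFIX = "arn:aws:lambda:us-east-1:303561444828:layer:"
BAD = {
    "MemorySize": 128,
    "Layers": [{"Arn": PREFIX + "sigsci-agent-lambda_amd64:21"},
               {"Arn": PREFIX + "sigsci-get-aws-secrets_amd64:2"}],
    "Environment": {"Variables": {"AWS_LAMBDA_EXEC_WRAPPER": "/opt/sigsci-wrapper",
                                  "SIGSCI_ACCESSKEYID": "constructed-placeholder"}},
}
```

If you published the downloaded zip under your own layer name, pass it as `agent_layer`, for example `audit(cfg, agent_layer=":layer:my-sigsci-lambda-layer")`.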

## Related content

- [PaaS overview](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/paas/paas-install-intro)
- [Getting started with the agent](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/getting-started-with-the-agent)
