I am refactoring a project from a third-party company where they add two different Lambda@Edge functions which are triggered by CloudFront.
Basically, the flow is as follows:
- When users call an S3 file from the web app -> CloudFront fires an event which will call Lambda@Edge.
- There are two Lambdas: one for counting downloads per user and another one to restrict access.
The problem is that the solution is not working and is missing a download count check.
What is the execution workflow for Lambda@Edge functions attached to the same event? I am thinking of placing all the logic inside one Lambda, as I am afraid that counting can happen earlier than access denial. However, taking into consideration that Lambda@Edge has an execution time limitation
CodePudding user response:
The documentation is available
When a user requests a file there is a viewer request. If the file is in the cache, then a viewer response follows. There is no origin request. For this reason you should authenticate your users on a viewer request.
When the file isn't in the cache, there is an origin request. This is when the file is downloaded from S3.
You could have the logic in a single Lambda@Edge, but you could also:
- Authenticate users on Viewer Request.
- Count downloads on Viewer Response. A Viewer Response event will be triggered regardless of whether there is a cache hit or not, but not when the origin returns an HTTP status code of 400 or higher.
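
The split described in the answer above, as an added sketch that is not part of the original answer: one handler for the viewer request trigger that authenticates and enforces a quota, and one for the viewer response trigger that counts served downloads. The token table, the in-memory counter, the quota value and the sample event builder are all assumptions made for illustration.

```javascript
// Added example; TOKENS, counts and DOWNLOAD_LIMIT are assumed names and values.
const TOKENS = new Map([['tok-alice', 'alice']]); // constructed sample tokens
const counts = new Map();   // in-memory stand-in for a shared counter store
const DOWNLOAD_LIMIT = 2;   // assumed per-user quota

// Resolve the user from the Authorization header (Lambda@Edge header format).
function userFrom(request) {
  const h = request.headers.authorization;
  const token = h && h[0].value.replace(/^Bearer\s+/i, '');
  return TOKENS.get(token) || null;
}

function deny(status, statusDescription) {
  return { status, statusDescription, body: statusDescription };
}

// Viewer request trigger: runs on every request, cache hit or miss.
async function viewerRequest(event) {
  const request = event.Records[0].cf.request;
  const user = userFrom(request);
  if (!user) return deny('401', 'Unauthorized');
  if ((counts.get(user) || 0) >= DOWNLOAD_LIMIT) return deny('403', 'Forbidden');
  return request; // pass through to the cache or the origin
}

// Viewer response trigger: count only downloads that were actually served.
async function viewerResponse(event) {
  const { request, response } = event.Records[0].cf;
  const user = userFrom(request);
  if (user && response.status.startsWith('2')) {
    counts.set(user, (counts.get(user) || 0) + 1);
  }
  return response;
}

// Constructed CloudFront event for local runs (not captured from a real distribution).
function sampleEvent(token, status) {
  const headers = token
    ? { authorization: [{ key: 'Authorization', value: `Bearer ${token}` }] }
    : {};
  const cf = { request: { uri: '/file.pdf', method: 'GET', headers } };
  if (status) cf.response = { status, headers: {} };
  return { Records: [{ cf }] };
}
```

In a deployed function the counter has to live in a shared store, because each edge execution environment has its own memory. CloudFront also does not run the viewer response trigger when the viewer request function itself generates the response, so denied requests are never counted.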