

# Deploy the solution
<a name="deploy-the-solution"></a>

AWS Launch Wizard is the recommended deployment method for this solution. It provides:
+ A guided configuration experience with detailed help panels at each step
+ A centralized page to monitor the health of all your deployments
+ Indication when there is a more recent version of the solution available for deployment or upgrade

Alternatively, you can deploy the solution directly using an [AWS CloudFormation template](deploy-using-aws-cloudformation.md).

## Deployment process overview
<a name="deployment-process-overview"></a>

Before you deploy the solution, review the [cost](cost.md), [architecture](architecture-overview.md), [security](security.md), and other considerations discussed earlier in this guide. Additionally, review the [deployment architecture options](choosing-deployment-architecture.md) to determine which template best meets your requirements.

 **Time to deploy:** Approximately 20 minutes.

**Note**  
This solution includes data collection metrics to AWS. We use this data to better understand how customers use this solution and related services and products. AWS owns the data gathered through this survey. Data collection is subject to the [AWS Privacy Notice](https://aws.amazon.com/privacy/).

**Note**  
You are responsible for the cost of the AWS services used while running this solution. For more details, visit the [Cost](https://docs.aws.amazon.com/solutions/latest/dynamic-image-transformation-for-amazon-cloudfront/cost.html) section in this guide and refer to the pricing webpage for each AWS service used in this solution.

# Deploy using AWS Launch Wizard
<a name="deploy-using-aws-launch-wizard"></a>

This solution features a guided deployment process using AWS Launch Wizard. Follow these steps to deploy Dynamic Image Transformation for Amazon CloudFront into your account.

1. Sign in to the AWS Management Console and select the button below to start the deployment process.

    [https://console.aws.amazon.com/launchwizard/home#/deployment/create/SO0023](https://console.aws.amazon.com/launchwizard/home#/deployment/create/SO0023) 

1. If more than one deployment pattern is available for the solution, select the one that’s most applicable to your use case.

1. Select a version to deploy. The latest version is recommended.

1. Click on the **Launch deployment wizard** button.

You will then follow a series of steps to collect the information needed to deploy the solution. It will take approximately 20 minutes to provision the required resources. Select your deployment from the [Deployment list](https://console.aws.amazon.com/launchwizard/home#/deployment/list) to view its status.

# Deploy using AWS CloudFormation
<a name="deploy-using-aws-cloudformation"></a>

This solution uses [CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment. The solution provides two CloudFormation templates, each optimized for different deployment architectures. The CloudFormation stack provisions the resources that are described in the templates.

# AWS CloudFormation templates
<a name="aws-cloudformation-template"></a>

This solution provides two CloudFormation templates, each designed for a specific deployment architecture:

 **Lambda Architecture Template** [https://solutions-reference.s3.amazonaws.com/dynamic-image-transformation-for-amazon-cloudfront/latest/dynamic-image-transformation-for-amazon-cloudfront-lambda.template](https://solutions-reference.s3.amazonaws.com/dynamic-image-transformation-for-amazon-cloudfront/latest/dynamic-image-transformation-for-amazon-cloudfront-lambda.template) - Use this template for cost-optimized deployments with images up to 6 MB. The configuration deploys CloudFront, API Gateway, Lambda, CloudWatch, and EventBridge.

 **ECS Architecture Template** [https://solutions-reference.s3.amazonaws.com/dynamic-image-transformation-for-amazon-cloudfront/latest/dynamic-image-transformation-for-amazon-cloudfront-ecs.template](https://solutions-reference.s3.amazonaws.com/dynamic-image-transformation-for-amazon-cloudfront/latest/dynamic-image-transformation-for-amazon-cloudfront-ecs.template) - Use this template for high-performance deployments with images up to 100 MB. The configuration deploys CloudFront, Application Load Balancer, ECS with Fargate, DynamoDB, Amplify Admin UI, Cognito, CloudWatch, and EventBridge.

**Note**  
CloudFormation resources are created from AWS CDK constructs.

 **Template selection guidance:** 
+ Choose the **Lambda template** for cost-optimized deployments with basic transformation needs
+ Choose the **ECS template** for advanced features including transformation policies, non-S3 origins, and administrative interface
+ Refer to the [deployment architecture guide](choosing-deployment-architecture.md) for detailed comparison

Before you launch the solution’s AWS CloudFormation template, you must specify an S3 bucket in the **Source Buckets** template parameter. Use this S3 bucket to store the images that you want to manipulate. If you have multiple image source S3 buckets, you can specify them as comma-separated values. For lower latency, use an S3 bucket in the same AWS Region where you launch your CloudFormation template. Additional cross-region data transfer costs may apply if the solution is not deployed in the same AWS Region as the S3 bucket(s) provided in the Source Buckets template parameter.

**Note**  
If you are launching from a [supported opt-in Region](opt-in-regions.md), the source S3 bucket you created and provided as the **Source Buckets** template parameter must be in the same Region where you’re launching the CloudFormation template.

We recommend deploying the optional demo UI when you first deploy the solution to test the solution’s functionality. For more information, refer to [Use the demo UI](use-the-demo-ui.md).

**Note**  
If you have previously deployed this solution, see [Update the solution](update-the-solution.md) for update instructions.  
Dynamic Image Transformation for Amazon CloudFront version 6.0 and newer include significant changes, and you can’t update the solution from versions before 6.0 to version 6.0 or later. To use version 6.0 or later, launch a new stack using version 6.x of the CloudFormation template and [uninstall](uninstall-the-solution.md) your previous version of this solution.

# Deploy Lambda architecture
<a name="deploy-api-gateway-lambda"></a>

Follow the step-by-step instructions in this section to configure and deploy the cost-optimized Lambda architecture into your account.

 **Time to deploy:** Approximately 15 minutes

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `dynamic-image-transformation-for-amazon-cloudfront-lambda` AWS CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=DynamicImageTransformationForAmazonCloudFront&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fdynamic-image-transformation-for-amazon-cloudfront%2Flatest%2Fdynamic-image-transformation-for-amazon-cloudfront-ecs.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=DynamicImageTransformationForAmazonCloudFront&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fdynamic-image-transformation-for-amazon-cloudfront%2Flatest%2Fdynamic-image-transformation-for-amazon-cloudfront-ecs.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar. For a list of which AWS Regions support this solution, see [Supported AWS Regions](supported-aws-regions.md).

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the *AWS Identity and Access Management User Guide*.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary.

# Lambda architecture template parameters
<a name="lambda-parameters"></a>


|  **Parameter**  |  **Default**  |  **Description**  | 
| --- | --- | --- | 
|   **CORS Enabled**   |  No  |  Choose whether to activate CORS. For information about this parameter, refer to .  | 
|   **CORS Origin**   |   `*`   |  This value is returned by the API in the **Access-Control-Allow-Origin** header. An asterisk value supports any origin. We recommend specifying a specific origin (for example, http://example.domain) to restrict cross-site access to your API.  **Note:** This value is ignored if **CORS_ENABLED** is set to `No`.  | 
|   **Source Buckets**   |  <Requires input>  |  Specifies the S3 bucket (or buckets) in your account that contain(s) the images that you manipulate. To specify multiple buckets, separate them by commas.  | 
|   **Enable S3 Object Lambda (Deprecated)**   |   `No`   |  This option has been deprecated. Amazon S3 Object Lambda will no longer be open to new customers starting on November 7, 2025. If you were not an existing user of S3 Object Lambda before November 7, 2025, select 'No'. For more information, please visit https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazons3-ol-change.html. Determines which component to use as the CloudFront distribution origin. `No` uses API Gateway; `Yes` uses an S3 Object Lambda Access Point, which supports images larger than the existing 6 MB size limit. Only the origin in use will be created by the template.  | 
|   **Deploy Demo UI**   |  Yes  |  The demo UI that deploys to the `Demo` S3 bucket. For more information refer to [Use the demo UI](use-the-demo-ui.md).  | 
|   **Log Retention Period**   |  180  |  Specifies the number of days to retain Lambda log data in CloudWatch logs.  | 
|   **Enable Signature**   |  No  |  Choose whether to activate the image URL signature feature. For information about this feature, refer to .  | 
|   **SecretsManager Secret**   |   *<Optional input>*   |  Define the Secrets Manager secret name that contains the secret key for the image URL signature.  **Note:** This value is ignored if the **Enable Signature** parameter is set to `No`.  | 
|   **SecretsManager Key**   |   *<Optional input>*   |  Define the Secrets Manager secret key that contains the secret value to create the image URL signature.  **Note:** This value is ignored if the **Enable Signature** parameter is set to `No`.  | 
|   **Enable Default Fallback Image**   |  No  |  Choose whether to activate the default fallback image feature. For information about this feature, refer to .  | 
|   **Fallback Image S3 Bucket**   |   *<Optional input>*   |  Specify the S3 bucket which contains the default fallback image.  **Note:** This value is ignored if the **Enable Default Fallback Image** parameter is set to `No`.  | 
|   **Fallback Image S3 Key**   |   *<Optional input>*   |  Specify the default fallback image S3 object key, including prefix. See [Creating object key names](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html) for more information.  **Note:** This value is ignored if the **Enable Default Fallback Image** parameter is set to `No`.  | 
|   **AutoWebP**   |   `No`   |  Choose whether to automatically convert responses to the [WebP](https://developers.google.com/speed/webp) image format if the Accept request header allows it.  | 
|   **Origin Shield Region**   |   `Disabled`   |  The Region to set up the Origin Shield caching layer for the CloudFront distribution. May result in a better cache hit ratio, as well as lower latency on repeat requests in new regions. For more information on choosing an Origin Shield region, see the [Amazon CloudFront Developer Guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html).  | 
|   **CloudFront PriceClass**   |  PriceClass_All  |  The CloudFront price class to use. For more information, refer to [Choosing the price class for a CloudFront distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PriceClass.html) in the *Amazon CloudFront Developer Guide*.  | 
|   **Use Existing CloudFront Distribution**   |   `No`   |  Choose whether to deploy the solution in a way that it can be attached to an existing CloudFront distribution. If `No` is selected, a CloudFront distribution will be created for you. If you have selected `Yes`, manual action will need to be performed to finish the attachment, refer to [Attaching an Existing CloudFront distribution](attaching-existing-distribution.md) for more information.  | 
|   **Existing CloudFront Distribution ID**   |   `<Optional Input>`   |  The Distribution ID for the existing CloudFront distribution being attached to. This field is required if Use Existing CloudFront Distribution is set to Yes, and will be used to set up IAM permissions, metrics, and CloudFormation template outputs.  **Note:** This value is ignored if **Use Existing CloudFront Distribution** is set to `No`.  | 

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review and create** page, review and confirm the settings. Select the box acknowledging that the template creates IAM resources.

1. Choose **Submit** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
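The conditional notes in the parameter table (values ignored unless a switch is `Yes`, the recommendation to set a specific CORS origin) can be checked before you choose **Submit**. The following is an added example, not part of the solution's code: `review_lambda_parameters` and the sample values are hypothetical, the dictionary is keyed by the console labels from the table rather than by the template's parameter keys, and it assumes the secret, fallback, and distribution ID fields should be filled whenever their switch is `Yes`.

```python
import re
from urllib.parse import urlsplit

# S3 general purpose bucket names: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Switch -> fields the table marks as ignored while that switch is "No".
DEPENDENT_FIELDS = [
    ("Enable Signature", ["SecretsManager Secret", "SecretsManager Key"]),
    ("Enable Default Fallback Image", ["Fallback Image S3 Bucket", "Fallback Image S3 Key"]),
    ("Use Existing CloudFront Distribution", ["Existing CloudFront Distribution ID"]),
]


def review_lambda_parameters(params):
    """Return findings for a dict keyed by the console labels in the parameter table."""
    get = lambda name: (params.get(name) or "").strip()
    enabled = lambda name: get(name).lower() == "yes"
    findings = []

    buckets = [b.strip() for b in get("Source Buckets").split(",") if b.strip()]
    if not buckets:
        findings.append("Source Buckets: required, no bucket given")
    for bucket in buckets:
        if not BUCKET_RE.match(bucket):
            findings.append(f"Source Buckets: '{bucket}' is not a valid bucket name")

    if enabled("CORS Enabled"):
        origin = get("CORS Origin") or "*"  # the template default is *
        parts = urlsplit(origin)
        if origin == "*":
            findings.append("CORS Origin: '*' supports any origin; set a specific origin")
        elif parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            findings.append(f"CORS Origin: '{origin}' is not a scheme://host origin")

    for switch, fields in DEPENDENT_FIELDS:
        for field in fields:
            if enabled(switch) and not get(field):
                findings.append(f"{field}: empty although {switch} is Yes")
            elif not enabled(switch) and get(field):
                findings.append(f"{field}: set but ignored because {switch} is No")

    if enabled("Enable S3 Object Lambda (Deprecated)"):
        findings.append("Enable S3 Object Lambda (Deprecated): deprecated option set to Yes")
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "CORS Enabled": "Yes",
    "CORS Origin": "*",
    "Source Buckets": "example-images-a, Example_Images_B",
    "Enable Signature": "Yes",
    "SecretsManager Secret": "",
    "SecretsManager Key": "",
    "Enable Default Fallback Image": "No",
    "Fallback Image S3 Bucket": "example-fallback",
    "Use Existing CloudFront Distribution": "No",
}

if __name__ == "__main__":
    for finding in review_lambda_parameters(SAMPLE):
        print(finding)
```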

# Deploy ECS architecture
<a name="deploy-alb-ecs"></a>

Follow the step-by-step instructions in this section to configure and deploy the high-performance ECS architecture into your account.

 **Time to deploy:** Approximately 20 minutes

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `dynamic-image-transformation-for-amazon-cloudfront-ecs` AWS CloudFormation template.

    [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=DynamicImageTransformationForAmazonCloudFront&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fdynamic-image-transformation-for-amazon-cloudfront%2Flatest%2Fdynamic-image-transformation-for-amazon-cloudfront-ecs.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=DynamicImageTransformationForAmazonCloudFront&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fdynamic-image-transformation-for-amazon-cloudfront%2Flatest%2Fdynamic-image-transformation-for-amazon-cloudfront-ecs.template&redirectId=ImplementationGuide) 

1. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar. For a list of which AWS Regions support this solution, see [Supported AWS Regions](supported-aws-regions.md).

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box and choose **Next**.

1. On the **Specify stack details** page, assign a name to your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the *AWS Identity and Access Management User Guide*.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary.

# ECS architecture template parameters
<a name="ecs-parameters"></a>


|  **Parameter**  |  **Default**  |  **Description**  | 
| --- | --- | --- | 
|   **Admin Email**   |  <Requires input>  |  The email address of the admin user for the Admin UI. Must be a valid email address (7-100 characters). This email will receive the initial login credentials for the administrative interface.  | 
|   **Deployment Size**   |  small  |  T-shirt sizing for ECS Fargate deployment configuration. Options: small, medium, large, xlarge. This determines the number of ECS tasks, CPU, and memory allocation. Refer to [sizing guidance](choosing-deployment-architecture.md) for details.  | 
|   **Origin Override Header**   |   *<Optional input>*   |  HTTP header name used to override the origin destination for image requests. Must be a valid HTTP header name or empty. Useful for routing requests to different origins based on custom headers.  | 
|   **Cors Origin Parameter**   |   *<Optional input>*   |  If you would like to specify an origin to use for CORS, please specify an origin value here. We recommend specifying an origin (for example, https://example.domain) to restrict cross-site access to your API. Leave empty to default to wildcard (`*`).  | 

1. Choose **Next**.

1. On the **Configure stack options** page, choose **Next**.

1. On the **Review and create** page, review and confirm the settings. Select the box acknowledging that the template creates IAM resources.

1. Choose **Submit** to deploy the stack.

   You can view the status of the stack in the AWS CloudFormation console in the **Status** column. You should receive a CREATE_COMPLETE status in approximately 20 minutes.

# Post-deployment configuration (ECS architecture)
<a name="post-deployment-ecs"></a>

After deploying the ECS template, additional configuration steps are required to fully utilize the advanced features:

 **Admin UI Access:** The Admin UI link is available in the CloudFormation stack outputs section. Access the Admin UI from there and sign in using the provided Cognito credentials.

 **Initial Configuration:** 
+  **Configure Origins**: Use the Admin UI to add your S3 buckets and external origins
+  **Create Mappings**: Set up path-based or host-header mappings to route requests to origins
+  **Define Policies**: Create transformation policies for consistent image processing

# Attaching an existing CloudFront distribution
<a name="attaching-existing-distribution"></a>

This section provides instructions for integrating the solution with your existing CloudFront distribution for both architectures.

**Note**  
In the following instructions, UUID is used to reference the deployment UUID of your Dynamic Image Transformation for Amazon CloudFront stack. You can find this value by inspecting the Physical ID of an `AWS::CloudFront::Function` deployed in your stack, and extracting the value found after the word `modifier-`.

# Lambda architecture
<a name="api-gateway-existing-distribution"></a>

If you’ve deployed the Lambda architecture stack and have set the Use Existing CloudFront Distribution template parameter to Yes, use the following instructions to complete your setup.

## Setting the Origin
<a name="setting-the-origin"></a>

1. In the CloudFront console, navigate to the distribution you indicated in the Existing CloudFront Distribution ID template parameter.

1. Select the Origins tab and click **Create origin**.

1. Set the Origin domain as the API Gateway execution link. This value can be found by placing the Physical ID of the stack’s AWS::ApiGateway::RestApi in the search field and selecting LambdaRestApi under API Gateway.

1. Set the Origin path to `/image`.

1. Select **Create origin**.

## Setting the behavior
<a name="setting-the-behavior"></a>

1. In the CloudFront console, navigate to the distribution you indicated in the Existing CloudFront Distribution ID template parameter.

1. Select the Behaviors tab and choose **Create behavior**.

1. Set the Path pattern that you want to point to your solution instance. In a distribution created by the solution, this is Default (`*`).

1. Set the Origin to the Origin created in the previous section.

1. Set the Viewer Protocol policy to `Redirect HTTP to HTTPS`.

1. Set the Cache Policy to the one named `ServerlessImageHandler-${UUID}`.

1. Set the Origin request policy to the one named `ServerlessImageHandler-${UUID}`.

1. Set the Viewer request Function type to CloudFront Functions, and the Function ARN to the one named `sih-apig-request-modifier-${UUID}`.

1. Select **Create behavior**.
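To confirm the manual attachment, the origin and behavior settings above can be checked against the JSON returned by `aws cloudformation describe-stack-resources` and the `DistributionConfig` object returned by `aws cloudfront get-distribution-config`. The following is an added example, not part of the solution's code: the function names, the sample JSON, and the policy ID-to-name map are constructed, and `redirect-to-https` is the API value behind the console's `Redirect HTTP to HTTPS`.

```python
def deployment_uuid(stack_resources):
    """Return the text after 'modifier-' in the CloudFront Function's Physical ID."""
    for res in stack_resources["StackResources"]:
        if res["ResourceType"] == "AWS::CloudFront::Function":
            _, sep, uuid = res["PhysicalResourceId"].partition("modifier-")
            if sep and uuid:
                return uuid
    raise ValueError("no AWS::CloudFront::Function with 'modifier-' in its Physical ID")


def check_attached_behavior(config, path_pattern, uuid, policy_names):
    """Compare one behavior of a DistributionConfig with the settings in the steps.

    policy_names maps policy ID -> name, because a behavior stores only policy IDs.
    """
    behaviors = {"*": config["DefaultCacheBehavior"]}
    for item in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors[item["PathPattern"]] = item
    behavior = behaviors.get(path_pattern)
    if behavior is None:
        return [f"no behavior for path pattern {path_pattern}"]

    problems = []
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    if origins.get(behavior["TargetOriginId"], {}).get("OriginPath") != "/image":
        problems.append("origin path is not /image")
    if behavior.get("ViewerProtocolPolicy") != "redirect-to-https":
        problems.append("viewer protocol policy is not Redirect HTTP to HTTPS")

    policy = f"ServerlessImageHandler-{uuid}"
    for key, label in (("CachePolicyId", "cache policy"),
                       ("OriginRequestPolicyId", "origin request policy")):
        if policy_names.get(behavior.get(key)) != policy:
            problems.append(f"{label} is not {policy}")

    function = f"sih-apig-request-modifier-{uuid}"
    associations = behavior.get("FunctionAssociations", {}).get("Items", [])
    if not any(a["EventType"] == "viewer-request"
               and a["FunctionARN"].endswith("function/" + function)
               for a in associations):
        problems.append(f"viewer request function is not {function}")
    return problems


# Constructed sample data: account ID, resource IDs and UUID are placeholders.
STACK_RESOURCES = {"StackResources": [
    {"ResourceType": "AWS::ApiGateway::RestApi", "PhysicalResourceId": "abc123defg"},
    {"ResourceType": "AWS::CloudFront::Function", "PhysicalResourceId":
     "arn:aws:cloudfront::111122223333:function/sih-apig-request-modifier-0a1b2c3d"},
]}
DIST_CONFIG = {
    "Origins": {"Items": [{"Id": "sih-api", "OriginPath": "/image",
                           "DomainName": "abc123defg.execute-api.us-east-1.amazonaws.com"}]},
    "DefaultCacheBehavior": {"TargetOriginId": "site",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [{
        "PathPattern": "/img/*", "TargetOriginId": "sih-api",
        "ViewerProtocolPolicy": "allow-all",           # should redirect to HTTPS
        "CachePolicyId": "cp-1", "OriginRequestPolicyId": "orp-1",
        "FunctionAssociations": {"Quantity": 0},       # viewer request function missing
    }]},
}
POLICY_NAMES = {"cp-1": "ServerlessImageHandler-0a1b2c3d", "orp-1": "Managed-AllViewer"}

if __name__ == "__main__":
    uuid = deployment_uuid(STACK_RESOURCES)
    for problem in check_attached_behavior(DIST_CONFIG, "/img/*", uuid, POLICY_NAMES):
        print(problem)
```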

# ECS architecture
<a name="ecs-existing-distribution"></a>

For the ECS architecture, deploy the solution as-is to provision all necessary resources. Then manually configure your existing CloudFront distribution to use the solution’s resources.

## Deploy the solution
<a name="deploy-the-solution-2"></a>

1. Deploy the ECS architecture CloudFormation template without specifying an existing CloudFront distribution.

1. The solution will create its own CloudFront distribution along with all required resources including the Application Load Balancer and CloudFront function.

## Configure your existing distribution
<a name="configure-your-existing-distribution"></a>

After the solution deployment is complete:

1. In the CloudFront console, navigate to your existing CloudFront distribution.

1. Select the Origins tab and click **Create origin**.

1. Set the Origin domain as the Application Load Balancer DNS name. This value can be found in the CloudFormation stack outputs under the key `LoadBalancerDNS`.

1. Leave the Origin path empty (default).

1. Select **Create origin**.

## Create behavior for image processing
<a name="create-behavior-for-image-processing"></a>

1. In your existing CloudFront distribution, select the Behaviors tab and choose **Create behavior**.

1. Set the Path pattern for image requests (e.g., `/images/*` or your preferred pattern).

1. Set the Origin to the ALB origin created in the previous step.

1. Set the Viewer Protocol policy to `Redirect HTTP to HTTPS`.

1. Set the Cache Policy to the one named `dit-chache-policy` (created by the solution).

1. Set the Response headers policy to the one named `SecurityHeadersPolicy` (created by the solution).

1. Set the Viewer request Function type to CloudFront Functions, and the Function ARN to the one named `dit-header-normalization` (created by the solution).

1. Select **Create behavior**.

This approach allows you to leverage the solution’s provisioned resources while maintaining control over your existing CloudFront distribution configuration.