Guidance for Moving Your Paywall to the Edge on AWS

Overview


How it works

The architecture diagram below shows the key components of this Guidance and how they interact, followed by a step-by-step walkthrough of the request flow.

Step 1
Client authenticates using an Amazon Cognito user pool (or another identity provider).
Step 2
During authentication, the pre-token generation process for Cognito invokes an AWS Lambda function.
Step 3
Lambda function looks up the user's subscription information in Amazon DynamoDB and adds it to the JSON Web Token (JWT) as a custom claim.
Step 4
Cognito returns the JWT to the client, which stores it in a cookie and uses it to authorize content requests.
Step 5
Client initiates a request for content, such as a news article, served by Amazon CloudFront. To authorize the request, the client includes the JWT in a cookie.
Step 6
CloudFront invokes a Lambda@Edge function to update the viewer request headers based on whether the user is authorized to view the content.
Step 7
Lambda@Edge validates the JWT and adds a custom header to the request indicating whether the user has access to the content, based on the subscription data carried in the JWT.
Step 8
CloudFront creates a cache key based on the custom header added in Step 7. If content is not found in cache, it sends an origin request to Amazon API Gateway; otherwise, it skips to Step 12.
Step 9
API Gateway invokes a Lambda function to retrieve content.
Step 10
The Lambda function examines the request header added in Step 7 to determine whether the user has a subscription. If so, it retrieves the content from Amazon Simple Storage Service (Amazon S3) or DynamoDB based on an identifier in the request URL. If not, the function returns a message stating that the user is not authorized to view the content.
Step 11
API Gateway returns the response generated by the Lambda function, which will either be the full content or a message saying that the user is not authorized to access the item.
Step 12
After serving content to the client, CloudFront caches it using a key that includes the custom header added in Step 7, thus enabling different versions of the content to be cached for subscribers and non-subscribers.

Well-Architected Pillars

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

Operational Excellence

API Gateway, CloudFront, DynamoDB, Amazon S3, and Lambda are the services that support operational excellence in this Guidance. New versions and configurations of each can be published through an automated pipeline, such as AWS CloudFormation. Each service also publishes Amazon CloudWatch metrics, or can be configured to send events to CloudWatch Logs, so that the individual components of the Guidance can be monitored.

Security

Cognito and API Gateway are the two services in this Guidance that protect the workload. Cognito provides an authentication framework that issues digitally signed JSON Web Tokens (JWTs), giving you a tamperproof way to list a user's subscriptions in the token, which can then be used to authorize requests for content. A Lambda@Edge function validates the JWT on each request and sets a request header recording whether the request is authorized. API Gateway can be configured to require an API key; because only your own CloudFront distribution holds that key, the origin can reject requests that did not pass through CloudFront, and therefore trust that the authorization header was set by your Lambda@Edge function rather than by the client.

Reliability

Lambda, DynamoDB, Amazon S3, Cognito, API Gateway, CloudFront, and Lambda@Edge are highly available at a Regional or global level. Each AWS Region is fully isolated and consists of multiple Availability Zones, which are themselves isolated from one another. This lets you deploy this Guidance with high resiliency and protect your workloads from outages and failures.

Performance Efficiency

CloudFront and Lambda@Edge can enhance the performance efficiency of your workloads, as they both handle requests at the network edge. This reduces network latency, helping you deliver content as quickly as possible.

Cost Optimization

Lambda and Lambda@Edge are serverless services that run and scale on demand, so your workload continually matches demand with only the minimum resources required. By using these services, you do not pay for compute instances that sit idle.

Sustainability

Lambda, API Gateway, Cognito, and DynamoDB are serverless architectures, which means these services minimize resource consumption, scale on demand, and include patterns for maintaining consistent high utilization of deployed resources. This helps to ensure you meet the needs of your present workloads without compromising the ability of future generations to meet theirs.