Sahilfs17/CDNtoServeImagesFromPrivateS3

🌐 Serverless CDN Proxy for Private S3-Compatible Buckets

Securely serve private content globally using AWS CloudFront + Lambda Function URLs — without managing any servers.


🚀 Overview

This project demonstrates how to proxy and cache content from any third-party S3-compatible object storage (e.g., MinIO, Wasabi, Backblaze, Yotta) using:

  • πŸ› οΈ AWS Lambda for credentialed access to private buckets
  • ⚑ CloudFront as a global CDN with long-term edge caching
  • 🧰 boto3 for S3-compatible API integration
  • πŸ”’ No EC2, NGINX, or load balancers required!

🧠 Use Cases

  • Replace EC2-based proxies with a fully serverless, zero-maintenance solution
  • Safely expose private assets to the public via secure intermediaries
  • Seamlessly integrate with custom websites or frontend apps

πŸ—οΈ Architecture

CloudFront β†’ Lambda Function URL β†’ Authenticated S3-Compatible Bucket


βš™οΈ How It Works

  1. CloudFront receives a request like:
    https://<distribution>.cloudfront.net/images/banner.webp

  2. It forwards the request to your Lambda Function URL

  3. Lambda uses boto3 and stored credentials to fetch the image object securely from a private S3-compatible store

  4. It returns the image with proper headers (e.g., Cache-Control, Content-Type)

  5. CloudFront caches and serves the response globally 🌍


🔧 Setup Instructions

1. Deploy Lambda

  • Create a Lambda function (Python 3.12+)

  • Add environment variables:

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • S3_ENDPOINT_URL
    • S3_BUCKET_NAME
  • Copy code from lambda/lambda_function.py

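  • Enable Function URL with Auth type = NONE. With this setting the Function URL itself can be invoked by anyone who has it, not only through CloudFront, so pair it with one of the access checks listed under Security Considerations.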

2. Configure CloudFront

  • Create a CloudFront distribution
  • Set origin domain to your Lambda URL (without https://)
  • Use HTTPS only for the origin protocol policy
  • Add behavior for path pattern /images/* (or as needed)

3. Test Your CDN URL

https://your-distribution.cloudfront.net/images/sample.img


πŸ›‘οΈ Security Considerations

  • Use environment variables or AWS Secrets Manager for credentials
  • Optionally implement:
    • Header-based access checks in Lambda
    • Signed URLs
    • Origin Access Control (OAC) in CloudFront
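
One way to implement the header-based access check listed above, together with steps 3 and 4 of How It Works; this is an added example, not the project's lambda/lambda_function.py. The header name, the ORIGIN_VERIFY_SECRET variable, the Cache-Control value and the injected fetch callable are assumptions; CloudFront would be configured to send the header as an origin custom header.

```python
import base64
import hmac
import mimetypes
import os
import posixpath

# Assumed names (not from the project): the header CloudFront is configured to
# add as an origin custom header, and the env var holding the shared secret.
ORIGIN_HEADER = "x-origin-verify"
SECRET_ENV = "ORIGIN_VERIFY_SECRET"
ALLOWED_PREFIX = "images/"  # matches the /images/* behavior in the setup steps


def _reply(status, body=b"", headers=None):
    # Function URL (payload v2) response; binary bodies are base64-encoded.
    return {"statusCode": status, "headers": headers or {},
            "body": base64.b64encode(body).decode(), "isBase64Encoded": True}


def object_key(raw_path):
    """Map a request path to a bucket key, or None if it leaves ALLOWED_PREFIX."""
    key = posixpath.normpath(raw_path).lstrip("/")
    if ".." in key.split("/") or not key.startswith(ALLOWED_PREFIX):
        return None
    return key


def handle(event, fetch):
    """fetch(key) -> bytes or None; in Lambda it would wrap boto3 get_object."""
    secret = os.environ.get(SECRET_ENV, "")
    supplied = event.get("headers", {}).get(ORIGIN_HEADER, "")
    # Fail closed when no secret is configured; compare in constant time.
    if not secret or not hmac.compare_digest(supplied.encode(), secret.encode()):
        return _reply(403)
    key = object_key(event.get("rawPath", ""))
    if key is None:
        return _reply(400)
    data = fetch(key)
    if data is None:
        return _reply(404, headers={"Cache-Control": "no-store"})
    ctype = mimetypes.guess_type(key)[0] or "application/octet-stream"
    # Assumed long-lived cache policy so CloudFront keeps the object at the edge.
    return _reply(200, data, {"Content-Type": ctype,
                              "Cache-Control": "public, max-age=31536000, immutable"})
```

Requests that reach the Function URL without the CloudFront-added header get a 403 before any bucket access happens, and paths outside images/ never become bucket keys.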

💡 Future Enhancements

  • ✅ Add image transformation (resize/compress) on-the-fly
  • ✅ Support for Signed CDN URLs
  • ✅ CloudFormation/Terraform IaC templates
  • ✅ Logging and analytics via CloudWatch

📚 Related Blog Post

👉 Medium Post — “How I Built a Serverless CDN for S3-Compatible Storage Using Lambda and CloudFront”


🪪 License

This project is licensed under the MIT License. See LICENSE for details.


Built with ☁️ AWS, Python, and a passion for clean architecture.
