---
title: "CloudFront Embedder Guide"
description: "This document describes how to apply DoveRunner watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN."
---
> For the complete documentation index, see [llms.txt](/llms.txt).

import YouTubeEmbed from '../../../../../components/YouTubeEmbed.astro';

This document describes how to apply DoveRunner watermark embedder with Lambda@Edge for service sites using the Amazon CloudFront CDN.

:::caution[Region requirement]
The Lambda@Edge function **must be created in the US East (N. Virginia) `us-east-1` region** — this is a hard AWS requirement for Lambda@Edge, not a DoveRunner-specific choice. If you create the function in another region, you cannot associate it with CloudFront and will need to delete it and start over in `us-east-1`.
:::

```mermaid
sequenceDiagram
    participant A as End user
    participant C as Cloud Front CDN
    A ->> C: Start playback of Session URL (request segments)
    Note right of C: Watermark embedder 
    C -->> C: Segments mixing by Session URL
    C ->> A: Send mixed segments
    Note right of A: Playback of mixed content
```

## Set up CloudFront Embedder using AWS CDK
This AWS CDK sample contains the source code which generates the aws resources needed to set up the CloudFront embedder.

[**CloudFront Embedder CDK sample**](https://github.com/inka-pallycon/fwm-cdn-embedder-generator)


## Set up CloudFront Embedder yourself
CloudFront Embedder files needed for setting up Lambda@Edge can be downloaded from the [Sample download page](/content-security/forensic-watermarking/getting-started/fwm-downloads/).

:::note 

The content of this document may become outdated due to future updates from AWS. If there is a part different from the actual AWS console UI or there is a broken link to AWS guide document, please contact us through the [Help Desk](https://support.doverunner.com).

:::

## Tutorial Video

This video is a tutorial about how to embed Forensic Watermarking using CloudFront Embedder.

<YouTubeEmbed videoId="50FDxtyXrD8" />

## Lambda@Edge User Guide

If you are unfamiliar with using Lambda@Edge with Amazon CloudFront CDN, it is recommended to make yourself familiar with the usage by referring to the AWS online documents below before proceeding to the next step.

  - [Get started creating and using Lambda@Edge functions](https://docs.aws.amazon.com/en_us/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works.html)
  - [Tutorial: Creating a simple Lambda@Edge function](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-how-it-works-tutorial.html)

## Create IAM Permissions and Roles

First, you need to create the required IAM permissions and execution role to configure Lambda@Edge. In the `IAM` service screen of the AWS console, create the permissions and roles as follows by refer to the [AWS guide](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html).

 - Create a role by adding the permissions `lambda:GetFunction`, `lambda:EnableReplication*`, `iam:CreateServiceLinkedRole`, `cloudfront:UpdateDistribution`, and `cloudfront:CreateDistribution`.

> To add permission, you must first specify the target service (Lambda). Also, to add `lambda:EnableReplication*` permission, first add `lambda:EnableReplication` permission and then modify the JSON code.

 - Add log-related permission to collect Lambda access log into cloudwatch logs.
    ```json
    {
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
    ```

 - Add the following roles to the `Trust Relationship` tab of the created Role.
    ```json
    { 
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { 
                    "Service": [
                        "lambda.amazonaws.com", 
                        "edgelambda.amazonaws.com" 
                    ] 
                }, 
                "Action": "sts:AssumeRole"
            } 
        ] 
    }
    ```

## Create Lambda@Edge function

- Go to the `Lambda` service in the AWS console and click the `Create function` button.
- Select `US East (N. Virginia)` as the AWS Region in the upper right corner of the console. (Lambda@Edge must be created in the Virginia Region to use it.)

### 1. Function name and Runtime settings

- `Function Name`: Enter any name to identify the function. (e.g. fwm-cf-embedder)
- `Runtime`: Select `Node.js 12.x` or later. (12.x, 14.x, 16.x, etc.) The default at the time of this writing is `Node.js 16.x`.
- `Architecture`: use the default `x86_64`.

### 2. Set the execution role

- Click `Change default execution role`, select `Use existing role`, and select the IAM role created in the previous step.
- Click the `Create function` button at the bottom of the screen to create a Lambda@Edge function.

### 3. Upload and edit sample code

- Click the `Upload from > .zip file` button on the `Code source` screen to upload the CloudFront Embedder zip file downloaded from the [Sample Download Page](/content-security/forensic-watermarking/getting-started/fwm-downloads/).

- Check the uploaded sample code and modify the following items.

> Please be aware that if you modify a source other than those listed below, an error may occur.

- In the `config.json` source, set the value of the corresponding variables as below.

| Name | Required | Description |
|:---|:---|:-----------|
| `aesKey` | True     | Enter the site key value provided by the DoveRunner console site. |
| `type` | True     | Enter `unlabeled_a_variant` if preprocessed A/B version segments are stored together in one folder, and enter `directory_prefix` if they are packaged in separate `0` and `1` folders. If you are a new customer of DoveRunner SaaS packaging service, it is basically packaged in the form of `Unlabeled A Variant`. (default: `unlabeled_a_variant`) |
| `availableInterval` | True     | The URL requested for watermarking contains a timestamp value. This item is the value for checking the validity of the timestamp. If set to `0`, the timestamp validity period is not checked. (Unit: minutes) |
| `prefixFolder` | True    | Set the name of the parent folder where the A/B version contents are stored<br/> - For contents packaged with old version packaging service: `dldzkdpsxmdnjrtm` <br/> - For contents packaged with the new T&P service: `wm-contents`<br/>The default value is `["dldzkdpsxmdnjrtm", "wm-contents"]`, which supports both cases. |
| wmPublicKey         | False    | Set when using the wmt token type. Use the Akamai public key issued from the DoveRunner site. It can be requested the helpdesk. |
| wmPassword          | False    | Set when using the wmt token type. Use the Akamai password issued from the DoveRunner site. It can be requested the helpdesk. |

- After saving, click `Publish new version` of `Action` button to create version.

- Copy the ARN containing the generated version. It is displayed in the upper right corner.
    - e.g. `arn:aws:lambda:us-east-1:{account no.}:function:{lambda name}:{version}`

## Configure CloudFront

This guide assumes that you already created your CloudFront.

### Apply Lambda@Edge

Connect to the AWS console, select the `CloudFront` menu and select CloudFront to apply Lambda@Edge.

#### 1. Set Behaviors

- Select the `Behaviors` tab, check the check box displayed and click the Edit button.

- Configure `Lambda Function Associations` items.
	- EventType : select `Viewer Request`
	- Lambda Function ARN : input the ARN copied during Lambda@Edge creation process.

- Click the `Yes, Edit` button.

#### 2. Finish configuration

The status of CloudFront is changed to `InProgress`, and when Lambda@Edge is applied, status is changed to `Deployed` and all settings are completed.

> For more information about Lambda@Edge, please refer to [CloudFront guide](https://docs.aws.amazon.com/ko_kr/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html) from AWS.