Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Requirements and Restrictions on Lambda Functions

Note the following requirements and restrictions on using Lambda functions with CloudFront:

CloudFront Distributions and Associations
  • You can create triggers (associations) for Lambda functions for a maximum of 25 distributions per AWS account.

  • You can create a maximum of 100 triggers (associations) for a distribution.

CloudFront Triggers for Lambda Functions
  • You can add triggers only for a numbered version, not for $LATEST or for aliases.

  • You can add triggers only for functions in the US East (N. Virginia) Region.

  • To add triggers, the IAM execution role associated with your Lambda function must be assumable by the service principals and For more information, see Setting IAM Permissions and Roles for Lambda@Edge in the IAM User Guide.

CloudWatch Logs

For information about Amazon CloudWatch Logs limits, see CloudWatch Logs Limits in the Amazon CloudWatch User Guide.

HTTP Status Codes

CloudFront doesn't execute Lambda functions for origin response and viewer response events if the origin returns HTTP status code 400 or higher.

Lambda Function Configuration and Execution Environment
  • You must create functions with the nodejs6.10 runtime property.

  • A function can use a maximum of 128 MB of memory.

  • You can't configure your Lambda function to access resources inside your VPC.

  • The maximum execution timeout for CloudFront origin request and origin response events is 3 seconds.

  • The maximum execution timeout for CloudFront viewer request events and viewer response events is 1 second.

  • Lambda limits apply, including the limit on concurrent executions. For more information, see AWS Lambda Limits in the AWS Lambda Developer Guide.

  • The Dead Letter Queue (DLQ) isn't supported.

  • The maximum compressed size of your Lambda function and any included libraries is 1 MB.

  • Environment variables aren't supported.

Microsoft Smooth Streaming

You can't create triggers for a CloudFront distribution that you're using for on-demand streaming of media files that you've transcoded into the Microsoft Smooth Streaming format.

Network Access

Functions triggered by origin request and origin response events can make network calls to resources on the internet and services in AWS regions such as S3 buckets, DynamoDB tables, or EC2 instances.

We don't support network calls for viewer request and viewer response events.

Response Size Limits

The maximum size of a response that is generated by a Lambda function (including the headers and body) depends on the event that triggered the function:

  • Viewer request events – 40 KB

  • Origin request events – 256 KB

If the response is larger than the allowed size, CloudFront returns an HTTP 502 status code (Bad Gateway) to the viewer.


If a function changes the URI for a request, that doesn't change the cache behavior for the request or the origin that the request is forwarded to.