Delivering updated content to your users is crucial in the fast-paced digital world. Amazon CloudFront, a robust content delivery network (CDN), caches your content at edge locations for faster access. However, when your content changes, you must invalidate the cache to ensure users see the latest version. Manually invalidating caches can be cumbersome and prone to errors. This blog post will guide you through automating CloudFront cache invalidation using AWS services, saving you time and ensuring your users always have the most up-to-date content.

The Need for Automated Cache Invalidation: Overcoming Manual Challenges

Manual cache invalidation is tedious, especially for dynamic websites where content changes frequently. Each time an update is made, you must manually create an invalidation request in CloudFront. This approach is time-consuming and prone to human error, leading to outdated content being served to users. Automated cache invalidation eliminates these challenges, ensuring your content is consistently fresh and reducing the risk of serving stale data.

Leveraging AWS Services for Automation

AWS provides several services that can be leveraged to automate the cache invalidation process. Integrating these services allows you to create a seamless workflow that automatically tracks content changes and triggers cache invalidation.

S3 Object-Level Logging and CloudTrail for Event Tracking

The first step in automating cache invalidation is to track changes to the content stored in Amazon S3. By enabling S3 object-level logging and integrating it with AWS CloudTrail, you can monitor when objects are added, updated, or deleted. CloudTrail records these events, providing the necessary triggers for the invalidation process.

SNS Topic and EventBridge Rule for Event Forwarding

Once CloudTrail captures the relevant events, Amazon Simple Notification Service (SNS) and EventBridge come into play. SNS can forward these events to other AWS services. At the same time, EventBridge rules can filter and route these events to the appropriate target, such as a Lambda function that handles cache invalidation.

Creating and Configuring the Invalidation Mechanism

After tracking and forwarding the events, the next step is to set up the invalidation mechanism that automatically clears the CloudFront cache whenever content changes.

CloudFront Invalidation Setup

If you haven’t already, start by creating a CloudFront distribution. This distribution serves your content from the edge locations. Ensure your distribution is linked to the S3 bucket where your content is stored. This setup is crucial because the invalidation requests will target this distribution.

Lambda Function for Invalidation (CreateInvalidationFn)

To automate the invalidation process, you’ll need an AWS Lambda function. This function will receive events from EventBridge, determine which objects have changed, and then create an invalidation request for the CloudFront distribution.

Execution Role and Permissions for Lambda

The Lambda function requires specific permissions to create invalidation requests in CloudFront. Create an execution role for the Lambda function with the necessary permissions. The IAM policy should allow the cloudfront:CreateInvalidation action on the specified CloudFront distribution.

Lambda Function Implementation (Boto3): Python Code for Invalidation Logic

The core of the automation is the Lambda function, which is implemented using Python and the Boto3 library. Below is an example of the Lambda function code:

import boto3

import json

import os

cloudfront = boto3.client(‘cloudfront’)

def lambda_handler(event, context):

    distribution_id = os.getenv(‘DISTRIBUTION_ID’)

    paths_to_invalidate = []

    

    for record in event[‘Records’]:

        if ‘s3’ in record:

            bucket_name = record[‘s3’][‘bucket’][‘name’]

            object_key = record[‘s3’][‘object’][‘key’]

            paths_to_invalidate.append(f’/{object_key}’)

    

    if paths_to_invalidate:

        invalidation = cloudfront.create_invalidation(

            DistributionId=distribution_id,

            InvalidationBatch={

                ‘Paths’: {

                    ‘Quantity’: len(paths_to_invalidate),

                    ‘Items’: paths_to_invalidate

                },

                ‘CallerReference’: str(context.aws_request_id)

            }

        )

        

        return {

            ‘statusCode’: 200,

            ‘body’: json.dumps(f”Invalidation created: {invalidation[‘Invalidation’][‘Id’]}”)

        }

    else:

        return {

            ‘statusCode’: 200,

            ‘body’: json.dumps(“No files to invalidate”)

        }

Notification and Monitoring

You must do more than automate the invalidation process; you must monitor it and receive notifications when invalidations occur.

SNS Topic for Success Notifications (CreateInvalidationNotify)

Create an SNS topic that the Lambda function can use to publish messages when an invalidation is successfully created. This ensures you know the invalidation activity and can troubleshoot if necessary.

Email Subscription for Invalidation Status

Subscribe to the SNS topic with your email address to receive notifications. This way, every time an invalidation is created, you’ll receive an email with details of the action, allowing you to monitor the process in real-time.

Code Examples: EventBridge Rule, Lambda Code, Execution Role Policy

EventBridge Rule

Here’s a sample EventBridge rule that triggers the Lambda function:

{

  “Source”: [“aws.s3”],

  “DetailType”: [“AWS API Call via CloudTrail”],

  “Detail”: {

    “eventSource”: [“s3.amazonaws.com”],

    “eventName”: [“PutObject”, “DeleteObject”]

  },

  “Target”: [

    {

      “Arn”: “arn:aws:lambda:region:account-id:function:function-name”,

      “Id”: “TargetId”

    }

  ]

}

 

Execution Role Policy

{

  “Version”: “2012-10-17”,

  “Statement”: [

    {

      “Effect”: “Allow”,

      “Action”: “cloudfront:CreateInvalidation”,

      “Resource”: “arn:aws:cloudfront::account-id:distribution/distribution-id”

    }

  ]

}

Conclusion: Streamlined Efficiency with Automated Cache Invalidation

Automating CloudFront cache invalidation is a game-changer for developers and administrators managing dynamic content. By leveraging AWS services such as S3, CloudTrail, Lambda, and SNS, you can ensure that your users always receive the most up-to-date content without the hassle of manual invalidation. This automation saves time and enhances the reliability and performance of your content delivery strategy.

References

Invalidate files to remove content

Caching Best Practices