Contents x
    Installing the Enforcer
    • 10 Nov 2023
    • Print
    • Dark
      Light
    Contents

    Installing the Enforcer

    • Updated on 10 Nov 2023
    • Print
    • Dark
      Light
    Article Summary

    Prerequisites

    Installing & configuring HUMAN AWS Lambda Edge Enforcer requires basic knowledge in the following AWS services - CloudFront, Lambda, CloudWatch, IAM. Basic knowledge is also required in NodeJS for configuring the enforcer, adding custom functions, etc.

    An AWS Account with necessary permissions for CloudFront, Lambda, CloudWatch, and IAM services is a prerequisite to install HUMANAWS Lambda Edge Enforcer. This should include the necessary permissions to create and edit IAM roles. The application does not require the use of root privileges for deployment or operation.

    Completing the enforcer deployment is estimated to take between 30-60 mins and will result with creating 1-3 new lambda functions, with a max size of 250kb (each), which are billable services according to your agreement with Amazon. There is no need to change current set service limits in relation to HUMAN added Lambda functions. More information can be found here & here. The HUMANEnforcer Lambda function is the only mandatory function in order to enable HUMAN Bot Defender solution on AWS.

    IAM Specifications

    The minimum required IAM specifications for using the HUMAN AWSLambda Edge Enforcer are the same as they would be for anyLambda Edge function as mentioned here. Required services include Lambda, CloudFront, IAM (to create the necessaryLambda Edge role and permissions), and CloudWatch (forLambda Edge logging).

    In order to use the HUMAN CDN Deploy Tool to upload the HUMANEnforcer Lambda function and associate it with the distribution, an API Access Key is necessary. This may require permissions to create, update, and list access keys in IAM as well. The access key used for the enforcer installation must be associated with a user that has read and write access to Lambda Functions, CloudFront, and CloudWatch.

    Secrets Manager

    HUMAN provides you with an application ID (px_app_id) along with two sensitive tokens: an authentication token (px_auth_token) used for validating requests sent to HUMAN servers and a cookie secret (px_cookie_secret) used for encrypting and decrypting the HUMAN cookie. Both of these secrets must be accessed in the HUMAN enforcer as part of the AWSLambda Edge Function.

    While it is possible to hard-code these strings in the HUMAN AWS Lambda Enforcer, it is best practice to store sensitive tokens in the AWS Secrets Manager. For more information on how to use the AWS Secrets Manager with Lambda Edge click here.

    Enforcer Installation

    Creating the Lambda Function on AWS

    1. In the AWS console, click Services > Compute > Lambda.
    2. Click Create function.
    3. Set the Name field to HUMANEnforcer, set Runtime to Node.js 16.x, and select an existing role or create a new role.
    4. Click Create function.

    Uploading the HUMAN Lambda Function and Required Configuration

    1. Under Code entry type select Upload a .ZIP file.
    2. Click Upload, navigate to the PXEnforcer.zip file provided to you by HUMAN, and click Save.
    3. If you haven't already, add the following mandatory parameters to the pxConfig object in the custom/config.js file:
    const pxConfig = {
    px_app_id: '<your app ID>',
    px_cookie_secret: '<your cookie key>',
    px_auth_token: '<your auth token>',
    px_first_party_enabled: false,
}

    Where:

    Parameter

    Description

    px_app_id

    The HUMAN custom application id in the format of PX__

    px_cookie_secret

    The key used by the cookie signing page. The cookie key is generated in the HUMAN Console policy page

    px_auth_token

    The JWT token for REST API. The Authentication Token is generated in the HUMAN Console application page

    px_first_party_enabled

    first-party mode must be set to false

    1. Click Save.
    2. Click Actions and select Publish New Version. Fill in a description for the version and click Publish.
    Where Can I Find the App ID, the Cookie Secret, and the Auth Token?

    The HUMAN Application ID / AppId and HUMAN Token / Auth Token can be found in the Portal, under Platform Settings -> Applications.

    HUMAN Risk Cookie / Cookie Key can be found in the Portal, under Platform Settings -> Policies.

    The Policy from where the Risk Cookie / Cookie Key is taken must correspond with the Application from where the Application ID / AppId and HUMAN Token / Auth Token are taken.

    Adding the HUMAN Lambda Function Trigger

    1. Select CloudFront from the menu on the left side of the screen.
    2. Set CloudFront event to Viewer request.
    3. Ensure the box under Enable trigger and replicate is checked.
    4. Click Add and then Save.

    First Party Installation

    First party mode enables the module to send/receive data to/from the sensor, acting as a reverse-proxy for client requests and sensor activities. To setup First party mode for the HUMAN AWSLambda Edge Function, follow the steps below.

    Please Note
    Installing First Party is highly recommended but not mandatory to get the enforcer deployed successfully. The following steps are required only for first party mode configurations where the HUMANEnforcer Lambda function is triggered on the viewer-request event. If the HUMANEnforcer Lambda is triggered on the origin-request event or if your setup is in third party mode, the following steps are not required.

    Configuring the HUMAN First Party Cache Policy

    1. In the AWS console, navigate to the Cloudfront service.
    2. Create a new cache policy called PXFirstPartyCachePolicy with the following field values:

    Field

    Value

    Name

    PXFirstPartyCachePolicy

    Description

    HUMAN cache policy for first party requests

    Minimum TTL

    0

    Maximum TTL

    10

    Default TTL

    5

    Headers

    Include the following: Host, User-Agent

    Cookies

    Include specified cookies: *_px*, px**

    Query Strings

    All

    Creating the First-Party Lambda Function on AWS

    1. In the AWS console Click Services > Compute > Lambda.
    2. Click Create function.
    3. set the Name field to HUMANFirstParty, set Runtime to Node.js 16.x, and select an existing role or create a new role.
    4. Click Create function.

    Uploading and Configuring the First-Party Lambda Function

    1. Under Code entry type select Upload a .ZIP file.
    2. Click Upload, navigate to the PXFirstParty.zip file provided to you by HUMAN, and click Save.
    3. If you haven't already, add the px_app_id field to the pxConfig object in the custom/config.js file. (Only the px_app_id is used for this function, so it is not necessary to add your other configurations.)
    4. Click Save.
    5. Click Actions and select Publish new version. Fill in a description for the version and click Publish.

    Creating the First Party Cloudfront Behavior

    1. Select CloudFront from the menu on the left side of the screen.
    2. Click into the Cloudfront distribution.
    3. Create a new Cloudfront Behavior with the following field values:

    Field

    Value

    Path Pattern

    /<PerimeterX app id without the first 2 letters>/* (e.g., if your AppID is PX1234567 the path would be /1234567/*)

    Allowed HTTP Methods

    GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

    Cache Key and Origin Requests

    Cache policy and origin request policy

    Cache Policy: PXFirstPartyCachePolicy
    Origin Request Policy: none

    Function Associations

    Event: Origin Request
    Function Type:Lambda Edge
    Function ARN/Name: The ARN of the published PXFirstParty Lambda function (e.g., arn:aws:lambda:us-east-1:<aws_id>:function:PXFirstParty:<version_number>
    Include Body: Checked

    1. Create the behavior.

    HUMANActivities Installation

    As part of Credentials Intelligence, the HUMAN AWS Lambda module can send the additional_s2s activity to HUMAN on the origin-response event, allowing HUMAN to analyze data related to the origin response and not just the request. This includes information about the returned HTTP status code and whether an attempted login was successful.

    Please Note
    The following steps are required only for configurations where credentials intelligence is enabled and the additional_s2s activity should be sent automatically to HUMAN. If credentials intelligence is not enabled or if the additional_s2s activity will be sent manually, the following steps are not required.

    Creating the HUMANActivities Lambda Function on AWS

    1. In the AWS console Click Services > Compute > Lambda.
    2. Click Create function.
    3. Set the Name field to HUMANActivities, set Runtime to Node.js 16.x, and select an existing role or create a new role.
    4. Click Create function.

    Uploading and Configuring the HUMANActivities Lambda Function

    1. Under Code entry type select Upload a .ZIP file.
    2. Click Upload, navigate to the PXActivities.zip file provided to you by HUMAN, and click Save.
    3. If you haven't already, add the px_app_id field to the pxConfig object in the custom/config.js file. (Only the px_app_id is used for this function, so it is not necessary to add your other configurations.)
    4. Click Save.
    5. Click Actions and select Publish new version. Fill in a description for the version and click Publish.

    Adding the HUMANActivities Lambda Function Trigger

    1. Select CloudFront from the menu on the left side of the screen.
    2. Set CloudFront event to Origin Response.
    3. Check the Confirm deploy toLambda Edge checkbox.
    4. Click Add and then Save.
    Was this article helpful?
    What's Next