Restrictions on CloudFront Functions

The following restrictions apply only to CloudFront Functions.

For information about quotas (formerly referred to as limits), see Quotas on CloudFront Functions.

Logs

Function logs in CloudFront Functions are truncated at 10 KB.

Request body

CloudFront Functions cannot access the body of the HTTP request.

Regional AWS Security Token Service endpoints when using the CloudFront KeyValueStore API

When you call the CloudFront KeyValueStore API by using Signature Version 4A (SigV4A) with temporary security credentials—for example, when using AWS Identity and Access Management (IAM) roles—make sure that you request the temporary credentials from a Regional endpoint in AWS STS. If you use the global endpoint for AWS STS (sts.amazonaws.com), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by SigV4A. As a result, you will receive an authentication error. To resolve this issue, use any of the listed Regional endpoints for AWS STS in the IAM User Guide. If you're configuring SAML to use AWS STS regional endpoints, see the How to use regional SAML endpoints for failover blog post.

Runtime

The CloudFront Functions runtime environment does not support dynamic code evaluation, and it restricts access to the network, file system, and timers. For more information, see Restricted features.

Compute utilization

CloudFront Functions have a limit on the time they can take to run, measured as compute utilization. Compute utilization is a number between 0 and 100 that indicates the amount of time that the function took to run as a percentage of the maximum allowed time. For example, a compute utilization of 35 means that the function completed in 35% of the maximum allowed time.

When you test a function, you can see the compute utilization value in the output of the test event. For production functions, you can view the compute utilization metric on the Monitoring page in the CloudFront console, or in CloudWatch.