The latest articles on Forem by Matia Rašetina (@mate32). https://forem.com/mate32 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3233301%2F2a66710a-6966-49ca-990a-bb1f25f92218.jpg https://forem.com/mate32 en Matia Rašetina Mon, 13 Apr 2026 07:00:00 +0000 https://forem.com/aws-builders/documentdb-vs-dynamodb-in-a-serverless-stack-i-benchmarked-both-so-you-dont-have-to-3jnj https://forem.com/aws-builders/documentdb-vs-dynamodb-in-a-serverless-stack-i-benchmarked-both-so-you-dont-have-to-3jnj <p>If you Google or chat with any of the LLMs about “DynamoDB vs DocumentDB”, most answers are theoretical.</p> <p>DynamoDB is <em>supposed</em> to be faster because it’s serverless. DocumentDB is <em>supposed</em> to be slower because it runs in a VPC, but no one is showing hard proof that this truly is the case. That’s why I built this experiment with 1000 requests with 200 concurrent users with two simple operations — writes and reads. And here are the results!</p> <p>Full GitHub code is available <a href="https://github.com/mate329/documentdb-vs-dynamodb-benchmark" rel="noopener noreferrer">here</a>.</p> <h2> Experimental Setup </h2> <p>Both databases sit behind the same architecture: an API Gateway REST API invoking a Python 3.12 Lambda function inside a VPC, the Lambda connects to the database, executes the requested operation and returns the information back to our testing script.</p> <p>For the DocumentDB stack, there are some additions — the DocumentDB instance needs to be inside a VPC, since it can only be set up in this way, and to use it, it requires credentials (username and password in this case). The database credentials are stored safely inside the Secrets Manager, which the Lambda will use to write and read from the DocumentDB instance.</p> <p>DynamoDB is serverless by design — it scales automatically and you pay only for what you use. To make the comparison fair, I configured DocumentDB in Serverless mode as well (0.5–16 DCU, scaling on demand), so neither database has a fixed instance sitting idle between requests.</p> <p>To make this experiment as reliable as possible, cold starts for Lambdas won’t be counted in the final result for both scenarios.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>DocumentDB</th> <th>DynamoDB</th> </tr> </thead> <tbody> <tr> <td>Instance / Mode</td> <td>Serverless (0.5–16 DCU)</td> <td>Serverless (pay-per-request)</td> </tr> <tr> <td>Region</td> <td>us-east-1</td> <td>us-east-1</td> </tr> <tr> <td>Lambda runtime</td> <td>Python 3.12</td> <td>Python 3.12</td> </tr> <tr> <td>Lambda memory</td> <td>512 MB</td> <td>512 MB</td> </tr> <tr> <td>Lambda timeout</td> <td>30 s</td> <td>30 s</td> </tr> <tr> <td>Lambda location</td> <td>Private subnet, VPC</td> <td>Private subnet, VPC</td> </tr> <tr> <td>Client library</td> <td>pymongo</td> <td>boto3</td> </tr> <tr> <td>Storage</td> <td>Encrypted at rest</td> <td>Managed by AWS</td> </tr> <tr> <td>Test volume</td> <td>1,000 requests</td> <td>1,000 requests</td> </tr> <tr> <td>Concurrency</td> <td>200</td> <td>200</td> </tr> <tr> <td>Data</td> <td>User records, ~400 bytes</td> <td>Same schema, same payload</td> </tr> </tbody> </table></div> <p>Another few details to optimize the Lambda runtime and keep the experiment fair:</p> <ul> <li>MongoDB and DynamoDB clients are created outside the handler to allow connection reuse across invocations</li> <li>DynamoDB client is configured to have <code>ConsistentRead</code> flag as <code>False</code> , to have quicker responses from the database</li> </ul> <p>Here is the architecture diagram of this experiment, together with a short CDK snippet for creating a DocumentDB cluster and instance. The full code is available in the GitHub repository provided in the introduction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkr2fighze2421t1as91b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkr2fighze2421t1as91b.png" alt=" " width="800" height="879"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># DocumentDB cluster # Minimal 0.5 DCU configuration, maximum 16 DCU </span><span class="n">self</span><span class="p">.</span><span class="n">docdb_cluster</span> <span class="o">=</span> <span class="n">docdb</span><span class="p">.</span><span class="nc">CfnDBCluster</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DocDbCluster</span><span class="sh">"</span><span class="p">,</span> <span class="n">master_username</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">docdb_secret</span><span class="p">.</span><span class="nf">secret_value_from_json</span><span class="p">(</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span> <span class="p">).</span><span class="nf">unsafe_unwrap</span><span class="p">(),</span> <span class="n">master_user_password</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">docdb_secret</span><span class="p">.</span><span class="nf">secret_value_from_json</span><span class="p">(</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span> <span class="p">).</span><span class="nf">unsafe_unwrap</span><span class="p">(),</span> <span class="n">db_subnet_group_name</span><span class="o">=</span><span class="n">subnet_group</span><span class="p">.</span><span class="n">ref</span><span class="p">,</span> <span class="n">vpc_security_group_ids</span><span class="o">=</span><span class="p">[</span><span class="n">self</span><span class="p">.</span><span class="n">docdb_sg</span><span class="p">.</span><span class="n">security_group_id</span><span class="p">],</span> <span class="n">storage_encrypted</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">engine_version</span><span class="o">=</span><span class="sh">"</span><span class="s">5.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="n">deletion_protection</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">serverless_v2_scaling_configuration</span><span class="o">=</span><span class="n">docdb</span><span class="p">.</span><span class="n">CfnDBCluster</span><span class="p">.</span><span class="nc">ServerlessV2ScalingConfigurationProperty</span><span class="p">(</span> <span class="n">min_capacity</span><span class="o">=</span><span class="mf">0.5</span><span class="p">,</span> <span class="n">max_capacity</span><span class="o">=</span><span class="mi">16</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">docdb_cluster</span><span class="p">.</span><span class="nf">apply_removal_policy</span><span class="p">(</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">)</span> <span class="c1"># Serverless DocumentDB instance </span><span class="n">docdb_instance</span> <span class="o">=</span> <span class="n">docdb</span><span class="p">.</span><span class="nc">CfnDBInstance</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DocDbInstance</span><span class="sh">"</span><span class="p">,</span> <span class="n">db_cluster_identifier</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">docdb_cluster</span><span class="p">.</span><span class="n">ref</span><span class="p">,</span> <span class="n">db_instance_class</span><span class="o">=</span><span class="sh">"</span><span class="s">db.serverless</span><span class="sh">"</span><span class="p">,</span> <span class="n">auto_minor_version_upgrade</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">docdb_instance</span><span class="p">.</span><span class="nf">add_dependency</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">docdb_cluster</span><span class="p">)</span> </code></pre> </div> <h2> The Results </h2> <h3> POST — Writing Data </h3> <p>This is the operation that creates a user record in the database, with a payload very similar to this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a1b2c3d4-e5f6-7890-abcd-ef1234567890"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user-47291"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1710249600</span><span class="p">,</span><span class="w"> </span><span class="nl">"payload"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xK9mN2pQr5sTvW7yZbCdFgHjL4nPqRsTuVwXyZ0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz01"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>And here are the results:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>DocumentDB</th> <th>DynamoDB</th> <th>Winner</th> </tr> </thead> <tbody> <tr> <td>P50</td> <td><strong>354.9 ms</strong></td> <td>358.4 ms</td> <td>DocumentDB (-1%)</td> </tr> <tr> <td>P90</td> <td><strong>523.9 ms</strong></td> <td>585.3 ms</td> <td>DocumentDB (-10%)</td> </tr> <tr> <td>P95</td> <td>913.9 ms</td> <td><strong>602.3 ms</strong></td> <td>DynamoDB (-34%)</td> </tr> <tr> <td>P99</td> <td>977.4 ms</td> <td><strong>605.7 ms</strong></td> <td>DynamoDB (-38%)</td> </tr> <tr> <td>Mean</td> <td>347.4 ms</td> <td><strong>324.8 ms</strong></td> <td>DynamoDB (-7%)</td> </tr> <tr> <td>Max</td> <td>3,033 ms</td> <td><strong>905.4 ms</strong></td> <td>DynamoDB (-70%)</td> </tr> <tr> <td>Throughput</td> <td>217 RPS</td> <td><strong>508 RPS</strong></td> <td>DynamoDB (2.3x)</td> </tr> <tr> <td>Failures</td> <td>0 / 1000</td> <td>0 / 1000</td> <td>Tie</td> </tr> </tbody> </table></div> <p>Looking at P50, both databases have very identical performance — DocumentDB at 354ms, DynamoDB at 358ms. Up to P90, DocumentDB holds a slight edge, but nothing really dramatic.</p> <p>Now we get to P95, where we start to see the difference — DocumentDB jumps to 913ms, while DynamoDB handles traffic 34% better by staying around the 600ms mark. In addition, P99 further confirms the wide gap between the write performances of these two NoSQL databases, DocumentDB almost hits a second, while DynamoDB stays in the 600ms range. The max duration of the request is the most dramatic part, DocumentDB takes 3 seconds, while DynamoDB stays under a second for the same operation.</p> <p>Regarding the throughput, DynamoDB beats DocumentDB by 2.3x, which is a huge difference since the rest of the configuration is identical — similar VPC, Lambda and payloads. This is the VPC + connection model showing up under write pressure. </p> <p>Both databases hit 100% success rate with no dropped requests.</p> <h3> GET — Reading Data </h3> <p>However, this is where things get interesting — the scenario is simple, Lambda gets invoked and fetches the user record by ID inside the database.</p> <p>For DocumentDB, that's a <code>find_one</code> by indexed field. For DynamoDB, a <code>get_item</code> by partition key.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>DocumentDB</th> <th>DynamoDB</th> <th>Winner</th> </tr> </thead> <tbody> <tr> <td>P50</td> <td><strong>461.1 ms</strong></td> <td>466.4 ms</td> <td>DocumentDB (-1%)</td> </tr> <tr> <td>P90</td> <td><strong>796.1 ms</strong></td> <td>1,387.7 ms</td> <td>DocumentDB (-43%)</td> </tr> <tr> <td>P95</td> <td><strong>830.2 ms</strong></td> <td>1,427.4 ms</td> <td>DocumentDB (-42%)</td> </tr> <tr> <td>P99</td> <td>2,102.2 ms</td> <td><strong>1,543.7 ms</strong></td> <td>DynamoDB (+36%)</td> </tr> <tr> <td>Mean</td> <td><strong>443.8 ms</strong></td> <td>535.3 ms</td> <td>DocumentDB (-17%)</td> </tr> <tr> <td>Max</td> <td>2,394.7 ms</td> <td><strong>1,786.3 ms</strong></td> <td>DynamoDB</td> </tr> <tr> <td>Throughput</td> <td><strong>380 RPS</strong></td> <td>285 RPS</td> <td>DocumentDB (1.3x)</td> </tr> <tr> <td>Failures</td> <td>0 / 1000</td> <td>0 / 1000</td> <td>Tie</td> </tr> </tbody> </table></div> <p>This result truly surprised me. At P50, DynamoDB has a small edge on reads, which was expected, however the difference at P90 and later changed the way I look at DocumentDB, as it provided better read performance than DynamoDB by around 40% — if you look at P90, DocumentDB just stays below the 800ms mark, while DynamoDB almost hits the 1.4 second mark, and the situation is very similar for P95. </p> <p>A possible explanation of why DocumentDB beat DynamoDB for reads is the buffer cache. DocumentDB keeps frequently accessed documents in memory on the instance. Once the cache is warm — which is exactly the steady-state condition in production — repeated reads on the same dataset are served from RAM rather than storage.</p> <p>At P99, DynamoDB regains its composure and beats DocumentDB by being faster 36%. A likely explanation is connection pool exhaustion, as the slowest 1% of requests are possibly queued and are waiting for a pymongo connection to free up.</p> <p>Regarding the throughput, DocumentDB processes the read requests faster by 1.3x.</p> <p>Again, as before, both databases maintained 100% success rate.</p> <h2> What the Numbers Actually Tell You </h2> <p><strong>For writes under load:</strong> DynamoDB is the clear winner here. The tail latency difference is too significant and is going to impact user experience in every way. If you need a database for ingesting events, logging and creating records which have unstructured data, DynamoDB is the definite winner.</p> <p><strong>For reads under load:</strong> DocumentDB wins, and by a meaningful margin at the tail. The throughput gap is also notable, as DocumentDB serves 33% more read requests per second in this test.</p> <p>An important statistic to mention — P50. Why? Because both databases have it within 10% of each other in both operations, so if you stopped here, you might have an argument that they have identical performances. However, the true difference live in P95 and P99 stats, where your slowest users are impacted the most.</p> <h2> Pricing: What Does This Actually Cost? </h2> <p>Performance is only a part of your architectural decision. Here's what running each database actually costs at the scale tested.</p> <h3> Lambda (same for both) </h3> <p>Lambda pricing is identical regardless of which database you use:</p> <ul> <li> <strong>Compute:</strong> $0.0000166667 per GB-second. At 512 MB and ~700ms average duration: roughly <strong>$0.006 per 1,000 requests</strong> </li> <li> <strong>Requests:</strong> $0.20 per million invocations</li> <li>At 1 million requests/month: ~<strong>$6 in compute + $0.20 in requests = ~$6.20/month</strong> </li> </ul> <p>Lambda is not the cost driver here. The database is.</p> <h3> DynamoDB (On-Demand, us-east-1) </h3> <p>DynamoDB on-demand charges per request:</p> <ul> <li> <strong>Writes:</strong> $0.625 per million write request units (1 WRU = 1 KB write)</li> <li> <strong>Reads:</strong> $0.125 per million read request units (1 RRU = 4 KB strongly consistent read)</li> <li> <strong>Storage:</strong> $0.25 per GB-month</li> </ul> <p>For our ~400 byte payload (rounds up to 1 KB write, well under 4 KB read):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Volume</th> <th>Writes</th> <th>Reads</th> <th>Storage (10GB)</th> <th>Monthly Total</th> </tr> </thead> <tbody> <tr> <td>100K req/day (~3M/month)</td> <td>$1.88</td> <td>$0.38</td> <td>$2.50</td> <td><strong>~$4.76</strong></td> </tr> <tr> <td>1M req/day (~30M/month)</td> <td>$18.75</td> <td>$3.75</td> <td>$2.50</td> <td><strong>~$25</strong></td> </tr> <tr> <td>10M req/day (~300M/month)</td> <td>$187.50</td> <td>$37.50</td> <td>$2.50</td> <td><strong>~$227</strong></td> </tr> </tbody> </table></div> <p>No instance cost, as DynamoDB is a serverless NoSQL database.</p> <h3> DocumentDB (Serverless, us-east-1) </h3> <p>Pricing dimensions:</p> <ul> <li> <strong>Compute:</strong> ~$0.0822 per DCU-hour (Standard config, us-east-1)</li> <li> <strong>Storage:</strong> $0.10 per GB-month</li> <li> <strong>I/O:</strong> $0.20 per million requests</li> <li> <strong>Minimum capacity:</strong> 0.5 DCU (~1 GB RAM equivalent)</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Volume</th> <th>Avg DCU</th> <th>Compute</th> <th>Storage (10GB)</th> <th>I/O</th> <th>Monthly Total</th> </tr> </thead> <tbody> <tr> <td>100K req/day (~3M/month)</td> <td>0.5</td> <td><strong>$29.59</strong></td> <td>$1.00</td> <td>$0.60</td> <td><strong>~$31.19</strong></td> </tr> <tr> <td>1M req/day (~30M/month)</td> <td>1</td> <td><strong>$59.18</strong></td> <td>$1.00</td> <td>$6.00</td> <td><strong>~$66.18</strong></td> </tr> <tr> <td>10M req/day (~300M/month)</td> <td>2</td> <td><strong>$118.37</strong></td> <td>$1.00</td> <td>$60.00</td> <td><strong>~$179.37</strong></td> </tr> </tbody> </table></div> <p>This table is based on my CloudWatch statistics, where the database with 200 concurrent request reached 9.15 DCU, and during testing my random testing to see if the database works, the average DCU was 4.66 as seen in the image below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkyqjodk6gp2xa465slv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvkyqjodk6gp2xa465slv.png" alt=" " width="800" height="97"></a></p> <h3> The Cost Crossover </h3> <p>At low volumes, DynamoDB is dramatically cheaper, however, at very high traffic volumes, DocumentDB's per-I/O pricing ($0.20/million) becomes competitive with DynamoDB's per-request pricing ($0.625/million writes). </p> <p>For this benchmark workload, the crossover point appeared around 5–10M requests/day.</p> <h2> When to Use Each </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Recommendation</th> </tr> </thead> <tbody> <tr> <td>Low traffic, unpredictable spikes</td> <td>DynamoDB — zero idle cost</td> </tr> <tr> <td>High write concurrency</td> <td>DynamoDB — better tail latency on writes</td> </tr> <tr> <td>High read concurrency</td> <td>DocumentDB — better tail latency and throughput on reads</td> </tr> <tr> <td>Simple key-value access patterns</td> <td>DynamoDB — purpose-built for this</td> </tr> <tr> <td>Complex queries, aggregations</td> <td>DocumentDB — native <code>$match</code>, <code>$group</code>, <code>$sort</code> pipeline</td> </tr> <tr> <td>Existing MongoDB codebase</td> <td>DocumentDB — minimal migration friction</td> </tr> </tbody> </table></div> <h2> Lessons Learned </h2> <p><strong>Measure before assuming.</strong> From my experience, it was always assumed that DynamoDB always provides best performance in the serverless infrastructure, but as we’ve proven with the read results at high concurrency, DocumentDB’s warm connection pool and buffer cache provide better tail latency than DynamoDB on-demand.</p> <p><strong>Tail latency is the real benchmark.</strong> Both databases are within 10% of each other at P50. The decision lives at P95 and P99. For write-heavy apps, that tail strongly favours DynamoDB. For read-heavy apps, it favours DocumentDB.</p> <p><strong>VPC overhead is real but manageable.</strong> DocumentDB lives in a VPC. The TCP/TLS handshake on cold starts adds latency. These are architectural decisions you have to live with if you go with DocumentDB, knowing that your reads are going to be better for your tail users.</p> <h2> Reproducing This Yourself </h2> <p>The full CDK stack (Python) and benchmark script are available on GitHub. Deploy it in your own account and run the same test — the numbers will vary by region, instance size, and concurrency, which is exactly the point. Your workload will tell you which database wins for your use case.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy from the CDK folder</span> <span class="nb">cd </span>cdk <span class="o">&amp;&amp;</span> cdk deploy <span class="c"># Seed the databases with random data</span> python scripts/seed_dynamodb.py <span class="nt">--table-name</span> benchmark-users <span class="nt">--count</span> 1000 python scripts/seed_documentdb.py <span class="nt">--stack-name</span> DocDbApiStack <span class="nt">--region</span> us-east-1 <span class="nt">--count</span> 1000 <span class="c"># Run the benchmark for write operations</span> python api_load_test.py <span class="se">\</span> <span class="nt">--endpoint</span> https://&lt;API_ENDPOINT_DYNAMODB_STACK&gt;/prod/users <span class="se">\</span> <span class="nt">--requests</span> 1000 <span class="nt">--concurrency</span> 200 <span class="se">\</span> <span class="nt">--method</span> POST <span class="nt">--output</span> results_dynamodb_post.json python api_load_test.py <span class="se">\</span> <span class="nt">--endpoint</span> https://&lt;API_ENDPOINT_DOCUMENTDB_STACK&gt;/prod/users <span class="se">\</span> <span class="nt">--requests</span> 1000 <span class="nt">--concurrency</span> 200 <span class="se">\</span> <span class="nt">--method</span> POST <span class="nt">--output</span> results_docdb_post.json <span class="c"># Run the benchmark for read operations</span> python api_load_test.py <span class="se">\</span> <span class="nt">--endpoint</span> https://&lt;API_ENDPOINT_DYNAMODB_STACK&gt;/prod/users <span class="se">\</span> <span class="nt">--requests</span> 1000 <span class="nt">--concurrency</span> 200 <span class="se">\</span> <span class="nt">--method</span> GET <span class="nt">--output</span> results_dynamodb_post.json python api_load_test.py <span class="se">\</span> <span class="nt">--endpoint</span> https://&lt;API_ENDPOINT_DOCUMENTDB_STACK&gt;/prod/users <span class="se">\</span> <span class="nt">--requests</span> 1000 <span class="nt">--concurrency</span> 200 <span class="se">\</span> <span class="nt">--method</span> GET <span class="nt">--output</span> results_docdb_get.json </code></pre> </div> aws webdev programming architecture Matia Rašetina Mon, 06 Apr 2026 07:00:00 +0000 https://forem.com/aws-builders/aws-lambda-pii-handling-in-production-dynamodb-field-encryption-with-kms-3oa6 https://forem.com/aws-builders/aws-lambda-pii-handling-in-production-dynamodb-field-encryption-with-kms-3oa6 <p>Handling Personally Identifiable Information (or PII for short) in AWS Lambda-backed systems is not difficult because AWS lacks security primitives. It is difficult because the default patterns in backend development encourage storing sensitive data in places where access control is only enforced at the infrastructure boundary — DynamoDB encryption at rest protects disks, but not application data, and once PII enters any of the database solutions inside the system, every principal with read access becomes a major threat.</p> <p>This article demonstrates a production-tested pattern — encrypting sensitive data categorized as PII (user’s home address, email, name, surname, date of birth etc.) in AWS Lambda before they are stored in DynamoDB, using customer-managed KMS keys and infrastructure entirely defined in Python AWS CDK. The goal of this pattern is to ensure that if ever a data breach happens to your application, that the data is encrypted security inside DynamoDB, and that only chosen parts of the system can decrypt the data if necessary. This pattern can be adjusted to be used with any other database solution available on AWS.</p> <p>This post will have most important snippets of the whole pattern, but the full code, where the Lambda handles all CRUD operations with DynamoDB, is available <a href="https://github.com/mate329/pii-location-service" rel="noopener noreferrer">here</a>.</p> <h2> <strong>Why are we going over this pattern?</strong> </h2> <p>There are many examples of existing serverless systems built on AWS Lambda and DynamoDB where some of the data, which gets stored inside the database, qualifies as PII and must not be stored in a human-readable format. As previously mentioned, the infrastructure in this pattern is defined using AWS CDK in Python, with a Lambda runtime in Python as well. Encryption keys are stored in AWS Key Management Service (KMS) and are customer-managed with explicit key policies, together with a strictly defined Lambda execution role.</p> <p>This design does not attempt to solve encrypted search or complex querying over sensitive fields, as those problems require different tradeoffs. The scope here is to deliberately limit access to certain fields which are categorized as PII and could give you a legal headache in case of a data breach.</p> <p>Moreover, DynamoDB server-side encryption is a must in any environment, but insufficient for PII or any field which needs protection by encryption. It protects against physical and low-level threats, but it does nothing to prevent plaintext access through IAM — any resource which has IAM access to the table and can scan or query the data, which can be a weakness in your infrastructure.</p> <p>The only way to tip the scales in your favor here is to make sure that the sensitive fields are never stored in plaintext anywhere in your infrastructure. Once encryption happens in the application layer, any database solution becomes a persistence layer for ciphertext, and access to the data is no longer enough to expose PII. Data decryption process then becomes an explicit operation, which only authorized compute resources with correct IAM permissions can decrypt the data.</p> <p>From this point forward, you are responsible for key rotation, correct IAM scoping and making sure that the application doesn’t leak any plain text information.</p> <h2> <strong>Architecture Overview</strong> </h2> <p>At a high level, the flow is simple:</p> <ol> <li>User’s payload enter a Lambda function from API Gateway</li> <li>Sensitive fields are encrypted immediately using AWS KMS</li> <li>Encrypted data is written to DynamoDB</li> </ol> <p>When data must be read and interpreted, the Lambda function explicitly decrypts the fields using the same KMS key from the encryption context.</p> <p>Basically, there are 3 crucial operations:</p> <ol> <li> Lambda calling KMS to encrypt and decrypt</li> <li>Lambda reading and writing encrypted attributes in DynamoDB</li> <li>IAM enforcing which principals are allowed to perform those operations</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihklu16sirezcubypbik.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fihklu16sirezcubypbik.png" alt="Architecture Diagram" width="800" height="850"></a></p> <h2> <strong>KMS Key Design in AWS CDK</strong> </h2> <p>In this pattern, the symmetric KMS key is the foundation. If its policy is overly permissive, field-level encryption becomes meaningless. The following CDK code is an example of creating a single customer-managed key dedicated for encryption and decryption processes for one service, with key rotation enabled and environment separation handled outside the snippet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Creation of a symmetric-key in KMS </span><span class="n">pii_key</span> <span class="o">=</span> <span class="n">kms</span><span class="p">.</span><span class="nc">Key</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PiiEncryptionKey</span><span class="sh">"</span><span class="p">,</span> <span class="n">alias</span><span class="o">=</span><span class="sh">"</span><span class="s">pii-encryption-key</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">KMS key for encrypting PII data (latitude/longitude)</span><span class="sh">"</span><span class="p">,</span> <span class="n">enable_key_rotation</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="c1"># RETAIN for prod </span><span class="p">)</span> </code></pre> </div> <p>At this layer, the key policy should be strict. Humans should not have decrypt permissions by default, and the Lambda execution role should be the primary and only consumer. CDK makes it easy to wire this correctly, but it also makes it easy to accidentally grant too much access if you are not careful enough.</p> <h2> <strong>Enabling Lambda IAM Access via Least Privilege</strong> </h2> <p>With the key in place, the next constraint is IAM. Encryption only works if decryption is tightly controlled. The Lambda execution role should have permission to encrypt and decrypt using exactly one KMS key and to read and write only the DynamoDB table it needs.</p> <p>The following CDK code shows the Lambda function definition and the explicit grants for DynamoDB and KMS. There are no wildcards and no implicit permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># CDK code for the Lambda + IAM Least Privilege Access </span><span class="n">pii_handler</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PiiHandler</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">__file__</span><span class="p">),</span> <span class="sh">"</span><span class="s">PIIHandler</span><span class="sh">"</span><span class="p">),</span> <span class="p">),</span> <span class="n">layers</span><span class="o">=</span><span class="p">[</span><span class="n">powertools_layer</span><span class="p">],</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">15</span><span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">256</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">POWERTOOLS_SERVICE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pii-service</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">POWERTOOLS_LOG_LEVEL</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">PII_TABLE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="n">pii_table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">KMS_KEY_ARN</span><span class="sh">"</span><span class="p">:</span> <span class="n">pii_key</span><span class="p">.</span><span class="n">key_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># Enable the PIIHandler Lambda access to DynamoDB table # and the KMS key to encrypt/decrypt the data </span><span class="n">pii_table</span><span class="p">.</span><span class="nf">grant_read_write_data</span><span class="p">(</span><span class="n">pii_handler</span><span class="p">)</span> <span class="n">pii_key</span><span class="p">.</span><span class="nf">grant_encrypt_decrypt</span><span class="p">(</span><span class="n">pii_handler</span><span class="p">)</span> </code></pre> </div> <h2> How to encrypt and decrypt data inside the AWS Lambda? </h2> <p>All encryption and decryption logic lives in the Lambda function, close to where data enters and leaves the system. The key rule is that plaintext PII should exist only in memory and only for as long as necessary.</p> <p>The following Python Lambda code uses the KMS client to directly to encrypt and decrypt fields which are sensitive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">client</span><span class="p">,</span> <span class="n">resource</span> <span class="c1"># Environment variables, AWS Client and AWS resources </span><span class="n">TABLE_NAME</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">PII_TABLE_NAME</span><span class="sh">"</span><span class="p">)</span> <span class="n">KMS_KEY_ARN</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">KMS_KEY_ARN</span><span class="sh">"</span><span class="p">)</span> <span class="n">KMS_CLIENT</span> <span class="o">=</span> <span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">kms</span><span class="sh">'</span><span class="p">)</span> <span class="n">DDB_RESOURCE</span> <span class="o">=</span> <span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">TABLE</span> <span class="o">=</span> <span class="n">DDB_RESOURCE</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">TABLE_NAME</span><span class="p">)</span> <span class="k">def</span> <span class="nf">encrypt_data</span><span class="p">(</span><span class="n">plaintext</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Encrypt data using KMS and return base64-encoded ciphertext.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">KMS_CLIENT</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span> <span class="n">KeyId</span><span class="o">=</span><span class="n">KMS_KEY_ARN</span><span class="p">,</span> <span class="n">Plaintext</span><span class="o">=</span><span class="n">plaintext</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">),</span> <span class="n">EncryptionContext</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">purpose</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pii-location-encryption</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pii-service</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">CiphertextBlob</span><span class="sh">"</span><span class="p">]).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decrypt_data</span><span class="p">(</span><span class="n">encrypted_data</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Decrypt base64-encoded ciphertext using KMS.</span><span class="sh">"""</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">encrypted_data</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">KMS_CLIENT</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span> <span class="n">CiphertextBlob</span><span class="o">=</span><span class="n">ciphertext</span><span class="p">,</span> <span class="n">KeyId</span><span class="o">=</span><span class="n">KMS_KEY_ARN</span><span class="p">,</span> <span class="n">EncryptionContext</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">purpose</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pii-location-encryption</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pii-service</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Plaintext</span><span class="sh">"</span><span class="p">].</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> <strong>Writing Encrypted Data to DynamoDB</strong> </h2> <p>Encryption happens before saving data anywhere in the system and only the <code>PIIHandler</code> Lambda has access to encrypt and decrypt the data, meaning that DynamoDB never sees plaintext latitude or longitude values, only base64-encoded cipher text.</p> <p>The following code snippet shows you the usage of the <code>encrypt_data</code> method I’ve shown above and the process of saving the sensitive information inside the DynamoDB table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">handle_create_location</span><span class="p">(</span><span class="n">event</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Handle POST /locations - Store encrypted PII location data.</span><span class="sh">"""</span> <span class="n">event_body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">))</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">event_body</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">]</span> <span class="n">latitude</span> <span class="o">=</span> <span class="n">event_body</span><span class="p">[</span><span class="sh">"</span><span class="s">latitude</span><span class="sh">"</span><span class="p">]</span> <span class="n">longitude</span> <span class="o">=</span> <span class="n">event_body</span><span class="p">[</span><span class="sh">"</span><span class="s">longitude</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># .. </span> <span class="c1"># Encrypt PII fields (latitude and longitude) </span> <span class="n">coordinates</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">latitude</span><span class="sh">"</span><span class="p">:</span> <span class="n">latitude</span><span class="p">,</span> <span class="sh">"</span><span class="s">longitude</span><span class="sh">"</span><span class="p">:</span> <span class="n">longitude</span><span class="p">})</span> <span class="n">encrypted_coordinates</span> <span class="o">=</span> <span class="nf">encrypt_data</span><span class="p">(</span><span class="n">coordinates</span><span class="p">)</span> <span class="n">item</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">pk</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">USER#</span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sk</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">LOCATION#</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">encrypted_coordinates</span><span class="sh">"</span><span class="p">:</span> <span class="n">encrypted_coordinates</span> <span class="p">}</span> <span class="n">TABLE</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="n">item</span><span class="p">)</span> <span class="c1"># ... </span></code></pre> </div> <h2> <strong>AWS KMS Operational Considerations and Pricing</strong> </h2> <p>Now, to talk about some of the considerations. This approach does introduce some latency and cost because of the KMS calls, and fetching encrypted data inside the DynamoDB will increase item size overall. However, these are normal and predictable tradeoffs, which are rarely a limiting factor unless you have a system which is already operating at a very high scale.</p> <p>More importantly, this pattern makes PII access, or any access to sensitive fields for that matter, explicit. Every decrypt operation is visible in CloudTrail, and access can be revoked centrally by modifying the KMS key policy. That property is far more valuable in production than marginal performance gains.</p> <p>Regarding pricing, when writing this in February 2026, the price for one KMS key is $1USD per month (prorated hourly) and operations cost only $0.03USD per 10 000 requests, more information about pricing can be found by clicking on the link <a href="https://aws.amazon.com/kms/pricing/" rel="noopener noreferrer">here</a>. It’s worth mentioning that KMS operations are free for 20 000 operations in every AWS region which has KMS.</p> <p>This pattern has key rotation enabled, meaning that every 365 days a new key will be generated and used for encrypting new data, which increases your cost per month by $1 USD. You don’t have to worry about the older data encrypted with the old key — KMS will save your older key which gets replaced and it will still be used to decrypt your data.</p> <h2> <strong>Conclusion</strong> </h2> <p>Field-level encryption in Lambda isn't advanced security — it should be a baseline for any system handling PII information.</p> <p>The pattern above is made simple on purpose, but the constraints it enforces are fundamental: DynamoDB read access no longer implies an insight into sensitive data and any compliance audits shift straight to concrete log analysis, making your job easier to do.</p> <p>As we’ve already discussed, the tradeoffs are real but manageable — KMS client calls add tens of milliseconds per operation and are relatively cheap (with a very generous Free tier as well!), meaning that this overhead is totally worth it because of the risk mitigation it provides.</p> <p>The real question in a production environment isn’t whether encryption exists, but whether which computing resources have access to your KMS key and which resources are authorized to decrypt the sensitive data. By using this pattern, your future self (and your legal team if you have it in your company!) will thank you when the inevitable security questionnaire arrives.</p> aws webdev security programming Matia Rašetina Mon, 02 Mar 2026 08:00:00 +0000 https://forem.com/mate32/designing-a-serverless-publishing-backend-on-aws-fan-out-as-a-first-class-architecture-pattern-3mab https://forem.com/mate32/designing-a-serverless-publishing-backend-on-aws-fan-out-as-a-first-class-architecture-pattern-3mab <p>Building a simple social platform where users can post about anything seems simple at first glance, until you reach the hardest problem: distributing content efficiently.</p> <p>When you publish a blog post on any platform, did you ever wonder what happens next? For most of the platforms, many systems react to you publishing a post — content gets moderated, notifications about your activity sent, user’s feed updates. The real challenge here is doing everything without blocking the user or coupling the services together.</p> <p>In this post, I’m going to tell you about fan-out architecture pattern — a strong pattern used to decouple services and enable data processing in multiple services at the same time.</p> <p>This pattern will be used inside a full-stack blog post platform, like Medium, <a href="http://dev.to">dev.to</a> and others. The full-stack application will be covered in the next post.</p> <p>Code for the whole backend is available by clicking on the link here.</p> <h2> Core AWS Services and Their Roles </h2> <p>At a high level, the system follows a simple rule:</p> <blockquote> <p>APIs handle commands. Events handle consequences.</p> </blockquote> <p>The backend is implemented using <strong>AWS CDK (Python)</strong> and relies exclusively on managed, serverless services. There are no always-on servers, no shared stateful services, and no synchronous dependency chains beyond the API boundary.</p> <p>When a user publishes a post, the API does only three things:</p> <ol> <li>Validate the request</li> <li>Persist the post</li> <li>Emit a <em>Post Published</em> event</li> </ol> <p>Everything else — fetching the user’s feed, search indexing, notifications, post content moderation, analytics — happening in parallel and independent of each other.</p> <p>This architecture uses the following serverless AWS services:</p> <ul> <li> <strong>AWS Lambda (Python 3.12)</strong> for computing</li> <li> <strong>AWS Cognito</strong> as a user management solution</li> <li> <strong>Amazon DynamoDB</strong> as a database solution</li> <li> <strong>Amazon SNS</strong> as the event bus (think of it as a "broadcast channel")</li> <li> <strong>Amazon SQS</strong> for isolated, scalable workers</li> <li> <strong>API Gateway</strong> for opening up the Lambdas to the Internet</li> <li> <strong>AWS Bedrock</strong> for post content moderation via available LLMs</li> </ul> <p>Here is the architecture diagram of the full-stack whole project, which we are going to take a closer look in the next blog post:</p> <p><a href="" class="article-body-image-wrapper"><img alt="publishing_platform_simple.png"></a></p> <h2> The Fan-Out Pattern: The Heart of the System </h2> <p>When a post is published, a single event is emitted to an SNS topic which sends the published post information to multiple SQS queues, as you can see in the architecture diagram.</p> <p><a href="" class="article-body-image-wrapper"><img alt="fanout.drawio.png"></a></p> <p>Each downstream service subscribes via it’s own SQS queue, backed by a dedicated Lambda function worker.</p> <p>This design has several important properties:</p> <ul> <li> <strong>Loose coupling</strong>: Workers know nothing about each other and are completely independent</li> <li> <strong>Fault isolation</strong>: One failure does not affect others</li> <li> <strong>Independent scaling</strong>: Each worker scales based on its own load</li> <li> <strong>Extensibility</strong>: New consumers of data can be added without changing existing code, just point to the new worker’s SQS queue</li> </ul> <p>This is not just event-driven—it’s <strong>fan-out by construction</strong>, making it so easy to do multiple processes in parallel.</p> <p>Another important detail to mention is that all SQS queue has it’s own Dead-letter queues (or DLQ for short), which collects the posts which couldn’t be processed, so the developer has an easier time debugging the failures in the system, making the system more mature and easier to work with. We are going to take a look how they work in the next blog post.</p> <p>In the CDK code, creating a SNS topic and connecting the SQS queues looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="n">post_published_topic</span> <span class="o">=</span> <span class="n">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PostPublishedTopic</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="n">base</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="n">sqs</span><span class="p">.</span><span class="n">Queue</span><span class="p">,</span> <span class="n">sqs</span><span class="p">.</span><span class="n">Queue</span><span class="p">]:</span> <span class="n">dlq</span> <span class="o">=</span> <span class="n">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">base</span><span class="si">}</span><span class="s">Dlq</span><span class="sh">"</span><span class="p">,</span> <span class="n">retention_period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">14</span><span class="p">))</span> <span class="n">q</span> <span class="o">=</span> <span class="n">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">base</span><span class="p">,</span> <span class="n">visibility_timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">90</span><span class="p">),</span> <span class="n">dead_letter_queue</span><span class="o">=</span><span class="n">sqs</span><span class="p">.</span><span class="nc">DeadLetterQueue</span><span class="p">(</span><span class="n">queue</span><span class="o">=</span><span class="n">dlq</span><span class="p">,</span> <span class="n">max_receive_count</span><span class="o">=</span><span class="mi">5</span><span class="p">),</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">post_published_topic</span><span class="p">.</span><span class="nf">add_subscription</span><span class="p">(</span><span class="n">subs</span><span class="p">.</span><span class="nc">SqsSubscription</span><span class="p">(</span><span class="n">q</span><span class="p">))</span> <span class="k">return</span> <span class="n">q</span><span class="p">,</span> <span class="n">dlq</span> <span class="n">self</span><span class="p">.</span><span class="n">feed_q</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">feed_dlq</span> <span class="o">=</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="sh">"</span><span class="s">FeedQueue</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">search_q</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">search_dlq</span> <span class="o">=</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="sh">"</span><span class="s">SearchQueue</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">email_q</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">email_dlq</span> <span class="o">=</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="sh">"</span><span class="s">EmailQueue</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">moderation_q</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">moderation_dlq</span> <span class="o">=</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="sh">"</span><span class="s">ModerationQueue</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">analytics_q</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">analytics_dlq</span> <span class="o">=</span> <span class="nf">mk_queue</span><span class="p">(</span><span class="sh">"</span><span class="s">AnalyticsQueue</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Multiple Independent Workers Triggered by One Event </h2> <p>Every worker reacts to the same event but serves a different purpose:</p> <ul> <li> <strong>Feed Worker</strong>: Distributes content to followers</li> <li> <strong>Search Worker</strong>: Updates the inverted index</li> <li> <strong>Email Worker</strong>: Sends notifications via SES</li> <li> <strong>Moderation Worker</strong>: Runs AI moderation</li> </ul> <p>Each worker:</p> <ul> <li>Has its own IAM role</li> <li>Has its own retry and DLQ configuration</li> <li>Can fail without cascading impact</li> </ul> <p>Connecting a Lambda worker to it’s SQS queue is done inside the CDK code like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Any Lambda function, just copy, paste and adjust! </span><span class="k">def</span> <span class="nf">mk_worker</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">queue</span><span class="p">,</span> <span class="n">extra_env</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="n">fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="n">path</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">256</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span><span class="o">**</span><span class="n">common_env</span><span class="p">,</span> <span class="o">**</span><span class="p">(</span><span class="n">extra_env</span> <span class="ow">or</span> <span class="p">{})},</span> <span class="n">layers</span><span class="o">=</span><span class="p">[</span><span class="n">powertools_layer</span><span class="p">],</span> <span class="p">)</span> <span class="n">fn</span><span class="p">.</span><span class="nf">add_event_source</span><span class="p">(</span><span class="n">sources</span><span class="p">.</span><span class="nc">SqsEventSource</span><span class="p">(</span><span class="n">queue</span><span class="p">,</span> <span class="n">batch_size</span><span class="o">=</span><span class="mi">10</span><span class="p">))</span> </code></pre> </div> <p>Now, let’s explain what each of the Lambda workers work in more detail.</p> <h3> Feed Worker </h3> <p>This Lambda takes the incoming data about the published post and updates the feed which should be shown to the followers of the user which published the post. A user’s feed is defined inside a DynamoDB table. </p> <h3> Moderation Worker </h3> <p>Content moderation is handled by a dedicated worker using <strong>AWS Bedrock’s Nova Micro model</strong>, because of it’s low price and it works wonders in this case.</p> <p>Moderation is:</p> <ul> <li>Asynchronous</li> <li>Non-blocking</li> <li>Cheap enough to run on every post</li> </ul> <p>The worker takes the incoming data about the published post, like title, content and tags, builds a prompt with that data and sends it to the Nova Micro LLM model to analyze the content. The LLM will return either <code>APPROVED</code> or <code>REJECTED</code>, and the provided response is written inside the DynamoDB table, so the user cannot see any of the <code>REJECTED</code> posts.</p> <h3> Email Worker </h3> <p>This is very simple — take the incoming data of the blog post and send it to the followers found inside the DynamoDB table.</p> <h3> Search Worker </h3> <p>Instead of using OpenSearch or any other vector database, I’ve chosen to use DynamoDB for search indexing. The reason for choosing it is very simple — DynamoDB enables you to have the same functionality, but for a fraction of the cost.</p> <p>All Lambda code is available in the Github repository available by clicking on the link at the beginning of this post.</p> <p>Now that we’ve covered the heart of this application, there are some architectural decisions made for the DynamoDB data model and decisions made about exposing the API endpoints to the user.</p> <h2> Data Modeling: Designing for Access Patterns </h2> <p>The data layer is intentionally simple and optimized around how the application reads data, not how it looks relationally. This is explained as well, together with the fan-out pattern, as it’s very important for the application’s performance.</p> <h3> Posts Table </h3> <p>Stores the canonical representation of each post, indexed for:</p> <ul> <li>Fetching a post by ID</li> <li>Listing posts by author</li> <li>Filtering by moderation status</li> </ul> <h3> Follows Table </h3> <p>Represents the social graph:</p> <ul> <li>Partitioned by <code>authorId</code> </li> <li>Enables fast lookup of followers when a post is published</li> </ul> <h3> Feed Table </h3> <p>This table exists to serve one purpose: <strong>fast feed reads</strong>.</p> <p>Each user has their own partition containing pre-computed feed entries, sorted by publication time. There is no aggregation or computation at read time—fetching a feed is a single DynamoDB query.</p> <p>This design only works because of one key decision: <strong>fan-out on write</strong>.</p> <h3> Search Index Table </h3> <p>Instead of using OpenSearch, the system implements a lightweight inverted index in DynamoDB by tokenizing titles and tags. It’s intentionally limited but dramatically cheaper and simpler for MVP-level search requirements.</p> <h2> The API Layer: Thin by Design </h2> <p>The API exposes a small set of endpoints:</p> <ul> <li>Publish a post</li> <li>Retrieve a post</li> <li>Fetch a user’s feed</li> <li>Search content</li> </ul> <p>Very simple, very straight forward. To open up a Lambda to the Internet inside the CDK code, you would do it like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Define the Lambda resource </span><span class="n">get_post_fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GetPostFn</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">get_post.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="sh">"</span><span class="s">services/api/handlers</span><span class="sh">"</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">256</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">POSTS_TABLE</span><span class="sh">"</span><span class="p">:</span> <span class="n">storage</span><span class="p">.</span><span class="n">posts_table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">POWERTOOLS_LOG_LEVEL</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="n">layers</span><span class="o">=</span><span class="p">[</span><span class="n">powertools_layer</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Create the root API via API Gateway </span><span class="n">http_api</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">HttpApi</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HttpApi</span><span class="sh">"</span><span class="p">,</span> <span class="n">cors_preflight</span><span class="o">=</span><span class="n">cors_preflight</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Add a route to the root API </span><span class="n">http_api</span><span class="p">.</span><span class="nf">add_routes</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/posts/{postId}</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="n">apigw</span><span class="p">.</span><span class="n">HttpMethod</span><span class="p">.</span><span class="n">GET</span><span class="p">],</span> <span class="n">integration</span><span class="o">=</span><span class="n">integrations</span><span class="p">.</span><span class="nc">HttpLambdaIntegration</span><span class="p">(</span><span class="sh">"</span><span class="s">GetPostInt</span><span class="sh">"</span><span class="p">,</span> <span class="n">get_post_fn</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h2> Security and Identity </h2> <p>Authentication is handled by Amazon Cognito with:</p> <ul> <li>Email-based signup</li> <li>JWT-based authorization</li> <li>OAuth 2.0 support</li> </ul> <p>All APIs which are open to the Internet are protected via the Cognito authorizer, that way we let API Gateway handle protection of our endpoints.</p> <p>In addition, each Lambda function inside this sytem operates under <strong>least-privilege IAM</strong>, with access only to the resources it requires. Workers or API Lambdas cannot accidentally read or modify unrelated data.</p> <p>To protect the endpoint, you’ll need the created Cognito User Pool ID when it gets initialized. We’ll use the same Lambda we’ve opened up to the Internet via API Gateway, just modify the <code>add_routes</code> method arguments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Create Cognito authorizer </span><span class="n">cognito_authorizer</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">HttpUserPoolAuthorizer</span><span class="p">(</span> <span class="sh">"</span><span class="s">CognitoAuthorizer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ADD YOUR USER POOL ID HERE</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Add a route to the root API # and protect the endpoint with the Cognito Authorizer </span><span class="n">http_api</span><span class="p">.</span><span class="nf">add_routes</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/posts/{postId}</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="n">apigw</span><span class="p">.</span><span class="n">HttpMethod</span><span class="p">.</span><span class="n">GET</span><span class="p">],</span> <span class="n">integration</span><span class="o">=</span><span class="n">integrations</span><span class="p">.</span><span class="nc">HttpLambdaIntegration</span><span class="p">(</span><span class="sh">"</span><span class="s">GetPostInt</span><span class="sh">"</span><span class="p">,</span> <span class="n">get_post_fn</span><span class="p">),</span> <span class="n">authorizer</span><span class="o">=</span><span class="n">cognito_authorizer</span> <span class="p">)</span> </code></pre> </div> <h2> Cost Characteristics </h2> <p>All of services used in this project are inside the AWS Free tier and, if your traffic is low-to-medium (i.e. around few thousand users), most of the services are going to still be inside the Free tier. Only service which might cost you a couple of dollars will be AWS Bedrock, since running the project is running the LLM on every blog post.</p> <h2> Conclusion </h2> <p>You’ve now seen the power of this pattern and how easy it makes it to run multiple processes in parallel by using AWS serverless services.</p> <p>The fan-out pattern turns a single publish action into a <strong>scalable pipeline of independent reactions</strong>. It keeps APIs fast, workers isolated, and the system easy to extend.</p> <p>Most importantly, it aligns perfectly with the realities of a publishing platform:</p> <ul> <li>Reads must be instant</li> <li>Side effects must not block users</li> <li>Features will grow over time and they are easy to add as SNS destinations</li> </ul> <p>By making fan-out a first-class architectural choice, the backend remains simple—even as it scales. </p> <p>In the next post, we’re going to take a closer look in all functionalities of the full-stack application.</p> webdev aws programming architecture Matia Rašetina Mon, 23 Feb 2026 09:04:41 +0000 https://forem.com/mate32/my-aws-lambda-runs-faster-than-yours-heres-how-to-optimize-lambda-cold-starts-with-snapstart-4odd https://forem.com/mate32/my-aws-lambda-runs-faster-than-yours-heres-how-to-optimize-lambda-cold-starts-with-snapstart-4odd <p>If you ever worked with AWS Lambda, you know about one of their main weak points — cold starts. It’s been a pain point for any team building serverless applications with libraries that take lots of storage space. Whether it’s a data science processing library, machine learning models or complex custom libraries, cold starts can quickly become the dominant source of latency.</p> <p>In early 2022, AWS launched Lambda SnapStart, a feature used to enable the developers to lower Lambda initialization times, and in late 2024, it was also enabled for Python runtimes as well. We’re going into more detail about SnapStart and how it works in the next heading.</p> <p>In this post, I’ll walk you through how SnapStart works with Python 3.12, give you AWS CDK code examples which you can copy and paste straight into your project to enable SnapStart on your Lambdas, and show you how the impact of enabling SnapStart with real benchmark data from 10 cold start runs.</p> <p>Full code can be found by clicking on the <a href="https://github.com/mate329/python-aws-cdk-lambda-snapstart-benchmark" rel="noopener noreferrer">link here</a>.</p> <h2> <strong>What Is AWS Lambda SnapStart?</strong> </h2> <p><strong>Lambda SnapStart is</strong> a feature which enables the developers to mitigate the expensive and long Lambda environment initialization phases. What SnapStart does is it captures a snapshot of your execution environment when a new Lambda version is published and used for the first time, right after the initialization phase completes. For each subsequent cold start, the snapshot is restored as your Lambda execution environment instead of initializing the environment again, significantly reducing startup time.</p> <p>For Python workloads, this is very impactful because if you are using Lambda for your ETL pipeline, smaller Machine Learning models, initializations of time-costly database connections etc., libraries like Pandas, NumPy and others are costing you precious time to initialize inside the Lambda environment and your user experience decreases dramatically. As mentioned, by using SnapStart and creating a snapshot of the Lambda environment, we are lowering the cold start time, which enables us to provide better user experience. When the Lambda is warm, the Lambda invocation time stays more or less the same, even if you have SnapStart enabled. The main point here is to only <strong>lower</strong> the cold start time.</p> <p>Below you can see the request lifecycle with a standard Lambda execution environment and when SnapStart is enabled. This image is taken from the official AWS documentation, and if you want to read into more detail about SnapStart, you can do that by clicking on the link <a href="https://aws.amazon.com/blogs/aws/aws-lambda-snapstart-for-python-and-net-functions-is-now-generally-available/" rel="noopener noreferrer">here</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdcjhd009h1w3nprw8ps.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxdcjhd009h1w3nprw8ps.png" width="800" height="290"></a></p> <h2> <strong>Architecture Overview and Test Setup</strong> </h2> <p>The overview of this experiment is as following — we have 2 Lambdas, where one has SnapStart enabled and the other uses the standard Lambda environment without SnapStart.</p> <p>We are only going to focus on importing the libraries in the Lambda environment, the Lambda handler method returns a “hello-world” back to the user, as we are not testing and measuring Lambda invocation times in this post. However, I’ve made the code log invocation time as well, so if you want to test something out in addition to importing the libraries, you can do that with ease.</p> <p>Both have the same Lambda code — they are going to import some of the most used libraries like <code>json</code>, <code>os</code>, <code>logging</code>, however, then we are going to try and import libraries which cost Lambda initialization time the most — libraries like <code>pandas</code>, <code>joblib</code> and <code>numpy</code>. </p> <p>Configuration of the Lambdas are:</p> <ul> <li>ARM64 architecture</li> <li>1024MB of memory</li> <li>Python 3.12 used as Lambda runtime</li> <li>30s timeout</li> </ul> <p>Both Lambdas are run 10 times, with a 10 minute waiting time after any of the invocations, to have a very good chance of the Lambdas transition from a “warm” to a “cold” state. Information about the initialization times were taken from CloudWatch logs, and the Lambdas were invoked straight inside the AWS Console. Examples of the initialization times from CloudWatch can be seen in the following images:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23i3er4xbin71fn5cu4x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23i3er4xbin71fn5cu4x.png" width="800" height="334"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2qui72riew0mb6vu4wy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo2qui72riew0mb6vu4wy.png" width="800" height="156"></a></p> <h2> <strong>Enabling SnapStart with AWS CDK (Python)</strong> </h2> <p>The following CDK code contains the project configuration — 2 AWS Lambdas, where one has SnapStart enabled, and the other one has SnapStart disabled, forcing it to have a standard Lambda execution environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">Duration</span><span class="p">,</span> <span class="n">CfnOutput</span><span class="p">,</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">_lambda</span><span class="p">,</span> <span class="n">aws_lambda_python_alpha</span> <span class="k">as</span> <span class="n">lambda_python</span><span class="p">,</span> <span class="n">aws_iam</span> <span class="k">as</span> <span class="n">iam</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">BenchmarkStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># 0. Creating a common configuration for each of the 2 Lambdas </span> <span class="n">common</span> <span class="o">=</span> <span class="nf">dict</span><span class="p">(</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">entry</span><span class="o">=</span><span class="sh">"</span><span class="s">benchmark</span><span class="sh">"</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.py</span><span class="sh">"</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">architecture</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Architecture</span><span class="p">.</span><span class="n">ARM_64</span><span class="p">,</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">1024</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">bundling</span><span class="o">=</span><span class="n">lambda_python</span><span class="p">.</span><span class="nc">BundlingOptions</span><span class="p">(</span> <span class="n">image</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">.</span><span class="n">bundling_image</span><span class="p">,</span> <span class="n">platform</span><span class="o">=</span><span class="sh">"</span><span class="s">linux/arm64</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="c1"># 1. SnapStart Lambda </span> <span class="n">snapstart_fn</span> <span class="o">=</span> <span class="n">lambda_python</span><span class="p">.</span><span class="nc">PythonFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">SnapStartFn</span><span class="sh">"</span><span class="p">,</span> <span class="n">snap_start</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">SnapStartConf</span><span class="p">.</span><span class="n">ON_PUBLISHED_VERSIONS</span><span class="p">,</span> <span class="c1"># Enable SnapStart for all published versions of the Lambda </span> <span class="o">**</span><span class="n">common</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 2. Standard Lambda (no SnapStart) </span> <span class="n">standard_fn</span> <span class="o">=</span> <span class="n">lambda_python</span><span class="p">.</span><span class="nc">PythonFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">StandardFn</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Do NOT include the "snap_start" argument, so it uses the regular </span> <span class="c1"># Lambda execution environment </span> <span class="o">**</span><span class="n">common</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 3. Create versions </span> <span class="n">snapstart_version</span> <span class="o">=</span> <span class="n">snapstart_fn</span><span class="p">.</span><span class="n">current_version</span> <span class="n">standard_version</span> <span class="o">=</span> <span class="n">standard_fn</span><span class="p">.</span><span class="n">current_version</span> <span class="c1"># 4. Create aliases </span> <span class="n">snapstart_alias</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Alias</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">SnapStartAlias</span><span class="sh">"</span><span class="p">,</span> <span class="n">alias_name</span><span class="o">=</span><span class="sh">"</span><span class="s">live</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="n">snapstart_version</span><span class="p">,</span> <span class="p">)</span> <span class="n">standard_alias</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Alias</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">StandardAlias</span><span class="sh">"</span><span class="p">,</span> <span class="n">alias_name</span><span class="o">=</span><span class="sh">"</span><span class="s">live</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="n">standard_version</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>It’s very important that the Lambda, which has SnapStart enabled, has an alias.</p> <p>Lambda SnapStart requires aliases because it only works on <strong>published versions</strong>, and aliases provide a stable pointer to a specific version of your Lambda code with all of your requirements, code and libraries so AWS can safely create, cache, and restore the created snapshot.</p> <h2> Lambda Handler Code used for Testing Lambda SnapStart </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Light and quick imports of these libraries </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Dict</span> <span class="c1"># Heavy libraries which take time to initialize # in the Lambda environment </span><span class="kn">import</span> <span class="n">pandas</span> <span class="kn">import</span> <span class="n">numpy</span> <span class="kn">import</span> <span class="n">joblib</span> <span class="n">LOG</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">()</span> <span class="n">LOG</span><span class="p">.</span><span class="nf">setLevel</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">LOG_LEVEL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">))</span> <span class="n">INIT_EPOCH_MS</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="n">LOG</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">phase</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">init</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">event</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">complete</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ts_epoch_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">INIT_EPOCH_MS</span><span class="p">}))</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">],</span> <span class="n">context</span><span class="p">:</span> <span class="n">Any</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">perf_counter</span><span class="p">()</span> <span class="n">handler_start_epoch_ms</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="c1"># Lambda code for measuring total invocation time, </span> <span class="c1"># not the topic of this post </span> <span class="c1"># ... </span></code></pre> </div> <p>As mentioned, to make the benchmark meaningful, the Lambda handler method includes heavy initialization logic, importing big libraries which we’ve mentioned above. This is to simulate a real-world Lambda doing a big computational task that loads large dependencies to complete it’s task.</p> <h2> <strong>Results: SnapStart vs No SnapStart (10 Cold Starts)</strong> </h2> <p>The difference between SnapStart-enabled and non-SnapStart Lambdas becomes immediately obvious when comparing cold start durations across multiple runs.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9ptd5dk3qvnq478zldu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9ptd5dk3qvnq478zldu.png" alt="Results of Testing Standard Lambda environment vs SnapStart" width="800" height="480"></a></p> <p>The average cold start initialization (so not total invocation, just initialization!) times were on average:</p> <ul> <li>Lambda with a standard environment - 2929.99ms</li> <li>Lambda with SnapStart enabled - 473.50ms</li> </ul> <p>By only enabling one Lambda feature, we’ve cut the initialization time by <strong>~84%</strong>! That’s 6.2x faster!</p> <h2> <strong>When SnapStart Is (and Isn’t) Worth It</strong> </h2> <p>We’ve seen how SnapStart makes a difference in cutting down on invocation times in Lambdas where library and global object initialization times are significant and can impact user experience.</p> <p>It’s on you as a Lead Developer, or a Solutions Architect, to decide if implementing SnapStart in your Lambdas is worth it — if you are using AWS Lambda as your API handler to do CRUD operations in your application, more probably than not you are not going to need SnapStart enabled. Yet again, it’s on you to decide, based on the data you see.</p> <p>Finally, there is some cost when using SnapStart (following cost is for eu-central-1, AWS region I’m using):</p> <ul> <li>when caching the Lambda environment - $0.0000015046 per GB-second</li> <li>when restoring the Lambda environment - $0.0001397998 for every GB restored</li> </ul> <p>Cost is still very low, but something to keep in mind if you have Lambdas handling heavy traffic. More information about SnapStart pricing can be found on the <a href="https://www.notion.so/My-AWS-Lambda-Runs-Faster-Than-Yours-Here-s-how-to-optimize-Lambda-Cold-Starts-with-SnapStart-2fdf484b7a7180f5afecfeb39fe25e26?pvs=21" rel="noopener noreferrer">link here.</a></p> <h2> Conclusion </h2> <p>AWS Lambda SnapStart offers a very powerful, yet a low-effort way of reducing cold start times for heavy serverless workloads. The benchmark provided in this blog post provides strong evidence that the Lambda functions, which require libraries that are time-consuming during Lambda environment initialization, can be mitigated by toggling on a single feature, making environment initialization times from a multi-second into sub-second starts.</p> <p>For teams already using AWS CDK and Python Lambdas, enabling SnapStart is one of the highest-ROI optimizations available today.</p> aws python webdev serverless Matia Rašetina Mon, 16 Feb 2026 08:00:00 +0000 https://forem.com/mate32/cloudfront-signed-cookies-authorization-a-powerful-session-based-pattern-for-private-content-on-aws-1dm7 https://forem.com/mate32/cloudfront-signed-cookies-authorization-a-powerful-session-based-pattern-for-private-content-on-aws-1dm7 <p>Providing private content securely and swiftly is a very common challenge for any application which is on the internet. Whether you’re building a SaaS dashboard, a paid content platform or an enterprise portal, it is important that only authenticated users are able to access sensitive documents or assets, while providing best download performance.</p> <p>This is where a Content Delivery Network service comes into play — on AWS, that’s CloudFront. CloudFront signed cookies authorization becomes a powerful design pattern. Instead of enforcing custom authorization logic on your backend, generating a pre-signed URL and sending it back to the user, here authentication happens in the application layer and authorization is handled at the edge by CloudFront. </p> <p>By combining session-based authorization AWS patterns with edge security, you gain lower latency, improved scalability, caching and stronger security of your application. This article walks you through a clean, minimal, AWS-based architecture that shows you the thought process and the code to protect and provide private content to your users by using CloudFront signed cookies.</p> <p>Code changes are in GitHub and are available by clicking on the link <a href="https://github.com/aws-samples/serverless-patterns/pull/2913" rel="noopener noreferrer">here</a>.</p> <h2> <strong>High-Level Architecture Overview and AWS Services Used</strong> </h2> <p>At a high level, this pattern enables users to authenticate once via AWS Lambda and Cognito to then access application access with the best download performance. The browser or any other client of you application receives a HTTP-only cookie that CloudFront validates on every request, without calling any other backend services.</p> <p>The core idea is simple:</p> <ul> <li>Provide Authentication endpoints via AWS API Gateway and authenticate users using AWS Lambda and <strong>Amazon Cognito</strong> </li> <li>Mint signed cookies via a lightweight backend</li> <li>Enforce <strong>Amazon CloudFront authorization</strong> at the edge</li> <li>Restrict the origin so content is never publicly accessible</li> </ul> <p>Services which are crucial for this pattern are:</p> <h3> <strong>Amazon CloudFront + Amazon S3</strong> </h3> <p><strong>Amazon CloudFront</strong> is a Content Delivery Network provided by AWS, which acts as the central enforcement point. It validates provided signed cookies and decides if the user has access to the assets available at the edge.</p> <p><strong>Amazon S3</strong> is a service used to store objects and files inside buckets. The bucket blocks all public access and can only be reached through CloudFront, enabling <strong>CloudFront secure S3 access</strong>.</p> <h3> <strong>Amazon Cognito</strong> </h3> <p><strong>Amazon Cognito</strong> handles user authentication. It verifies user identity and issues JWT tokens.</p> <h3> <strong>Amazon API Gateway + AWS Lambda</strong> </h3> <p>We use Amazon API Gateway to open up our Authentication Lambdas to the internet.</p> <p><strong>AWS Lambda</strong> runs a minimal, stateless function. Its single responsibility is to validate the incoming email and password and if the user is registered, it provides the signed cookies which enable the user to access private data. This keeps the system simple, auditable, and secure.</p> <h3> <strong>AWS Secrets Manager</strong> </h3> <p><strong>AWS Secrets Manager</strong> securely stores the RSA private key used to sign CloudFront cookies. The key never leaves AWS-managed infrastructure.</p> <h2> <strong>End-to-End Request Flow and Architecture Diagram</strong> </h2> <p>The flow for the client of your application is the following:</p> <ol> <li>User registers to the platform via Cognito and Register Lambda</li> <li>User logs in and Login Lambda mints <strong>AWS CloudFront signed cookies</strong> </li> <li>Browser stores cookies securely</li> <li>When needed, browser requests private content from CloudFront</li> <li>CloudFront validates the provided cookies</li> <li>Authorized requests reach the private S3 bucket</li> <li>Load the assets at lightning-fast speed!</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja7wm7hhno2vd0xecum8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja7wm7hhno2vd0xecum8.png" alt="Simple Architecture Diagram of the Pattern" width="686" height="371"></a></p> <h2> <strong>Authentication Stack</strong> </h2> <p>First, we need to initialize our Cognito resources, like user pool, to be able to register and login users via our Lambdas, which we are going to define later. The following AWS CDK code creates the necessary resources in Cognito:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Cognito User Pool </span><span class="n">user_pool</span> <span class="o">=</span> <span class="n">cognito</span><span class="p">.</span><span class="nc">UserPool</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">UserPool</span><span class="sh">"</span><span class="p">,</span> <span class="n">user_pool_name</span><span class="o">=</span><span class="sh">"</span><span class="s">UserPool</span><span class="sh">"</span><span class="p">,</span> <span class="n">auto_verify</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">AutoVerifiedAttrs</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="n">sign_in_aliases</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">SignInAliases</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="n">self_sign_up_enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">password_policy</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">PasswordPolicy</span><span class="p">(</span> <span class="n">min_length</span><span class="o">=</span><span class="mi">8</span><span class="p">,</span> <span class="n">require_lowercase</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">require_uppercase</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">require_digits</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">require_symbols</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">),</span> <span class="n">standard_attributes</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">StandardAttributes</span><span class="p">(</span> <span class="n">email</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">StandardAttribute</span><span class="p">(</span><span class="n">required</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">mutable</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="p">),</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> <span class="n">user_pool_client</span> <span class="o">=</span> <span class="n">cognito</span><span class="p">.</span><span class="nc">UserPoolClient</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">UserPoolClient</span><span class="sh">"</span><span class="p">,</span> <span class="n">user_pool</span><span class="o">=</span><span class="n">user_pool</span><span class="p">,</span> <span class="n">user_pool_client_name</span><span class="o">=</span><span class="sh">"</span><span class="s">WebApp</span><span class="sh">"</span><span class="p">,</span> <span class="n">generate_secret</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">auth_flows</span><span class="o">=</span><span class="n">cognito</span><span class="p">.</span><span class="nc">AuthFlow</span><span class="p">(</span> <span class="n">user_srp</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">user_password</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">custom</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">admin_user_password</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">),</span> <span class="n">prevent_user_existence_errors</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> Generating and Saving the RSA Key-pair </h2> <p>To enable the signing process of the cookies, we need to generate the RSA key-pair, create a variable that will hold the public key and make it eligible for usage with CloudFront and save the private key in the AWS Secrets Manager.</p> <p>Important note — this pattern creates the RSA key-pair every time you try to deploy or update the stack. This is made on purpose, as the pattern itself is made to get you quickly off the ground. The best way is to generate the keys in a separate Python script or via your terminal, load them in the CDK code and deploy to AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Generate private key </span><span class="n">private_key</span> <span class="o">=</span> <span class="n">rsa</span><span class="p">.</span><span class="nf">generate_private_key</span><span class="p">(</span> <span class="n">public_exponent</span><span class="o">=</span><span class="mi">65537</span><span class="p">,</span> <span class="n">key_size</span><span class="o">=</span><span class="mi">2048</span><span class="p">,</span> <span class="n">backend</span><span class="o">=</span><span class="nf">default_backend</span><span class="p">()</span> <span class="p">)</span> <span class="c1"># Serialize private key to PEM format </span><span class="n">private_key_pem</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">private_bytes</span><span class="p">(</span> <span class="n">encoding</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">Encoding</span><span class="p">.</span><span class="n">PEM</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">PrivateFormat</span><span class="p">.</span><span class="n">TraditionalOpenSSL</span><span class="p">,</span> <span class="n">encryption_algorithm</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="nc">NoEncryption</span><span class="p">()</span> <span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Extract public key and serialize to PEM format </span><span class="n">public_key</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">public_key</span><span class="p">()</span> <span class="n">public_key_pem</span> <span class="o">=</span> <span class="n">public_key</span><span class="p">.</span><span class="nf">public_bytes</span><span class="p">(</span> <span class="n">encoding</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">Encoding</span><span class="p">.</span><span class="n">PEM</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">PublicFormat</span><span class="p">.</span><span class="n">SubjectPublicKeyInfo</span> <span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="n">cf_public_key</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">PublicKey</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">CloudFrontPublicKey</span><span class="sh">"</span><span class="p">,</span> <span class="n">encoded_key</span><span class="o">=</span><span class="n">public_key_pem</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Public key for CloudFront signed cookies</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">cf_key_group</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">KeyGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">CloudFrontKeyGroup</span><span class="sh">"</span><span class="p">,</span> <span class="n">items</span><span class="o">=</span><span class="p">[</span><span class="n">cf_public_key</span><span class="p">],</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Key group for signed cookie validation</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Secrets Manager - Private Key Storage </span><span class="n">private_key_secret</span> <span class="o">=</span> <span class="n">secretsmanager</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">CloudFrontPrivateKeySecret</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">CloudFront private key for signing cookies (PEM format)</span><span class="sh">"</span><span class="p">,</span> <span class="n">secret_string_value</span><span class="o">=</span><span class="n">SecretValue</span><span class="p">.</span><span class="nf">unsafe_plain_text</span><span class="p">(</span><span class="n">private_key_pem</span><span class="p">),</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Now, that we have our encryption keys and all variables initialized, now it’s time to create the CloudFront distribution itself.</p> <h2> <strong>Creating S3 bucket, CloudFront Distribution and Securing the S3 Bucket</strong> </h2> <p>The S3 bucket is fully locked down:</p> <ul> <li>All public access is blocked</li> <li>No direct access from the internet is allowed</li> <li>Requests are accepted only from CloudFront</li> </ul> <p>This is achieved using <strong>Origin Access Control</strong>, enabling <strong>AWS private S3 bucket CloudFront OAC</strong> patterns. Even if someone discovers the S3 bucket name, they cannot retrieve objects directly.</p> <p>The CloudFront key group created in the previous step is referenced here to associate the public key from our key pair with the newly created distribution, allowing CloudFront to recognize and use it correctly.</p> <p>In addition, it’s worth mentioning that assets and object that have the prefix <code>private/</code> in their key are protected via the signed cookie mechanism, while all other assets in the bucket are publicly available via the CloudFront distribution.</p> <p>This design ensures your <strong>private content delivery AWS</strong> strategy has no weak points.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># S3 Bucket for Private Assets </span><span class="n">private_assets_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PrivateAssetsBucket</span><span class="sh">"</span><span class="p">,</span> <span class="n">block_public_access</span><span class="o">=</span><span class="n">s3</span><span class="p">.</span><span class="n">BlockPublicAccess</span><span class="p">.</span><span class="n">BLOCK_ALL</span><span class="p">,</span> <span class="n">encryption</span><span class="o">=</span><span class="n">s3</span><span class="p">.</span><span class="n">BucketEncryption</span><span class="p">.</span><span class="n">S3_MANAGED</span><span class="p">,</span> <span class="n">enforce_ssl</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="n">auto_delete_objects</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">versioned</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># CloudFront Origin Access Control (OAC) </span><span class="n">oac</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">CfnOriginAccessControl</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">S3OriginAccessControl</span><span class="sh">"</span><span class="p">,</span> <span class="n">origin_access_control_config</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">CfnOriginAccessControl</span><span class="p">.</span><span class="nc">OriginAccessControlConfigProperty</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">construct_id</span><span class="si">}</span><span class="s">-S3-OAC</span><span class="sh">"</span><span class="p">,</span> <span class="n">origin_access_control_origin_type</span><span class="o">=</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">,</span> <span class="n">signing_behavior</span><span class="o">=</span><span class="sh">"</span><span class="s">always</span><span class="sh">"</span><span class="p">,</span> <span class="n">signing_protocol</span><span class="o">=</span><span class="sh">"</span><span class="s">sigv4</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">OAC for private S3 bucket access via CloudFront</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="c1"># CloudFront Distribution # Create the S3 origin without OAC first </span><span class="n">s3_origin</span> <span class="o">=</span> <span class="n">origins</span><span class="p">.</span><span class="n">S3BucketOrigin</span><span class="p">.</span><span class="nf">with_origin_access_control</span><span class="p">(</span> <span class="n">private_assets_bucket</span> <span class="p">)</span> <span class="c1"># Default behavior - public content (no signed cookies required) </span><span class="n">default_behavior</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">BehaviorOptions</span><span class="p">(</span> <span class="n">origin</span><span class="o">=</span><span class="n">s3_origin</span><span class="p">,</span> <span class="n">viewer_protocol_policy</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">ViewerProtocolPolicy</span><span class="p">.</span><span class="n">REDIRECT_TO_HTTPS</span><span class="p">,</span> <span class="n">allowed_methods</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">AllowedMethods</span><span class="p">.</span><span class="n">ALLOW_GET_HEAD</span><span class="p">,</span> <span class="n">cached_methods</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">CachedMethods</span><span class="p">.</span><span class="n">CACHE_GET_HEAD</span><span class="p">,</span> <span class="n">cache_policy</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">CachePolicy</span><span class="p">.</span><span class="n">CACHING_OPTIMIZED</span><span class="p">,</span> <span class="n">compress</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Private behavior - requires signed cookies </span><span class="n">private_behavior</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">BehaviorOptions</span><span class="p">(</span> <span class="n">origin</span><span class="o">=</span><span class="n">s3_origin</span><span class="p">,</span> <span class="n">viewer_protocol_policy</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">ViewerProtocolPolicy</span><span class="p">.</span><span class="n">REDIRECT_TO_HTTPS</span><span class="p">,</span> <span class="n">allowed_methods</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">AllowedMethods</span><span class="p">.</span><span class="n">ALLOW_GET_HEAD</span><span class="p">,</span> <span class="n">cached_methods</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">CachedMethods</span><span class="p">.</span><span class="n">CACHE_GET_HEAD</span><span class="p">,</span> <span class="n">cache_policy</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">CachePolicy</span><span class="p">.</span><span class="n">CACHING_OPTIMIZED</span><span class="p">,</span> <span class="n">compress</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">trusted_key_groups</span><span class="o">=</span><span class="p">[</span><span class="n">cf_key_group</span><span class="p">],</span> <span class="p">)</span> <span class="n">distribution</span> <span class="o">=</span> <span class="n">cloudfront</span><span class="p">.</span><span class="nc">Distribution</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PrivateContentDistribution</span><span class="sh">"</span><span class="p">,</span> <span class="n">default_behavior</span><span class="o">=</span><span class="n">default_behavior</span><span class="p">,</span> <span class="n">additional_behaviors</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">private/*</span><span class="sh">"</span><span class="p">:</span> <span class="n">private_behavior</span><span class="p">,</span> <span class="p">},</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Distribution for private S3 content with signed cookies</span><span class="sh">"</span><span class="p">,</span> <span class="n">price_class</span><span class="o">=</span><span class="n">cloudfront</span><span class="p">.</span><span class="n">PriceClass</span><span class="p">.</span><span class="n">PRICE_CLASS_100</span><span class="p">,</span> <span class="n">enabled</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># S3 Bucket Policy for CloudFront OAC </span><span class="n">private_assets_bucket</span><span class="p">.</span><span class="nf">add_to_resource_policy</span><span class="p">(</span> <span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">sid</span><span class="o">=</span><span class="sh">"</span><span class="s">AllowCloudFrontServicePrincipalReadOnly</span><span class="sh">"</span><span class="p">,</span> <span class="n">effect</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="n">Effect</span><span class="p">.</span><span class="n">ALLOW</span><span class="p">,</span> <span class="n">principals</span><span class="o">=</span><span class="p">[</span><span class="n">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="sh">"</span><span class="s">cloudfront.amazonaws.com</span><span class="sh">"</span><span class="p">)],</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">s3:GetObject</span><span class="sh">"</span><span class="p">],</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="n">private_assets_bucket</span><span class="p">.</span><span class="nf">arn_for_objects</span><span class="p">(</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">)],</span> <span class="n">conditions</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">StringEquals</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">AWS:SourceArn</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:cloudfront::</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">account</span><span class="si">}</span><span class="s">:distribution/</span><span class="si">{</span><span class="n">distribution</span><span class="p">.</span><span class="n">distribution_id</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">)</span> <span class="p">)</span> </code></pre> </div> <h3> AWS Lambdas + API Gateway </h3> <p>Finally, we have our 2 Lambdas and API Gateway which enables the user to register and login into our platform to receive the necessary credentials, like the signed cookie and <code>idToken</code> in case you are going to use Cognito Authorizer on your other stacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Lambdas # IAM Policy for Lambda functions to access Cognito </span><span class="n">cognito_policy</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">effect</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="n">Effect</span><span class="p">.</span><span class="n">ALLOW</span><span class="p">,</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">cognito-idp:SignUp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cognito-idp:AdminConfirmSignUp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cognito-idp:InitiateAuth</span><span class="sh">"</span><span class="p">,</span> <span class="p">],</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="n">user_pool</span><span class="p">.</span><span class="n">user_pool_arn</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># Register User Lambda Function </span><span class="n">register_lambda</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">RegisterUserLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span> <span class="sh">"</span><span class="s">./lambda/Register</span><span class="sh">"</span><span class="p">,</span> <span class="n">bundling</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">:</span> <span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">.</span><span class="n">bundling_image</span><span class="p">,</span> <span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-c</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pip install aws-lambda-powertools -t /asset-output &amp;&amp; cp -r . /asset-output</span><span class="sh">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">),</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">POWERTOOLS_SERVICE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">authentication</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_POOL_ID</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_pool</span><span class="p">.</span><span class="n">user_pool_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_POOL_CLIENT_ID</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_pool_client</span><span class="p">.</span><span class="n">user_pool_client_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="n">allowed_cors_origin</span><span class="p">,</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="p">)</span> <span class="n">register_lambda</span><span class="p">.</span><span class="nf">add_to_role_policy</span><span class="p">(</span><span class="n">cognito_policy</span><span class="p">)</span> <span class="c1"># Login User Lambda Function </span><span class="n">login_lambda</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LoginUserLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">lambda_handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span> <span class="sh">"</span><span class="s">./lambda/Login</span><span class="sh">"</span><span class="p">,</span> <span class="n">bundling</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">:</span> <span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">.</span><span class="n">bundling_image</span><span class="p">,</span> <span class="sh">"</span><span class="s">command</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-lc</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pip install --platform manylinux2014_x86_64 --only-binary=:all: --no-cache-dir --upgrade </span><span class="sh">"</span> <span class="sh">"</span><span class="s">-t /asset-output aws-lambda-powertools </span><span class="sh">'</span><span class="s">cryptography&gt;=41</span><span class="sh">'</span><span class="s"> </span><span class="sh">"</span> <span class="sh">"</span><span class="s">&amp;&amp; cp -au . /asset-output</span><span class="sh">"</span> <span class="p">],</span> <span class="p">},</span> <span class="p">),</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">POWERTOOLS_SERVICE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">authentication</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_POOL_ID</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_pool</span><span class="p">.</span><span class="n">user_pool_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">USER_POOL_CLIENT_ID</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_pool_client</span><span class="p">.</span><span class="n">user_pool_client_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="n">allowed_cors_origin</span><span class="p">,</span> <span class="sh">"</span><span class="s">PRIVATE_KEY_SECRET_ARN</span><span class="sh">"</span><span class="p">:</span> <span class="n">private_key_secret</span><span class="p">.</span><span class="n">secret_arn</span><span class="p">,</span> <span class="sh">"</span><span class="s">CLOUDFRONT_DOMAIN</span><span class="sh">"</span><span class="p">:</span> <span class="n">distribution</span><span class="p">.</span><span class="n">distribution_domain_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">KEY_PAIR_ID</span><span class="sh">"</span><span class="p">:</span> <span class="n">cf_public_key</span><span class="p">.</span><span class="n">public_key_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">COOKIE_TTL_SECONDS</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">cookie_ttl_seconds</span><span class="p">),</span> <span class="sh">"</span><span class="s">COOKIE_DOMAIN</span><span class="sh">"</span><span class="p">:</span> <span class="n">cookie_domain</span><span class="p">,</span> <span class="sh">"</span><span class="s">COOKIE_SAME_SITE</span><span class="sh">"</span><span class="p">:</span> <span class="n">same_site</span><span class="p">,</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">memory_size</span><span class="o">=</span><span class="mi">256</span><span class="p">,</span> <span class="p">)</span> <span class="n">login_lambda</span><span class="p">.</span><span class="nf">add_to_role_policy</span><span class="p">(</span><span class="n">cognito_policy</span><span class="p">)</span> <span class="n">private_key_secret</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">login_lambda</span><span class="p">)</span> <span class="c1"># API Gateway REST API </span><span class="n">api</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">RestApi</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">AuthApi</span><span class="sh">"</span><span class="p">,</span> <span class="n">rest_api_name</span><span class="o">=</span><span class="sh">"</span><span class="s">Auth and Cookie API</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">API for authentication and CloudFront signed cookies</span><span class="sh">"</span><span class="p">,</span> <span class="n">deploy</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">deploy_options</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">StageOptions</span><span class="p">(</span><span class="n">stage_name</span><span class="o">=</span><span class="sh">"</span><span class="s">v1</span><span class="sh">"</span><span class="p">),</span> <span class="n">default_cors_preflight_options</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">CorsOptions</span><span class="p">(</span> <span class="n">allow_origins</span><span class="o">=</span><span class="p">[</span><span class="n">allowed_cors_origin</span><span class="p">]</span> <span class="k">if</span> <span class="n">allowed_cors_origin</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span> <span class="k">else</span> <span class="n">apigw</span><span class="p">.</span><span class="n">Cors</span><span class="p">.</span><span class="n">ALL_ORIGINS</span><span class="p">,</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">OPTIONS</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Authorization</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Amz-Date</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-Api-Key</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_credentials</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="c1"># API Gateway Lambda Integration </span><span class="n">register_integration</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="n">register_lambda</span><span class="p">)</span> <span class="n">login_integration</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="n">login_lambda</span><span class="p">)</span> <span class="c1"># API Gateway Resources and Methods </span><span class="n">api</span><span class="p">.</span><span class="n">root</span><span class="p">.</span><span class="nf">add_resource</span><span class="p">(</span><span class="sh">"</span><span class="s">register</span><span class="sh">"</span><span class="p">).</span><span class="nf">add_method</span><span class="p">(</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="n">register_integration</span><span class="p">)</span> <span class="n">api</span><span class="p">.</span><span class="n">root</span><span class="p">.</span><span class="nf">add_resource</span><span class="p">(</span><span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">).</span><span class="nf">add_method</span><span class="p">(</span><span class="sh">"</span><span class="s">POST</span><span class="sh">"</span><span class="p">,</span> <span class="n">login_integration</span><span class="p">)</span> </code></pre> </div> <p>After successful registration via the Register Lambda, when the user tries to login, they invoke the Login Lambda. This function is intentionally minimal:</p> <ol> <li>Validate the authenticated request context</li> <li>Retrieve the RSA private key from Secrets Manager</li> <li>Generate <strong>CloudFront signed cookies architecture</strong> values</li> <li>Return the cookies to the browser as <strong>HTTP-only cookies</strong> </li> </ol> <p>Because the cookies are HTTP-only, they cannot be accessed by JavaScript, reducing the risk of XSS attacks. This is a critical best practice when implementing <strong>secure content delivery using CloudFront</strong>.</p> <h2> <strong>Security Best Practices</strong> </h2> <p>To harden your <strong>CloudFront signed cookies authorization</strong> setup:</p> <ul> <li>Use short-lived cookies</li> <li>Rotate RSA keys regularly</li> <li>Grant least-privilege IAM permissions</li> <li>Enable logging and monitoring at CloudFront and S3</li> </ul> <p>These practices strengthen trust and align with AWS security recommendations.</p> <p>By default, the cookie will expire in 600 seconds or 10 minutes after it’s created. That’s something you can modify inside the CDK code on your own, and also you can configure CORS settings as well.</p> <h2> Testing the pattern </h2> <p>I’ve uploaded 2 images from the AWS console into the S3 bucket - one is a picture of a car and it’s S3 key is <code>private/gt3.jpg</code> , while the other image is of Manhattan in New York City and it’s key is <code>public/Above_gotham.jpg</code> .</p> <p>We are going to do 3 tests:</p> <ol> <li>try and fetch the <code>private/gt3.jpg</code> image without the signed cookie - we expect this request to be blocked</li> <li>try and fetch the same image but with the signed cookie - we expect this to pass</li> <li>try and fetch the image of Manhattan, which we expect to pass since it’s a publicly available asset via the CloudFront distribution URL</li> </ol> <p>I’ve used Postman to test this out and here is the example of the failed request, where the signed cookie is required:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk2tlop3oplast35valye.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk2tlop3oplast35valye.png" alt="Fetching the Protected Asset Without a Signed Cookie" width="800" height="435"></a></p> <p>Now, we are going to sign in, get the cookie, put it in the <code>Cookie</code> header and send the request again:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F50gbusn02xhhydlwjw56.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F50gbusn02xhhydlwjw56.png" alt="Fetching the Protected Asset With a Signed Cookie" width="800" height="611"></a></p> <p>Finally, let’s try and fetch the publicly available image:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72u5x7umexcykwr2ob0p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72u5x7umexcykwr2ob0p.png" alt="Fetching a Publicly Available Asset" width="800" height="526"></a></p> <p>This is proof that our pattern works as expected — all assets and objects which are inside the <code>private/</code> folder in S3 are protected and users need to be signed in to access them, while some objects can still be accessed publicly if needed.</p> <h2> When This Pattern May Not Be the Right Fit </h2> <p>While CloudFront signed cookies offer very powerful benefits, they also introduce tradeoffs which are worth considering.</p> <p>This approach works best for content which doesn’t change often and has predictable access patterns, like videos, images and documents. For highly dynamic content, that changes per-request and/or requires real-time authorization, the edge-based model becomes limiting since you cannot revoke the cookie session in progress without cookie expiration, as it’s valid until it expires.</p> <p>Additionally, this pattern adds architectural complexity — you need to manage RSA key pairs, coordinate cookie domains and if there’s a bug, you have multiple AWS services to look into.</p> <p>If you have a smaller application and don’t really mind the longer download times and want less complex architecture for your application, a simpler approach would be to have a Lambda which handles pre-signing process of the S3 objects, as that is simpler and easier to maintain.</p> <h2> <strong>Conclusion</strong> </h2> <p>This architecture demonstrates how authentication happens by using just a few AWS services, while <strong>authorization is enforced at the edge by CloudFront</strong>. By combining Cognito, API Gateway, Lambda, and CloudFront signed cookies, you create a robust, scalable, and secure system for <strong>private content delivery AWS</strong>.</p> <p>If you’re designing modern cloud systems, adopting <strong>CloudFront signed cookies authorization</strong> is a practical step toward better performance and stronger security.</p> webdev aws softwaredevelopment programming Matia Rašetina Mon, 02 Feb 2026 08:00:00 +0000 https://forem.com/mate32/redis-vs-dynamodb-vs-dax-i-benchmarked-aws-caching-performance-the-results-were-unexpected-cb3 https://forem.com/mate32/redis-vs-dynamodb-vs-dax-i-benchmarked-aws-caching-performance-the-results-were-unexpected-cb3 <p>In many backend systems, user data is fetched on almost every request. A common assumption is that adding an in-memory cache will improve read performance by any system.</p> <p>To validate this assumption, I’ve benchmarked 3 approaches of accessing user data from DynamoDB inside the Serverless infrastructure:</p> <ul> <li>A baseline using AWS Lambda and DynamoDB</li> <li>A cache-aside approach using Redis</li> <li>AWS Lambda backed by DynamoDB Accelerator (DAX)</li> </ul> <p>I wanted to find out, if you are a CTO of a startup and you are thinking of implementing caching services into your architecture, to see if it’s worth. I expected that the cached approaches will outperform the baseline easily.</p> <p>Even at 200 requests per second (that’s 12 000 requests per minute!), that assumption didn’t hold.</p> <h2> Experimental Setup </h2> <p>The architecture across the benchmark is as identical as possible — the cheapest available option on AWS region eu-central-1.</p> <p>Here are the 3 approaches</p> <h2> <strong>Baseline (DDB + Lambda)</strong> </h2> <ul> <li> <strong>Lambda</strong>: Python 3.12, 256 MB memory, 10s timeout</li> <li> <strong>DynamoDB</strong>: Pay-per-request billing mode</li> <li> <strong>Access Pattern</strong>: Direct reads from DynamoDB without any caching layer</li> <li> <strong>Latency</strong>: Highest (no cache)</li> </ul> <h2> <strong>DAX (DynamoDB Accelerator)</strong> </h2> <ul> <li> <strong>Lambda</strong>: Python 3.12, 256 MB memory, 10s timeout</li> <li> <strong>DAX Cluster</strong>: <ul> <li>Node type: <code>dax.t3.small</code> </li> <li>Replication factor: 1 (single node)</li> <li>Deployed in VPC isolated subnets</li> </ul> </li> <li> <strong>Cache</strong>: Managed by DAX automatically (default item TTL ~5 minutes, query cache TTL ~5 minutes)</li> <li> <strong>Access Pattern</strong>: Lambda → DAX → DynamoDB</li> <li> <strong>Client</strong>: Uses <code>amazondax</code> Python client available on PIP</li> </ul> <h2> <strong>Redis (AWS ElastiCache)</strong> </h2> <ul> <li> <strong>Lambda</strong>: Python 3.12, 256 MB memory, 10s timeout</li> <li> <strong>Redis Cluster</strong>: <ul> <li>Node type: <code>cache.t4g.micro</code> </li> <li>Single node (no automatic failover)</li> <li>Deployed in VPC isolated subnets</li> </ul> </li> <li> <strong>Cache TTL</strong>: 30 seconds (configurable via <code>REDIS_TTL_SECONDS</code>)</li> <li> <strong>Access Pattern</strong>: <ul> <li>Lambda checks Redis first</li> <li>On miss: reads from DynamoDB, stores in Redis with 30s TTL</li> <li>On hit: returns cached data directly</li> </ul> </li> <li> <strong>Client</strong>: Standard <code>redis-py</code> client with 1s connection timeout</li> </ul> <p>I’ve tested 2 load levels — one with 50 reads per second (3000 reads per minute), the other 200 reads per second (12000 reads per minute), by using the same payload size, hot/mixed key distribution, and p95 latency as the primary metric. Testing was done with an open-source library <code>k6</code> with Javascript.</p> <p>In all 3 approaches, the same data was fetched from the database. Here is an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"pk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ITEM#123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sk"</span><span class="p">:</span><span class="w"> </span><span class="s2">"META"</span><span class="p">,</span><span class="w"> </span><span class="nl">"itemId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Example Item Title"</span><span class="p">,</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"This is the body content of the item"</span><span class="p">,</span><span class="w"> </span><span class="nl">"updatedAt"</span><span class="p">:</span><span class="w"> </span><span class="mi">1736467200</span><span class="p">,</span><span class="w"> </span><span class="nl">"etag"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a7f8d9e1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Results at 50 RPS — Establish the baseline truth </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Access Pattern</th> <th>p95 Latency (ms)</th> <th>Avg Latency (ms)</th> <th>Dropped Iterations</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>Lambda + DynamoDB (Baseline)</strong></td> <td><strong>~63 ms</strong></td> <td>~48 ms</td> <td>0</td> <td>Fast, stable, no bottlenecks</td> </tr> <tr> <td><strong>Redis (warmup run)</strong></td> <td>~68 ms</td> <td>~66 ms</td> <td>22</td> <td>Cache misses + write-back cost</td> </tr> <tr> <td><strong>Redis (steady state)</strong></td> <td>~63 ms</td> <td>~48 ms</td> <td>0</td> <td>Matches baseline, no latency win</td> </tr> <tr> <td><strong>DAX (single small node)</strong></td> <td><strong>~1040 ms</strong></td> <td>~957 ms</td> <td>19</td> <td>Cache saturation, unusable</td> </tr> </tbody> </table></div> <h3> Baseline: Lambda + DynamoDB @ 50 RPS </h3> <p>At 50 RPS, the most common and baseline setup by using Lambda + DynamoDB achieved a p95 latency of ~63ms, with no dropped requests. Hot and mixed key access patterns had very similar latency, which indicates that DynamoDB on-demand wasn’t under pressure at all.</p> <h3> Redis: Warmup vs Steady State @ 50 RPS </h3> <p>The Redis results clearly show two very different phases — during the first run, the p95 latency was, on average 66ms. This is expected behavior, as the system asks the Redis cluster if the requested data is already inside it. If it’s not, the Lambda proceeds to query the data inside the DynamoDB. Since the cluster doesn’t have any data cached, this latency is expected.</p> <p>Once the cache was warm, Redis did it’s job and achieved nearly identical latency to the baseline. However, it did not outperform it.</p> <h3> DAX: Undersized Cache Failure @ 50 RPS </h3> <p>The DAX configuration performed significantly worse than both the baseline and Redis. With a single small node, the DAX cluster became CPU-bound, leading to request queueing and p95 latencies exceeding one second.</p> <p>This result highlights an often-overlooked risk: a misconfigured or undersized cache can actively degrade performance. DAX is not a drop-in optimization — it requires careful capacity planning. Keep in mind, we are running the benchmark with the weakest instance of DAX available.</p> <h3> Conclusion: 50 RPS </h3> <p>At 50 RPS, the baseline configuration performed great and doesn’t require any additional caching, as it only introduces additional network and service hops, while getting not much in return. Yes, by using Redis, DynamoDB pressure went down, but still wasn’t even near it’s limit.</p> <h2> Results at 200 RPS — The expected crossover that didn’t happen </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Access Pattern</th> <th>p95 Latency (ms)</th> <th>Avg Latency (ms)</th> <th>Dropped Iterations</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>Lambda + DynamoDB (Baseline)</strong></td> <td><strong>~63 ms</strong></td> <td>~48 ms</td> <td>13</td> <td>Stable, scales linearly</td> </tr> <tr> <td><strong>Redis (warm run)</strong></td> <td>~64 ms</td> <td>~52 ms</td> <td>40</td> <td>Cache population under load</td> </tr> <tr> <td><strong>Redis (steady state)</strong></td> <td><strong>~70 ms</strong></td> <td>~58 ms</td> <td>79</td> <td>Slightly worse than baseline</td> </tr> <tr> <td><strong>DAX (single small node)</strong></td> <td><strong>~1050 ms</strong></td> <td>~968 ms</td> <td><strong>5,399</strong></td> <td>Cluster saturation</td> </tr> </tbody> </table></div> <h3> Baseline: Lambda + DynamoDB @ 200 RPS </h3> <p>At 200 requests per second, the baseline Lambda + DynamoDB configuration had a nearly identical performance to the 50 RPS run. p95 latency remained around 63 ms, with only a small number of dropped iterations.</p> <p>This makes a very strong case that the baseline is a very optimized choice by default.</p> <h3> Redis @ 200 RPS: Warm vs Steady State </h3> <p>As with the 50 RPS test, Redis exhibited two distinct phases. During the initial run, cache misses caused additional latency and tail spikes as items were fetched from DynamoDB and written back to Redis.</p> <p>Once the cache was warm, Redis stabilized but did not outperform the baseline. In steady state, p95 latency increased slightly to ~70 ms, and the number of dropped iterations was higher than with DynamoDB alone.</p> <h3> DAX @ 200 RPS: Saturation Under Load </h3> <p>At 200 RPS, the DAX configuration began to collapse. Effective throughput dropped well below the target rate, p95 latency exceeded one second, and thousands of iterations were dropped.</p> <p>This behavior confirms that DAX is highly sensitive to sizing — smaller instances simply do not provide any benefit.</p> <h3> Conclusion: 200RPS </h3> <p>Even at 200 RPS, the dominant cost in this system was not database access but network and managed service overhead. Adding a cache did not remove that cost — it added to it, as you still need to pay for the on-demand or serverless Redis instance, depending on your choice.</p> <h2> What These Results Actually Prove </h2> <p>With these benchmarks, we’ve proven:</p> <ul> <li>DynamoDB on-demand scales extremely well for simple reads</li> <li>Redis reduces pressure, not latency</li> <li>Cache warmup matters</li> <li>Misconfigured DAX is worse than no cache</li> <li>Latency optimization and scaling optimization are different problems</li> </ul> <h2> Conclusion &amp; Lessons Learned </h2> <p>The results from both the 50 RPS and 200 RPS benchmarks lead to a clear and somewhat counterintuitive conclusion: for this workload, Lambda backed by DynamoDB on-demand was already fast enough that adding a cache did not improve user-visible latency.</p> <p>At both load levels, DynamoDB was not the bottleneck. End-to-end latency was dominated by network distance and managed service overhead rather than database access time. As a result, introducing Redis added an extra network hop and client-side overhead without removing the dominant cost in the request path.</p> <p>Redis still served a purpose, but not the one I initially expected. It reduced pressure on DynamoDB and flattened backend load, which can be valuable for cost control and future scaling. What it did not do — at least at these traffic levels — was make requests faster.</p> <p>DynamoDB Accelerator, based on these results, taught us a totally different lesson. When undersized, it simply doesn’t help in anyway, as it got saturated very quickly which caused increased latency and dropped requests. It requires careful capacity planning and workflow understanding.</p> <p>And maybe the biggest lesson while doing this experiment is the understanding that doing a measurement run before optimizing is incredibly important. Even though it makes sense to cache the data to save the resources and ease the load on the backend, it doesn’t cause the end-to-end latency to lower.</p> <p>It seems that this workflow is just too simple to see the caching benefits — if you have a time-costly method inside your code and the data can be cached, most probably caching would be worth testing.</p> <p>In short: don’t cache because it feels right—cache because the data proves you need it.</p> aws programming python webdev Matia Rašetina Mon, 19 Jan 2026 08:00:00 +0000 https://forem.com/mate32/running-a-rag-pipeline-in-a-production-full-stack-application-without-a-vector-database-42fj https://forem.com/mate32/running-a-rag-pipeline-in-a-production-full-stack-application-without-a-vector-database-42fj <p>In the previous post, I focused on how to build a Retrieval-Augmented Generation (RAG) pipeline on AWS using DynamoDB as a low-cost vector store. The goal there was simple: prove that you don’t need heavy infrastructure or a dedicated vector database to get something useful working.</p> <p>If you haven’t read it, you can check it out by clicking on the link <a href="https://dev.to/mate32/you-dont-need-a-vector-database-to-build-rag-yet-a-1month-dynamodb-pipeline-268">here</a>.</p> <p>This post picks up where that one stops. We will implement the RAG pipeline we’ve created into a frontend application, which uses our backend and creates a full-stack application, which you can use to upload documents and get easier access to information you need from your PDFs. We will see how the budget RAG pipeline behaves with real users and traffic.</p> <p>The link to the GitHub repository is the same as from the previous post, it’s just located on a branch called <code>full-stack-implementation</code> — access the repo by clicking <a href="https://github.com/mate329/budget-rag-system-with-dynamodb/tree/full-stack-implementation" rel="noopener noreferrer">here</a>.</p> <h1> What the Application Does </h1> <p>The frontend application is written with the following technologies:</p> <ul> <li> <strong>Next.js</strong> - React framework with App Router for server-side rendering and routing</li> <li> <strong>Tailwind CSS 4</strong> - Utility-first CSS framework for styling</li> <li> <strong>shadcn/ui</strong> - Component library built on Radix UI primitives (New York style)</li> <li> <strong>NextAuth.js</strong> - Authentication solution for Next.js</li> <li> <strong>Lucide React</strong> - Icon library</li> </ul> <p>When you load up the application, the user is prompted with a signup and a login form, which uses the Authentication stack on the backend.</p> <p>The Authentication stack uses AWS Cognito for easier user management.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw608ivbfj8o2epc4tl6z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw608ivbfj8o2epc4tl6z.png" alt="Login Form" width="800" height="458"></a></p> <p>After the user signs up and logs in, they can upload PDF documents to the platform, wait for them to be indexed, and then ask questions that are answered using only the content of those documents.</p> <p>There’s no attempt to hide latency, no background magic, and no assumption of massive scale. This is designed for early-stage usage: experimentation, internal tools, or MVPs where validating the feature matters more than optimizing for peak performance.</p> <p>I’m going to show you 2 happy paths, one for the document upload, and the other for asking questions.</p> <p>Here is a GIF which shows you how the user can upload the documents to the platform. I’ve exported my old blog posts as PDFs and uploaded them to the platform, just as an example.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgqpyyy8q32u4swyspp7b.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgqpyyy8q32u4swyspp7b.gif" alt="Uploading documents flow" width="800" height="459"></a></p> <p>After the documents got indexed by the backend and saved to the DynamoDB table, they will come up inside the Chat UI. You can choose which documents you want to ask questions about — the backend will take the ID of the uploaded document, get the information from the database and get the answer to your question with Bedrock LLM.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fktm1o8h0onez2aw15z2u.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fktm1o8h0onez2aw15z2u.gif" alt="Asking questions about our uploaded documents" width="800" height="459"></a></p> <h1> High-Level Architecture </h1> <p>The simple frontend talks to an API layer backed by AWS Lambda. </p> <p>There are 2 stacks, one for authentication and user management, the other is the stack for the documents. Separating Authentication and Document processing keeps the ingestion and query path independent. In addition, if you ever wanted to expand this application and the other stack needs to have it’s API Gateway protected, you can simply import the Authentication stack’s User Pool ID and easily protect your endpoints.</p> <p>As mentioned, authentication and user management is completely handled by AWS Cognito, together with a Login and Register Lambdas which handle and validate the incoming payloads.</p> <p>Regarding the Document stack, documents are stored in S3 via the presigned URLs, embeddings and metadata live in DynamoDB, and the LLM and embedding models are accessed via AWS Bedrock. There are no long-running services, ensuring that there are no fixed monthly costs.</p> <p>Every architectural choice here optimizes for one thing: minimizing cost and operational overhead, while still providing the RAG pipeline development experience and it’s features.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmelhrrioroih0crtwzt6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmelhrrioroih0crtwzt6.png" alt="Architecture Diagram" width="491" height="801"></a></p> <h1> API and Lambda Performance with Real Traffic </h1> <p>The following image shows you the execution duration of the Lambda which indexes the incoming documents and puts the information inside the DynamoDB table. Remember the architecture from the previous post, when the document is uploaded in S3, it triggers an EventBridge rule which puts the uploaded document information into SQS queue, which triggers the document indexing Lambda. This is done like this to reuse Lambda environments and to lower Lambda invocations, lowering cost.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqtyg7m2evrxyxaqbvgl7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqtyg7m2evrxyxaqbvgl7.png" alt="Document Indexing Lambda Execution Duration" width="800" height="347"></a></p> <p>The first points are Lambda invocations where 1 PDF of 400kb is uploaded, later points are Lambda invocations where 2 PDFs are uploaded, both have ~200kb.</p> <p>Indexing two small PDFs in just over 8 seconds means document indexing stays comfortably asynchronous. Users aren’t blocked, and indexing cost remains predictable.</p> <p>Next, you can list indexed documents, inspect their state, and see exactly when they become available for querying. In the meantime, I’ve uploaded the same documents and other blog PDFs with similar sizes and reached around 20+ documents in the database and got very similar results, around ~4 seconds per document to index it and put it inside the database.</p> <p>Now, we to fetch all available documents for the user, we need to call the <code>get-documents</code> API. The screenshots below show the <code>get-documents</code> endpoint in action, along with the execution duration of the document indexing Lambda. For testing, I’ve used Postman API testing and got the following results when querying all documents inside the database for my user. Notice that the first API call is slower than the rest? That’s because of the Lambda cold start. It’s important to note that an average user of the application won’t experience cold starts often, especially if there are other users on the platform.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft55eqjm2o0hvcsiatr2r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft55eqjm2o0hvcsiatr2r.png" alt="Postman Get Documents API performance" width="800" height="384"></a></p> <p>Finally, the Ask Questions Lambda which the user invokes when they choose the documents about which they want to send an inquiry about. It’s a simple payload to the Lambda, where the selected document IDs are sent, together with a question.</p> <p>The following graph is the duration of the execution of the said Lambda. The Lambda was tested first to see the cold start duration, then the warm start duration. First couple of executions questions regarding only one document — the question was:</p> <blockquote> <p>What is this document about?</p> </blockquote> <p>Whilst the latest execution in the graph had 4 documents chosen with the question:</p> <blockquote> <p>Give me a summary of these 4 documents.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2270oxnyvw5j0thc4l8d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2270oxnyvw5j0thc4l8d.png" alt="Ask Questions Lambda Executinon Duration" width="800" height="347"></a></p> <p>As you can see, when inquiring about one document, the cold start duration is around the 3 second mark, while when the Lambda is warm, the execution time is under 1.5 seconds.</p> <p>On the other hand, the cold start duration when the Lambda is asked about 4 documents is just above 4 seconds, while the warm start duration is just under 4 seconds.</p> <p>As mentioned before, an average user won’t experience many Lambda cold starts. For a budget RAG system, using very few AWS services for minimal complexity, these performances are acceptable.</p> <h1> Conclusion </h1> <p>This application confirms what the first blog post theorized — a DynamoDB-based RAG system is not just cheap, but usable and if you understand it’s limits, has acceptable performance.</p> <p>As we’ve discussed in the previous post, trade-offs made are obvious and expected — Lambda cold starts are real, document query latency behaves as expected and increases if the document count grows.</p> <p>For early-stage applications, internal tools, experiments or even a hackathon competition where you don’t want to break the bank, but still have a working RAG system, this setup does its job well. It lets you ship the product, let your users give you feedback on the application and delay expensive architectural decisions until data forces your hand.</p> aws rag programming python Matia Rašetina Mon, 12 Jan 2026 08:00:00 +0000 https://forem.com/mate32/you-dont-need-a-vector-database-to-build-rag-yet-a-1month-dynamodb-pipeline-268 https://forem.com/mate32/you-dont-need-a-vector-database-to-build-rag-yet-a-1month-dynamodb-pipeline-268 <p>You've just been tasked with building a document Q&amp;A system, where the users are able to upload PDF documents and then ask questions to get accurate answers based on the content in the uploaded documents. This request is the perfect opportunity to build a Retrieval Augmented Generation (RAG) pipeline. For starters, you’ve been asked to do a Proof-of-concept project therefore, you don’t have a budget to create this project with best tools available for this scenario.</p> <p>If you’ve never researched how a RAG system works, it works in the following way - it breaks down a document into multiple chunks, converts them into a vector embeddings (numerical representations of the incoming data), storing them in a database and then later, when the system is asked about the document, it finds the most relevant chunks inside the database. The results are then fed into a Large Language Model, which then provides an answer.</p> <p>I wanted to learn about RAG pipelines as cheap as possible, without using a vector database, even though I know that’s a better option performance-wise.</p> <p>That’s why I decided to use DynamoDB. This post will show you that it’s one of the cheapest implementation of a RAG pipeline available. Of course, there are drawbacks and trade-offs, but for a strict budget and POC pipeline, it’s a great choice.</p> <p>Technologies and services which we’ll be using are:</p> <ul> <li>Python and AWS CDK in Python</li> <li>AWS Bedrock</li> <li>AWS Lambda</li> <li>AWS DynamoDB</li> <li>AWS SQS</li> </ul> <p>Link to the GitHub repository is here - <a href="https://github.com/mate329/budget-rag-system-with-dynamodb" rel="noopener noreferrer">https://github.com/mate329/budget-rag-system-with-dynamodb</a>.</p> <p>Let's dive in.</p> <h2> Architecture Overview </h2> <p>Take a look into the architecture of the pipeline, together with explained steps:</p> <ol> <li>Document Upload: The user requests a pre-signed S3 URL from the Upload Handler Lambda to upload the document into the S3 bucket</li> <li>Event-Driven Ingestion: Upon document upload in S3, it triggers an EventBridge rule that sends the event to an SQS queue, where the messages are batched to reduce Lambda invocations and cuts costs significantly</li> <li>Document Processing: The Index Document Lamdba is triggered by SQS batches. For each document, it: <ul> <li>Downloads the file from S3 via the provided S3 key in the payload</li> <li>Splits the document into semantic chunks</li> <li>Generates vector embeddings using Bedrock (Titan Embeddings or similar)</li> <li>Stores chunks + embeddings + metadata in DynamoDB</li> </ul> </li> <li>Question Answering: When a user asks a question via the Ask Question Lambda: <ul> <li>The question is converted to a vector embedding (same model as step 3)</li> <li>The database is searched for the most similar chunks</li> <li>Top N relevant chunks are retrieved as context and provided to a Bedrock LLM (in this project, we use Amazon’s Titan model to keep the cost down) to generate an answer</li> <li>The answer is returned to the user</li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmh92am205ztspt87l8vb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmh92am205ztspt87l8vb.png" alt="Architecture Diagram" width="769" height="223"></a></p> <h1> DynamoDB as a Vector Store </h1> <p>When I started building this RAG system, I had two goals: ship fast and keep costs as low as possible.</p> <p>Here's the mental shift required: DynamoDB isn't a vector database, and that's fine. It doesn't have native k-NN search or approximate nearest neighbor algorithms. But it does have:</p> <ul> <li>Single-digit millisecond latency for queries</li> <li>Built-in user isolation through partition keys</li> <li>Zero operational overhead (no cluster management, no indexing jobs)</li> <li>Cost that scales to zero when not in use</li> </ul> <p>For an MVP with 10-100 documents and a handful of users? DynamoDB is perfect. You're trading query performance for operational simplicity and cost savings. That's a trade worth making early on.</p> <h1> Architecture &amp; Data Model </h1> <p>Defining the table inside the CDK is easy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 3. Create DynamoDB table with USER ISOLATION </span><span class="n">self</span><span class="p">.</span><span class="n">vectors_table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DocumentVectorsTable</span><span class="sh">"</span><span class="p">,</span> <span class="n">table_name</span><span class="o">=</span><span class="sh">"</span><span class="s">document-vectors</span><span class="sh">"</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span> <span class="p">),</span> <span class="n">sort_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">document_page</span><span class="sh">"</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span> <span class="p">),</span> <span class="n">billing_mode</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">BillingMode</span><span class="p">.</span><span class="n">PAY_PER_REQUEST</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span> <span class="p">)</span> <span class="c1"># GSI for listing user's documents </span><span class="n">self</span><span class="p">.</span><span class="n">vectors_table</span><span class="p">.</span><span class="nf">add_global_secondary_index</span><span class="p">(</span> <span class="n">index_name</span><span class="o">=</span><span class="sh">"</span><span class="s">user-document-index</span><span class="sh">"</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span> <span class="p">),</span> <span class="n">sort_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">document_id</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span> <span class="p">),</span> <span class="n">projection_type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">ProjectionType</span><span class="p">.</span><span class="n">KEYS_ONLY</span> <span class="p">)</span> </code></pre> </div> <p>The key to making DynamoDB work as a vector store is the table design:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Partition Key: user_id # Sort Key: document_page (format: "doc_id#page_num") </span><span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">user-123</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># user_id is derived from Cognito user ID </span> <span class="sh">'</span><span class="s">document_page</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">quarterly-report-2024#0</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># doc_id#page_num </span> <span class="sh">'</span><span class="s">document_id</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">quarterly-report-2024</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_number</span><span class="sh">'</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_text</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Executive Summary...</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_vector</span><span class="sh">'</span><span class="p">:</span> <span class="p">[</span><span class="mf">0.123</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.456</span><span class="p">,</span> <span class="mf">0.789</span><span class="p">,</span> <span class="p">...],</span> <span class="c1"># 1536 dimensions from Titan </span> <span class="sh">'</span><span class="s">s3_bucket</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">my-documents</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">s3_key</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">user-123/quarterly-report-2024.pdf</span><span class="sh">'</span> <span class="p">}</span> </code></pre> </div> <h2> Why this design? </h2> <ol> <li>User isolation is automatic – Querying with <code>user_id</code> as the partition key inside the Ask Questinon Lambda means User 1 can never see User 2's data. No filter logic, no mistakes.</li> <li>Composite sort key allows efficient queries like "get all pages of this document"</li> <li>Vectors as native lists – DynamoDB supports List types, no serialization needed</li> </ol> <p>The GSI on <code>user_id + document_id</code> lets users list their documents without scanning all pages.</p> <h2> PDF Document Indexing Flow </h2> <p>Before the Index Lambda processes the incoming documents, all S3 notifications about uploaded documents to the bucket get put into the SQS queue. All of the notifications are batched and this is where SQS batching is crucial. Without it, you'd pay for one Lambda invocation per document. With batching, 10 documents = 1 invocation = 90% cost savings on Lambda.</p> <p>Here's the document processing code for each of the incoming PDFs, where:</p> <ul> <li>we take each page of the incoming PDF document and check if it has text data on it</li> <li>communicate with the Bedrock model to embed the data</li> <li>save the embedded data into the DynamoDB table </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_embedding</span><span class="p">(</span><span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate embedding for text using Bedrock.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">bedrock_runtime</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="sh">'</span><span class="s">amazon.titan-embed-text-v1</span><span class="sh">'</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">inputText</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">})</span> <span class="p">)</span> <span class="n">response_body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">].</span><span class="nf">read</span><span class="p">())</span> <span class="k">return</span> <span class="n">response_body</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">embedding</span><span class="sh">'</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error generating embedding: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">process_pdf</span><span class="p">(</span><span class="n">bucket</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">document_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Process PDF and store page vectors in DynamoDB.</span><span class="sh">"""</span> <span class="n">table_name</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">'</span><span class="s">DYNAMODB_TABLE_NAME</span><span class="sh">'</span><span class="p">]</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">table_name</span><span class="p">)</span> <span class="c1"># Download PDF from S3 </span> <span class="n">pdf_obj</span> <span class="o">=</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">bucket</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">pdf_data</span> <span class="o">=</span> <span class="n">pdf_obj</span><span class="p">[</span><span class="sh">'</span><span class="s">Body</span><span class="sh">'</span><span class="p">].</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Extract text from each page </span> <span class="n">pdf_reader</span> <span class="o">=</span> <span class="n">PyPDF2</span><span class="p">.</span><span class="nc">PdfReader</span><span class="p">(</span><span class="nc">BytesIO</span><span class="p">(</span><span class="n">pdf_data</span><span class="p">))</span> <span class="n">items_to_write</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">page_num</span><span class="p">,</span> <span class="n">page</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">pdf_reader</span><span class="p">.</span><span class="n">pages</span><span class="p">):</span> <span class="n">page_text</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">extract_text</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">page_text</span><span class="p">.</span><span class="nf">strip</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Skipping empty page </span><span class="si">{</span><span class="n">page_num</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">continue</span> <span class="c1"># Generate embedding </span> <span class="n">embedding</span> <span class="o">=</span> <span class="nf">get_embedding</span><span class="p">(</span><span class="n">page_text</span><span class="p">)</span> <span class="c1"># Prepare item for DynamoDB with user_id partition key </span> <span class="n">item</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="c1"># Partition key for user isolation </span> <span class="sh">'</span><span class="s">document_page</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">document_id</span><span class="si">}</span><span class="s">#</span><span class="si">{</span><span class="n">page_num</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Sort key: doc_id#page_num </span> <span class="sh">'</span><span class="s">document_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">document_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_number</span><span class="sh">'</span><span class="p">:</span> <span class="n">page_num</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_text</span><span class="sh">'</span><span class="p">:</span> <span class="n">page_text</span><span class="p">,</span> <span class="sh">'</span><span class="s">page_vector</span><span class="sh">'</span><span class="p">:</span> <span class="nf">convert_float_to_decimal</span><span class="p">(</span><span class="n">embedding</span><span class="p">),</span> <span class="sh">'</span><span class="s">document_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">pdf</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">s3_bucket</span><span class="sh">'</span><span class="p">:</span> <span class="n">bucket</span><span class="p">,</span> <span class="sh">'</span><span class="s">s3_key</span><span class="sh">'</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="p">}</span> <span class="n">items_to_write</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">item</span><span class="p">)</span> <span class="c1"># Batch write to DynamoDB </span> <span class="k">with</span> <span class="n">table</span><span class="p">.</span><span class="nf">batch_writer</span><span class="p">()</span> <span class="k">as</span> <span class="n">batch</span><span class="p">:</span> <span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="n">items_to_write</span><span class="p">:</span> <span class="n">batch</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="n">item</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Indexed </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">items_to_write</span><span class="p">)</span><span class="si">}</span><span class="s"> pages for document </span><span class="si">{</span><span class="n">document_id</span><span class="si">}</span><span class="s"> (user: </span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">items_to_write</span><span class="p">)</span> </code></pre> </div> <p>Important: Convert floats to Decimals – DynamoDB doesn't support native floats. This conversion is annoying but necessary.</p> <p>Another very important detail — notice the <code>batch_writer</code> method? It’s another great feature of the <code>Table</code>object of the DynamoDB resource from <code>boto3</code> — if the document has 10 pages, and we write the data after each page has been processed, it would take 10 database transactions to process the document.</p> <p>By using <code>batch_writer</code> , we reduce it to ONE. 10x the improvement just by using one method.</p> <h2> Similarity Search: The Brute Force Approach </h2> <p>Here's where DynamoDB shows its limitations, where we're doing full linear scan with client-side similarity calculation to adjust to the DynamoDB table architecture and usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cosine_similarity</span><span class="p">(</span><span class="n">vec1</span><span class="p">,</span> <span class="n">vec2</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Calculate cosine similarity between two vectors using pure Python.</span><span class="sh">"""</span> <span class="c1"># Dot product </span> <span class="n">dot_product</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span> <span class="n">b</span> <span class="k">for</span> <span class="n">a</span><span class="p">,</span> <span class="n">b</span> <span class="ow">in</span> <span class="nf">zip</span><span class="p">(</span><span class="n">vec1</span><span class="p">,</span> <span class="n">vec2</span><span class="p">))</span> <span class="c1"># Magnitude of vec1 </span> <span class="n">magnitude1</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="nf">sum</span><span class="p">(</span><span class="n">a</span> <span class="o">*</span> <span class="n">a</span> <span class="k">for</span> <span class="n">a</span> <span class="ow">in</span> <span class="n">vec1</span><span class="p">))</span> <span class="c1"># Magnitude of vec2 </span> <span class="n">magnitude2</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="nf">sum</span><span class="p">(</span><span class="n">b</span> <span class="o">*</span> <span class="n">b</span> <span class="k">for</span> <span class="n">b</span> <span class="ow">in</span> <span class="n">vec2</span><span class="p">))</span> <span class="c1"># Cosine similarity </span> <span class="k">return</span> <span class="n">dot_product</span> <span class="o">/</span> <span class="p">(</span><span class="n">magnitude1</span> <span class="o">*</span> <span class="n">magnitude2</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_similar_pages</span><span class="p">(</span><span class="n">table_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">question_embedding</span><span class="p">:</span> <span class="nb">list</span><span class="p">,</span> <span class="n">k</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">5</span><span class="p">,</span> <span class="n">document_ids</span><span class="p">:</span> <span class="nb">list</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Search for similar document pages using cosine similarity. ONLY searches within the specified user</span><span class="sh">'</span><span class="s">s data - complete isolation! Args: table_name: DynamoDB table name user_id: User ID for data isolation (partition key) question_embedding: Query vector k: Number of results to return document_ids: Optional list - search within specific documents only </span><span class="sh">"""</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">table_name</span><span class="p">)</span> <span class="c1"># Query only this user's data using partition key </span> <span class="c1"># This ensures User 1 can NEVER see User 2's data </span> <span class="k">if</span> <span class="n">document_ids</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">document_ids</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># Search within specific documents for this user </span> <span class="c1"># Use FilterExpression with IN operator for multiple document IDs </span> <span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">user_id = :uid</span><span class="sh">'</span><span class="p">,</span> <span class="n">FilterExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">document_id IN (</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">([</span><span class="sa">f</span><span class="sh">'</span><span class="s">:doc</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="sh">'</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">document_ids</span><span class="p">))])</span> <span class="o">+</span> <span class="sh">'</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">:uid</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="p">{</span><span class="sa">f</span><span class="sh">'</span><span class="s">:doc</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="sh">'</span><span class="p">:</span> <span class="n">doc_id</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">doc_id</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">document_ids</span><span class="p">)}</span> <span class="p">}</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Search all documents for this user </span> <span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">user_id = :uid</span><span class="sh">'</span><span class="p">,</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">:uid</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">}</span> <span class="p">)</span> <span class="n">items</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Items</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Handle pagination (DynamoDB returns max 1MB per query) </span> <span class="k">while</span> <span class="sh">'</span><span class="s">LastEvaluatedKey</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">response</span><span class="p">:</span> <span class="k">if</span> <span class="n">document_ids</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">document_ids</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">user_id = :uid</span><span class="sh">'</span><span class="p">,</span> <span class="n">FilterExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">document_id IN (</span><span class="sh">'</span> <span class="o">+</span> <span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">([</span><span class="sa">f</span><span class="sh">'</span><span class="s">:doc</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="sh">'</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">document_ids</span><span class="p">))])</span> <span class="o">+</span> <span class="sh">'</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">:uid</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="p">{</span><span class="sa">f</span><span class="sh">'</span><span class="s">:doc</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="sh">'</span><span class="p">:</span> <span class="n">doc_id</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">doc_id</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">document_ids</span><span class="p">)}</span> <span class="p">},</span> <span class="n">ExclusiveStartKey</span><span class="o">=</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">LastEvaluatedKey</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="sh">'</span><span class="s">user_id = :uid</span><span class="sh">'</span><span class="p">,</span> <span class="n">ExpressionAttributeValues</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">:uid</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span><span class="p">},</span> <span class="n">ExclusiveStartKey</span><span class="o">=</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">LastEvaluatedKey</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">items</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Items</span><span class="sh">'</span><span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Found </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">items</span><span class="p">)</span><span class="si">}</span><span class="s"> pages for user </span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Calculate similarity for each item </span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="n">items</span><span class="p">:</span> <span class="c1"># Convert Decimal to float for numpy operations </span> <span class="n">vector</span> <span class="o">=</span> <span class="p">[</span><span class="nf">float</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">page_vector</span><span class="sh">'</span><span class="p">]]</span> <span class="n">similarity</span> <span class="o">=</span> <span class="nf">cosine_similarity</span><span class="p">(</span><span class="n">question_embedding</span><span class="p">,</span> <span class="n">vector</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">'</span><span class="s">page_number</span><span class="sh">'</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">page_number</span><span class="sh">'</span><span class="p">]),</span> <span class="sh">'</span><span class="s">page_text</span><span class="sh">'</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">page_text</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">score</span><span class="sh">'</span><span class="p">:</span> <span class="nf">float</span><span class="p">(</span><span class="n">similarity</span><span class="p">),</span> <span class="sh">'</span><span class="s">document_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">item</span><span class="p">[</span><span class="sh">'</span><span class="s">document_id</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_id</span> <span class="c1"># Include for debugging (but never expose other users) </span> <span class="p">})</span> <span class="c1"># Sort by similarity (highest first) and return top k </span> <span class="n">results</span><span class="p">.</span><span class="nf">sort</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">[</span><span class="sh">'</span><span class="s">score</span><span class="sh">'</span><span class="p">],</span> <span class="n">reverse</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="n">results</span><span class="p">[:</span><span class="n">k</span><span class="p">]</span> </code></pre> </div> <p>Let’s be honest here — here is where time complexity starts playing a part. For 100 processed pages inside the table? Expect fast responses (500ms max), but if you have 10 000 pages? That’s where the user experience starts to take a hit because of the chosen architecture. When you hit this stage, it’s time to think about another database solution, most probably one of the vector databases.</p> <p>But here's the thing: at small scale, this works fine. You're fetching data at DynamoDB speed (single-digit milliseconds), doing simple math in Python, and sorting. For a simple MVP, this is something we’ve expected and accepted as a trade-off.</p> <p>This makes DynamoDB an excellent starting point, not a permanent solution — and that’s exactly the point.</p> <h2> The Complete Q&amp;A Flow </h2> <p>Once we have relevant chunks from the DynamoDB table, we send them to an LLM to get an answer to the user’s question by doing the following steps:</p> <ul> <li>build the <code>context</code> and <code>prompt</code> payloads, where we put the pages information received from the table and ask the LLM model to provide a clear answer to the user’s question</li> <li>build a dynamic profile ID for the inference to access the Amazon Nova Micro model</li> <li>receive, parse and return the response </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_answer</span><span class="p">(</span><span class="n">question</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">context_pages</span><span class="p">:</span> <span class="nb">list</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate answer using Bedrock with retrieved context.</span><span class="sh">"""</span> <span class="c1"># Build context from pages </span> <span class="n">context</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\n\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">([</span> <span class="sa">f</span><span class="sh">"</span><span class="s">[Document: </span><span class="si">{</span><span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">document_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">, Page </span><span class="si">{</span><span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">page_number</span><span class="sh">'</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="si">}</span><span class="s">]</span><span class="se">\n</span><span class="si">{</span><span class="n">page</span><span class="p">[</span><span class="sh">'</span><span class="s">page_text</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="k">for</span> <span class="n">page</span> <span class="ow">in</span> <span class="n">context_pages</span> <span class="p">])</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">You are a helpful assistant that answers questions based on provided document context. Context from documents: </span><span class="si">{</span><span class="n">context</span><span class="si">}</span><span class="s"> Question: </span><span class="si">{</span><span class="n">question</span><span class="si">}</span><span class="s"> Please provide a clear, accurate answer based only on the information in the context above. If the context doesn</span><span class="sh">'</span><span class="s">t contain enough information to answer the question, say so. Answer:</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Construct the inference profile ID based on region </span> <span class="c1"># For us-east-1 or us-west-2, use "us" prefix </span> <span class="n">region</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BEDROCK_MODEL_REGION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="n">region_prefix</span> <span class="o">=</span> <span class="sh">'</span><span class="s">us</span><span class="sh">'</span> <span class="k">if</span> <span class="n">region</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">us-west-2</span><span class="sh">'</span><span class="p">]</span> <span class="k">else</span> <span class="sh">'</span><span class="s">eu</span><span class="sh">'</span> <span class="n">inference_profile_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">region_prefix</span><span class="si">}</span><span class="s">.amazon.nova-micro-v1:0</span><span class="sh">"</span> <span class="n">response</span> <span class="o">=</span> <span class="n">bedrock_runtime</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="n">inference_profile_id</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]</span> <span class="p">}</span> <span class="p">],</span> <span class="sh">"</span><span class="s">inferenceConfig</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">max_new_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="sh">"</span><span class="s">temperature</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.7</span><span class="p">,</span> <span class="sh">"</span><span class="s">top_p</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.9</span> <span class="p">}</span> <span class="p">})</span> <span class="p">)</span> <span class="c1"># Return the response text </span> <span class="n">response_body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">].</span><span class="nf">read</span><span class="p">())</span> <span class="k">return</span> <span class="n">response_body</span><span class="p">[</span><span class="sh">'</span><span class="s">output</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">message</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">content</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">text</span><span class="sh">'</span><span class="p">]</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error generating answer: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <h1> Cost Breakdown </h1> <p>One of the main reasons I chose DynamoDB for this RAG pipeline was cost predictability. </p> <p>The estimates below assume on-demand capacity mode, which is ideal for MVPs and early-stage products with unpredictable traffic.</p> <h3> Assumptions </h3> <ul> <li>Average PDF size after processing: ~3 MB (worst case)</li> <li>Average document split into 10 chunks/pages</li> <li>Each chunk stored as a separate DynamoDB item (text + embedding + metadata)</li> <li>Item size: ~3–4 KB per chunk</li> <li>Region: us-east-1</li> <li>No backups, streams, or global tables enabled</li> </ul> <h3> Monthly Cost Breakdown (Example) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Usage Assumption</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td><strong>DynamoDB Storage</strong></td> <td>1,000 PDFs (~3 GB total)</td> <td>~$0.75 (often free under 25 GB free tier)</td> </tr> <tr> <td><strong>DynamoDB Writes</strong></td> <td>10,000 items/month (ingestion)</td> <td>~$0.04</td> </tr> <tr> <td><strong>DynamoDB Reads</strong></td> <td>10,000 similarity queries/month (brute-force scan)</td> <td>~$0.08</td> </tr> <tr> <td><strong>S3 Storage</strong></td> <td>1,000 PDFs (3 GB)</td> <td>~$0.07</td> </tr> <tr> <td><strong>Total (DynamoDB-related)</strong></td> <td>—</td> <td><strong>~$0.10–$1.00 / month</strong></td> </tr> </tbody> </table></div> <p>Even if you 10× the usage (10,000 documents or 100,000 queries/month), DynamoDB costs remain in the single-digit dollar range. At this stage, Bedrock embeddings and LLM inference will dominate your bill, not the database.</p> <h1> When This Approach Breaks (And How You’ll Know) </h1> <p>This DynamoDB-based RAG pipeline doesn’t fail silently — it gives you very clear warning signs when it’s time to start thinking about migrating to time to migrate to a purpose-built vector database. Here are a couple warning signs:</p> <ol> <li>Pages per user: once a single user consistently exceeds ~1,000–2,000 stored chunks, brute-force similarity search starts to feel slow. </li> <li>Query latency, especially p95; when it crosses ~3 seconds, users notice and trust drops. </li> <li>Lambda memory usage — if your query Lambda needs to load thousands of vectors and regularly exceeds 50–60% memory just to sort results, you’re approaching a hard ceiling. </li> <li>DynamoDB read capacity consumption — it will start climbing linearly with corpus size; not because DynamoDB is inefficient, but because you’re intentionally scanning more data per query. </li> </ol> <p>None of these are bugs — they’re the natural limits of an O(n) retrieval strategy. The key advantage is that these limits are predictable, measurable, and give you plenty of time to migrate before the system becomes unusable.</p> <h1> Conclusion </h1> <p>Not every RAG system needs a vector database on day one.</p> <p>If you’re building a POC project or a new feature you’re not yet sure users will care about, optimizing for lowest cost and fastest iteration matters more than performance. Using DynamoDB as a vector store lets you ship a fully functional, serverless RAG pipeline with almost no fixed infrastructure cost, predictable pricing, and minimal operational overhead.</p> <p>The trade-offs are real and intentional as we’ve discussed. Similarity search is linear, latency grows with the size of the database. Eventually, this approach will hit a ceiling. But that ceiling is high enough for early-stage systems — and, more importantly, it’s visible and measurable. You’ll know when you’ve outgrown it long before it becomes a production problem.</p> <p>The key takeaway is not that DynamoDB replaces vector databases. It doesn’t and it can’t. The main point of this blog post is to understand that you don’t have to pay for the vector database before you need it. Start simple, validate your idea and then migrate to new architecture which will support your new requirements.</p> <p>If you’re building RAG for the first time, this approach will get you there faster and cheaper. And when it stops being enough, you’ll be in the best possible position to move on — with a working system, real users, and real constraints guiding the next step.</p> aws rag programming python Matia Rašetina Fri, 02 Jan 2026 11:11:07 +0000 https://forem.com/mate32/eliminating-repetitive-crud-and-presigned-url-logic-with-aws-appsync-pipeline-resolvers-2n8c https://forem.com/mate32/eliminating-repetitive-crud-and-presigned-url-logic-with-aws-appsync-pipeline-resolvers-2n8c <p>During the end of 2025, I wanted to end the year strong with learning and developing a project with a technology I wanted to learn for a long time, together with an AWS service which uses that same technology — GraphQL and AWS AppSync.</p> <p>If you haven’t heard of GraphQL, it’s a data querying language developed by Meta, in which you can declare which data you want to fetch, update or create. It’s not tied to any specific database engine, like PostgreSQL or DynamoDB, so makes it even more interesting to use.</p> <p>During 2025, I’ve built many projects with many operations and features, and many features were repetitive — CRUD operations in DynamoDB and pre-signed URL generation for object upload to S3 were the main ones. That’s why I decided to create a pattern with GraphQL to make CRUD operations and generation of pre-signed URLs easier and more straightforward.</p> <p>Why GraphQL over REST? Here are the reasons:</p> <ul> <li>overfetching — your REST API might provide additional information, which your frontend doesn’t need. By using GraphQL, you specifically define what data you need</li> <li>underfetching — if you have multiple datasources to build one screen, GraphQL replaces them with only ONE request</li> </ul> <p>This blog will not go into explaining GraphQL basics and will only talk about components of this pattern. If you are interested in learning GraphQL, please take a look at the official docs — <a href="https://graphql.org/learn/" rel="noopener noreferrer">https://graphql.org/learn/</a>.</p> <p>You can reuse this pattern in any project and you can be assured that your endpoints are working as expected right away. Only thing you need to do is to modify the object you are creating inside the DynamoDB table.</p> <p>The code is available on this GitHub link: <a href="https://github.com/mate329/serverless-patterns/tree/mate329-pattern-appsync-lambda-s3-presigned-urls" rel="noopener noreferrer">https://github.com/mate329/serverless-patterns/tree/mate329-pattern-appsync-lambda-s3-presigned-urls</a>.</p> <h1> <strong>Architecture Overview &amp; Understanding the Components</strong> </h1> <p>This pattern uses the following technologies and AWS Services:</p> <ul> <li>Python and Python AWS CDK</li> <li>AWS Lambda</li> <li>AWS DynamoDB</li> <li>AWS AppSync</li> </ul> <p>Let’s understand the components of this pattern first. </p> <p>The schema defines the contract that makes this pattern reusable: a single Note type with fields that can be progressively enriched by pipeline resolvers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">type</span><span class="w"> </span><span class="n">Note</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!</span><span class="w"> </span><span class="n">title</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">content</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">attachmentKey</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">uploadUrl</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">downloadUrl</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">PaginatedNotes</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">notes</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="n">Note</span><span class="p">!]!</span><span class="w"> </span><span class="n">nextToken</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">allNotes</span><span class="p">(</span><span class="n">limit</span><span class="p">:</span><span class="w"> </span><span class="nb">Int</span><span class="p">,</span><span class="w"> </span><span class="n">nextToken</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">):</span><span class="w"> </span><span class="n">PaginatedNotes</span><span class="p">!</span><span class="w"> </span><span class="n">getNote</span><span class="p">(</span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!):</span><span class="w"> </span><span class="n">Note</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Mutation</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">saveNote</span><span class="p">(</span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!,</span><span class="w"> </span><span class="n">title</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!,</span><span class="w"> </span><span class="n">content</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">!,</span><span class="w"> </span><span class="n">fileName</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="p">):</span><span class="w"> </span><span class="n">Note</span><span class="w"> </span><span class="n">deleteNote</span><span class="p">(</span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="nb">ID</span><span class="p">!):</span><span class="w"> </span><span class="n">Note</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">schema</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">query</span><span class="p">:</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="n">mutation</span><span class="p">:</span><span class="w"> </span><span class="n">Mutation</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>However, in this pattern, an additional step has been taken — I’ve implemented AppSync Pipeline Resolvers.</p> <p>AppSync pipeline resolvers are a powerful but often overlooked feature of AWS AppSync. Think of them as a series of functions that execute in sequence for a single GraphQL operation, where each unique method can get the result of the previous step. Unlike traditional resolvers which interact with one datasource, pipeline resolvers let you orchestrate multiple AWS services in a single GraphQL query or mutation. The magic happens through the <code>$ctx.prev.result</code> variable in VTL (Velocity Template Language), which passes data from one function to the next, creating a clean data pipeline without writing orchestration code.</p> <p>It removes so much boilerplate code — if you’re going to have multiple Lambdas for CRUD operations, you have to declare them inside the CDK code, give them permissions, set them up with correct environment variables and debug them if something happens. Then, of course, writing the Lambda code itself takes time to develop and to test.</p> <p>By using AppSync pipeline resolvers, you let the pipeline handle everything for you. Less code = less worry that a bug might sneak in.</p> <p>In this pattern, pipeline resolvers are used to:</p> <ul> <li>Upload process — save the incoming data about the document inside the DynamoDB and call a Lambda to generate a pre-signed URL for document upload</li> <li>Download process — fetch the data from the DynamoDB about the document and call a Lambda to generate a pre-signed URL for document download</li> </ul> <p>VTL files will be shown in the following parts.</p> <p>In addition, here is the base CDK code used for creating resources like AppSync, DynamoDB and S3 and creating data sources, so we can access the bucket and the table with AppSync:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">App</span><span class="p">,</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">CfnOutput</span><span class="p">,</span> <span class="n">Duration</span><span class="p">,</span> <span class="n">RemovalPolicy</span><span class="p">,</span> <span class="n">aws_dynamodb</span> <span class="k">as</span> <span class="n">ddb</span><span class="p">,</span> <span class="n">aws_appsync</span> <span class="k">as</span> <span class="n">appsync</span><span class="p">,</span> <span class="n">aws_lambda</span> <span class="k">as</span> <span class="n">lambda_</span><span class="p">,</span> <span class="n">aws_s3</span> <span class="k">as</span> <span class="n">s3</span><span class="p">,</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">NotesAppSyncStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># S3 bucket </span> <span class="n">attachments_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">NoteAttachmentsBucket</span><span class="sh">"</span><span class="p">,</span> <span class="n">versioned</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="n">auto_delete_objects</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">public_read_access</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">block_public_access</span><span class="o">=</span><span class="n">s3</span><span class="p">.</span><span class="nc">BlockPublicAccess</span><span class="p">(</span> <span class="n">block_public_acls</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">block_public_policy</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">ignore_public_acls</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">restrict_public_buckets</span><span class="o">=</span><span class="bp">False</span> <span class="p">),</span> <span class="n">cors</span><span class="o">=</span><span class="p">[</span> <span class="n">s3</span><span class="p">.</span><span class="nc">CorsRule</span><span class="p">(</span> <span class="n">allowed_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allowed_methods</span><span class="o">=</span><span class="p">[</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">PUT</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">POST</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">GET</span> <span class="p">],</span> <span class="n">allowed_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_age</span><span class="o">=</span><span class="mi">3000</span> <span class="p">)</span> <span class="p">]</span> <span class="p">)</span> <span class="c1"># DynamoDB table </span> <span class="n">table</span> <span class="o">=</span> <span class="n">ddb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DynamoDBNotesTable</span><span class="sh">"</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">ddb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">NoteId</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">ddb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span><span class="p">),</span> <span class="n">billing_mode</span><span class="o">=</span><span class="n">ddb</span><span class="p">.</span><span class="n">BillingMode</span><span class="p">.</span><span class="n">PAY_PER_REQUEST</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">RETAIN</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Lambda function for S3 operations </span> <span class="n">s3_lambda</span> <span class="o">=</span> <span class="n">lambda_</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">S3OperationsFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">lambda_</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">lambda_</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="sh">"</span><span class="s">PresignerLambda</span><span class="sh">"</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">BUCKET_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="n">attachments_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">TABLE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="n">table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="c1"># Grant Lambda permissions </span> <span class="n">attachments_bucket</span><span class="p">.</span><span class="nf">grant_read_write</span><span class="p">(</span><span class="n">s3_lambda</span><span class="p">)</span> <span class="n">table</span><span class="p">.</span><span class="nf">grant_read_write_data</span><span class="p">(</span><span class="n">s3_lambda</span><span class="p">)</span> <span class="c1"># AppSync GraphQL API </span> <span class="n">api</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">GraphqlApi</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Api</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">MyAppSyncApi</span><span class="sh">"</span><span class="p">,</span> <span class="n">definition</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">Definition</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">graphql/schema.graphql</span><span class="sh">"</span><span class="p">),</span> <span class="n">authorization_config</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="nc">AuthorizationConfig</span><span class="p">(</span> <span class="n">default_authorization</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="nc">AuthorizationMode</span><span class="p">(</span> <span class="n">authorization_type</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">AuthorizationType</span><span class="p">.</span><span class="n">API_KEY</span> <span class="p">)</span> <span class="p">),</span> <span class="p">)</span> <span class="c1"># API Key for Output </span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">CfnApiKey</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">AppSyncApiKey</span><span class="sh">"</span><span class="p">,</span> <span class="n">api_id</span><span class="o">=</span><span class="n">api</span><span class="p">.</span><span class="n">api_id</span><span class="p">)</span> <span class="c1"># Data Sources </span> <span class="n">ddb_ds</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">DynamoDbDataSource</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">AppSyncNotesTableDataSource</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">table</span><span class="o">=</span><span class="n">table</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">The Notes Table AppSync Data Source</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">lambda_ds</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">LambdaDataSource</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">S3OperationsDataSource</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">lambda_function</span><span class="o">=</span><span class="n">s3_lambda</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Lambda for S3 presigned URL operations</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h1> <strong>The Upload Flow (saveNote mutation)</strong> </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrf2klwpd510wbx8ihhn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgrf2klwpd510wbx8ihhn.png" alt="The Upload Flow Architecture Diagram" width="521" height="411"></a></p> <p>To understand this flow, we’ll go over it step-by-step.</p> <h3> Step 1: client calls the AppSync URL to generate the pre-signed URL for document upload </h3> <p>To save the note, AppSync calls the Presigner Lambda, which generates the pre-signed upload URL, here is the method used in the <code>handler.py</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_upload_url</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Generate a presigned URL for uploading a file to S3. Args: event: Contains </span><span class="sh">'</span><span class="s">noteId</span><span class="sh">'</span><span class="s"> and optional </span><span class="sh">'</span><span class="s">fileName</span><span class="sh">'</span><span class="s"> Returns: Dict containing </span><span class="sh">'</span><span class="s">uploadUrl</span><span class="sh">'</span><span class="s"> and </span><span class="sh">'</span><span class="s">attachmentKey</span><span class="sh">'</span><span class="s"> </span><span class="sh">"""</span> <span class="n">note_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">noteId</span><span class="sh">'</span><span class="p">)</span> <span class="n">file_name</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">fileName</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">attachment</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">note_id</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">noteId is required</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Sanitize filename and create S3 key </span> <span class="n">sanitized_filename</span> <span class="o">=</span> <span class="nf">sanitize_filename</span><span class="p">(</span><span class="n">file_name</span><span class="p">)</span> <span class="n">attachment_key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">notes/</span><span class="si">{</span><span class="n">note_id</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">sanitized_filename</span><span class="si">}</span><span class="sh">"</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Generate presigned URL for PUT operation </span> <span class="n">upload_url</span> <span class="o">=</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">generate_presigned_url</span><span class="p">(</span> <span class="sh">'</span><span class="s">put_object</span><span class="sh">'</span><span class="p">,</span> <span class="n">Params</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">Bucket</span><span class="sh">'</span><span class="p">:</span> <span class="n">BUCKET_NAME</span><span class="p">,</span> <span class="sh">'</span><span class="s">Key</span><span class="sh">'</span><span class="p">:</span> <span class="n">attachment_key</span><span class="p">,</span> <span class="sh">'</span><span class="s">ContentType</span><span class="sh">'</span><span class="p">:</span> <span class="nf">get_content_type</span><span class="p">(</span><span class="n">sanitized_filename</span><span class="p">),</span> <span class="p">},</span> <span class="n">ExpiresIn</span><span class="o">=</span><span class="n">UPLOAD_URL_EXPIRATION</span><span class="p">,</span> <span class="n">HttpMethod</span><span class="o">=</span><span class="sh">'</span><span class="s">PUT</span><span class="sh">'</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Generated upload URL for note </span><span class="si">{</span><span class="n">note_id</span><span class="si">}</span><span class="s">, key: </span><span class="si">{</span><span class="n">attachment_key</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">uploadUrl</span><span class="sh">'</span><span class="p">:</span> <span class="n">upload_url</span><span class="p">,</span> <span class="sh">'</span><span class="s">attachmentKey</span><span class="sh">'</span><span class="p">:</span> <span class="n">attachment_key</span><span class="p">,</span> <span class="sh">'</span><span class="s">expiresIn</span><span class="sh">'</span><span class="p">:</span> <span class="n">UPLOAD_URL_EXPIRATION</span> <span class="p">}</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error generating upload URL: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to generate upload URL: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This request mapping template invokes the presigner Lambda and exposes its output (uploadUrl, attachmentKey) to subsequent pipeline functions via <code>$ctx.prev.result</code>.</p> <p>The request VTL is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">version</span><span class="err">":</span><span class="w"> </span><span class="err">"2018-05-29"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">Invoke</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">payload</span><span class="err">":</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">generateUploadUrl</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">noteId</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">toJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">args</span><span class="err">.</span><span class="n">NoteId</span><span class="p">),</span><span class="w"> </span><span class="err">"</span><span class="n">fileName</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">toJson</span><span class="p">(</span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">defaultIfNull</span><span class="err">($</span><span class="n">ctx</span><span class="err">.</span><span class="n">args</span><span class="err">.</span><span class="n">fileName</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">attachment</span><span class="err">"</span><span class="p">)</span><span class="err">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Step 2: save the data to the DynamoDB table with the VTL payload </h3> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">version</span><span class="err">":</span><span class="w"> </span><span class="err">"2018-05-29"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">PutItem</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">key</span><span class="err">":</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">NoteId</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">dynamodb</span><span class="err">.</span><span class="n">toDynamoDBJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">args</span><span class="err">.</span><span class="n">NoteId</span><span class="p">)</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">"</span><span class="n">attributeValues</span><span class="err">":</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">title</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">dynamodb</span><span class="err">.</span><span class="n">toDynamoDBJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">args</span><span class="err">.</span><span class="n">title</span><span class="p">),</span><span class="w"> </span><span class="err">"</span><span class="n">content</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">dynamodb</span><span class="err">.</span><span class="n">toDynamoDBJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">args</span><span class="err">.</span><span class="n">content</span><span class="p">),</span><span class="w"> </span><span class="err">"</span><span class="n">attachmentKey</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">dynamodb</span><span class="err">.</span><span class="n">toDynamoDBJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">prev</span><span class="err">.</span><span class="n">result</span><span class="err">.</span><span class="n">attachmentKey</span><span class="p">),</span><span class="w"> </span><span class="err">"</span><span class="n">uploadUrl</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">dynamodb</span><span class="err">.</span><span class="n">toDynamoDBJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">prev</span><span class="err">.</span><span class="n">result</span><span class="err">.</span><span class="n">uploadUrl</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Notice the <code>$ctx.prev.result.uploadUrl</code> ? That’s the payload which the Lambda has generated and provided to the second step of the resolver pipeline.</p> <p>To build this pipeline inside the CDK code, here’s how you do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Pipeline Function: Generate presigned URL for upload </span><span class="n">generate_upload_url_fn</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">AppsyncFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GenerateUploadUrlFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">GenerateUploadUrlFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">data_source</span><span class="o">=</span><span class="n">lambda_ds</span><span class="p">,</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/generateUploadUrl.req.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">lambda_result</span><span class="p">(),</span> <span class="p">)</span> <span class="c1"># Pipeline Function: Save note to DynamoDB </span><span class="n">save_note_to_ddb_fn</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">AppsyncFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">SaveNoteToDynamoDBFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">SaveNoteToDynamoDBFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">data_source</span><span class="o">=</span><span class="n">ddb_ds</span><span class="p">,</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/saveNoteToDynamoDB.req.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">dynamo_db_result_item</span><span class="p">(),</span> <span class="p">)</span> <span class="c1"># Pipeline Resolver: saveNote (generate URL -&gt; save to DDB) # Here, we create the pipeline resolver which combines our pipeline parts, # or rather pipeline functions </span><span class="n">appsync</span><span class="p">.</span><span class="nc">Resolver</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">SaveNotePipelineResolver</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">type_name</span><span class="o">=</span><span class="sh">"</span><span class="s">Mutation</span><span class="sh">"</span><span class="p">,</span> <span class="n">field_name</span><span class="o">=</span><span class="sh">"</span><span class="s">saveNote</span><span class="sh">"</span><span class="p">,</span> <span class="n">pipeline_config</span><span class="o">=</span><span class="p">[</span><span class="n">generate_upload_url_fn</span><span class="p">,</span> <span class="n">save_note_to_ddb_fn</span><span class="p">],</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/saveNotePipeline.req.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/saveNotePipeline.res.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p><code>saveNotePipeline.req.vtl</code> is an empty JSON <code>{}</code> , while the <code>saveNotePipeline.res.vtl</code> has the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">$util.toJson($ctx.prev.result)</span><span class="w"> </span></code></pre> </div> <h1> <strong>The Download Flow (getNote query)</strong> </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xld9cu72abdee7hz54j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3xld9cu72abdee7hz54j.png" alt="The Download Flow Architecure Diagram" width="521" height="411"></a></p> <h2> Step 1. Fetching the information about the note from the DynamoDB table </h2> <p>No VTL files for this step, as CDK supports fetching information directly inside the AppSync function definition!</p> <h2> Step 2: If the user has provided the attachment to the note, call the presigner Lambda to generate the download URL </h2> <p>The method to generate the download URL looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_download_url</span><span class="p">(</span><span class="n">event</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Generate a presigned URL for downloading a file from S3. Args: event: Contains </span><span class="sh">'</span><span class="s">attachmentKey</span><span class="sh">'</span><span class="s"> Returns: Dict containing </span><span class="sh">'</span><span class="s">downloadUrl</span><span class="sh">'</span><span class="s"> if attachment exists, empty dict otherwise </span><span class="sh">"""</span> <span class="n">attachment_key</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">attachmentKey</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># If no attachment key, return empty result (note has no attachment) </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">attachment_key</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">No attachment key provided, skipping download URL generation</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{}</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Check if object exists </span> <span class="k">try</span><span class="p">:</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">head_object</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">BUCKET_NAME</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">attachment_key</span><span class="p">)</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">e</span><span class="p">.</span><span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Error</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Code</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">404</span><span class="sh">'</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Attachment not found: </span><span class="si">{</span><span class="n">attachment_key</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{}</span> <span class="k">raise</span> <span class="c1"># Generate presigned URL for GET operation </span> <span class="n">download_url</span> <span class="o">=</span> <span class="n">s3_client</span><span class="p">.</span><span class="nf">generate_presigned_url</span><span class="p">(</span> <span class="sh">'</span><span class="s">get_object</span><span class="sh">'</span><span class="p">,</span> <span class="n">Params</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">Bucket</span><span class="sh">'</span><span class="p">:</span> <span class="n">BUCKET_NAME</span><span class="p">,</span> <span class="sh">'</span><span class="s">Key</span><span class="sh">'</span><span class="p">:</span> <span class="n">attachment_key</span><span class="p">,</span> <span class="p">},</span> <span class="n">ExpiresIn</span><span class="o">=</span><span class="n">DOWNLOAD_URL_EXPIRATION</span><span class="p">,</span> <span class="n">HttpMethod</span><span class="o">=</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Generated download URL for key: </span><span class="si">{</span><span class="n">attachment_key</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">downloadUrl</span><span class="sh">'</span><span class="p">:</span> <span class="n">download_url</span><span class="p">,</span> <span class="sh">'</span><span class="s">expiresIn</span><span class="sh">'</span><span class="p">:</span> <span class="n">DOWNLOAD_URL_EXPIRATION</span> <span class="p">}</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error generating download URL: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to generate download URL: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>VTL request file, <code>generateDownloadUrl.req.vtl</code> , to fetch the download URL looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c">## Only invoke Lambda if attachmentKey exists</span><span class="w"> </span><span class="c">#if($ctx.prev.result.attachmentKey)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">version</span><span class="err">":</span><span class="w"> </span><span class="err">"2018-05-29"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">Invoke</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">payload</span><span class="err">":</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">generateDownloadUrl</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">attachmentKey</span><span class="err">":</span><span class="w"> </span><span class="err">$</span><span class="n">util</span><span class="err">.</span><span class="n">toJson</span><span class="p">(</span><span class="err">$</span><span class="n">ctx</span><span class="err">.</span><span class="n">prev</span><span class="err">.</span><span class="n">result</span><span class="err">.</span><span class="n">attachmentKey</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c">#else</span><span class="w"> </span><span class="c">## Pass through without invoking Lambda</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">version</span><span class="err">":</span><span class="w"> </span><span class="err">"2018-05-29"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">Invoke</span><span class="err">"</span><span class="p">,</span><span class="w"> </span><span class="err">"</span><span class="n">payload</span><span class="err">":</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">"</span><span class="n">operation</span><span class="err">":</span><span class="w"> </span><span class="err">"</span><span class="n">skip</span><span class="err">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c">#end</span><span class="w"> </span></code></pre> </div> <p>while the response VTL file, <code>generateDownloadUrl.res.vtl</code>, looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c">## Merge download URL into previous result if it exists</span><span class="w"> </span><span class="c">#if($ctx.result &amp;&amp; $ctx.result.downloadUrl)</span><span class="w"> </span><span class="c">#set($ctx.prev.result.downloadUrl = $ctx.result.downloadUrl)</span><span class="w"> </span><span class="c">#end</span><span class="w"> </span><span class="err">$util.toJson($ctx.prev.result)</span><span class="w"> </span></code></pre> </div> <p>CDK looks as following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Pipeline Function: Get note from DynamoDB </span><span class="n">get_note_from_ddb_fn</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">AppsyncFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GetNoteFromDynamoDBFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">GetNoteFromDynamoDBFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">data_source</span><span class="o">=</span><span class="n">ddb_ds</span><span class="p">,</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">dynamo_db_get_item</span><span class="p">(</span><span class="sh">"</span><span class="s">NoteId</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">NoteId</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">dynamo_db_result_item</span><span class="p">(),</span> <span class="p">)</span> <span class="c1"># Pipeline Function: Generate presigned URL for download (conditional) </span><span class="n">generate_download_url_fn</span> <span class="o">=</span> <span class="n">appsync</span><span class="p">.</span><span class="nc">AppsyncFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GenerateDownloadUrlFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">GenerateDownloadUrlFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">data_source</span><span class="o">=</span><span class="n">lambda_ds</span><span class="p">,</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/generateDownloadUrl.req.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/generateDownloadUrl.res.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="c1"># Pipeline Resolver: getNote (get from DDB -&gt; generate download URL if attachment exists) </span><span class="n">appsync</span><span class="p">.</span><span class="nc">Resolver</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">GetNotePipelineResolver</span><span class="sh">"</span><span class="p">,</span> <span class="n">api</span><span class="o">=</span><span class="n">api</span><span class="p">,</span> <span class="n">type_name</span><span class="o">=</span><span class="sh">"</span><span class="s">Query</span><span class="sh">"</span><span class="p">,</span> <span class="n">field_name</span><span class="o">=</span><span class="sh">"</span><span class="s">getNote</span><span class="sh">"</span><span class="p">,</span> <span class="n">pipeline_config</span><span class="o">=</span><span class="p">[</span><span class="n">get_note_from_ddb_fn</span><span class="p">,</span> <span class="n">generate_download_url_fn</span><span class="p">],</span> <span class="n">request_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/getNotePipeline.req.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="n">response_mapping_template</span><span class="o">=</span><span class="n">appsync</span><span class="p">.</span><span class="n">MappingTemplate</span><span class="p">.</span><span class="nf">from_file</span><span class="p">(</span><span class="sh">"</span><span class="s">resolvers/functions/getNotePipeline.res.vtl</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>Similarly to the saveNote VTL files, <code>getNotePipeline.req.vtl</code> is an empty JSON <code>{}</code> , while the <code>getNotePipeline.res.vtl</code> has the same content as <code>saveNotePipeline.res.vtl</code> .</p> <h1> Update and Delete Flows </h1> <p>Creating a delete flow is very easy, again, we can use already packaged method inside the AWS CDK. You can create the delete resolver via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="err">ddb_ds.create_resolver(</span><span class="w"> </span><span class="err">"AppSyncDeleteNoteMutationResolver"</span><span class="p">,</span><span class="w"> </span><span class="err">type_name="Mutation"</span><span class="p">,</span><span class="w"> </span><span class="err">field_name="deleteNote"</span><span class="p">,</span><span class="w"> </span><span class="err">request_mapping_template=appsync.MappingTemplate.dynamo_db_delete_item("NoteId"</span><span class="p">,</span><span class="w"> </span><span class="err">"NoteId")</span><span class="p">,</span><span class="w"> </span><span class="err">response_mapping_template=appsync.MappingTemplate.dynamo_db_result_item()</span><span class="p">,</span><span class="w"> </span><span class="err">)</span><span class="w"> </span></code></pre> </div> <p>, while the update flow is built on the <code>saveNote</code> mutation — you just provide the <code>noteId</code> field and update the fields. Examples of all methods in this pattern are shown in the following chapter.</p> <h1> <strong>Testing It Out</strong> </h1> <p>Let’s go over the whole pattern and show you examples of how this works.</p> <h2> Create Note </h2> <p>We will start with the <code>saveNote</code> mutation. Here is the GraphQL mutation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="n">SaveNote</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">saveNote</span><span class="p">(</span><span class="w"> </span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="s2">"123"</span><span class="w"> </span><span class="n">title</span><span class="p">:</span><span class="w"> </span><span class="s2">"My First Note"</span><span class="w"> </span><span class="n">content</span><span class="p">:</span><span class="w"> </span><span class="s2">"This is the content of my note"</span><span class="w"> </span><span class="n">fileName</span><span class="p">:</span><span class="w"> </span><span class="s2">"test.txt"</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">content</span><span class="w"> </span><span class="n">attachmentKey</span><span class="w"> </span><span class="n">uploadUrl</span><span class="w"> </span><span class="n">downloadUrl</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>and here is the expected response:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjiok05a3oqhk6keewczd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjiok05a3oqhk6keewczd.png" width="800" height="477"></a></p> <p>and when you create a sample <code>test.txt</code> file and use the provided upload URL, you will get the following interface:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8v02gshhe81uayrcjxa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv8v02gshhe81uayrcjxa.png" width="800" height="482"></a></p> <h2> Get Note </h2> <p>With the following GraphQL payload, you will get the newly created note:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="n">GetNote</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">getNote</span><span class="p">(</span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="s2">"123"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">content</span><span class="w"> </span><span class="n">attachmentKey</span><span class="w"> </span><span class="n">downloadUrl</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>and it should look like this in Postman, or any other API testing tool:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmgrsnhwlboyyt2wcdoey.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmgrsnhwlboyyt2wcdoey.png" width="800" height="483"></a></p> <p>In case you want to fetch all notes, the following GraphQL query can be used. The result will be similar as the previous one, so an image won’t be provided. Here is the query though:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="n">GetAllNotes</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">allNotes</span><span class="p">(</span><span class="n">limit</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="n">nextToken</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">notes</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">content</span><span class="w"> </span><span class="n">attachmentKey</span><span class="w"> </span><span class="n">uploadUrl</span><span class="w"> </span><span class="n">downloadUrl</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">nextToken</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Update Note </h2> <p>As mentioned, Update note flow uses the <code>saveNote</code> mutation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="n">UpdateNote</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">saveNote</span><span class="p">(</span><span class="w"> </span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="s2">"123"</span><span class="w"> </span><span class="n">title</span><span class="p">:</span><span class="w"> </span><span class="s2">"Updated Title"</span><span class="w"> </span><span class="n">content</span><span class="p">:</span><span class="w"> </span><span class="s2">"Updated content"</span><span class="w"> </span><span class="n">fileName</span><span class="p">:</span><span class="w"> </span><span class="s2">"test.txt"</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="w"> </span><span class="n">title</span><span class="w"> </span><span class="n">content</span><span class="w"> </span><span class="n">attachmentKey</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>here is the execution example:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8o9t83hw5d0cbcyczp1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp8o9t83hw5d0cbcyczp1.png" width="800" height="480"></a></p> <h2> Delete Note </h2> <p>Lastly, here is the usage of the <code>deleteNote</code> mutation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">mutation</span><span class="w"> </span><span class="n">DeleteNote</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">deleteNote</span><span class="p">(</span><span class="n">NoteId</span><span class="p">:</span><span class="w"> </span><span class="s2">"123"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">NoteId</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>, together with the execution results:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farmmrjxx1aaknby0w5sn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farmmrjxx1aaknby0w5sn.png" width="800" height="484"></a></p> <h1> <strong>Security and Cost</strong> </h1> <h2> API Key vs AWS Cognito — Which one to choose? </h2> <p>Regarding security, in this pattern the API key is used, for the sake of simplicity. AWS Cognito can be used to protect the GraphQL endpoint, but I didn’t want to make the pattern dependent on another AWS service.</p> <p>However, let’s compare the differences in between choosing the API key and Cognito as the security choice.</p> <p>By using the API key, you have the following pros:</p> <ul> <li>very easy to implement (just a few lines of code inside the CDK to fetch the key for your GraphQL endpoint)</li> <li>great for quick prototyping or testing</li> <li>no additional AWS services required and no additional AWS services cost</li> </ul> <p>There are cons to this approach too:</p> <ul> <li>no user identity - you cannot tell who made the request</li> <li>not suitable for real-world production application, as you need to implement additional logic to filter out requester’s data</li> <li>no granular permissions - everyone has access to everything AppSync does</li> </ul> <p>On the other hand, here are the pros of using Cognito as the authorizer:</p> <ul> <li>individual user identities - you know exactly who's making each request</li> <li>users can only access their data</li> <li>fine-grained access control using IAM policies or Lambda authorizers, making your system more secure</li> </ul> <p>Cons of this approach are:</p> <ul> <li>possible additional cost in production - Cognito is free until you have more than 50000 users</li> <li>more complex to setup, both for frontend and backend developers</li> <li>another AWS service dependency</li> </ul> <p>The choice is up to you!</p> <h2> Cost — Will it break the bank? </h2> <p>When talking about cost, AppSync is in the Free Tier and you get the following number of operations:</p> <ul> <li>250,000 query or data modification operations</li> <li>250,000 real-time updates</li> <li>600,000 connection-minutes</li> </ul> <p>This makes it a very good choice, especially if you expect traffic lower than this.</p> <p>Of course, if you use AWS Lambda REST API, it most probably will be cheaper, but by using this pattern you get off the ground quicker than developing Lambdas for every CRUD operation + you get the benefits I’ve talked about at the beginning of the blog.</p> <h1> Conclusion </h1> <p>This pattern shows how GraphQL with the combination of AWS CDK and AWS AppSync pipeline resolvers can be used to move beyond simple CRUD APIs and into orchestrated backend workflows.</p> <p>By combining AppSync, DynamoDB, Lambda and S3, this pattern models one of the most common application flows as a single GraphQL operation, while still keeping the implementation modular and reusable.</p> <p>As already mentioned, the main advantage of this approach is not just fewer API calls, but reduced backend boilerplate. Instead of writing and maintaining multiple Lambdas for repetitive CRUD logic and presigned URL handling, AppSync pipeline resolvers handle everything for you.</p> <p>With all of these positives, there are some drawbacks as well — this pattern is not a replacement for REST, as it introduces it’s own complexity, especially around VTL files and it makes most sense when you already rely on AWS services. For small workflows, a traditional Lambda may still be the simpler choice.</p> <p>If you find yourself repeatedly building the same serverless backend features — CRUD operations, file uploads, and basic orchestration — this pattern can serve as a solid foundation. It is intentionally minimal, easy to adapt, and designed to be extended as application requirements grow.</p> webdev aws python programming Matia Rašetina Fri, 28 Nov 2025 09:00:00 +0000 https://forem.com/mate32/the-complete-guide-to-aws-lambda-aliases-versions-and-canary-deployments-with-cdk-examples-31fg https://forem.com/mate32/the-complete-guide-to-aws-lambda-aliases-versions-and-canary-deployments-with-cdk-examples-31fg <p>Deploying a new Lambda code to your AWS environment shouldn’t be stressful at all, but for some teams, it is. If you ever pushed a quick fix to production and straight away went to CloudWatch logs to see if the Lambda is failing, you know the feeling. When updating the Lambda code, it happens instantly. If there is a bug in the new code, every user feels it straight away.</p> <p>That’s why tools like Lambda Versions, Aliases and Canary Deployments come in. When used correctly, they give you a way of rolling out new code changes gradually, observing the impact and automatically starting the roll back process if something happens.</p> <p>No downtime. No fire drills. No late-night debugging sessions.</p> <p>In this guide, you'll learn:</p> <ul> <li>What Lambda versions and aliases actually do</li> <li>How traffic routing works</li> <li>How CodeDeploy turns aliases into safe, automated canary releases</li> <li>How to implement everything with AWS CDK</li> <li>The pitfalls and best practices you should know</li> </ul> <p>This blog post is a continuation of a previous post about CRUD Lambdas with PynamoDB. Here, we are going to enable versioning, alias and deployment for <code>CreatePropertyLambda</code> , however the full code for all CRUD Lambdas is available on <a href="https://github.com/mate329/lambda-alias-canary-deployment" rel="noopener noreferrer">this link</a>.</p> <h1> Why Safe Lambda Deployments Matter </h1> <p>Most of the Lambda deployments follow the most basic flow:</p> <ol> <li>a developer deploys the code via CDK, SAM or any other tool</li> <li>AWS takes the new snapshot of the incoming code</li> <li>AWS switches all traffic to the new deployed Lambda</li> </ol> <p>It’s fast, however it makes it very dangerous for the stability of the application, as you don’t know if there will be any errors which went unnoticed during testing.</p> <p>With aliases and canary routing, you shift from “everything at once” to:</p> <ul> <li>Send 10% of traffic to the new version</li> <li>Watch for errors</li> <li>Promote or roll back automatically</li> </ul> <p>This gives you:</p> <ul> <li> <strong>Zero downtime</strong> deployments</li> <li> <strong>Automatic recovery</strong> when something breaks</li> <li> <strong>Gradual exposure</strong> to real production traffic</li> <li> <strong>Safety</strong> without slowing delivery</li> </ul> <p>Let’s take a deeper dive into the basics and understand them before continuing to the CDK code.</p> <h1> Lambda Versions, Aliases and Routing — The Essentials </h1> <p>Before we begin, let’s go over some base points, which are need-to-know.</p> <h2> Versions </h2> <p><strong>A version</strong> is an immutable snapshot of that code, meaning once deployed, it will forever have that version number and it can only be updated by another version.</p> <p>One Lambda version contains multiple parts which are vital for Lambda runtime:</p> <ul> <li>source code</li> <li>layers and dependencies</li> <li>environment variables</li> <li>runtime settings, like Lambda timeout</li> </ul> <p>This immutability is why versions are the backbone of safe deployments.</p> <h2> Aliases </h2> <p>An <strong>alias</strong> is a named pointer — like <code>prod</code>, <code>beta</code>, or <code>v1</code> — that points to one or more Lambda versions. </p> <p>It is very important to understand — API Gateway, Step Functions, EventBridge rules or any other AWS service should call your alias, not the version directly, because aliases enable us to decouple deployments from references, allow traffic shifting and rollback and aliases prevent needing to update API Gateway integrations.</p> <h2> Weighted Routing + Why use Canary Deployments? </h2> <p>AWS lets you attach a routing configuration to an alias — for example, we deploy a new Lambda version and we can route the traffic to both old and new versions:</p> <ul> <li>90% of traffic → version 1</li> <li>10% of traffic → version 2</li> </ul> <p>This simple mechanism is the foundation of canary deployments.</p> <p>We use canary deployments to route a fraction of the production traffic to the newly deployed resource. If for any reason the new version of the resource fails, only a small slice of users is impacted and the system will recognize the errors and re-route the experimental users back to the fully working code.</p> <p>There are other benefits to using canary deployments:</p> <ul> <li><strong>Zero downtime</strong></li> <li> <strong>Safe experimentation</strong> with new logic or dependencies</li> <li> <strong>Easy rollback</strong> by flipping the alias back</li> </ul> <p>For more information how the canary deployment works, please check out my blog post about it, you can see it by clicking the link <a href="https://medium.com/aws-in-plain-english/i-built-a-safety-net-for-my-aws-deployments-heres-the-code-f91f9957f301" rel="noopener noreferrer">here</a>.</p> <h1> How Lambda Aliases Enable Canary Releases </h1> <p>The full canary release process is as following:</p> <ul> <li>new Lambda code gets deployed → AWS automatically creates a new version, let’s call it version 2</li> <li>Lambda alias <code>prod</code> is pointing to version 1</li> <li> <code>prod</code> alias gets updated to route the traffic: <ul> <li>90% of the traffic → version 1</li> <li>10% of the traffic → version 2</li> </ul> </li> <li>CodeDeploy and CloudWatch are working together to monitor the incoming traffic to version 2 <ul> <li>if anything breaks and errors spike, CloudWatch sends the notification to CodeDeploy to stop the deployment process and to reroute all traffic to the older version (in this case, version 1)</li> <li>if everything looks good, shift the traffic from version 1 to version 2 and version 2 becomes a de facto main carrier of <code>prod</code> alias traffic</li> </ul> </li> </ul> <p>With this approach, users experience no downtime and you can be assured that in case of failure, your system is still online!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F460980vknagc7ubgn686.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F460980vknagc7ubgn686.png" alt="Overview of the API Gateway and AWS Lambdas with an Alias" width="472" height="331"></a></p> <h1> Setting Up Canary Deployments with AWS CDK </h1> <h2> Step 1: Enable Lambda versioning </h2> <p>You want Lambda to publish a new version only when the code changes*.*</p> <p>A common trick: embed a hash into the function description.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Method used to get the hash of the Lambda, so we confirm if # the code changed at all. # No need to start a canary deployment if the code didn't change </span><span class="k">def</span> <span class="nf">_get_code_hash</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">directory</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate a hash of all files in the Lambda code directory.</span><span class="sh">"""</span> <span class="n">hash_md5</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">md5</span><span class="p">()</span> <span class="k">for</span> <span class="n">root</span><span class="p">,</span> <span class="n">dirs</span><span class="p">,</span> <span class="n">files</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="nf">walk</span><span class="p">(</span><span class="n">directory</span><span class="p">)):</span> <span class="k">for</span> <span class="nb">file</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">files</span><span class="p">):</span> <span class="k">if</span> <span class="nb">file</span><span class="p">.</span><span class="nf">endswith</span><span class="p">((</span><span class="sh">'</span><span class="s">.py</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">.json</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">.txt</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">.yaml</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">.yml</span><span class="sh">'</span><span class="p">)):</span> <span class="n">file_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="nb">file</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">file_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">hash_md5</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">())</span> <span class="k">return</span> <span class="n">hash_md5</span><span class="p">.</span><span class="nf">hexdigest</span><span class="p">()[:</span><span class="mi">8</span><span class="p">]</span> <span class="c1"># Lambda functions with code hash in description for versioning </span><span class="n">create_property_code_dir</span> <span class="o">=</span> <span class="sh">"</span><span class="s">./CreatePropertyHandler</span><span class="sh">"</span> <span class="n">create_code_hash</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_code_hash</span><span class="p">(</span><span class="n">create_property_code_dir</span><span class="p">)</span> <span class="n">create_property_fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">CreatePropertyLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="n">create_property_code_dir</span><span class="p">),</span> <span class="n">layers</span><span class="o">=</span><span class="p">[</span><span class="n">layer</span><span class="p">],</span> <span class="n">description</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">v-</span><span class="si">{</span><span class="n">create_code_hash</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Hash in description triggers new version only when code changes </span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">PROPERTY_TABLE_NAME</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">property_table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">PROPERTY_BUCKET</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">property_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">)</span> <span class="n">create_version</span> <span class="o">=</span> <span class="n">create_property_fn</span><span class="p">.</span><span class="n">current_version</span> </code></pre> </div> <h2> Step 2 — Create a Lambda Alias </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">create_alias</span> <span class="o">=</span> <span class="nx">_lambda</span><span class="p">.</span><span class="nc">Alias</span><span class="p">(</span> <span class="nb">self</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CreatePropertyProdAlias</span><span class="dl">"</span><span class="p">,</span> <span class="nx">alias_name</span><span class="o">=</span><span class="dl">"</span><span class="s2">prod</span><span class="dl">"</span><span class="p">,</span> <span class="nx">version</span><span class="o">=</span><span class="nx">create_version</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>This is the entry point of accessing the CreateProperty Lambdas which will be deployed.</p> <h2> Step 3 — Creating a CloudWatch Alarm </h2> <p>This alarms will trigger a rollback if the function is reporting any errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">create_error_alarm</span> <span class="o">=</span> <span class="nx">cloudwatch</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span> <span class="nb">self</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CreatePropertyErrorAlarm</span><span class="dl">"</span><span class="p">,</span> <span class="nx">metric</span><span class="o">=</span><span class="nx">create_property_fn</span><span class="p">.</span><span class="nf">metric_errors</span><span class="p">(</span> <span class="nx">period</span><span class="o">=</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="nx">statistic</span><span class="o">=</span><span class="dl">"</span><span class="s2">Sum</span><span class="dl">"</span> <span class="p">),</span> <span class="nx">threshold</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="nx">evaluation_periods</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="nx">datapoints_to_alarm</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="nx">alarm_name</span><span class="o">=</span><span class="dl">"</span><span class="s2">create-property-canary-errors</span><span class="dl">"</span> <span class="p">)</span> </code></pre> </div> <p>A very useful feature in CloudWatch is that you can monitor not just Lambda errors, but also:</p> <ul> <li>latency</li> <li>throttles</li> <li>create metrics of your own - you can read more about custom metrics by clicking on the <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html" rel="noopener noreferrer">link here</a> </li> </ul> <h2> Step 4 — Adding a Canary Deployment process with CodeDeploy </h2> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="nx">codedeploy</span><span class="p">.</span><span class="nc">LambdaDeploymentGroup</span><span class="p">(</span> <span class="nb">self</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CreatePropertyCanaryDeployment</span><span class="dl">"</span><span class="p">,</span> <span class="nx">alias</span><span class="o">=</span><span class="nx">create_alias</span><span class="p">,</span> <span class="nx">deployment_config</span><span class="o">=</span><span class="nx">codedeploy</span><span class="p">.</span><span class="nx">LambdaDeploymentConfig</span><span class="p">.</span><span class="nx">CANARY_10_PERCENT_5_MINUTES</span><span class="p">,</span> <span class="nx">alarms</span><span class="o">=</span><span class="p">[</span><span class="nx">create_error_alarm</span><span class="p">],</span> <span class="nx">auto_rollback</span><span class="o">=</span><span class="nx">codedeploy</span><span class="p">.</span><span class="nc">AutoRollbackConfig</span><span class="p">(</span> <span class="nx">failed_deployment</span><span class="o">=</span><span class="nx">True</span><span class="p">,</span> <span class="nx">stopped_deployment</span><span class="o">=</span><span class="nx">True</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>The configuration I’ve used is:</p> <ul> <li>route 10% of traffic to the new version for 5 minutes <ul> <li>if no errors, shift to 100% instantly</li> <li>if errors, roll back to the previous version</li> </ul> </li> </ul> <p>When you start your deployment via <code>cdk deploy</code> , if you go to your AWS Console and go to CodeDeploy, you will see the following interface and see how your deployment is going:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkun8iw70eigv817dohj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkun8iw70eigv817dohj5.png" alt="Example of the Canary Deployment of a Lambda" width="800" height="468"></a></p> <p>I’ve written about the deployment configuration in my other blog post which focuses more on Canary Deployments. If you are interested in more details, please check out my other post by clicking on the link <a href="https://medium.com/aws-in-plain-english/i-built-a-safety-net-for-my-aws-deployments-heres-the-code-f91f9957f301" rel="noopener noreferrer">here</a>.</p> <h1> Best Practices and Lessons Learned </h1> <p>A couple of lessons and best practices I’ve learned:</p> <ul> <li>use aliases for everything in production <ul> <li>never point to a specific Lambda version, only aliases</li> </ul> </li> <li>canary deployments don’t work for all triggers <ul> <li>SQS, Kinesis and DynamoDB streams are not supported — canaries can only apply where AWS can split traffic, like API Gateway and Application Load Balancer</li> </ul> </li> <li>versioning increases storage <ul> <li>old Lambda code versions can accumulate, so consider lifecycle cleanup of unused Lambda versions</li> </ul> </li> <li>never forget about cold starts <ul> <li>it’s very useful to have a latency alarm during deployment, however, keep in mind that Lambda’s cold starts + regular execution time can trigger the alarm too!</li> </ul> </li> </ul> <h1> Conclusion </h1> <p>Your Lambda deployments don’t have to be risky. By combining all of the points we’ve went over in this blog post, like versions, aliases and canary deployments, you can get a predictable, reversible and fully automated rollouts — with zero downtime!</p> <p>In a production-grade system, implementation of this pattern should be a no-brainer.</p> aws python devops webdev Matia Rašetina Tue, 25 Nov 2025 09:00:00 +0000 https://forem.com/mate32/pynamodb-tutorial-build-production-ready-dynamodb-crud-apis-in-aws-lambda-i35 https://forem.com/mate32/pynamodb-tutorial-build-production-ready-dynamodb-crud-apis-in-aws-lambda-i35 <p>I've been building on AWS for multiple years now, and one of the most repetitive parts I found was writing crude operations for DynamoDB. Every project starts the same:</p> <ul> <li>use <code>boto3</code> to define the table</li> <li>define a big JSON payload JUST to fetch some data from the table</li> <li>copy-and-paste methods from previous projects for all CRUD operations, basically adding boilerplate code</li> </ul> <p>That's when I found out about a library called <code>PynamoDB</code> , a lightweight ORM for DynamoDB tables and that changed the way I manipulate table’s data.</p> <p>Welcome to the part two of creating code for a real estate platform where in the first post we went over a pipeline of labeling main parts of the properties and now we're gonna go over Lambdas which are responsible for CRUD operations.</p> <p>The code in this post will be a shortened version than the one from the full project, just to make it as simple as possible. The full code used on the platform will be available in the next blog posts.</p> <p>In this post, I’ll break down how I put together a simple CRUD stack using:</p> <ul> <li>PynamoDB for the data model</li> <li>Lambda functions for the business logic and interaction with the DynamoDB table via PynamoDB model</li> </ul> <p>The whole goal is ease of use — a DynamoDB-backed CRUD pattern that feels as natural as working with a traditional ORM, but with all the serverless benefits of AWS.</p> <p>AWS CDK code won’t be mentioned in this blog post, however it will be available on the GitHub repository which you can find by clicking on this link.</p> <h1> Which AWS resource are we using? </h1> <p>All resources will be created via AWS CDK in Python.</p> <p>We will start off with AWS Lambda - here is a short description of the Lambdas and what they do:</p> <ul> <li>Create Property Lambda - enter received property information, put it into the DynamoDB table and provide the user pre-signed URLs for property image uploads to the S3 bucket</li> <li>Get Property Lambda - read all or a specific property from the database</li> <li>Update Property Lambda - update the specific property entry which is inside the database</li> <li>Delete Property Lambda - delete all images and entry inside the database</li> </ul> <p>Of course, since we are showcasing the PynamoDB library, we need to use DynamoDB as our database.</p> <h1> Why should I use PynamoDB instead of boto3.client? </h1> <p>Well, great question! Take a look at the Python snippets which compares the syntax for both libraries:</p> <p><strong>With boto3.client:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">item</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">PROPERTY#</span><span class="si">{</span><span class="n">property_id</span><span class="si">}</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">price</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">N</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">500000</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">Beautiful Home</span><span class="sh">'</span><span class="p">},</span> <span class="sh">'</span><span class="s">createdAt</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">S</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">2024-01-15T10:30:00Z</span><span class="sh">'</span><span class="p">}</span> <span class="p">}</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">TableName</span><span class="o">=</span><span class="sh">'</span><span class="s">Properties</span><span class="sh">'</span><span class="p">,</span> <span class="n">Item</span><span class="o">=</span><span class="n">item</span><span class="p">)</span> </code></pre> </div> <p><strong>With PynamoDB:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">property_item</span> <span class="o">=</span> <span class="nc">PropertyModel</span><span class="p">(</span> <span class="n">property_id</span><span class="o">=</span><span class="n">property_id</span><span class="p">,</span> <span class="n">price</span><span class="o">=</span><span class="mi">500000</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="sh">'</span><span class="s">Beautiful Home</span><span class="sh">'</span><span class="p">,</span> <span class="n">createdAt</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">)</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> </code></pre> </div> <p>Notice how PynamoDB handles type conversion automatically - no more wrapping everything in <code>{'S': ...}</code> or <code>{'N': ...}</code> dictionaries!</p> <h1> Designing the PynamoDB model </h1> <p>Here is the PynamoDB model which I’ve used for my real estate platform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">from</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">environ</span> <span class="kn">from</span> <span class="n">pynamodb.models</span> <span class="kn">import</span> <span class="n">Model</span> <span class="kn">from</span> <span class="n">pynamodb.attributes</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">UnicodeAttribute</span><span class="p">,</span> <span class="n">NumberAttribute</span><span class="p">,</span> <span class="n">UTCDateTimeAttribute</span><span class="p">,</span> <span class="n">MapAttribute</span><span class="p">,</span> <span class="n">ListAttribute</span><span class="p">,</span> <span class="n">BooleanAttribute</span><span class="p">,</span> <span class="n">JSONAttribute</span> <span class="p">)</span> <span class="k">class</span> <span class="nc">PropertyModel</span><span class="p">(</span><span class="n">Model</span><span class="p">):</span> <span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">table_name</span> <span class="o">=</span> <span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">PROPERTY_TABLE_NAME</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">SimplifiedPropertyTable</span><span class="sh">'</span><span class="p">)</span> <span class="n">region</span> <span class="o">=</span> <span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">AWS_REGION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">eu-central-1</span><span class="sh">'</span><span class="p">)</span> <span class="n">PK</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">hash_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">SK</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">range_key</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nb">id</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">()</span> <span class="n">title</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">description</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">price</span> <span class="o">=</span> <span class="nc">NumberAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">address</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">city</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">state</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="nb">zip</span> <span class="o">=</span> <span class="nc">UnicodeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">createdAt</span> <span class="o">=</span> <span class="nc">UTCDateTimeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="n">updatedAt</span> <span class="o">=</span> <span class="nc">UTCDateTimeAttribute</span><span class="p">(</span><span class="n">null</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">property_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="k">if</span> <span class="n">property_id</span><span class="p">:</span> <span class="n">kwargs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">'</span><span class="s">PK</span><span class="sh">'</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">PROPERTY#</span><span class="si">{</span><span class="n">property_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">kwargs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">'</span><span class="s">SK</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">METADATA</span><span class="sh">"</span><span class="p">)</span> <span class="n">kwargs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">,</span> <span class="n">property_id</span><span class="p">)</span> <span class="n">kwargs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">'</span><span class="s">createdAt</span><span class="sh">'</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="n">kwargs</span><span class="p">.</span><span class="nf">setdefault</span><span class="p">(</span><span class="sh">'</span><span class="s">updatedAt</span><span class="sh">'</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> </code></pre> </div> <p>You can see that there are many information here, from numbers, booleans, lists, strings.</p> <p>When using PynamoDB, it’s important to understand how PynamoDB interprets your data. You can see many new objects like <code>UnicodeAttribute</code> , <code>BooleanAttribute</code> , <code>ListAttribute</code> and others. Here are the Python-PynamoDB equivalents:</p> <ul> <li> <code>NumberAttribute</code> - integer or float</li> <li> <code>ListAttribute</code> - list or array</li> <li> <code>UnicodeAttribute</code> - string</li> <li> <code>BooleanAttribute</code> - boolean</li> <li> <code>JSONAttribute</code> - a JSON object</li> <li> <code>MapAttribute</code> - Python’s dictionary</li> <li> <code>UTCDateTimeAttribute</code> - Python’s <code>datetime.now()</code> method</li> </ul> <p>In this case, every single information about the property was put inside only one database. You may ask “Why?”</p> <p>Two reasons which were crucial for this project:</p> <ul> <li>makes the usage of DynamoDB much cheaper — if we had 2 or more tables, to fetch the data we’d need to call multiple tables, but this way we only call one, which reduces cost</li> <li>no schema migrations - any new data can be easily added to the already existing DynamoDB entry. As I wanted to complete this project as soon as possible, I kept adding data to the table. DynamoDB enabled me that without complaining once.</li> </ul> <p>Also, do you notice the <code>Meta</code> class?</p> <p>The <code>Meta</code> class is incredibly powerful because it externalizes your configuration. Here's what's happening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">Meta</span><span class="p">:</span> <span class="n">table_name</span> <span class="o">=</span> <span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">PROPERTY_TABLE_NAME</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">SimplifiedPropertyTable</span><span class="sh">'</span><span class="p">)</span> <span class="n">region</span> <span class="o">=</span> <span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">AWS_REGION</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">eu-central-1</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p>This means you can use the same code across environments:</p> <p><strong>Development:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PROPERTY_TABLE_NAME</span><span class="o">=</span>dev-properties-table <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>us-east-1 </code></pre> </div> <p><strong>Production:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PROPERTY_TABLE_NAME</span><span class="o">=</span>prod-properties-table <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>eu-central-1 </code></pre> </div> <p>No code changes needed - just different environment variables. This is especially useful when deploying with CDK, as you can set these per stack/stage automatically.</p> <h1> CRUD operations with the PynamoDB model </h1> <h2> Create DynamoDB Entry Lambda </h2> <p>Here is a very simple method which leverages the created PynamoDB model and saves the property information with ease, while creating pre-signed URLs for property images - just use the <code>.save()</code> method:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Create a new property and return presigned URLs for image uploads </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Parse request body </span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">{}</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># Validate required fields </span> <span class="n">required_fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">price</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">address</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">city</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">zip</span><span class="sh">'</span><span class="p">]</span> <span class="n">missing_fields</span> <span class="o">=</span> <span class="p">[</span><span class="n">field</span> <span class="k">for</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">required_fields</span> <span class="k">if</span> <span class="n">field</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">body</span><span class="p">]</span> <span class="k">if</span> <span class="n">missing_fields</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Missing required fields</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">missing</span><span class="sh">"</span><span class="p">:</span> <span class="n">missing_fields</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Missing required fields: </span><span class="si">{</span><span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">missing_fields</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="c1"># Generate unique property ID </span> <span class="n">property_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="c1"># Create property in DynamoDB </span> <span class="n">property_item</span> <span class="o">=</span> <span class="nc">PropertyModel</span><span class="p">(</span> <span class="n">property_id</span><span class="o">=</span><span class="n">property_id</span><span class="p">,</span> <span class="n">title</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">],</span> <span class="n">description</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">],</span> <span class="n">price</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">price</span><span class="sh">'</span><span class="p">],</span> <span class="n">address</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">address</span><span class="sh">'</span><span class="p">],</span> <span class="n">city</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">city</span><span class="sh">'</span><span class="p">],</span> <span class="n">state</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">],</span> <span class="nb">zip</span><span class="o">=</span><span class="n">body</span><span class="p">[</span><span class="sh">'</span><span class="s">zip</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Property created</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">201</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">property</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()</span> <span class="p">})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Error creating property</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to create property</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Get DynamoDB Entry Lambda </h2> <p>There are 2 flows for this Lambda:</p> <ol> <li>if the property ID is provided in the request, query the database for information just for that property</li> <li>scan the table and get all the data</li> </ol> <p>To scan the database, use the <code>pynamodb_model.scan()</code> method or to fetch the precise item from the database, use the <code>pynamodb_model.get('ID_of_item_you_want_to_fetch')</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Get a single property by ID or list all properties </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Check if property_id is provided in query parameters </span> <span class="n">query_params</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">queryStringParameters</span><span class="sh">'</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}</span> <span class="n">property_id</span> <span class="o">=</span> <span class="n">query_params</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">propertyId</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">property_id</span><span class="p">:</span> <span class="c1"># Get single property and handle the case </span> <span class="c1"># if the property requested doesn't exist </span> <span class="k">try</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="n">hash_key</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">PROPERTY#</span><span class="si">{</span><span class="n">property_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">range_key</span><span class="o">=</span><span class="sh">"</span><span class="s">METADATA</span><span class="sh">"</span> <span class="p">)</span> <span class="k">except</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="n">DoesNotExist</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">property_item</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Property retrieved</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">property</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()})</span> <span class="p">}</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># List all properties (scan operation) </span> <span class="n">properties</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">scan</span><span class="p">():</span> <span class="n">properties</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">())</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Properties listed</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">count</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">properties</span><span class="p">)})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="n">properties</span><span class="p">,</span> <span class="sh">"</span><span class="s">total</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">properties</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Error retrieving property</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to retrieve property</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Important note on scanning:</strong> The <code>PropertyModel.scan()</code> operation shown above works great for small datasets, but scanning becomes expensive and slow as your table grows. In production, consider:</p> <ul> <li> <strong>Pagination</strong>: For large result sets, use <code>last_evaluated_key</code> to paginate: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">results</span> <span class="o">=</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">scan</span><span class="p">(</span><span class="n">limit</span><span class="o">=</span><span class="mi">20</span><span class="p">)</span> <span class="k">for</span> <span class="n">item</span> <span class="ow">in</span> <span class="n">results</span><span class="p">:</span> <span class="n">properties</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">())</span> <span class="c1"># Get the last evaluated key for next page </span><span class="k">if</span> <span class="n">results</span><span class="p">.</span><span class="n">last_evaluated_key</span><span class="p">:</span> <span class="n">next_results</span> <span class="o">=</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">scan</span><span class="p">(</span> <span class="n">limit</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="n">last_evaluated_key</span><span class="o">=</span><span class="n">results</span><span class="p">.</span><span class="n">last_evaluated_key</span> <span class="p">)</span> </code></pre> </div> <ul> <li> <strong>Query instead of Scan</strong>: If you frequently filter by city or state, add a Global Secondary Index (GSI) and use <code>PropertyModel.city_index.query('Vienna')</code> instead of scanning everything.</li> <li> <strong>Limit for safety</strong>: Always set a limit in production to prevent timeout issues: <code>PropertyModel.scan(limit=100)</code> </li> </ul> <p>For my real estate platform with hundreds of properties, I added pagination and GSIs for common queries - I'll cover this in a future post!</p> <h2> Update DynamoDB Entry Lambda </h2> <p>Here is the code for updating the property already entered in the platform by using <code>pynamodb_model.update()</code> method:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Update an existing property </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Get property ID from path parameters </span> <span class="n">property_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">pathParameters</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">property_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property ID is required</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="c1"># Parse request body </span> <span class="n">body</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">body</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">{}</span><span class="sh">'</span><span class="p">))</span> <span class="c1"># Get existing property </span> <span class="k">try</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="n">hash_key</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">PROPERTY#</span><span class="si">{</span><span class="n">property_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">range_key</span><span class="o">=</span><span class="sh">"</span><span class="s">METADATA</span><span class="sh">"</span> <span class="p">)</span> <span class="k">except</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="n">DoesNotExist</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">property_item</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="c1"># Update fields </span> <span class="n">update_actions</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">updatable_fields</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">price</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">address</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">city</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">state</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">zip</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">updatable_fields</span><span class="p">:</span> <span class="k">if</span> <span class="n">field</span> <span class="ow">in</span> <span class="n">body</span><span class="p">:</span> <span class="n">update_actions</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">PropertyModel</span><span class="p">,</span> <span class="n">field</span><span class="p">).</span><span class="nf">set</span><span class="p">(</span><span class="n">body</span><span class="p">[</span><span class="n">field</span><span class="p">])</span> <span class="p">)</span> <span class="c1"># Always update the updatedAt timestamp </span> <span class="n">update_actions</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="n">updatedAt</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">())</span> <span class="p">)</span> <span class="k">if</span> <span class="n">update_actions</span><span class="p">:</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">actions</span><span class="o">=</span><span class="n">update_actions</span><span class="p">)</span> <span class="c1"># Refresh the item to get updated values </span> <span class="n">property_item</span><span class="p">.</span><span class="nf">refresh</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Property updated</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">property</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">to_dict</span><span class="p">()})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Error updating property</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to update property</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Delete DynamoDB Entry Lambda </h2> <p>The request should provide the property ID, and delete the property details by using the <code>pynamodb_model.delete()</code> method:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Delete a property by ID </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Get property ID from path parameters </span> <span class="n">property_id</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">pathParameters</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">property_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property ID is required</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="c1"># Get existing property </span> <span class="c1"># and catch the PropertyModel.DoesNotExist error </span> <span class="c1"># if the property ID is not found inside the DynamoDB </span> <span class="k">try</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="n">hash_key</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">PROPERTY#</span><span class="si">{</span><span class="n">property_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">range_key</span><span class="o">=</span><span class="sh">"</span><span class="s">METADATA</span><span class="sh">"</span> <span class="p">)</span> <span class="k">except</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="n">DoesNotExist</span><span class="p">:</span> <span class="n">property_item</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">property_item</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property not found</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="c1"># Delete the property </span> <span class="n">property_item</span><span class="p">.</span><span class="nf">delete</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Property deleted</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property deleted successfully</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Error deleting property</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">'</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">'</span><span class="p">:</span> <span class="n">ALLOWED_ORIGIN</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Failed to delete property</span><span class="sh">"</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h1> Error and Race Condition Handling </h1> <p>One thing to be aware of when building production CRUD operations: <strong>concurrent updates</strong>.</p> <p>Imagine two users trying to update the same property price simultaneously. Without proper handling, the last write wins and one update gets lost.</p> <p>PynamoDB supports conditional writes using conditions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">pynamodb.expressions.condition</span> <span class="kn">import</span> <span class="n">Condition</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># ... existing code to get property_item ... </span> <span class="c1"># Only update if the price hasn't changed since we read it </span> <span class="n">original_price</span> <span class="o">=</span> <span class="n">property_item</span><span class="p">.</span><span class="n">price</span> <span class="k">try</span><span class="p">:</span> <span class="n">property_item</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span><span class="n">PropertyModel</span><span class="p">.</span><span class="n">price</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">new_price</span><span class="p">)],</span> <span class="n">condition</span><span class="o">=</span><span class="p">(</span><span class="n">PropertyModel</span><span class="p">.</span><span class="n">price</span> <span class="o">==</span> <span class="n">original_price</span><span class="p">)</span> <span class="p">)</span> <span class="k">except</span> <span class="n">PropertyModel</span><span class="p">.</span><span class="n">UpdateError</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">409</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Property was modified by another user. Please refresh and try again.</span><span class="sh">"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>This is especially important for sensitive fields like price or availability status. For my platform, I use conditional updates when changing property status to prevent double-booking scenarios.</p> <h1> Deployment process </h1> <p>Very easy! You can take the GitHub repository provided and just run <code>cdk deploy</code> inside your terminal window!</p> <p>Just make sure your AWS credentials are correctly setup on your machine.</p> <h1> Future work &amp; Conclusion </h1> <p>Now that we went over how to use PynamoDB ORM usage, the next questions should be:</p> <ul> <li>how do we want to protect our <code>CreateProperty</code> , <code>UpdateProperty</code> and <code>DeleteProperty</code> Lambdas? <ul> <li>my choice? AWS Cognito makes it very easy to protect the endpoints via an AWS API Gateway Authorizer method</li> </ul> </li> <li>single Lambda handling multiple HTTP methods? <ul> <li>everything is in one place, however code maintenance might become an issue</li> </ul> </li> <li>Improving Lambda performance by implementing Global Secondary Indexes inside the DynamoDB table <ul> <li>this could be implemented based on which data the users mostly get</li> </ul> </li> </ul> <p>Ever since I’ve found out about PynamoDB, I’ve been using it constantly in every project. It just makes it so easy to add, access and modify the data which is in the DynamoDB table. Hopefully it helps you in your coding!</p> <p>Thank you for reading! See you in the next post!</p> aws database serverless programming Matia Rašetina Mon, 17 Nov 2025 09:18:42 +0000 https://forem.com/mate32/designing-a-scalable-image-labeling-workflow-with-aws-s3-sqs-lambda-rekognition-and-bedrock-48e4 https://forem.com/mate32/designing-a-scalable-image-labeling-workflow-with-aws-s3-sqs-lambda-rekognition-and-bedrock-48e4 <h1> Introduction </h1> <p>Managing the data on a real estate platform at scale can be a very challenging task — from tracking properties and images to generating useful summaries for buyers and sellers. Traditional real estate applications use very simple architecture, without adapting to the newest AI available features.</p> <p>That’s why I’ve decided to create a new real estate platform. The one where:</p> <ul> <li>you will learn how to batch data and lower the Lambda bill by up to 10x</li> <li>integration of AWS Rekognition and Bedrock</li> <li>learn how to create real-world architecture pattern that’s not beginner-level</li> </ul> <p>This new platform will be full with AI features, powered by technologies like NextJS for the frontend and AWS for the backend. We’ll take this project apart, take a deep dive into all parts of this project, from CI/CD deployments, mock testing to deploying via Lambda aliases and canary deployments.</p> <p>In this post, I’ll walk through a <strong>serverless, event-driven backend</strong> I built entirely with <strong>AWS CDK in Python</strong>, designed to create labels to describe the images of properties and summaries of properties based on those labels. The automatic image analysis is done by using <strong>Amazon Rekognition</strong>, and AI-generated property summaries with <strong>AWS Bedrock</strong>. The system leverages <strong>S3, Lambda, SQS and DynamoDB</strong> to create a <strong>scalable, cost-efficient, and resilient</strong> solution that can process thousands of images and generate real-time insights — all without managing servers.</p> <p>By the end of this post, you’ll understand how to design <strong>modular serverless pipelines</strong>, implement <strong>event-driven workflows</strong>, and integrate <strong>AI-powered summarization</strong> into your own applications.</p> <p>All code can be found at the GitHub repository by clicking on the <a href="https://github.com/mate329/s3-lambda-rekognition-bedrock-labeling" rel="noopener noreferrer">this link.</a></p> <p>Let’s start!</p> <h1> Architecture Overview of AWS Rekognition Image Labeling </h1> <p>Here is an architecture diagram, which executes when the user uploads an image of the property to the pre-signed URL provided by our property service for creating an property inside our system.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9rlb0idadgykep7721q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb9rlb0idadgykep7721q.png" alt=" " width="800" height="386"></a></p> <p>When the image is fully uploaded to S3, S3 sends an Event Notification to SQS with the information about the uploaded image. </p> <p>Now, imagine receiving 100 images and not having them batched. That would mean that the system needs to spin up 100 Lambdas, but if we configure the batching setting to 10 that would mean 10 times less than the invocations which lowers cost.</p> <p>That’s why the backend is configured to batch up to 10 Event Notifications inside the queue, and those 10 messages are sent to the land to lower cold starts and to lower cost. It’s worth mentioning that this setting can be changed on your project’s requirements.</p> <p>The Lambda takes each of the image and send it to AWS Rekognition for it to do the image analysis, to create labels based on the image. Also, in the payload we ask Rekognition to only return labels in which it’s 75% confident. After the labels are received, they are saved inside the DynamoDB database for that particular image</p> <h1> Code Deep-Dive - AWS Rekognition Label Detection </h1> <p>Let's take a closer look into the configuration of this pipeline and how can you do it yourself. This section will only contain snippets, but you can take a closer look into the <code>app.py</code> file which can be found on GitHub.</p> <p>Here is the CDK code for initializing the Lambda resource, the SQS queue, the DynamoDB table and the S3 bucket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># S3 bucket for property images </span><span class="n">self</span><span class="p">.</span><span class="n">property_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PropertyBucket</span><span class="sh">"</span><span class="p">,</span> <span class="n">versioned</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="n">auto_delete_objects</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">public_read_access</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">block_public_access</span><span class="o">=</span><span class="n">s3</span><span class="p">.</span><span class="nc">BlockPublicAccess</span><span class="p">(</span> <span class="n">block_public_acls</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">block_public_policy</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">ignore_public_acls</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">restrict_public_buckets</span><span class="o">=</span><span class="bp">False</span> <span class="p">),</span> <span class="n">cors</span><span class="o">=</span><span class="p">[</span> <span class="n">s3</span><span class="p">.</span><span class="nc">CorsRule</span><span class="p">(</span> <span class="n">allowed_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allowed_methods</span><span class="o">=</span><span class="p">[</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">PUT</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">POST</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">DELETE</span><span class="p">,</span> <span class="n">s3</span><span class="p">.</span><span class="n">HttpMethods</span><span class="p">.</span><span class="n">GET</span> <span class="p">],</span> <span class="n">allowed_origins</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">max_age</span><span class="o">=</span><span class="mi">3000</span> <span class="p">)</span> <span class="p">]</span> <span class="p">)</span> <span class="c1"># Property Images Table - stores individual image metadata and analysis </span><span class="n">self</span><span class="p">.</span><span class="n">property_images_table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">PropertyImagesTable</span><span class="sh">"</span><span class="p">,</span> <span class="n">partition_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PK</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span><span class="p">),</span> <span class="n">sort_key</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="nc">Attribute</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">SK</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">AttributeType</span><span class="p">.</span><span class="n">STRING</span><span class="p">),</span> <span class="n">billing_mode</span><span class="o">=</span><span class="n">dynamodb</span><span class="p">.</span><span class="n">BillingMode</span><span class="p">.</span><span class="n">PAY_PER_REQUEST</span><span class="p">,</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># SQS Queue for image upload events - batches multiple uploads </span><span class="n">image_queue</span> <span class="o">=</span> <span class="n">sqs</span><span class="p">.</span><span class="nc">Queue</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ImageAnalysisQueue</span><span class="sh">"</span><span class="p">,</span> <span class="n">visibility_timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">360</span><span class="p">),</span> <span class="n">retention_period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">14</span><span class="p">),</span> <span class="n">removal_policy</span><span class="o">=</span><span class="n">RemovalPolicy</span><span class="p">.</span><span class="n">DESTROY</span> <span class="p">)</span> <span class="c1"># Image Analysis Lambda - Triggered by SQS with batching </span><span class="n">image_analysis_code_dir</span> <span class="o">=</span> <span class="sh">"</span><span class="s">./ImageAnalysisHandler</span><span class="sh">"</span> <span class="n">image_analysis_fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ImageAnalysisLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="n">image_analysis_code_dir</span><span class="p">),</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">PROPERTY_IMAGES_TABLE</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">property_images_table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">PROPERTY_BUCKET</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">property_bucket</span><span class="p">.</span><span class="n">bucket_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">CODE_VERSION</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_code_hash</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">60</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Also, we need to add the necessary IAM permissions to the Lambda to have read-only access to images inside S3, write-only permissions to the <code>PropertyImagesTable</code> , and to be able to call the AWS Rekognition API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Enabling read-only access to S3 </span><span class="n">self</span><span class="p">.</span><span class="n">property_bucket</span><span class="p">.</span><span class="nf">grant_read</span><span class="p">(</span><span class="n">image_analysis_fn</span><span class="p">)</span> <span class="c1"># Enabling write-only access to the PropertyImages Table </span><span class="n">self</span><span class="p">.</span><span class="n">property_images_table</span><span class="p">.</span><span class="nf">grant_write_data</span><span class="p">(</span><span class="n">image_analysis_fn</span><span class="p">)</span> <span class="c1"># Enabling the Lambda to be able to call the Rekognition # service to detect labels </span><span class="n">image_analysis_fn</span><span class="p">.</span><span class="nf">add_to_role_policy</span><span class="p">(</span> <span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">rekognition:DetectLabels</span><span class="sh">"</span><span class="p">],</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Now, we need to tell our CDK code to:</p> <ul> <li>create an Event Notification on image upload to S3</li> <li>send that Event Notification for the particular image to SQS</li> <li>tell SQS queue to invoke our <code>ImageAnalysisHandler</code> Lambda with 10 batched notifications at most</li> </ul> <p>We can do that with the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># S3 Event Notification </span><span class="n">self</span><span class="p">.</span><span class="n">property_bucket</span><span class="p">.</span><span class="nf">add_event_notification</span><span class="p">(</span> <span class="n">s3</span><span class="p">.</span><span class="n">EventType</span><span class="p">.</span><span class="n">OBJECT_CREATED</span><span class="p">,</span> <span class="c1"># Create the notification only when an object is uploaded </span> <span class="n">s3n</span><span class="p">.</span><span class="nc">SqsDestination</span><span class="p">(</span><span class="n">image_queue</span><span class="p">),</span> <span class="c1"># Put the notification inside the SQS queue </span> <span class="n">s3</span><span class="p">.</span><span class="nc">NotificationKeyFilter</span><span class="p">(</span><span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">properties/</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Only send the Notificaiton if it's uploaded to the "properties" folder </span><span class="p">)</span> <span class="c1"># Lambda SQS Event Source </span><span class="n">image_analysis_fn</span><span class="p">.</span><span class="nf">add_event_source</span><span class="p">(</span> <span class="n">lambda_event_sources</span><span class="p">.</span><span class="nc">SqsEventSource</span><span class="p">(</span> <span class="n">image_queue</span><span class="p">,</span> <span class="c1"># Take payloads from the SQS queue </span> <span class="n">batch_size</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="c1"># Batch up to 10 payloads to reduce cost </span> <span class="n">max_batching_window</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">2</span><span class="p">),</span> <span class="c1"># Wait for 2 seconds to fill up the batch </span> <span class="n">report_batch_item_failures</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Now that we’ve created our infrastructure, let’s take a look at the main method inside our Lambda which takes the images from S3 and gets the labels from Rekognition. As previously said, if you need the full Lambda code, it is available on the provided GitHub link.</p> <p>What makes using Rekognition great is that you can tell it the image location inside the created S3 bucket and it’s going to do everything else for you - no extra payload fields!</p> <p>I’ve configured my payload to make Rekognition return 5 labels at most and it needs to be at least 75% confident in it’s label recognition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">analyze_image_with_rekognition</span><span class="p">(</span><span class="n">bucket_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">object_key</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Use AWS Rekognition to detect labels only Returns: dict: Analysis results with labels </span><span class="sh">"""</span> <span class="n">analysis</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">labels</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Detect labels </span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Detecting labels</span><span class="sh">"</span><span class="p">)</span> <span class="n">labels_response</span> <span class="o">=</span> <span class="n">rekognition_client</span><span class="p">.</span><span class="nf">detect_labels</span><span class="p">(</span> <span class="n">Image</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">S3Object</span><span class="sh">'</span><span class="p">:</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Bucket</span><span class="sh">'</span><span class="p">:</span> <span class="n">bucket_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">:</span> <span class="n">object_key</span> <span class="p">}</span> <span class="p">},</span> <span class="n">MaxLabels</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">MinConfidence</span><span class="o">=</span><span class="mi">75</span> <span class="p">)</span> <span class="n">analysis</span><span class="p">[</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">label</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">],</span> <span class="sh">'</span><span class="s">confidence</span><span class="sh">'</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">label</span><span class="p">[</span><span class="sh">'</span><span class="s">Confidence</span><span class="sh">'</span><span class="p">],</span> <span class="mi">2</span><span class="p">)</span> <span class="p">}</span> <span class="k">for</span> <span class="n">label</span> <span class="ow">in</span> <span class="n">labels_response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Labels</span><span class="sh">'</span><span class="p">,</span> <span class="p">[])</span> <span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Detected </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">analysis</span><span class="p">[</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">])</span><span class="si">}</span><span class="s"> labels</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Failed to detect labels</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)})</span> <span class="k">return</span> <span class="n">analysis</span> </code></pre> </div> <p>Lastly, the Lambda saves the results to the <code>PropertyImagesTable</code> DynamoDB table via the PynamoDB model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">save_image_analysis</span><span class="p">(</span><span class="n">property_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">image_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">image_key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">analysis</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Save image metadata and analysis results to PropertyImageTable using PropertyImageModel. </span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Create image record using Pynamodb model </span> <span class="n">image_item</span> <span class="o">=</span> <span class="n">PropertyImageModel</span><span class="p">.</span><span class="nf">create_image</span><span class="p">(</span> <span class="n">property_id</span><span class="o">=</span><span class="n">property_id</span><span class="p">,</span> <span class="n">image_name</span><span class="o">=</span><span class="n">image_name</span><span class="p">,</span> <span class="n">image_key</span><span class="o">=</span><span class="n">image_key</span><span class="p">,</span> <span class="n">labels</span><span class="o">=</span><span class="n">analysis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]),</span> <span class="n">analyzedAt</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">)</span> <span class="c1"># Save to DynamoDB </span> <span class="n">image_item</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Image analysis saved to PropertyImageTable</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">image_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">image_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">labels_count</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">analysis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">labels</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]))</span> <span class="p">})</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Failed to save image analysis</span><span class="sh">"</span><span class="p">,</span> <span class="n">extra</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="sh">"</span><span class="s">property_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">image_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">image_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_key</span> <span class="p">},</span> <span class="n">exc_info</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <h1> Architecture Overview - AWS Bedrock Property Summarization </h1> <p>Here is a simple overview of the Summarization part:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymwdovz82l0z1rjba96g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymwdovz82l0z1rjba96g.png" alt=" " width="384" height="438"></a></p> <p>The Lambda is available to the user via API Gateway, and when the user calls the URL, Lambda fetches all images from the <code>PropertyImagesTable</code> for the requested property and sends those labels to an AWS Bedrock model to get the summary.</p> <p>We are using the <code>amazon.nova-micro-v1:0</code> model, which is the cheapest model I found inside the model repository and it got the job done!</p> <p>It’s worth mentioning that we won’t be opening this Lambda up to the Internet for now - this part of the backend is a part of the bigger project which will be covered in next blog posts and that’s why this part may seem simple! The following code will be enough to get you off the ground in any Bedrock integration!</p> <h1> Code Deep-Dive - AWS Bedrock Property Summarization </h1> <p>Here is the CDK code for generating necessary resources and adding necessary IAM permissions for accessing the Bedrock model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add Bedrock permissions to the role </span><span class="n">bedrock_lambda_role</span><span class="p">.</span><span class="nf">add_to_policy</span><span class="p">(</span> <span class="n">iam</span><span class="p">.</span><span class="nc">PolicyStatement</span><span class="p">(</span> <span class="n">effect</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="n">Effect</span><span class="p">.</span><span class="n">ALLOW</span><span class="p">,</span> <span class="n">actions</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">bedrock:InvokeModel</span><span class="sh">"</span><span class="p">,</span> <span class="p">],</span> <span class="n">resources</span><span class="o">=</span><span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:bedrock:*:</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">account</span><span class="si">}</span><span class="s">:inference-profile/eu.amazon.nova-micro-v1:0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">arn:aws:bedrock:*::foundation-model/amazon.nova-micro-v1:0</span><span class="sh">"</span> <span class="p">],</span> <span class="p">)</span> <span class="p">)</span> <span class="c1"># Bedrock Summary Generation Lambda </span><span class="n">summary_generation_code_dir</span> <span class="o">=</span> <span class="sh">"</span><span class="s">./GetPropertySummaryHandler</span><span class="sh">"</span> <span class="n">summary_generation_fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">SummaryGenerationLambda</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">handler.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_asset</span><span class="p">(</span><span class="n">summary_generation_code_dir</span><span class="p">),</span> <span class="n">role</span><span class="o">=</span><span class="n">bedrock_lambda_role</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">PROPERTY_IMAGES_TABLE</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">property_images_table</span><span class="p">.</span><span class="n">table_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">BEDROCK_MODEL_ID</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">eu.amazon.nova-micro-v1:0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALLOWED_ORIGIN</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Giving the SummaryGenerationLambda permissions to # look into the DynamoDB tables </span><span class="n">self</span><span class="p">.</span><span class="n">property_images_table</span><span class="p">.</span><span class="nf">grant_read_data</span><span class="p">(</span><span class="n">summary_generation_fn</span><span class="p">)</span> </code></pre> </div> <p>Now, the Lambda code - to be completely honest, I expected this part to be way harder to configure, but it was really easy!</p> <p>Building the <code>request_body</code> JSON was interesting, because inside the <code>request_body.system.text</code> , you can define how to customize the response of the model. The model was instructed to act as following:</p> <blockquote> <p>You are an experienced real estate agent creating property listings. Write concise, appealing, and professional property descriptions that highlight key features and amenities based on the labels provided. Keep descriptions brief (up to 10 sentences) and focus on what makes the property attractive to potential buyers or renters. Use descriptive language but remain factual based on the provided information.</p> </blockquote> <p>You can also configure the maximum response length via a field <code>max_new_tokens</code> which was set to 200 to keep the costs as low as possible. In addition, configuration fields like <code>temperature</code> and <code>top_p</code> were used - for more information about this, please see this blog post by clicking on <a href="https://medium.com/@1511425435311/understanding-openais-temperature-and-top-p-parameters-in-language-models-d2066504684f" rel="noopener noreferrer">this link</a>.</p> <p>Here is the code to get the response from the Bedrock model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Initialize AWS clients </span><span class="n">BEDROCK_CLIENT</span> <span class="o">=</span> <span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">bedrock-runtime</span><span class="sh">"</span><span class="p">)</span> <span class="n">BEDROCK_MODEL_ID</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">BEDROCK_MODEL_ID</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Fetch labels from PropertyImagesTable using model </span><span class="n">images</span> <span class="o">=</span> <span class="n">PropertyImageModel</span><span class="p">.</span><span class="nf">get_property_images</span><span class="p">(</span><span class="n">property_id</span><span class="p">)</span> <span class="c1"># Extract all unique labels from all images </span><span class="n">all_labels</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">image_item</span> <span class="ow">in</span> <span class="n">images</span><span class="p">:</span> <span class="k">for</span> <span class="n">label</span> <span class="ow">in</span> <span class="n">image_item</span><span class="p">.</span><span class="n">labels</span> <span class="ow">or</span> <span class="p">[]:</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">label</span><span class="p">,</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">label_name</span> <span class="o">=</span> <span class="n">label</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">)</span> <span class="k">if</span> <span class="n">label_name</span><span class="p">:</span> <span class="n">all_labels</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">label_name</span><span class="p">)</span> <span class="k">elif</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">label</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span> <span class="n">all_labels</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">label</span><span class="p">)</span> <span class="n">property_labels_str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nf">set</span><span class="p">(</span><span class="n">all_labels</span><span class="p">))</span> <span class="n">request_body</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">system</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">You are an experienced real estate agent creating property listings. Write concise, appealing, and professional property descriptions that highlight key features and amenities based on the labels provided. Keep descriptions brief (up to 10 sentences) and focus on what makes the property attractive to potential buyers or renters. Use descriptive language but remain factual based on the provided information.</span><span class="sh">"</span> <span class="p">}</span> <span class="p">],</span> <span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">property_labels_str</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">],</span> <span class="sh">"</span><span class="s">inferenceConfig</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">max_new_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">temperature</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.7</span><span class="p">,</span> <span class="sh">"</span><span class="s">top_p</span><span class="sh">"</span><span class="p">:</span> <span class="mf">0.9</span> <span class="p">}</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">BEDROCK_CLIENT</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="n">BEDROCK_MODEL_ID</span><span class="p">,</span> <span class="n">contentType</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">accept</span><span class="o">=</span><span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">request_body</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <h1> Conclusion </h1> <p>This architecture cuts image-processing costs, improves backend reliability and scales with ease.</p> <p>By combining AWS services like S3, Lambda, Rekognition and Bedrock, with the power of AWS CDK as the Infrastructure-as-Code solution, you’ve learned how to create an AI powered pipeline, which can be applied to ANY project.</p> <p>In the following post, we will go over the rest of the Property stack, which is responsible for CRUD operations with best practices and best performance for fetching images from S3 and data from DynamoDB tables.</p> <p>Thank you for reading, see you in the next post!</p> aws webdev ai programming