New – Amazon CloudFront Signed Cookies for Private Content

My colleague Omid Behzadian sent a guest post with information about a useful new feature for CloudFront.

— Jeff;

Amazon CloudFront now gives you a new way to secure your private content: CloudFront signed HTTP cookies. In the past, you could control who is able to access your CloudFront content by adding a custom signature to each object URL. Now you can get that same degree of control by including the signature in an HTTP cookie instead. This lets you restrict access to multiple objects (e.g., whole site authentication) or to a single object without needing to change URLs.

Signed HTTP cookies make it easy to restrict viewer access to your streaming media content. For example, if your media content is in HTTP Live Streaming (HLS) format, you can use Amazon Elastic Transcoder or your media server to generate the playlist and media segments. You then write your web application to authenticate each user and to send a Set-Cookie header that sets a cookie on the user’s device. When a user requests a restricted object, the browser forwards the signed cookie in the request, and CloudFront checks the cookie attributes to determine whether to allow or restrict access to the HLS stream. CloudFront checks for this cookie when the player requests the playlist and when the player requests each segment, which ensures that the end-to-end stream is secured. Here is a diagram that illustrates this use case:

This is a nice addition to AWS’ growing portfolio of security features targeted for media delivery. You may remember that Amazon Elastic Transcoder released HLS Content Protection earlier this year. Also, be sure to check out a recording of the Secure Media Streaming and Delivery Session at re:Invent for tips on architecting an end-to-end secure media solution on AWS.

There are no additional charges for using private content with Amazon CloudFront. To learn more, see the Amazon CloudFront Developer Guide. The CloudFront team will also be showing a demo of this functionality in the next CloudFront office hours on Thursday, March 26th. You can sign-up for this office hours session here.

— Omid Behzadian, Senior Product Manager