Creating a secure video-on-demand (VOD) platform using AWS
Video has become the primary means of Information sharing and learning. Customers are investing in innovative solutions to tap into the e-learning and video space. Video content is their IP and needs to be protected and securely delivered. Online video is a powerful technology that every industry, from businesses to educational institutions to government agencies, is increasingly taking advantage of.
Many businesses and organizations need a secure streaming solution. In particular, following groups should consider security an absolute necessity: medical institutions, universities and schools, corporations, OTT and media businesses, intellectual privacy and piracy organizations, lawyers, and government offices.
Today, more and more businesses are using video streaming platforms to host and share content. Both live streaming and video-on-demand (VOD) are incredibly powerful tools that businesses and enterprises of all kinds can use to boost revenue, communicate effectively, and build an audience.
AWS provides a simplified way to stream your videos using Amazon S3 and Amazon CloudFront. You don’t want to spin-up a server to transcode your videos in different output formats; Luckily, in this post-cloud world, AWS delivers a serverless option. In this post, we describe how to create a fully automated and secure video-on-demand solution using AWS services.
This serverless, VOD workflow solution is built using several AWS services including Amazon Cognito, AWS AppSync, Amazon S3, AWS Lambda, Amazon DynamoDB, AWS Secrets Manager, AWS Elemental MediaConvert, Amazon CloudFront, AWS Amplify, and AWS CloudFormation.
In this solution, Cognito authenticates users for the web application through Cognito User Pools, which protect access to the GraphQL API. The API has fine-grained access based on the group in the Cognito User Pool. Cognito also generates temporary, limited-privilege AWS credentials for access to upload content into S3.
AppSync, which uses GraphQL API, enables client apps to fetch, change, and subscribe to data from servers. In our solution, we are performing CRUD (Create/Read/Update/Delete) operations on video using GraphQL API and storing the video in a S3 bucket.
Two S3 buckets are used in this workflow: one for storing raw videos and another for storing videos with different output formats and bitrate.
Multiple Lambda functions serve different purposes: triggering MediaConvert jobs, storing metadata in DynamoDB, creating signed URL tokens, and sending notifications as MediaConvert jobs finish.
MediaConvert automatically transcodes the uploaded video in HLS format for 2 Mbps, 1 Mpbs, 600 Kbps, and 400 Kbps. Video content is encoded as adaptive bitrate streams for playout on multiple devices with varying network bandwidth connections.
Secrets Manager securely stores CloudFront private keys, which are then used for signing the CloudFront URL. CloudFront securely delivers the content via CDN Edge locations to authorized users via the application at runtime.
Additional setup information
- Signed Cookies/URLs: Allow CloudFront to configure Expiry Time, Allowed IP Address, FileName for each URL. By default, No Read access is assigned to content distributed by the CDN. Content can only be downloaded and accessed when requested using the proper Signed Cookies generated by the app.
- S3 CORS configuration: Configure which website(s) can be allowed to access the content via S3/CDN. Learn more about S3 CORS configuration in this blog post.
- Amplify and CloudFormation facilitate quick deployment of resources and services involved on the backend of the solution.
Walkthrough of the workflow
- Admin logs into the application, authenticated by Cognito, and uploads the video.
- AppSync uses GraphQL API to upload the video to the S3 Input bucket.
- A Lambda function is triggered as soon as the video is dropped in the Input bucket. This function initiates the MediaConvert job to convert videos in different formats.
- An additional Lambda function is triggered to store the metadata of converted video in DynamoDB.
- Converted videos are then stored in Output bucket.
- CloudFront streams the videos to registered end-users.
- CloudFront signed URLs are generated when authenticated user request the video. The final stream plays as an Apple HLS adaptive bitrate stream.
Benefits of the this solution
- Scalability of video delivery solution using the CloudFront CDN
- Security of video content to prevent unauthorized access and ensure it can’t be played outside the customer’s application using S3 and CloudFront signed URLs
- Automated transcoding of video content using MediaConvert
- Support for multiple devices using adaptive bitrate streaming for playback in all network conditions without buffering delays
- Securely storing and retrieving secret keys from Secrets Manager
- Quickly building and deploying the solution using Amplify and CloudFormation
Deploying the solution in your own environment
Please download this detailed lab guide to build the above solution in your own AWS environment. When you are done testing, be sure to turn off services you deployed as part of this solution to avoid incurring additional costs.
The lab guide consists of following:
- Step-by-step instructions to deploy using AWS Amplify
- CloudFormation templates
- Lambda functions
- MediaConvert job templates
I want to give special thanks to AWS Solutions Architect Sam Patzer for helping develop the code and for troubleshooting issues. The code included in this blog was inspired by his work, available publicly on Github.
This post discussed how developers and architects can use GraphQL API, Lambda functions, Cognito, AWS Elemental Media Services and other AWS services to complete a secure, end-to-end video-on-demand automation process. You can stream videos to end-users at scale, deliver low-latency content, and most importantly, secure your videos from unexpected downloads. This solution removes the complexity of building the development steps manually. You should now be fully equipped to construct a solution in your own environment and demo it to your end-users.