AWS for M&E Blog

Secure media delivery at the edge on AWS

Amazon Web Services (AWS) provides solutions for media distribution from encoding, packaging, and encryption using AWS Media Services, and broad distribution using the Amazon CloudFront content distribution network (CDN) for improved performance reaching the largest audiences. With the Secure Media Delivery at the Edge on AWS solution, customers can now add an easy-to-use and commonly supported solution to protect high-value live and on-demand content.

Protecting video assets from unauthorized use is key for media customers, as video subscriptions and purchases are a large part of the business. In a subscription-based delivery model, access by non-subscribed viewers to premium content translates into loss of revenue as well as increased costs to serve traffic to unauthorized viewers. In addition, many content owners dictate specific security requirements as part of the agreement to carry their assets (such as geo restrictions, tokenization, and other restrictions).

Token-based access is one of the more common approaches used as the first layer of content protection. It is based on the generation of cryptographically signed tokens scoped to a specific video asset and issued to individual viewers using viewer-specific attributes (for example, source IP address, geo location, browser attributes). In order to access the requested content, a client must attach a valid token to each request that is validated before access is granted. When content is distributed through a CDN like CloudFront, the token validation occurs at the edge by a supported mechanism.

Designing and implementing robust token-based controls for media workloads pose unique challenges in finding effective solutions with broad support. Many existing solutions require cookies, query string parameters, or specific headers in order to function properly. While cookies and custom headers are viable options for websites and apps, some clients block cookies when playing back media and some low-cost set-top boxes don’t support cookies at all. Also, some video services must operate over multiple domain names (serving the manifest, segments, and ads from various domain names), further increasing complexity. Another alternative approach commonly used is signed URLs carrying the token payload in query string parameters. This requires the use of an additional element between the video origin and the CloudFront caching layers continuously appending individual tokens to the manifest. This creates additional scaling considerations, decreasing cache hit ratio, and requires careful parsing and modification of the manifests.

Media consumption operates on a higher scale than other applications, so traditional solutions relying on external permission validation systems have proven problematic compared to those designed specifically for media where validation occurs within the CDN itself. The ideal solution should provide customizations needed by a variety of customers where token structure can be adjusted dynamically and extended as needed using standards-based claims. Also, customers want to enhance their capabilities to respond to an identified source of stream redistribution with the ability to monitor usage and even revoke tokens mid-stream, ceasing playback in the case tokens where leaked and reused.

Secure Media Delivery at the Edge on AWS is designed to address these challenges as a comprehensive implementation of an end-to-end token-based access control workflow that allows only authorized viewers access to content and serves to mitigate pervasive online piracy threats. The solution scales to hundreds of thousands of concurrent viewers with a low incremental cost, which is made possible with CloudFront Functions, the most scalable and lightweight runtime available on CloudFront. While the solution requires minimal effort to integrate into an existing video delivery workflow, it offers the flexibility for advanced customers and AWS Partners to adjust it to unique content restriction requirements or extend it as needed.

This solution is compatible with and has been tested all major AWS and third party origins.

Secure Media Delivery at the Edge on AWS is intended to improve CloudFront-based media workloads, preventing link sharing and designed to allow only authorized users to consume specific content during the time allotted. It also offers additional (optional) modules allowing for revocation of permissions if authorized playback sessions were compromised as a result of piracy.

Optional layered security may be added in the form of digital rights management (DRM) through the use of AWS Elemental MediaPackage. For more information, refer to the content encryption and DRM in MediaPackage documentation.


Secure media stream delivery is designed using a modular architecture, allowing either individual components to be deployed or the entire solution. You may choose to deploy the base module with only the token validation function and key management elements or to implement the entire workflow as depicted in the following diagram. Each component may be edited as needed by developers to add customizations. The solution serves as an incremental layer of protection to pre-existing video streaming distribution pipelines using CloudFront. The gray section in the following diagram represents components that should already exist before the solution is deployed. The media origin server is a source hosting the video content fronted with a CloudFront distribution for delivery. If the auto session revocation module is used, the ‘enable the CloudFront access logs’ option must be used.

A diagram is shown picturing the following: A demo website is show hosted on Amazon S3 containing a web application with an embedded player. Amazon CloudFront serves this content with a Lambda@Edge function attached. The Lambda@Edge function connects to Amazon API Gateway in front of another AWS Lambda script which interacts with an Amazon DynamoDB table. The middle of the diagram contains CloudFront Functions and an AWS WAF rule group to authenticate traffic. An AWS Step Function interacts with AWS Secrets Manager to update the CloudFront Function with new secrets. Below that, the same CloudFront distribution sends its logs to Amazon S3 and speaks to the Media Origin. At the bottom of the diagram is the Auto Session Revocation module. An AWS Lambda script queries an Amazon DynamoDB table which another AWS Lambda function populates. The Lambda is called by Amazon EventBridge, triggering an Amazon Athena query of the Amazon S3 logs from CloudFront. The initial AWS Lambda function will update the AWS WAF rule group.

Base module

The base module includes the AWS CloudFront Function required to validate secure tokens, permitting or denying access to media content. The function code is produced when the solution stack is deployed and the respective function is associated with the cache behaviors where token validation occurs.

Along with the function, the base module includes an AWS Secrets Manager configuration responsible for secure storage of the secret keys used for token generation and validation, rotated periodically according to a schedule.

If utilized, an AWS WAF (an web application firewall) rule group is created to block invalidated tokens. Tokens that are past the revocation period are automatically removed from the rule group, thus lowering costs. The revocation period is a configurable setting defined when deploying the solution.

In order to incorporate the token validation step, another process is required for vending the token compatible with the CloudFront Function logic. To make it as easy, the API module includes an AWS Lambda function behind Amazon API Gateway, exposing a simple process to generate new tokens. Tokens may also be generated remotely (for instance, on a content management system) using the included Node.js library. Note that the tokens are based on JWT (, so you can create tokens in this format using any language supporting JWT.

A solutions diagram picturing AWS WAF and Amazon CloudFront. A CloudFront function is attached to the CloudFront distribution. Behind the AWS WAF is an AWS WAF Rule group holding the rules used by WAF. To the right of the rule group is a Lambda function responsible for updating rules. Blocked sessions are stored in a DynamoDB table which is queried by Lambda. To the top right of the digram is AWS Secrets Manager and Amazon EventBridge. Below that is a state machine diagram that details how secrets are updated. A scheduled task runs during an interval and updates the secrets in the CloudFront function responsible for authentication requests.

Conceptually, the process of acquiring the playback URL with unique token and its validation can be presented as follows:

Playback URL workflow

Note that this solution does not cover the viewer authorization step in the process of acquiring the playback URL with the token. You would need to integrate your own mechanism of managing the user base and their permissions to watch specific video streams.

API module

An optional API module is available that represents a simple content management system (CMS) functionality built on Amazon DynamoDB and Amazon API Gateway integrated with Lambda functions. Using this solution, customers without an existing CMS or who are just experimenting can begin use immediately. Refer to the implementation guide to review possible options to add token generation logic in your application. An optional demo website may be deployed as well to discover what a full solution would look like, making integration even easier. This demo website also helps you quickly test the solution with minimal set up efforts along with the ability to troubleshoot.

If you choose to deploy the demo website (which we recommend deactivating after launching the solution in a production environment), the solution automatically deploys an Amazon Simple Storage Service (Amazon S3) bucket for storing the static website assets and uses the same CloudFront distribution created in front of the API Gateway endpoint.

A graphic is displayed describing the optional content management system workflow. The view will navigate to the CloudFront distribution serving the sample website and APIs. Behind the distribution is are two Lambda scripts behind API Gateway which may be called to generate tokens for playback and to revoke tokens. The Lambdas communicate to a DynamoDB table containing information about the sample assets. The lambda used to generate the token communicates with Secrets Manager for retrieval of the current secret used for authorization. The website contents are stored on an S3 Bucket behind the respective CloudFront distribution.

Auto session revocation module

Another optional module that may be added to the solution is the auto session revocation module. If this is chosen, an Amazon EventBridge rule is run periodically (as per the configuration inputs) launching an AWS Step Functions workflow. The step function then sequentially runs predefined steps revolving around Lambda functions that query Amazon Athena for suspicious video playback activity. Amazon Athena is used as it can directly query CloudFront logs stored in an Amazon S3 bucket. Information about suspicious activity and corresponding session IDs is then published into an Amazon DynamoDB table that is used to ultimately block suspicious traffic via AWS WAF.

A graphic dictation the session revocation workflow. On the left, an S3 Bucket is pictured which contains CloudFront Access Logs. An Amazon EventBridge rule runs the a Step Function periodically. The step function is pictured in separate diagram. The step function prepares an Athena query, starts it, then if there are results from the query, it will save the results to DynamoDB. The DynamoDB table is used in another diagram to query which sessions to add to the WAF rule to block sessions.

The auto session revocation module can only be added through AWS Cloud Development Kit (AWS CDK) deployment. You can find and download the AWS CDK app that launches the solution in the stack in the solution’s code repository. Refer to the implementation guide for more information on how to deploy the solution using AWS CDK.

Example Playback Session

A screenshot of the website is shown. It displayed the request URL to the content management system followed by the full playback URL returned from the content management system used for playback. The URL contains a token in the path. To the right, the JWT token is expanded. The JWT Header and Payload are shown. The Payload contains ip, co, city, reg, sen, exp, headers, intsig, paths, exc, nbf, and ist. There are two buttons on the bottom left. Revoke Current Session and Refresh Token which may be used to do each.

How can I learn more and deploy this solution?

The implementation guide with more details can be found here:

Also visit the solutions implementations page with links to the AWS CloudFormation template and code repository:

The public Github location with source code can be found here:

John Councilman

John Councilman

John Councilman is a Specialized Solutions Architect with AWS Elemental. He has years of experience as an architect for video systems for large telcos to small OTT startups. John lives in Atlanta, GA and enjoys working in his home lab as well as getting out to hike and kayak on weekends.

Kamil Bogacz

Kamil Bogacz

Kamil is an Edge Specialist Solutions Architect at AWS. He advises customers across industries on building performance optimized and secure solutions with AWS Edge Services.

Corneliu Croitoru

Corneliu Croitoru

Corneliu is a developer at heart, specialized on Serverless, Media Streaming and Edge services, and part of the EMEA Prototyping Team, based in Paris. He is building, jointly with customers, the most exciting and innovative prototypes on AWS. Outside of work Corneliu has a passion for street photography.