Restrict access to AWS Elemental MediaPackage v2 using origin access control

AWS Elemental MediaPackage provides customers the ability to deliver live and video on demand (VOD) content securely and reliably at scale. Integrating with other Media Services on AWS and content delivery networks (CDNs) like Amazon CloudFront, MediaPackage offers resilient video origination while reducing media workflow complexity for customers. In 2023, we announced support for low-latency HTTP Live Streaming (LL-HLS) with MediaPackage v2 endpoints, reducing end-to-end latency for live workflows between 5 and 10 seconds, a rate that rivals broadcast video latency.

Configuring MediaPackage v2 endpoints as an origin for CloudFront takes advantage of caching content at the edge inside CloudFront points of presence (PoPs). This results in faster delivery of content and a better experience for the end user. CloudFront provides the ability to protect premium video content with signed cookies, signed URLs, or our Secure Media Delivery at the Edge solution to integrate into your video player clients. In addition, CloudFront geographic restrictions can be used to limit regionalized content based on client geographic location.

Using a MediaPackage v2 endpoint as an origin for CloudFront requires the MediaPackage v2 endpoint policy to be public to the internet. To prevent the bypass of edge security controls provided by CloudFront, customers previously had to maintain static allow lists of CloudFront IP addresses in the MediaPackage v2 origin endpoint policy. This process introduced operational overhead in the ongoing management of the IP allow lists.

Origin access control for MediaPackage v2 endpoint

Starting today, you can use origin access control (OAC) to authorize and secure access to your MediaPackage v2 endpoint origin. The simplified setup needs to be performed only one time. OAC enables CloudFront to cryptographically sign requests using AWS Signature Version 4. This ensures secure communications between your authorized CloudFront distributions and your origin, the MediaPackage v2 endpoint. Making sure communications are secure fortifies your media delivery by ensuring traffic has not bypassed your existing edge security mechanisms. Traffic that is not signed will be denied by the MediaPackage v2 endpoint. With this new capability, you can secure the origin traffic and mitigate the risk of a bypass of CloudFront edge security policies, geographic restrictions, and caching.

Configuring OAC for MediaPackage v2 endpoint

The following step-by-step instructions show you how to configure a MediaPackage v2 endpoint to only allow traffic from a CloudFront distribution with OAC.

Step 1: Create an origin access control setting

  1. In the AWS Management Console, navigate to the CloudFront console and select Origin access on the left-hand menu.
  2. Choose Create control setting.
  3. Provide a Name, then under Signing behavior select Sign requests. For Origin type, select MediaPackage v2. Choose Save changes.

    Figure 1: Creating an OAC policy with origin type MediaPackage V2

Step 2: Update your CloudFront distribution origin settings

  1. In the AWS Management Console, navigate to the CloudFront console.
  2. Select your CloudFront distribution. Under the Origins tab select your MediaPackage v2 origin and choose Edit.
  3. Under Origin access control, from the dropdown menu, select the OAC policy created in step 1 and choose Save changes.

    Figure 2: Configuring your CloudFront distribution to use the newly created OAC policy

  4. Go back to the General tab and make note of the Amazon Resource Name (ARN) of your CloudFront distribution because you will need it in the following steps.

Step 3: Update MediaPackage v2 endpoint policy to allow OAC

Note: In the preceding step, you’ll be provided a link to Update endpoint permissions that will take you directly to the page required to modify your MediaPackage v2 endpoint. If you select this link, skip steps 1 and 2 below and go directly to step 3.

  1. In the AWS Management Console, navigate to MediaPackage v2 channel group and select your channel group.
  2. Select your Channel and then the Origin endpoint you’d like to configure for OAC.
  3. On the endpoint page, choose Edit.

    Figure 3: MediaPackage V2 endpoint origin endpoint

  4. Scroll down to Endpoint policy and select Attach a custom policy.

    Figure 4: Attaching a custom endpoint policy for MediaPackage V2 endpoint

  5. Include the following policy, substituting the AWS:SourceArn value with the ARN of your CloudFront distribution from step 2.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipal",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudfront.amazonaws.com"
                },
                "Action": [
                    "mediapackagev2:GetObject",
                    "mediapackagev2:GetHeadObject"
                ],
                "Resource": "arn:aws:mediapackagev2:us-east-1:xxxxxxxxxxxx:channelGroup/empv2-oac-demo/channel/empv2-oac-demo/originEndpoint/empv2-oac-demo",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": "arn:aws:cloudfront::xxxxxxxxxxxx:distribution/xxxxxxxxxxxxxx"
                    }
                }
            }
        ]
    }
    
  6. Choose Update to save your updated endpoint policy configuration change.
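
The policy from step 5 restricts access only as far as its Principal and AWS:SourceArn condition do. The following Python audit is an added example, not code from the original post or from AWS: it reports endpoint-policy statements that are public or that let the CloudFront service principal through without an exact AWS:SourceArn match, which goes slightly beyond the single policy shown above. The function names and the 111122223333 / EXAMPLEDIST ARNs are constructed placeholders, and the check looks at Allow statements only, not the full IAM evaluation logic.

```python
import json

CLOUDFRONT = "cloudfront.amazonaws.com"
# Constructed placeholder ARN, not a real distribution.
DIST = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(stmt):
    """AWS:SourceArn values under exact-match operators (key names are case-insensitive)."""
    return [arn for op, keys in stmt.get("Condition", {}).items()
            if op in ("StringEquals", "ArnEquals")
            for key, val in keys.items() if key.lower() == "aws:sourcearn"
            for arn in _as_list(val)]

def audit_endpoint_policy(policy_json, distribution_arn):
    """Return findings; an empty list means only distribution_arn may read the endpoint."""
    findings, pinned = [], False
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal", {})
        principal = {"AWS": principal} if isinstance(principal, str) else principal
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append(f"{sid}: public principal, access does not depend on an OAC-signed request")
        elif CLOUDFRONT in _as_list(principal.get("Service", [])):
            arns = _source_arns(stmt)
            if not arns:
                findings.append(f"{sid}: CloudFront principal not pinned by an exact-match AWS:SourceArn")
            elif any(arn != distribution_arn for arn in arns):  # wildcards land here too
                findings.append(f"{sid}: AWS:SourceArn allows an unexpected distribution")
            else:
                pinned = True
    if not pinned and not findings:
        findings.append("no statement allows the expected distribution")
    return findings

def sample_policy(principal, condition):
    """Constructed one-statement policy shaped like the one in step 5."""
    stmt = {"Sid": "Sample", "Effect": "Allow", "Principal": principal,
            "Action": ["mediapackagev2:GetObject", "mediapackagev2:GetHeadObject"],
            "Resource": "arn:aws:mediapackagev2:us-east-1:111122223333:channelGroup/demo/channel/demo/originEndpoint/demo",
            "Condition": condition}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    good = sample_policy({"Service": CLOUDFRONT}, {"StringEquals": {"AWS:SourceArn": DIST}})
    print(audit_endpoint_policy(good, DIST), audit_endpoint_policy(sample_policy("*", {}), DIST))
```

Run it against the policy text you pasted in step 5, passing the distribution ARN noted in step 2; an empty list is the expected result.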

Validating it works

To validate that OAC is working as expected, you’ll perform two HEAD requests using curl, the first to the MediaPackage v2 endpoint directly and the second to the CloudFront distribution we attached an OAC policy to.

MediaPackage v2 endpoint

curl -I "https://pqvrje.egress.szy3xx.mediapackagev2.us-east-1.amazonaws.com/out/v1/empv2-oac-demo/empv2-oac-demo/empv2-oac-demo/index.m3u8"

Result:
HTTP/2 403
date: Thu, 11 Apr 2024 16:07:39 GMT
content-type: application/json
content-length: 28
x-amzn-requestid: 9b9d0d01-4f9c-46c4-8137-2818a4e33bc4
access-control-allow-origin: *
x-amzn-errortype: AccessDeniedException
access-control-expose-headers: x-amzn-requestid,x-amzn-errortype,x-amzn-mediapackage-last-sequence,x-amzn-mediapackage-last-updated,Content-Encoding,Date
access-control-allow-credentials: true

As expected, we can no longer access the MediaPackage v2 endpoint directly because the endpoint policy only allows signed OAC requests coming from the CloudFront distribution.

CloudFront endpoint

curl -I "https://d2pubtaxuzxjmm.cloudfront.net/out/v1/empv2-oac-demo/empv2-oac-demo/empv2-oac-demo/index.m3u8"

Result:
HTTP/2 200
content-type: application/json
content-length: 47
date: Thu, 11 Apr 2024 16:08:12 GMT
x-amzn-requestid: 6f3b48a8-6811-4a7f-a9a2-749b03e17124
x-amzn-mediapackage-endpoint-id: empv2-oac-demo
access-control-allow-origin: *
x-amzn-mediapackage-channel-uniqueid: 44a2bb9e1344470896a305bb26c7e69b
x-amzn-mediapackage-endpoint-uniqueid: 1acbeee66a3c497fa7d3207a704a5d0c
cache-control: max-age=3
access-control-expose-headers: x-amzn-requestid,x-amzn-errortype,x-amzn-mediapackage-last-sequence,x-amzn-mediapackage-last-updated,Content-Encoding,Date
x-amzn-mediapackage-active-input: 1
x-amzn-mediapackage-channel-id: empv2-oac-demo
access-control-allow-credentials: true
x-cache: Miss from cloudfront
via: 1.1 7eeed291abf48890d3f36565208941a8.cloudfront.net (CloudFront)
x-amz-cf-pop: IAD12-P1
x-amz-cf-id: 6BFREkLmnIRGE-sbcfYla6wiPT9jemyUcN2g_mnzEmahmZWTp2kptw==

Success, we get an HTTP 200 response!

Conclusion

In this post, you learned how to configure CloudFront with OAC to limit access to your MediaPackage v2 endpoint. You validated that your configuration was working and that traffic could only be sent through your CloudFront distribution and not directly to the MediaPackage v2 endpoint. Sign in to the CloudFront console and try it out today!

Joe Viggiano

Joe Viggiano is a Principal Solutions Architect helping media and entertainment companies accelerate their adoption of cloud-based solutions.