CloudFront Signed Cookies for Private Content

Posted on: Mar 12, 2015

Amazon CloudFront now gives you a new way to secure your private content: CloudFront signed HTTP cookies. In the past, you could control who is able to access your CloudFront content by adding a custom signature to each object URL. Now you can get that same degree of control by including the signature in an HTTP cookie instead. This lets you restrict access to multiple objects (e.g., whole-site authentication) or to a single object without needing to change URLs.

Signed HTTP cookies make it easy to restrict viewer access to your streaming media content. For example, if your media content is in HTTP Live Streaming (HLS) format, you can use Amazon Elastic Transcoder or your media server to generate the playlist and media segments. You then write your web application to authenticate each user and to send a Set-Cookie header that sets a cookie on the user's device. When a user requests a restricted object, the browser forwards the signed cookie in the request, and CloudFront checks the cookie attributes to determine whether to allow or restrict access to the HLS stream. CloudFront checks for this cookie when the player requests the playlist and when the player requests each segment, which ensures that the end-to-end stream is secured.

There are no additional charges for using private content with Amazon CloudFront. To learn more, see the Amazon CloudFront Developer Guide. We will also be showing a demo of this functionality in our next CloudFront office hours on Thursday, March 26th. You can sign up for this office hours session here.