Overview

Protecting video content from unauthorized access is one of the top priorities of media companies. Pirated videos hurt their business through lost subscription or advertising revenue, and through legal liabilities towards content rights holders.

Geo-blocking

When you have rights to stream content exclusively in specific countries, you should block requests coming from other countries. This article explains the different options you have for geo-blocking using CloudFront, AWS WAF and edge functions. When you use AWS WAF for geo-blocking, consider two managed rule groups that are relevant to video streaming for blocking users who use VPNs to bypass your geo-fencing policy:

Simple tokenization solution for web based clients

When your application is only accessed via browsers (as opposed to mobile apps or Smart TVs), consider using CloudFront's native Signed Cookies, a simple tokenization mechanism that blocks unauthorized users at no additional charge. All you need to do is enable signed cookies on your streaming CloudFront distribution, then update your backend to generate and set the cookie on the streaming domain (e.g. using a Set-Cookie response header, or using JavaScript and an API call). Subsequent requests from the player in the browser will carry the signed cookie and will be authorized by CloudFront. Learn about this implementation in the following blog series (1 & 2).

Another multi-CDN approach to address the aforementioned challenges is using CloudFront as an origin to your other CDNs. However, this approach requires additional scrutiny over the redundancy of the architecture. For example, it is recommended to disable third-party CDN’s origin shield or centralized cache when using CloudFront as their origin, to reduce the blast radius of a localized CloudFront PoP impairment. It's also recommended to enable Origin Shield on CloudFront to increase availability and cache hit ratio. If you have a CloudFront private pricing agreement, and you'd like to implement this architecture, please get in touch with your AWS Account team to discuss it.

Advanced tokenization solution

For advanced use cases, where you have a heterogeneous user device base (Set Top Boxes, Smart TVs), and require more sophisticated tokenization logic with custom fields computed in the token signature, consider the Secure Media Delivery at the edge solution. It's a JWT based tokenization solution, with the following benefits:

  • The token is part of the path, requiring minimal to no changes on the client or server side, making the solution very simple to integrate with your video workflow.
  • Path based tokens, unlike cookie based tokens, are supported by all device types.
  • The token signature is customizable, allowing you to include different dimensions such as IP, Country, User Agent header, etc.
  • It is based on CloudFront Functions, which makes it scalable and cost effective, even for large scale events.

In addition, the solution provides you with an SDK to generate the token, a sample UI to test it, and most importantly a session revocation system to detect and automatically block pirated sessions within minutes.

Note: CloudFront Functions has since released KeyValueStore, which you might want to investigate and use as an alternative for storing blocked/revoked tokens and/or implementing extra custom logic in your CloudFront function.

AWS re:Invent 2022 - Formula 1 case study: F1TV with AWS media and edge services

Resources
