The Secure Media Delivery at the Edge on AWS solution provides the ability to protect your premium video content from unauthorized access when delivered through Amazon CloudFront. The solution offers an additional layer of security based on individual access tokens added to the delivery URL. Existing or new CloudFront configurations used for Live Streaming and Video on Demand (VOD) workloads can benefit from this solution, whereby streaming operations engineers can control access to video assets by issuing individual tokens for each authorized viewer, verified at the edge by CloudFront Functions.
Benefits
Ease of integration
Easily integrate this solution into your existing workflows or add to new ones in a few configuration steps. Implemented as an incremental component, the solution is ready to use without redesigning the CloudFront architecture.
Widespread support across video clients
With a wide range of devices and streaming formats, the solution is designed to provide the best possible support coverage. The URL-based token works universally with the clients you use today, and the ones you may need to support tomorrow.
Flexible token structure
Presenting secure tokens in the widely-adopted JSON Web Token (JWT) format offers flexibility in construction. Combine multiple viewer attributes and geolocation details provided by CloudFront to restrict playback to only authorized clients. Viewer attributes are not exposed in the token or URL path, ensuring the privacy of your end-users.
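The token check described above, sketched as an added Node.js example that is not the solution's own code: an HS256 JWT in the first URL path segment binds to the viewer through a keyed hash, so the viewer's attributes never appear in the token or URL. The claim names (`exp`, `ssn`, `vh`), the path layout, the chosen attributes and the function names are assumptions for illustration.

```javascript
// Added illustration: edge-side check of a JWT carried in the first URL path segment.
// Claim names (exp, ssn, vh), the path layout and the attributes are assumptions.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Keyed hash of the viewer attributes: the token binds to them without exposing them.
function viewerHash(key, attrs) {
  return crypto.createHmac('sha256', key)
    .update([attrs.ip, attrs.country, attrs.userAgent].join('|')).digest('base64url');
}

// Issuer side (the role of the token-generating Lambda function in the architecture).
function issueToken(key, sessionId, attrs, ttlSeconds, now) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    exp: now + ttlSeconds, ssn: sessionId, vh: viewerHash(key, attrs),
  }));
  const sig = crypto.createHmac('sha256', key).update(`${header}.${payload}`).digest('base64url');
  return `${header}.${payload}.${sig}`;
}

// Edge side: returns { allow, reason } or { allow, sessionId, uri } with the token stripped.
function validateRequest(key, uri, attrs, now) {
  const m = /^\/([^/]+)(\/.*)$/.exec(uri);
  if (!m) return { allow: false, reason: 'no-token' };
  const parts = m[1].split('.');
  if (parts.length !== 3) return { allow: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  let hdr, claims;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch (e) { return { allow: false, reason: 'malformed' }; }
  // Pin the algorithm; never let the token choose how it is verified.
  if (!hdr || hdr.alg !== 'HS256') return { allow: false, reason: 'bad-alg' };
  const expected = crypto.createHmac('sha256', key).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { allow: false, reason: 'bad-signature' };
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now)
    return { allow: false, reason: 'expired' };
  if (claims.vh !== viewerHash(key, attrs)) return { allow: false, reason: 'viewer-mismatch' };
  return { allow: true, sessionId: claims.ssn, uri: m[2] };
}
```

A token copied to another viewer fails with `viewer-mismatch` even though its signature is valid, because the hash is recomputed from the attributes of the request being served.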
Session revocation
Quickly identify playback sessions with irregular traffic patterns suggesting unauthorized distribution of your content. Block playback sessions by reporting corresponding session identifiers, or leverage the automatic workflow offered by the solution to detect and block suspicious sessions.
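One way such sessions could be picked out of CloudFront standard access logs, as an added Node.js example rather than the solution's own Athena query: it flags session IDs served to more distinct client IPs than a threshold. The `ssn` claim, the token position in the path, the threshold and the log lines themselves are constructed assumptions.

```javascript
// Added illustration: flag playback sessions seen from too many client IPs.
// Log lines are constructed; the `ssn` claim, path layout and threshold are assumptions.
const F = { cIp: 4, uriStem: 7, status: 8 }; // CloudFront standard log field positions

// Read the session id from the unverified JWT payload in the first path segment.
function sessionIdFromUri(uriStem) {
  const token = uriStem.split('/')[1] || '';
  const payload = token.split('.')[1];
  if (!payload) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    return claims && typeof claims.ssn === 'string' ? claims.ssn : null;
  } catch (e) { return null; }
}

// Returns the session ids whose distinct client IP count exceeds maxIps, sorted.
function suspiciousSessions(logText, maxIps) {
  const ipsBySession = new Map();
  for (const line of logText.split('\n')) {
    if (!line || line.startsWith('#')) continue; // skip #Version / #Fields headers
    const f = line.split('\t');
    // Count only requests the edge served; rejected requests never passed token validation.
    if (f[F.status] !== '200' && f[F.status] !== '206') continue;
    const ssn = sessionIdFromUri(f[F.uriStem] || '');
    if (!ssn) continue;
    if (!ipsBySession.has(ssn)) ipsBySession.set(ssn, new Set());
    ipsBySession.get(ssn).add(f[F.cIp]);
  }
  return [...ipsBySession].filter(([, ips]) => ips.size > maxIps).map(([s]) => s).sort();
}

// Constructed sample: the first 9 fields of a standard log line, tab-separated.
function sampleLine(ssn, ip, status) {
  const payload = Buffer.from(JSON.stringify({ ssn })).toString('base64url');
  return ['2024-01-01', '12:00:00', 'CDG50-C1', '1024', ip, 'GET', 'd111.example.net',
    `/h.${payload}.s/live/seg1.ts`, status].join('\t');
}
const SAMPLE_LOG = ['#Version: 1.0',
  sampleLine('sess-A', '198.51.100.1', '200'), sampleLine('sess-A', '198.51.100.1', '200'),
  sampleLine('sess-B', '203.0.113.1', '200'), sampleLine('sess-B', '203.0.113.2', '200'),
  sampleLine('sess-B', '203.0.113.3', '200'), sampleLine('sess-B', '203.0.113.4', '206'),
  sampleLine('sess-A', '203.0.113.9', '403'), sampleLine('sess-A', '203.0.113.8', '403'),
].join('\n');
```

In the sample, `sess-A` stays below a threshold of 2 only because its two `403` lines are ignored; counting rejected requests would let anyone who replays a stale or mismatched token push a legitimate session onto the revocation list.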
Scale and automation
The solution seamlessly scales to the highest traffic events via CloudFront Functions. You can depend on the automated workflows implemented by the solution to handle regular key rotation, and process traffic patterns to detect and block sessions with suspicious traffic patterns.
Technical Details
The following diagram presents the serverless architecture, which you can automatically deploy by either using the solution's implementation guide and accompanying AWS CloudFormation template, or by using the CDK deployment model.
Step 1 An Amazon CloudFront Function that validates secure tokens, permitting or denying access to video content.
Step 2 AWS Secrets Manager, which stores the secrets holding the signing keys for generating and validating viewers’ tokens.
Step 3 An AWS Step Functions workflow that coordinates the key rotation process.
Step 4 An AWS WAF rule group containing the list of playback sessions that should be blocked because the solution has identified them as compromised.
Step 5 An Amazon API Gateway public API used to process requests to generate the tokens for video playback, and to manually revoke specified playback sessions.
Step 6 An AWS Lambda function associated with API Gateway that generates the token for video playback based on the retrieved metadata about the video assets and token parameters.
Step 7 A solution-provided library that provides the necessary methods to generate the tokens, imported into the Lambda function.
Step 8 An Amazon DynamoDB table to store metadata about video assets and corresponding parameters used to generate the tokens.
Step 9 A CloudFront distribution to deliver the traffic from API Gateway and, when activated, the demo website.
Step 10 A Lambda@Edge function that signs outgoing requests towards API Gateway according to the SigV4 specification.
Step 11 A demo website (when activated) with an embedded video player.
Step 12 An Amazon S3 bucket that stores static assets for the demo website, and an auto session revocation module.
Step 13 An Amazon EventBridge rule that runs periodically to invoke the session revocation workflow in Step Functions.
Step 14 Lambda functions invoked in a Step Functions workflow that produce a SQL query submitted to Amazon Athena, obtain the results from Athena, and move them forward in the processing pipeline.
Step 15 Athena running SQL queries against CloudFront access logs to list the suspicious video playback session IDs with abnormal traffic characteristics.
Step 16 A DynamoDB revocation list table to store IDs and additional information for sessions that have been submitted to be revoked.
Step 17 A Lambda function that compiles a final list of the playback sessions marked to be blocked and updates the AWS WAF rule group with the appropriate rules matching the selected sessions.
Sportall revolutionizes the sport video distribution market by transforming every sports rights-holder into a direct-to-consumer provider. “We primarily stream live events, so it’s important to protect our content from being shared through unauthorized channels. We needed an easy-to-implement solution that provides strong security, and doesn’t impact latency metrics during live streaming. With the Secure Media Delivery at the Edge on AWS solution, Sportall can better control access to the video streams for intended viewers, and also automatically detect and stop piracy activities resulting in mass public viewings of our content. Plus, unlike the alternative approaches we considered, this AWS Solution integrates seamlessly into our existing ecosystem, allowing us to evolve it in the future.”