Secure Media Delivery at the Edge on AWS

Protect your premium video content from unauthorized access when delivered through Amazon CloudFront


The Secure Media Delivery at the Edge on AWS solution provides the ability to protect your premium video content from unauthorized access when delivered through Amazon CloudFront. The solution offers an additional layer of security based on individual access tokens added to the delivery URL. Existing or new CloudFront configurations used for Live Streaming and Video on Demand (VOD) workloads can benefit from this solution, whereby streaming operations engineers can control access to video assets by issuing individual tokens for each authorized viewer, verified at the edge by CloudFront Functions.


Ease of integration

Easily integrate this solution into your existing workflows or add to new ones in a few configuration steps. Implemented as an incremental component, the solution is ready to use without redesigning the CloudFront architecture.

Widespread support across video clients

With a wide range of devices and streaming formats, the solution is designed to provide the best possible support coverage. The URL-based token works universally with the clients you use today, and the ones you may need to support tomorrow. 

Flexible token structure

Presenting secure tokens in the widely adopted JSON Web Token (JWT) format offers flexibility in construction. Combine multiple viewer attributes and geolocation details provided by CloudFront to restrict playback to only authorized clients. Viewer attributes are not exposed in the token or URL path, ensuring the privacy of your end-users.

Session revocation

Quickly identify playback sessions with irregular traffic patterns suggesting unauthorized distribution of your content. Block playback sessions by reporting corresponding session identifiers, or leverage the automatic workflow offered by the solution to detect and block suspicious sessions. 

Scale and automation

The solution seamlessly scales to the highest traffic events via CloudFront Functions. You can depend on the automated workflows implemented by the solution to handle regular key rotation, and to process traffic patterns to detect and block suspicious sessions.

Technical Details

The following diagram presents the serverless architecture, which you can automatically deploy by either using the solution's implementation guide and accompanying AWS CloudFormation template, or by using the CDK deployment model.


Sportall revolutionizes the sport video distribution market by transforming every sports rights-holder into a direct-to-consumer provider. “We primarily stream live events, so it’s important to protect our content from being shared through unauthorized channels. We needed an easy to implement solution that provides strong security, and doesn’t impact latency metrics during live streaming. With the Secure Media Delivery at the Edge on AWS solution, Sportall can better control access to the video streams for intended viewers, and also automatically detect and stop piracy activities resulting in mass public viewings of our content. Plus, unlike the alternative approaches we considered, this AWS Solution integrates seamlessly into our existing ecosystem allowing us to evolve it in the future.”

Thomas Fayoux, Senior Product Manager
