Overview
The Secure Media Delivery at the Edge on AWS solution provides the ability to protect your premium video content from unauthorized access when delivered through Amazon CloudFront. The solution offers an additional layer of security based on individual access tokens added to the delivery URL. Existing or new CloudFront configurations used for Live Streaming and Video on Demand (VOD) workloads can benefit from this solution, whereby streaming operations engineers can control access to video assets by issuing individual tokens for each authorized viewer, verified at the edge by CloudFront Functions.
Benefits
Easily integrate this solution into your existing workflows or add to new ones in a few configuration steps. Implemented as an incremental component, the solution is ready to use without redesigning the CloudFront architecture.
With a wide range of devices and streaming formats, the solution is designed to provide the best possible support coverage. The URL-based token works universally with the clients you use today, and the ones you may need to support tomorrow.
Presenting secure tokens in the widely adopted JSON Web Token (JWT) format offers flexibility in how they are constructed. Combine multiple viewer attributes and the geolocation details provided by CloudFront to restrict playback to authorized clients only. Viewer attributes are not exposed in the token or the URL path, preserving the privacy of your end users.
Quickly identify playback sessions with irregular traffic patterns suggesting unauthorized distribution of your content. Block playback sessions by reporting corresponding session identifiers, or leverage the automatic workflow offered by the solution to detect and block suspicious sessions.
The solution scales seamlessly to the highest-traffic events via CloudFront Functions. You can rely on its automated workflows to handle regular key rotation and to analyze access patterns so that sessions with suspicious traffic are detected and blocked.
Technical Details
The following diagram presents the serverless architecture, which you can deploy automatically either by using the solution's implementation guide with its accompanying AWS CloudFormation template, or by using the CDK deployment model.
Step 1
An Amazon CloudFront Function that validates secure tokens, permitting or denying access to video content.
Step 2
AWS Secrets Manager secrets hold the signing keys used to generate and validate viewers' tokens.
Step 3
An AWS Step Functions workflow that coordinates the key rotation process.
Step 4
An AWS WAF rule group containing the list of playback sessions that should be blocked as the solution identifies them as compromised.
Step 5
An Amazon API Gateway public API used to process requests to generate the tokens for video playback, and to manually revoke specified playback sessions.
Step 6
An AWS Lambda function associated with API Gateway that generates the token for video playback based on the retrieved metadata about the video assets and token parameters.
Step 7
A solution-provided library, imported into the Lambda function, that exposes the methods needed to generate the tokens.
Step 8
An Amazon DynamoDB table to store metadata about video assets and corresponding parameters used to generate the tokens.
Step 9
A CloudFront distribution that serves the traffic for API Gateway and, when activated, the demo website.
Step 10
A Lambda@Edge function that signs outgoing requests to API Gateway according to the AWS Signature Version 4 (SigV4) specification.
Step 11
A demo website (when activated) with an embedded video player.
Step 12
An Amazon S3 bucket that stores static assets for the demo website. The automatic session revocation module is made up of the steps that follow.
Step 13
An Amazon EventBridge rule that runs periodically to invoke session revocation workflow in Step Functions.
Step 14
Lambda functions invoked within a Step Functions workflow that build an SQL query, submit it to Amazon Athena, retrieve the results from Athena, and pass them on to the next stage of the processing pipeline.
Step 15
Athena, which runs SQL queries against CloudFront access logs to list the IDs of video playback sessions with abnormal traffic characteristics.
Step 16
A DynamoDB revocation-list table that stores the IDs and additional information for sessions that have been submitted for revocation.
Step 17
A Lambda function that compiles the final list of playback sessions marked to be blocked and updates the AWS WAF rule group with the rules matching the selected sessions.
Sportall revolutionizes the sports video distribution market by transforming every sports rights-holder into a direct-to-consumer provider. "We primarily stream live events, so it's important to protect our content from being shared through unauthorized channels. We needed an easy-to-implement solution that provides strong security, and doesn't impact latency metrics during live streaming. With the Secure Media Delivery at the Edge on AWS solution, Sportall can better control access to the video streams for intended viewers, and also automatically detect and stop piracy activities resulting in mass public viewings of our content. Plus, unlike the alternative approaches we considered, this AWS Solution integrates seamlessly into our existing ecosystem, allowing us to evolve it in the future."