Step 3. Prepare your CloudFront distributions
After deploying the CloudFormation stack and configuring the DynamoDB table with the inputs needed to generate the token, follow the additional steps below to integrate the Secure Media Delivery at the Edge on AWS solution with the existing CloudFront distributions used to deliver video streams.
- Verify that the cache behaviors covering the objects that are supposed to be token protected have their path pattern set correctly, as described in the Design considerations section.
- When using the viewer’s geolocation as one of the token attributes, make sure the same cache behaviors have origin request policies attached that include the CloudFront-Viewer-Country and CloudFront-Viewer-Country-Region headers.
- For each cache behavior subject to token protection, associate the function that was created when the solution’s stack was launched. In the CloudFront console, open the distribution settings and navigate to the specific cache behavior configuration. In the Function associations section, from Viewer Request select CloudFront Function event, and from Function ARN / Name select the [Stack Name]_checkJWTToken function.
- Choose Save Changes and repeat the above steps for each distribution and cache behavior where the token validation mechanism must be in place.
- If you intend to use manual session revocation, add the WAF rule group created for storing session IDs (those identified to be blocked) to the web ACL associated with the CloudFront distribution used for streaming video content. On the web ACL page, select Global (CloudFront), then select the web ACL associated with your CloudFront distribution, select the Rules tab, and choose Add Rules > Add my own rules and rule groups.
- In the rule type setting, select Rule group and enter a name for the rule you are defining. Under Rule Group, select the [Stack_Name]_BlockSessions rule group from the dropdown list.
- Choose Add rule and adjust the priority of this rule group within the web ACL, then choose Save.
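
A check to run after the steps above, given as an added example and not part of the solution's own code: it audits a distribution config (the DistributionConfig document returned by `aws cloudfront get-distribution-config`) for path patterns that should be token protected but lack the viewer-request function or the geolocation headers. The sample config, the stack name `MyStack`, the policy IDs and the policy-to-headers map are constructed for illustration, and only non-default cache behaviors are inspected.

```python
import json

GEO_HEADERS = {"cloudfront-viewer-country", "cloudfront-viewer-country-region"}

# Constructed sample shaped like a CloudFront DistributionConfig; all names
# and IDs are made up for this example.
SAMPLE_CONFIG = json.loads("""
{"CacheBehaviors": {"Quantity": 3, "Items": [
  {"PathPattern": "/hls/*", "OriginRequestPolicyId": "policy-geo",
   "FunctionAssociations": {"Quantity": 1, "Items": [
     {"EventType": "viewer-request",
      "FunctionARN": "arn:aws:cloudfront::111122223333:function/MyStack_checkJWTToken"}]}},
  {"PathPattern": "/dash/*", "OriginRequestPolicyId": "policy-plain",
   "FunctionAssociations": {"Quantity": 1, "Items": [
     {"EventType": "viewer-request",
      "FunctionARN": "arn:aws:cloudfront::111122223333:function/MyStack_checkJWTToken"}]}},
  {"PathPattern": "/cmaf/*", "FunctionAssociations": {"Quantity": 0}}
]}}
""")
# Constructed map: origin request policy ID -> headers that policy forwards.
SAMPLE_POLICIES = {
    "policy-geo": ["CloudFront-Viewer-Country", "CloudFront-Viewer-Country-Region"],
    "policy-plain": ["Origin"],
}

def audit(config, protected_patterns, stack_name, policies=None, uses_geo=False):
    """Return {path_pattern: [problems]} for each pattern meant to be token protected."""
    wanted = f":function/{stack_name}_checkJWTToken"
    items = config.get("CacheBehaviors", {}).get("Items", [])
    behaviors = {b["PathPattern"]: b for b in items}
    findings = {}
    for pattern in protected_patterns:
        behavior = behaviors.get(pattern)
        if behavior is None:
            findings[pattern] = ["no cache behavior with this path pattern"]
            continue
        problems = []
        assoc = behavior.get("FunctionAssociations", {}).get("Items", [])
        if not any(a["EventType"] == "viewer-request"
                   and a["FunctionARN"].endswith(wanted) for a in assoc):
            problems.append("checkJWTToken not associated on viewer request")
        if uses_geo:  # only relevant when geolocation is a token attribute
            policy_id = behavior.get("OriginRequestPolicyId")
            headers = {h.lower() for h in (policies or {}).get(policy_id, [])}
            if not GEO_HEADERS <= headers:
                problems.append("origin request policy lacks viewer geolocation headers")
        findings[pattern] = problems
    return findings
```

An empty list for a pattern means that behavior passed both checks; any non-empty list names the step that still needs to be applied to it.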