Step 8: Prevent Undesired Content and Viewers (Recommended)

Malicious users may try to re-stream undesirable content (e.g., professional sports) on your platform, or try to embed your platform’s streams on another website without permission. This kind of streaming can dramatically increase the amount of live-streamed video that your application is serving as well as the costs associated with it, without adding value to your business. In addition to providing you with controls to stop active streams, Amazon IVS provides resources to help detect and prevent this kind of behavior in the first place; see Undesired Content and Viewers in IVS.

To constrain playback to specific origins and/or countries, use a playback restriction policy.

Console Instructions (Playback Restriction Policy)

1. Create a playback restriction policy

   1. Open the Amazon IVS console. On the left navigation pane, select Playback security > Playback restriction policies.

   2. Select Create policy.

   3. Optionally, name the policy.

   4. Optionally, toggle Strict origin enforcement (see note below).

   5. Specify Allowed countries and Allowed origins.

   6. Select Create policy.

2. Attach this policy to a new or existing channel

   1. Create a new channel or edit an existing channel.

   2. In the Restrict playback section (of the Create channel or Update channel window), select Enable playback restriction.

   3. From the Playback restriction policy drop-down list, select the policy you created in Step 1.

   4. Select Create channel (for a new channel) or Save (to update an existing channel).

Note on strict origin enforcement: This is an optional setting that can be used to strengthen the origin restriction specified with allowed origins. By default, the origin restriction applies only to the multivariant playlist. If strict origin enforcement is enabled, the server will enforce a requirement that the requesting origin matches the token for all playback requests (including multivariant playlist, variant playlist, and segments). This means that all clients (including non-browser clients) will have to provide a valid origin-request header with each request. Use the setOrigin method to set the header in the IVS iOS and Android player SDKs. It is set automatically in web browsers except iOS Safari. For iOS Safari, you need to add crossorigin="anonymous" to the video element, to ensure that the origin request header is sent. Example: <video crossorigin="anonymous"></video>.

Note on mapping between IP addresses and countries: IVS determines the location of your users by using a third-party database. The accuracy of the mapping between IP addresses and countries varies by region. Based on recent tests, the overall accuracy is 99.8%. If IVS can't determine a user's location, IVS serves the content that the user requested.

CLI Instructions (Playback Restriction Policy)

1. Create a playback restriction policy. Here is an example. For the allowed-countries and allowed-origins fields, replace the example values below with your actual values, or delete one or both fields, depending on your use case.

   aws ivs create-playback-restriction-policy --name test-playback-restriction-policy --enable-strict-origin-enforcement --allowed-countries "US","JP" --allowed-origins "https://example1.com","https://*.example2.com"

   This returns a new playback restriction policy. For its fields, see PlaybackRestrictionPolicy in the IVS Low-Latency Streaming API Reference.

2. Attach the new policy to a channel. For an existing channel, run update-channel and pass in the ARN of the playback restriction policy created in the previous step:

   aws ivs update-channel --arn "arn:aws:ivs:us-west-2:123456789012:channel/abcdABCDefgh" --playback-restriction-policy-arn "arn:aws:ivs:us-west-2:123456789012:playback-restriction-policy/abcdABCDefgh"

   For a new channel, include the --playback-restriction-policy-arn statement during channel creation.