Deploy this solution to protect your premium video content from unauthorized access when delivered through Amazon CloudFront - Secure Media Delivery at the Edge on AWS


Publication date: August 2022 (last update: October 2022)

For media and entertainment companies, premium video content is one of the most valuable assets. Video delivery teams must continue to raise the security bar to ensure that only authorized viewers consume the content over approved delivery channels. For video streaming distribution at any scale, customers seek a complete, incremental solution that works universally across a variety of video clients without requiring a re-architecture of their workloads.

The Secure Media Delivery at the Edge on AWS solution integrates with Amazon CloudFront to offer a ready-to-use content protection mechanism that helps you meet licensing obligations from rights holders by improving anti-piracy controls. Video streaming engineers and Content Delivery Network (CDN) operators can deploy the solution into their environment and incorporate it in a minimal number of steps, without rearchitecting their video services. Secure Media Delivery at the Edge on AWS introduces a cookie-less approach that simplifies and automates access token management for media streaming services. Using serverless resources based on a new edge serverless environment (CloudFront Functions), customers can generate an encrypted token, inject it into the media delivery path, and validate the token for every request, without the need to produce and attach the token again for the same playback session. The token authorization function at the edge can be associated with a specific CloudFront path behavior that points to the media origin holding the original content. Shifting this functionality to the edge simplifies customers' secure video streaming workflows: it is transparent to existing video origins and removes the complexity of manipulating media manifest files. By using CloudFront Functions, the solution also meets the highest demands for scale while keeping running costs manageable for customers.

This solution provides the following features:

  • Player-agnostic solution that uses serverless architecture to tokenize requests to media files

  • Supports Live and Video on Demand (VOD) workloads

  • Highly scalable and cost-efficient

  • Simplifies secure video streaming workflows, improves content protection, and removes the complexity of embedding a token in a media manifest file

  • Flexibility in defining viewer’s attributes validated when processing the token

  • Works with video streams with dynamically changing paths (for example, ad-insertion workflows)

  • Fully automated process of key management and scheduled key rotation

  • Ability to revoke the compromised playback session

  • Auto-revocation mechanism to detect and block suspicious sessions

  • Solution-specific CloudWatch dashboards

  • Can be managed and deployed with CloudFormation templates or CDK
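
The token flow described above (a token carried in the URL path, checked on every request, bound to viewer attributes, with key rotation and session revocation), sketched as an added example that is not the solution's own code. The token layout (`kid.claims.signature`, HMAC-signed rather than encrypted), the key ids, the chosen viewer attributes and all function names are assumptions for illustration, and the code targets Node.js rather than the CloudFront Functions runtime.

```javascript
const { createHash, createHmac, timingSafeEqual } = require('crypto');

// Constructed keys: two ids stay valid so sessions survive a scheduled rotation.
const KEYS = { k1: 'constructed-previous-secret', k2: 'constructed-current-secret' };
const REVOKED = new Set(['sess-stolen']); // constructed revocation list

const sign = (kid, body) => createHmac('sha256', KEYS[kid]).update(body).digest('base64url');
// Viewer attributes (assumed here: source IP and User-Agent) are bound as a hash.
const viewerHash = (v) => createHash('sha256').update(`${v.ip}|${v.ua}`).digest('base64url');

function issueToken(kid, sessionId, viewer, expEpoch) {
  const claims = { sid: sessionId, exp: expEpoch, vh: viewerHash(viewer) };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${kid}.${body}.${sign(kid, body)}`;
}

// The token is the first path segment, so relative URLs in a manifest resolve
// under the same prefix and no cookie or manifest rewrite is needed.
const tokenizedPath = (token, path) => `/${token}${path}`;

// Edge-side check, run for every request; returns the origin path on success.
function authorize(uri, viewer, nowEpoch) {
  const m = /^\/([^\/.]+)\.([^\/.]+)\.([^\/.]+)(\/.*)$/.exec(uri);
  if (!m) return { allow: false, reason: 'missing-token' };
  const [, kid, body, sig, originPath] = m;
  if (!Object.hasOwn(KEYS, kid)) return { allow: false, reason: 'unknown-key' };
  // Verify the signature before parsing any claim, in constant time.
  const expected = Buffer.from(sign(kid, body));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { allow: false, reason: 'bad-signature' };
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.exp <= nowEpoch) return { allow: false, reason: 'expired' };
  if (REVOKED.has(claims.sid)) return { allow: false, reason: 'revoked' };
  if (claims.vh !== viewerHash(viewer)) return { allow: false, reason: 'viewer-mismatch' };
  // The token segment is stripped, so the origin sees its original path.
  return { allow: true, originPath };
}
```

Because the signature is verified before the claims are decoded, a copied URL replayed from another client fails on the viewer binding, and a tampered one fails before any claim is trusted.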

The primary use case of this solution is for customers who publish video content and want to add a security layer at the edge to protect content that is distributed in a subscription-based model (OTT platforms), published behind a paywall, or restricted to specific geographies. This encompasses most organizations in the Media & Entertainment industry that stream VOD or live content as the core of their business. Oftentimes, security and access control methods are also a contractual obligation that content distributors need to adhere to. This solution can be used in combination with Digital Rights Management (DRM) systems or as the sole protection against unauthorized playback. It serves customers looking for a robust mechanism with widespread support across a variety of clients, as well as more flexibility in adjusting the working parameters (for example, fine-grained geo restrictions, custom headers, source IPs) and the logic used to secure their video streams.

This implementation guide describes architectural considerations and configuration steps for deploying Secure Media Delivery at the Edge on AWS in the Amazon Web Services (AWS) Cloud. It includes links to an AWS CloudFormation template that launches and configures the AWS services required to deploy this solution using AWS best practices for security and availability.

The guide is intended for IT architects, video delivery engineers, developers, DevOps, data analysts, and marketing technology professionals who have practical experience architecting in the AWS Cloud.