The Secure Media Delivery at the Edge solution protects your premium video content delivered through Amazon CloudFront from unauthorized access. The solution offers an additional layer of security based on individual access tokens added to the delivery URL. Existing or new CloudFront configurations used for Live Streaming and VOD workloads can benefit from this solution, whereby streaming operations engineers can control access to video assets by issuing individual tokens for each authorized viewer, verified at the Edge by CloudFront Functions.

• Secure Media Delivery at the Edge on AWS
  • On this Page
  • Architecture Overview
  • Deployment
  • WorkFlow Overview
    • Base module:
    • API Module:
    • Auto session revocation module
  • Solution components
    • Base Module
    • Key Rotation workflow
    • API Module
    • Auto session revocation module
  • Creating a custom build
    • Prerequisites:
    • Options 1: Deploying through the CDK.
      • 1. Clone the repo.
      • 2. Install the dependencies of the project to make it ready to use. To do so, simply run the below command.
      • 3. Run the built-in wizard which will prompt you with questions about the modules to deploy
      • 4. Ensure that the AWS CDK has been bootsrapped on the target account, this is typically the case if you have never used AWS CDK before on the account.
      • 5. Deploy the solution using the following command.
    • Option 2: Generate a CloudFormation template.
      • 1. Clone the repo
      • 2. Running unit tests for customization
      • 3. Create an Amazon S3 Bucket
      • 4. Create the deployment packages
      • 5. Launch the CloudFormation template.
  • License
  • Information
  • Requirements

_{Secure media stream delivery (click to enlarge)}

Deploying Secure Media Delivery solution in your environment will produce following infrastructure.

The solution is deployed using a CloudFormation template. For details on deploying the solution please see the details on the solution home page: Secure Media Delivery at the Edge

Customers can deploy the solution to protect their video stream from unauthorized access by adding a cookie-less tokenization embedded in the URL path.

The solution can be deployed though CDK or by using a pre generated CloudFormation template. With CDK, you can selectively choose which modules and elements should be deployed for each new stack you create:

• Base module (always deployed)
• API module (optional)
• Demo website (optional)
• Auto session revocation (optional)

HTML guide here PDF guide here

1. An Amazon CloudFront Function that validates secure tokens, permitting or denying access to video content
2. An AWS Secrets Manager stored secrets holding signing keys for generating and validating viewers’ tokens
3. An AWS Step Functions workflow that coordinates key rotation process
4. An AWS WAF Rule Group containing the list of playback sessions that should be blocked as they get identified as compromised
5. An Amazon API Gateway public API used to process the requests to generate the tokens for video playback and to manually revoke specified playback sessions
6. An AWS Lambda Function associated with API Gateway that generate the token for video playback based on the retrieved metadata about the video assets and token parameters
7. Solution provided library, providing the necessary methods to generate the tokens, imported in the AWS Lambda Function

8. An Amazon DynamoDB table storing metadata about video assets and corresponding parameters used to generate the tokens
9. An Amazon CloudFront distribution delivering the traffic from API Gateway and deliver demo website when enabled
10. Lambda@Edge function which signs outgoing requests towards API Gateway according to SigV4 specification
11. Demo website (when enabled) with video player embedded in it
12. Amazon S3 bucket storing static assets for demo website

13. An Amazon EventBridge rule that runs periodically to invoke session revocation workflow in AWS Step Functions
14. Lambda functions invoked in Step Functions workflow that produce SQL query submitted to Amazon Athena, then to obtain the results from Athena and push move them forward in the processing pipeline
15. Amazon Athena executing SQL queries against CloudFront access logs to list the suspicious video playback session ids with abnormal traffic characteristics
16. An Amazon DynamoDB table revocation list storing session ids that have been submitted to be revoked with additional information
17. Lambda function which compiles a final list of the playback sessions marked to be blocked and updates AWS WAF Rule Group with the appropriate rules matching selected sessions

_{Secure media stream delivery (click to enlarge)}

Base module includes the solution components which are core and central to the solution, while rest of the modules expands on it.

_{Secure media stream delivery (click to enlarge)}

This pipeline is initiated first time after the base module stack is deployed and after that periodically according to the key rotation setting specified when launching the solution. The configuration on when the key rotation process should be initiated is saved as EventBridge rule. Any time that workflow is initiated, the subsequent steps are controlled via AWS Step Functions workflow with the steps as depicted above.

_{Secure media stream delivery (click to enlarge)}

API Module is made available in the solution to represent an example of how to integrate token management process into playback API section of customer architecture. The central element of this module is API Gateway with two Lambda integrations responsible for performing token related operations, namely generate the token and revoke given session it.

_{Secure media stream delivery (click to enlarge)}

Auto session revocation module design leverages AWS Step Functions to coordinate this entire multi step process. Predefined workflow is invoked periodically as specified in the created EventBridge rule – for ongoing video delivery streaming it is reasonable to set that periodicity at the range of few minutes to reduce the time it takes to detect and block the suspicious sessions.

Note that before using auto revocation module, collection of access logs to S3 must be configured for each CloudFront distribution, the traffic of which should be analyzed through this process. It is also required to set up a database and a table in Athena referencing access logs in the S3 bucket.

Before getting started, verify that your configuration matches the list of requirements.

• AWS Command Line Interface
• Node.js 12.x or later
• AWS CDK 2.24.1

The are 2 options for deploying the solution: using the CDK deployment tools or running the build script to generate a CFN template and the packaged lambda code.

This options simply flollows the standard CDK deployment process. You will need to run cdk bootstrap before you run cdk deploy the first time to setup the cdk resource in your AWS account. Details on using the CDK can be found [here].

On Linux

cd source
./install_dependencies.sh

On Windows

cd source
./install_dependencies.ps1

npm run wizard

The wizard will then generate a configuration in the solution.context.json file that is at the root of this repository.

npx cdk bootstrap

You only need to bootstrap the target account once, you can then dismiss this step. If you're planning on using multiple regions, the bootstrap process must be done for each AWS region.

npx cdk deploy --all

The CloudFormation template (generated by the CDK) includes a lambda backed custom resource to configure MediaLive and create a UUID. To launch the solution the Lambda source code has to be deployed to an Amazon S3 bucket in the region you intend to deploy the solution.

Download or clone the repo and make the required changes to the source code.

Run unit tests to make sure added customization passes the tests:

cd ./deployment
chmod +x ./run-unit-tests.sh && ./run-unit-tests.sh

The CloudFormation template is configured to pull the Lambda deployment packages from Amazon S3 bucket in the region the template is being launched in. Create a bucket in the desired region with the region name appended to the name of the bucket. eg: for us-east-1 create a bucket named: my-bucket-us-east-1

aws s3 mb s3://my-bucket-us-east-1

Ensure that you are owner of the AWS S3 bucket.

aws s3api head-bucket --bucket my-bucket-us-east-1 --expected-bucket-owner YOUR-AWS-ACCOUNT-NUMBER

Build the distributable:

chmod +x ./build-s3-dist.sh
./build-s3-dist.sh <my-bucket> secure-media-delivery-at-the-edge <version>

Notes: The build-s3-dist script expects the bucket name as one of its parameters. This value should not have the region suffix (remove the -us-east-1)

Deploy the distributable to the Amazon S3 bucket in your account:

aws s3 sync ./regional-s3-assets/ s3://my-bucket-us-east-1/secure-media-delivery-at-the-edge/<version>/ 
aws s3 sync ./global-s3-assets/ s3://my-bucket-us-east-1/secure-media-delivery-at-the-edge/<version>/ 

• Get the link of the VIDEOSTREAM.template uploaded to your Amazon S3 bucket.
• Deploy the solution.

• This project is licensed under the terms of the Apache 2.0 license. See here LICENSE.

This solution collects anonymous operational metrics to help AWS improve the quality of features of the solution. For more information, including how to disable this capability, please see the implementation guide.

The below information displays approximate values associated with deploying and using this stack.

• An AWS Account (How to create an AWS account | How to create an AWS Organization account)
• Node JS 12+ must be installed on the deployment machine. (Instructions)
• The AWS CDK 2.24.1 must be installed on the deployment machine. (Instructions)