Figure 8 – Amazon CloudFront with Origin Shield
Security
Video content is valuable and your business model might depend on publishing content only to authorized users. Many video streaming platforms use a subscription-based business model, where content protection mechanisms are vital. This is an important factor when selecting a CDN.
Content protection can guard against piracy activities, such as link sharing, and might also be required under the terms of content rights or licensing agreements. Licensing terms might require you to restrict delivery to specific countries, or to integrate specific security controls in the media delivery workflow, such as digital rights management (DRM) solutions.
Geographical restriction
Amazon CloudFront allows you to configure geographical restrictions to prevent users in certain countries from accessing your content. You can enforce this by either specifying a list of countries where requests will be allowed or by specifying countries where requests will be blocked. If a request is received from a blocked geography, CloudFront will return a 403 Forbidden HTTP status code to the end user. In testing, CloudFront's accuracy in determining a user's location is 99.8%.

Amazon Web Services
Amazon CloudFront for Media
18
Figure 9 – Geographic restriction in CloudFront console
CloudFront's Geo Restriction applies to an entire distribution. If more granular geo-blocking rules are needed, you can shard your content into multiple CloudFront distributions and group content together with the same geographical restrictions. Alternatively, you can use AWS Web Application Firewall (AWS WAF) with Geographic match rules. These rules work in a similar way to CloudFront's geo-restrictions, but they can be combined with other rules and matching statements to limit unwanted traffic, for example to block traffic incoming from VPNs, proxies or Tor nodes using the AWS Managed Rules Anonymous IP list.
Access control through CloudFront
There are two common approaches to access control for media content:
• In an encryption-based approach, you encrypt your video segments and distribute decryption keys to authorized users using a digital rights management (DRM) solution. DRM systems require integration with the origin for exchanging encryption keys and authorizing users to retrieve the decryption key. Commercial DRM system providers offer a range of solutions with particular features and support for different devices. A multi-DRM solution is often necessary for operating at scale with a diverse population of devices.
• In an access-control based approach, you use tokenization to serve the content to authorized users only. For delivery at scale, the access control mechanism must be incorporated into CDN processing logic, because a viewer's request will be received by a cache server that validates the request and either allows or denies access.
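The edge-side validation the second bullet describes, as an added example that is not code from the whitepaper or from AWS: a path-bound, expiring HMAC token is checked before the cache serves a segment, and the token parameters are excluded from the cache key so that all authorized viewers still share one cached object. The token format, the query parameter names exp and tok, and the shared secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse

# Constructed demo secret; a real deployment keeps this in a secrets store, not in code.
SECRET = b"constructed-demo-secret"

def make_token(path: str, expires: int, secret: bytes = SECRET) -> str:
    """Mint a token that binds one object path to an expiry time (Unix seconds).

    Binding the path prevents a token issued for one segment from being reused
    on another; the expiry limits how long a shared link stays useful.
    """
    msg = f"{path}\n{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def check_request(uri: str, now: int, secret: bytes = SECRET) -> int:
    """Return the status an edge validator would produce: 200 to allow, 403 to deny."""
    parsed = urlparse(uri)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["exp"][0])
        token = qs["tok"][0]
    except (KeyError, ValueError):
        return 403                      # missing or malformed parameters
    if now >= expires:
        return 403                      # token has expired
    expected = make_token(parsed.path, expires, secret)
    if not hmac.compare_digest(expected, token):
        return 403                      # wrong path, wrong secret, or tampered token
    return 200

def cache_key(uri: str) -> str:
    """Strip the per-viewer auth parameters so authorized viewers share one cache entry."""
    parsed = urlparse(uri)
    kept = [(k, v) for k, v in parse_qsl(parsed.query) if k not in ("exp", "tok")]
    return parsed.path + ("?" + urlencode(kept) if kept else "")

if __name__ == "__main__":
    path = "/hls/movie/seg1.ts"          # constructed sample object path
    tok = make_token(path, expires=2000)
    uri = f"{path}?exp=2000&tok={tok}"
    print(check_request(uri, now=1000), check_request(uri, now=2000), cache_key(uri))
```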

