Figure 8 – Amazon CloudFront with Origin Shield

Security

Video content is valuable, and your business model might depend on publishing content only to authorized users. Many video streaming platforms use a subscription-based business model, where content protection mechanisms are vital. This is an important factor when selecting a CDN. Content protection can guard against piracy activities, such as link sharing, and might also be required under the terms of content rights or licensing agreements. Licensing terms might require you to restrict delivery to specific countries, or to integrate specific security controls, such as digital rights management (DRM) solutions, into the media delivery workflow.

Amazon Web Services Amazon CloudFront for Media 18

Geographical restriction

Amazon CloudFront allows you to configure geographical restrictions to prevent users in certain countries from accessing your content. You can enforce this either by specifying a list of countries where requests will be allowed or by specifying countries where requests will be blocked. If a request is received from a blocked geography, CloudFront returns a 403 Forbidden HTTP status code to the end user. In testing, CloudFront's accuracy in determining a user's location is 99.8%.

Figure 9 – Geographic restriction in CloudFront console

CloudFront's geo restriction applies to an entire distribution. If more granular geo-blocking rules are needed, you can shard your content into multiple CloudFront distributions, grouping together content that shares the same geographical restrictions. Alternatively, you can use AWS Web Application Firewall (AWS WAF) with geographic match rules. These rules work in a similar way to CloudFront's geo restrictions, but they can be combined with other rules and match statements to limit unwanted traffic, for example to block traffic coming from VPNs, proxies or Tor nodes using the AWS Managed Rules Anonymous IP list.

Access control through CloudFront

There are two common approaches to access control for media content:

• In an encryption-based approach, you encrypt your video segments and distribute decryption keys to authorized users using a digital rights management (DRM) solution. DRM systems require integration with the origin for exchanging encryption keys and for authorizing users to retrieve the decryption key. Commercial DRM providers offer a range of solutions with particular features and support for different devices. A multi-DRM solution is often necessary for operating at scale with a diverse population of devices.

• In an access-control-based approach, you use tokenization to serve the content to authorized users only. For delivery at scale, the access control mechanism must be incorporated into the CDN's processing logic, because a viewer's request is received by a cache server that validates the request and either allows or denies access.
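The following added example (not from the AWS whitepaper) models, in Python, the two CloudFront-side decisions described above as a cache server would make them: the distribution-wide geographical restriction (allowlist or blocklist, mirroring the whitelist/blacklist/none restriction types of the CloudFront API) followed by the token check of the access-control-based approach. The token format, the signing key and the country codes are constructed for illustration; the HMAC scheme is hypothetical and is not CloudFront's signed-URL format.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real deployment would load it from a secrets store.
SIGNING_KEY = b"constructed-demo-key"

# Constructed geo restriction. "type" follows the CloudFront API values
# (whitelist, blacklist, none); AA and ZZ are ISO user-assigned placeholder codes.
GEO_RESTRICTION = {"type": "blacklist", "countries": {"AA", "ZZ"}}


def geo_allowed(country: str, restriction: dict = GEO_RESTRICTION) -> bool:
    """Distribution-wide geo check: blocked requests get a 403 from the edge."""
    kind, countries = restriction["type"], restriction["countries"]
    if kind == "whitelist":
        return country in countries
    if kind == "blacklist":
        return country not in countries
    return True  # "none": no geographical restriction configured


def make_token(path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    """Hypothetical token: '<expiry>.<hmac-sha256(path|expiry)>' bound to one path."""
    mac = hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def token_valid(path: str, token: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Reject malformed, expired or tampered tokens; compare MACs in constant time."""
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now >= expires:
        return False
    expected = hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def edge_decision(country: str, path: str, token: str, now: int,
                  restriction: dict = GEO_RESTRICTION) -> int:
    """Cache-server decision: geo restriction first, so a valid token never bypasses it."""
    if not geo_allowed(country, restriction):
        return 403
    if not token_valid(path, token, now):
        return 403
    return 200


if __name__ == "__main__":
    tok = make_token("/hls/segment1.ts", int(time.time()) + 300)
    print(edge_decision("US", "/hls/segment1.ts", tok, int(time.time())))  # 200
```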