

# Deploy a solution to protect your premium video content from unauthorized access when delivered through Amazon CloudFront
<a name="solution-overview"></a>

Publication date: *August 2022* ([last update](revisions.md): November 2024)

 Premium video content is one of the most valuable assets for media and entertainment companies. Video delivery teams must continue to raise the security bar to ensure that only authorized viewers consume the content over approved delivery channels. For a video streaming distribution of any scale, customers seek a complete, incremental solution that works universally on a variety of video clients without requiring a re-architecture of their workloads. 

The Secure Media Delivery at the Edge on AWS solution integrates with Amazon CloudFront to offer a ready-to-use content protection mechanism that helps you meet licensing obligations from rights holders by improving anti-piracy controls. Video streaming engineers and Content Delivery Network (CDN) operators can deploy the solution into their environment and incorporate it in a minimal number of steps without needing to rearchitect their video services.

This solution leverages [CloudFront Functions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html) to introduce a cookie-less approach that simplifies and automates access token management for media streaming services. Using serverless resources in this edge environment, customers can generate an encrypted token, inject it into the media delivery path, and validate the token on every request, without the client needing to produce and attach a new token for each request in the same playback session. The token authorization function at the edge can be associated with a specific CloudFront path behavior that points to the media origin holding the original content. Shifting this functionality to the edge simplifies customers’ secure video streaming workflows: it is transparent to existing video origins and removes the complexity of manipulating media manifest files.

This implementation guide provides an overview of the Secure Media Delivery at the Edge on AWS solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the Amazon Web Services (AWS) Cloud.

 The intended audience for using this solution’s features and capabilities in their environment includes solution architects, DevOps engineers, data scientists, and cloud professionals. 

 Use this navigation table to quickly find answers to these questions: 


|  If you want to . . .  |  Read . . .  | 
| --- | --- | 
|  Know the cost for running this solution. The estimated cost for running this solution in the US East (N. Virginia) Region is **USD \$125.65 per month** for the base module's AWS resources.  |  [Cost](cost.md)  | 
|  Understand the security considerations for this solution.  |  [Security](security.md)  | 
|  Know how to plan for quotas for this solution.  |  [Quotas](quotas.md)  | 
|  Know which AWS Regions support this solution.  |  [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions)  | 
|  Know which video streaming formats the solution supports.  |  [Supported formats](supported-formats.md)  | 
|  Know the requirements for using an existing CloudFront distribution.  |  [CloudFront prerequisites](cloudfront-prerequisites.md)  | 
|  View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the “stack”) for this solution.  |  [AWS CloudFormation template](aws-cloudformation-template.md)  | 
| Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution. |  [GitHub repository](https://github.com/aws-solutions/secure-media-delivery-at-the-edge-on-aws/)  | 

# Features and benefits
<a name="features-and-benefits"></a>

 The solution provides the following features: 

 **Ease of integration** 

 Easily integrate this solution into your existing workflows or add to new ones in a few configuration steps. Implemented as an incremental component, the solution is ready to use without redesigning the CloudFront architecture. 

 **Live and on demand workloads** 

 The solution supports Live streaming and Video on Demand (VOD) workloads. 

 **Widespread support across video clients** 

 With a wide range of devices and streaming formats, the solution is designed to provide the best possible support coverage. The URL-based token works universally with the clients you use today, and the ones you might need to support tomorrow.  

 **Flexible token structure** 

 Presenting secure tokens in the widely-adopted JSON Web Token (JWT) format offers flexibility in construction. Combine multiple viewer attributes and geolocation details provided by CloudFront to restrict playback to only authorized clients. Viewer attributes are not exposed in the token or URL path, ensuring the privacy of your end-users. 

 **Session revocation** 

 Quickly identify playback sessions with irregular traffic patterns suggesting unauthorized distribution of your content. Block playback sessions by reporting corresponding session identifiers, or leverage the automatic workflow offered by the solution to detect and block suspicious sessions.  

 **Scale and automation** 

 The solution seamlessly scales to the highest traffic events via CloudFront Functions. You can depend on the automated workflows implemented by the solution to handle regular key rotation, and process traffic patterns to detect and block sessions with suspicious traffic patterns. 

 **Integration with Service Catalog AppRegistry and Application Manager, a capability of AWS Systems Manager** 

 This solution includes a [Service Catalog AppRegistry](https://docs.aws.amazon.com/servicecatalog/latest/arguide/intro-app-registry.html) resource to register the solution’s CloudFormation template and its underlying resources as an application in both Service Catalog AppRegistry and [Application Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/application-manager.html). With this integration, you can centrally manage the solution’s resources and enable application search, reporting, and management actions. 

# Use cases
<a name="use-cases"></a>

 **Secure Content Delivery** 

 Building and deploying infrastructure or applications at the edge requires comprehensive security with a reliable cloud infrastructure, and securing your rich media or static content requires extra care. With the Secure Media Delivery at the Edge on AWS solution, you can add additional layers of security to prevent unauthorized access and common web exploits. This allows you to spend more time building applications, and less time monitoring threats. Often, it is also a contractual obligation content distributors need to adhere to with respect to security and access control methods. This solution can be used in combination with digital rights management (DRM) systems or used as a single protection from unauthorized playback. 

 **Streaming Media** 

As consumer demand for video streaming increases, media and entertainment companies are looking for secure and reliable web-based video streaming alternatives to traditional television. Using this solution, you can avoid inefficient trial-and-error approaches and save time and costs on your Video on Demand (VOD) and Live streaming media projects. This solution serves customers looking for a robust mechanism with widespread support across a variety of clients, as well as more flexibility in adjusting the working parameters (for example, fine-grained geo restrictions, custom headers, source IPs) and the logic of securing their video streams.

# Concepts and definitions
<a name="concepts-and-definitions"></a>

 This section describes key concepts and defines terminology specific to this solution:  

 **application** 

 A logical group of AWS resources that you want to operate as a unit. 

**Access control list (ACL)**

 A web ACL gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. 

 **Common Media Application Format (CMAF)** 

 An HTTP-based streaming and packaging standard to improve delivery of media over the internet, compatible with HLS and DASH, and co-developed by Apple and Microsoft. 

**Digital rights management (DRM)**

 A technology used to control and manage access to copyrighted material. 

 **Dynamic Adaptive Streaming over HTTP (DASH)** 

An HTTP-based streaming protocol (also known as MPEG-DASH) for delivering media over the internet, developed under MPEG (Motion Picture Experts Group).

 **HTTP Live Streaming (HLS)** 

An HTTP-based streaming protocol for delivering media over the internet, developed by Apple Inc.

 **WCU** 

 AWS WAF Capacity Units (WCU) are used to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. AWS WAF enforces WCU limits when you configure your rule groups and web ACLs. WCUs don't affect how AWS WAF inspects web traffic. 

 For a general reference of AWS terms, see the [AWS Glossary](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html).  