Stay up to date with the latest from the Knowledge Center. See all new and updated Knowledge Center articles published in the last month and re:Post’s top contributors.
What's the best practice for sharing videos hosted on Amazon S3 using presigned URLs?
We're considering using presigned URLs to share videos hosted on Amazon S3. What's the best way to do that while still securely managing the endpoints?
There are two use cases that present a potential security problem for us:
- If the user is streaming a video, the video starts off with an incomplete byte-range request of 0- to download the whole file. Then, if the user jumps ahead in the video, and the client hasn't yet received the bytes for that part of the file, another request to the same URL with a byte range starting from the part of the video the user has jumped to.
- If a download is paused halfway through the download natively in the browser and the user resumes the download after the initial request has expired, another byte-range request for the remainder of the content will be made.
To support either of these use cases with a presigned URL, we'd need to keep the signing valid for the duration of the download, which is a concern from a security perspective.
Is there a best practice for handling this?
- Newest
- Most votes
- Most comments
Consider using Amazon CloudFront, which has enhanced singed URL features like custom policies. You can use the custom policies to restrict access to only the source IP address or address range, allowing you to more securely set a longer duration before the signed URL expires.
For more information, see Creating a signed URL using a custom policy in the Amazon CloudFront developer guide.
Note: Creating a signed URL using a custom policy in Amazon CloudFront is also great way to manage formats such as HLS/HDS because you can use wildcard characters.
Relevant content
- asked 2 years ago
- asked 3 months ago
AWS OFFICIALUpdated 4 months ago- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 8 months ago
Is there a way to use a custom policy to sign the hls url in CloudFront and only sign the initial cloudfront url and not each individual underlying url in s3?