How to prevent downloading video from Amazon Cloudfront

0

I use S3 to store my videos and Cloudfront for distribution. On my website, I successfully streamed the videos using the <video> tag. One can see the source URL if they inspect the page. Example: http://cloudfront-domainname/VideoFileName.mp4

If I directly paste this URL in the address bar, I am able to download the video by right-clicking and then selecting "Save Video As...". My question: is there a way in Cloudfront and/or S3 to prevent this download?

Vince
asked 9 months ago · 1446 views
4 Answers
1

Since you are using S3 as the origin for your Videos you can use CloudFront Origin Access Control (OAC), for details see

https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/

For S3 use OAC and apply the OAC policy at your bucket.

This way any request from CloudFront to your S3 Bucket will have to be compliant with the OAC Policy, which will only allow requests to be served if coming from your CloudFront distribution endpoint.

If you use any other types of Origin Servers or services you can also potentially configure CloudFront to add custom HTTP headers to the requests that it sends to your origin. For more information see: https://someshsrivastava1983.medium.com/secure-custom-origin-with-cloud-front-custom-header-and-aws-waf-9156dc7b5d5b or https://repost.aws/knowledge-center/cloudfront-authorization-header

This way any request to the Origin will add a custom HTTP header; if users inspect your front-end and copy the playback URL, they will not be able to directly access your Origin.

AWS
Nuno_Q
answered 9 months ago
  • Additionally, you can use the following AWS Solution: https://aws.amazon.com/solutions/implementations/secure-media-delivery-at-the-edge/. This solution allows you to secure the distribution of video at the edge by leveraging signed JSON Web Tokens in the request and the ability to revoke sessions.

  • Yes, I actually use OAC in my Cloudfront distribution. The video can be downloaded using the Cloudfront endpoint and not directly using the S3 URL.

  • Vince, for players to play the video, the video has to be streamed to the device and decoded. Once the video arrives at the device, it is not hard for savvy users to capture the network packets and have access to the content. If what you are trying to accomplish is to have a robust system in place to stop your content from being distributed, then you should look at encrypting your assets with DRM Key Providers that allow the use of rotating keys like Google Widevine, Microsoft PlayReady and Apple FairPlay. (1/2)

  • You will also have to take into consideration the coverage of devices you will want to target and that support the DRM(s) that you choose (please see https://castlabs.com/resources/drm-comparison/). You will also have to consider the costs you will incur by applying DRM. Using DRM might become too expensive if the content you are looking to protect is not valuable enough to generate the necessary revenue to protect it. If that is the case, you can look at the solution above (Secure Media at the Edge) and only allow access to the content to authenticated users. (2/2)

  • To apply encryption with MediaConvert, please see https://docs.aws.amazon.com/mediaconvert/latest/ug/using-encryption.html. You will have to deploy a SPEKE API Gateway (https://docs.aws.amazon.com/speke/latest/documentation/what-is-speke.html) and choose a DRM Key provider that will provide the AES Encryption keys to MediaConvert thru the SPEKE API Gateway. How to deploy SPEKE Gateway API - https://aws.amazon.com/blogs/media/using-and-extending-the-open-source-speke-reference-server/
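
A check for the OAC setup described in the answer above, as an added example that is not part of the original thread: it audits a bucket policy and reports any Allow statement that lets something other than one CloudFront distribution read objects. The bucket name, account ID and distribution ID are constructed placeholders; the policy shape follows the standard OAC bucket policy. As the asker notes, this only closes the direct S3 path, not downloads through the CloudFront URL.

```python
import json
from fnmatch import fnmatchcase

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_bucket_policy(policy_json, distribution_arn):
    """List Allow statements that let anyone but this distribution read objects."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants_read = any(fnmatchcase("s3:getobject", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_read:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != [CLOUDFRONT_SERVICE] or set(principal) != {"Service"}:
            findings.append(f"{sid}: read allowed for principal {principal!r}")
            continue
        # Condition keys are case-insensitive; only the StringEquals form is
        # accepted here, anything else is reported as not pinned.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        arns = [arn for key, val in equals.items() if key.lower() == "aws:sourcearn"
                for arn in _as_list(val)]
        if arns != [distribution_arn]:
            findings.append(f"{sid}: CloudFront principal not pinned to {distribution_arn}")
    return findings

# Constructed sample values (placeholders, not from the thread).
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
RESOURCE = "arn:aws:s3:::example-video-bucket/*"
OAC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT_SERVICE},
    "Action": "s3:GetObject", "Resource": RESOURCE,
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}})
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": RESOURCE}]})

if __name__ == "__main__":
    print(audit_bucket_policy(OAC_POLICY, DIST_ARN))
    print(audit_bucket_policy(PUBLIC_POLICY, DIST_ARN))
```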

0
Accepted Answer

The short answer is "not easily" and the longer answer is "not at all".

If the user can see the content then they already have the content - this is true for images, videos, text, etc. Even if there was a way to hide the originating link the content is still being streamed to the end user so a determined user could still get access to it. And the reason why video (or images) are sent as a link in this case is so that the browser does all the heavy lifting of rendering the content.

You could build your own rendering code on the front end; coupled with some other code at the back end which avoids a single link - but it's a lot of work and (again) a determined user is going to figure it out.

AWS
EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago
  • I understand. Is there a way within AWS to encrypt the downloaded video?

0

Apart from Bretsski's answer, maybe there can be a workaround: you can use AWS Elemental MediaConvert Service to encrypt your videos. I have added the below link for you to track how to

https://docs.aws.amazon.com/mediaconvert/latest/ug/using-encryption.html

profile picture
EXPERT
answered 9 months ago
0

You can ingest your MP4 on MediaPackage and make it available as HLS. Since HLS is made up of manifests that point to multiple file segments, this will make it harder for users to use the right-click then selecting "Save Video As...".

Please see the following documentation: https://docs.aws.amazon.com/mediapackage/latest/ug/vod-content.html

Alternatively, you can create HLS videos with MediaConvert and serve the HLS content from the S3 bucket in the same fashion you do the MP4. The only difference is that your URL will point to the parent manifest, i.e. filename.m3u8. Please see: https://docs.aws.amazon.com/mediaconvert/latest/ug/outputs-file-ABR.html

AWS
Nuno_Q
answered a month ago
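
An added example, not part of the original thread, tying together the HLS answer above and the earlier MediaConvert encryption answer: it audits an HLS media playlist and reports which segments are actually covered by an `#EXT-X-KEY` tag, since plain HLS segments are ordinary unencrypted files. The playlists, file names and key host are constructed samples.

```python
import re

ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')
KEY_TAG = "#EXT-X-KEY:"

def audit_media_playlist(text):
    """Report which segments of an HLS media playlist are encrypted.

    An #EXT-X-KEY tag applies to every segment after it until the next key
    tag, so a later METHOD=NONE leaves the following segments in the clear.
    """
    method = "NONE"  # no key tag seen yet means unencrypted
    report = {"segments": 0, "clear": [], "methods": set(), "findings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(KEY_TAG):
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line[len(KEY_TAG):])}
            method = attrs.get("METHOD", "NONE")
            uri = attrs.get("URI", "")
            if method != "NONE" and uri.lower().startswith("http://"):
                report["findings"].append(f"key served over plain HTTP: {uri}")
        elif line and not line.startswith("#"):
            # Any non-tag, non-blank line is a segment URI.
            report["segments"] += 1
            report["methods"].add(method)
            if method == "NONE":
                report["clear"].append(line)
    if report["clear"]:
        report["findings"].append(
            f"{len(report['clear'])} of {report['segments']} segments are unencrypted")
    return report

# Constructed sample playlists.
PLAIN_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXTINF:6.0,
video_00001.ts
#EXTINF:6.0,
video_00002.ts
#EXT-X-ENDLIST
"""
MIXED_PLAYLIST = PLAIN_PLAYLIST.replace(
    "#EXTINF:6.0,\nvideo_00001.ts",
    '#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k1"\n'
    "#EXTINF:6.0,\nvideo_00001.ts\n#EXT-X-KEY:METHOD=NONE")

if __name__ == "__main__":
    print(audit_media_playlist(PLAIN_PLAYLIST)["findings"])
    print(audit_media_playlist(MIXED_PLAYLIST)["findings"])
```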
