1
votes

BACKGROUND:

Amazon Cloudfront video delivery with S3 storage: I am using a custom 360-degree video player. The player simply links to MP4 videos. The videos are not streamed but just a direct link with progressive download.

ISSUE TO SOLVE ---> Signed URL

1) The videos should ONLY play back from my website and not from other websites. Otherwise someone will just hotlink to the video files, and I will have to pay for the Amazon traffic.

2) Where and how to insert CloudFront "Signed URL" policies?? Most tips suggest to use "Signed URL" that is connected to CloudFront. But I cannot put the puzzles together, too confusing as I am only a semi-advanced self-taught guy. So..:

2A --> where to insert the CloudFront policy? On S3 console? Or where?

2B --> what exactly to write, pls. provide a working example!

2C --> how to include one specific domain

3) I also suspect that protecting the file permissions in a S3 bucket is not enough, CloudFront may ignore that permission rule. Is that correct?

GUIDANCE:

If nothing works, I am looking for a paid, 1-hour Skype guidance session where we set up 1 video together with CloudFront Signed URL, using screensharing. All with step-by-step explanation, so I can repeat the process for the other videos myself. And the Skype session is affordable for a budget sensitive Kickstarter / Indiegogo project.

I appreciate any help, really do! Thanks!

1
Yes, but I don't understand where to insert the policies. It doesn't say, or I missed... (And to be honest, their documentation is way too difficult and confusing for a small startup, who only wants to set up a few secure videos.) - James

Do you know where to insert the policies? - James

Where are you going to store the videos? Also, this video contains a demo: youtube.com/watch?v=tpdlVrliMf0 - error2007s

Yes, I watched that video but they don't say WHERE and HOW to insert the Signed URL policy... they just simply skip that part saying "you can set that up if you want". (great..) Videos will be stored on Amazon S3. - James

1 Answer

3
votes

1) The videos should ONLY play back from my website and not from other websites. Otherwise someone will just hotlink to the video files, and I will have to pay for the Amazon traffic.

Right, so your web site needs to be running on a platform that can dynamically generate the HTML pages that link to the videos.

2) Where and how to insert CloudFront "Signed URL" policies?? Most tips suggest to use "Signed URL" that is connected to CloudFront. But I cannot put the puzzles together, too confusing as I am only a semi-advanced self-taught guy. So..:

The policy is used to generate the signature, and it is included as part of the link you generate, if you use a custom policy ... it looks like &Policy=... followed by a base64 encoded version of the policy.

It's in the URL?! Yes. The signature makes the policy tamper-proof. This is embedded in the signed URL that your code generates with each page load. If you use a canned policy, then you don't save/send it anywhere. You use it for signature calculation and then throw it away because CloudFront already knows what it contained, because it matches the request that's being made (else, it's invalid, so the request correctly fails).

2A --> where to insert the CloudFront policy? On S3 console? Or where?

Nowhere like that. See above.

2B --> what exactly to write, pls. provide a working example!

There is a working example in the documentation.

Stack Overflow does not have a free code giveaway service.

2C --> how to include one specific domain

That's not exactly how this works. Securing content by domain is not securing content at all, because that can be forged.

Your web site provides signed links. The links are valid because they were obtained from you. They are only good for a few seconds -- long enough to start the download -- and then they expire... so even if somebody hotlinks to them, you don't care, because the link is already stale. But that is why you generate them with each page load.

Alternately, serve your entire site through CloudFront, and then use CloudFront signed cookies to allow access to your restricted content by anyone logged in to your site.

3) I also suspect that protecting the file permissions in a S3 bucket is not enough, CloudFront may ignore that permission rule. Is that correct?

No, CloudFront has no privileged access to your bucket, unless you arrange it. A CloudFront origin access identity gives it the necessary rights to access objects in your bucket.

Read Serving Private Content through CloudFront.
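
An added example, not part of the original answer and not AWS's own code: how a server-side page handler can build the canned-policy and custom-policy signed URLs the answer describes, and what a visitor can read back out of the `Policy` parameter. The domain, key pair ID, 60-second lifetime and function names are assumptions; the RSA-SHA1 signer is passed in as a callable, and `rsa_sha1_signer` assumes the third-party `cryptography` package.

```python
import base64, json, sys, time
from urllib.parse import parse_qs, urlsplit

def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def make_policy(resource: str, expires: int) -> bytes:
    """Policy JSON with no whitespace; this byte string is what gets signed."""
    stmt = {"Resource": resource,
            "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":")).encode()

def signed_url(url, expires, key_pair_id, sign, custom=False):
    """sign: callable(bytes) -> RSA-SHA1 signature bytes over the policy."""
    policy = make_policy(url, expires)
    # Canned policy: only Expires is sent; CloudFront rebuilds the policy from
    # the request. Custom policy: the policy itself travels in the URL.
    first = f"Policy={cf_b64(policy)}" if custom else f"Expires={expires}"
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}{first}&Signature={cf_b64(sign(policy))}"
            f"&Key-Pair-Id={key_pair_id}")

def decode_policy(url: str) -> dict:
    """What any visitor can read back out of a custom-policy URL."""
    value = parse_qs(urlsplit(url).query)["Policy"][0]
    return json.loads(base64.b64decode(value.translate(str.maketrans("-_~", "+=/"))))

def rsa_sha1_signer(pem_path: str):
    """Real signer; assumes the third-party 'cryptography' package is installed."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    with open(pem_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password=None)
    return lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA1())

if __name__ == "__main__":
    # Usage: python sign.py private_key.pem  (call this on every page load)
    video = "https://d111111abcdef8.cloudfront.net/video.mp4"  # placeholder URL
    print(signed_url(video, int(time.time()) + 60,   # assumed short lifetime
                     "KEXAMPLEKEYID",                 # placeholder key pair ID
                     rsa_sha1_signer(sys.argv[1])))
```

The private key stays on the web server; only the signature, the expiry (or policy) and the key pair ID appear in the page's HTML.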