Monday, February 24, 2014

Serving Private content using Amazon Cloudfront


A lot of people are using Amazon Cloudfront as Content Delivery Platform(CDN) nowadays. It is very easy. If you want to stream any videos, upload them to Amazon s3 bucket, create a cloudfront distribution, associate the distribution with the s3 bucket. That's it. You can now stream the videos with cloudfront url.

But, is this secure? What if a third party came to know about your urls? can they access it? Of course they can! What if you got the videos from a Production house and you have signed privacy agreements? Can you still serve you content unprotected? They will sue you.
So it is better to use a little more security. Cloudfront offers a lot of security features.

Configuring Amazon s3 bucket:

First thing is block the s3 access for outsiders.
How to do this? Deny all the read/write permissions on this s3 bucket. Allow only read access to cloudfront distribution via Origin Access Identity(OAI).

Origin Access Identity is a cloudfront user. On s3 buckets you set permission for this OAI to read the files in s3 buckets.

How it works?
You need to create a cloudfront key pair from the aws console. It will give you a pair of public key and private key. Download the private key. The key pair will have an ID also. Note it down.

Whenever you make a request to play a video, sign the request with the private key as explained here and send the request. Cloudfront will validate the url along with the signature,key paid-id and expiry time and play the content.

See the diagram for the detailed view of how signed urls works with amazon cloudfront.

Serving Private content using Amazon Cloudfront
Serving private content through amazon cloudfront

As you are specifying the url is valid for only a particular time, even if some third person gets the url, it becomes invalid(you need to set this a small time and create a new signed url whenever making a request) and they wont be able to play the urls without signing it.

The examples programs for signing had given in the Amazon documentation. See it here.

Related :
how to check the amazon cloudfront edge-location in use.

how to create custom error pages in amazon cloudfront.

No comments:

Post a Comment

Be nice. That's all.