How to secure downloads using Cloudfront - amazon

I have videos containing educational content. I'd like to distribute these videos using S3 and my DNN site. I've created my S3 bucket with all the videos.
I'd like users to be able to log in and be able to download the videos that they have paid for.
Also, I'd like to prevent users from sharing video URLs (hotlinking).
I've looked into private distributions but it seems a little complicated as far as signed URLs.
Ideally, I'd have some kind of a policy on CloudFront that would only allow videos to be downloaded from my own domain. (I remember doing something like this with S3 itself where I would add a custom ACL that would specify the httpreferrer.)
Thanks for your help, my head was about to explode due to information overload.
Cristian

The ideal would be to use a plugin that generates the expiring URLs for you.
If you are on Joomla or Wordpress, you may want to look into S3Media Stream.
Just google it and you will find it quite easily.
I hope this helps?
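
The kind of expiring URL such a plugin generates for a private CloudFront distribution, as an added example that is not part of the original answer: a canned-policy signed URL built with Node's crypto module. The key pair, key ID, domain and `checkCloudFrontUrl` (a simplified stand-in for the check done at the edge) are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed throwaway key pair so the example runs offline; in a real setup the
// public half is registered with CloudFront and the private half stays on the server.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEY_PAIR_ID = 'K-EXAMPLE-PLACEHOLDER'; // placeholder, not a real key ID

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfEncode = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const cfDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64');

// Canned policy: one resource, one expiry time, no whitespace in the JSON.
const cannedPolicy = (url, expires) => JSON.stringify({
  Statement: [{ Resource: url, Condition: { DateLessThan: { 'AWS:EpochTime': expires } } }],
});

function signUrl(url, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const expires = now + ttlSeconds;
  // Canned-policy signatures are RSA with SHA-1 over the policy string.
  const sig = crypto.sign('sha1', Buffer.from(cannedPolicy(url, expires)), privateKey);
  const sep = url.includes('?') ? '&' : '?';
  return `${url}${sep}Expires=${expires}&Signature=${cfEncode(sig)}&Key-Pair-Id=${KEY_PAIR_ID}`;
}

// Simplified stand-in for the edge check: rebuild the policy from the requested
// URL and Expires value, verify the signature, then compare against the clock.
function checkCloudFrontUrl(signedUrl, now = Math.floor(Date.now() / 1000)) {
  const u = new URL(signedUrl);
  const expires = Number(u.searchParams.get('Expires'));
  const sig = cfDecode(u.searchParams.get('Signature') || '');
  for (const p of ['Expires', 'Signature', 'Key-Pair-Id']) u.searchParams.delete(p);
  const policy = Buffer.from(cannedPolicy(u.toString(), expires));
  if (!crypto.verify('sha1', policy, publicKey, sig)) return 'bad-signature';
  return now < expires ? 'ok' : 'expired';
}
```

Because the resource and the expiry are both inside the signed policy, a shared link cannot be repointed at another video or have its lifetime extended; it simply stops working once `Expires` passes.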

Related

How to properly handle repeatedly served images on S3

I am developing a web app kind of like Canva so I have design images I need to store. Is the best way to store them on S3 just to manually upload each design, make the bucket public, and input the URL to each image in my web app?
I ask this question because:
1. I don't know if just making the bucket public is standard practice.
2. Since the user will be repeatedly loading the main page with all the designs, the images will be constantly reloading. That's why I say repeatedly in the title. Is there a way to better handle the images so it doesn't constantly request?
What I've tried: I've looked at the documentation, but honestly I do not like the AWS documentation. In my opinion it doesn't give clear answers to questions like these. I've looked for other Stack Overflow questions, and I could not find a lot clearly discussing this either.
Let me know if I'm not being clear on anything. Obviously I am not well versed in image storage or anything in that realm so any advice would be greatly appreciated.

It's fine to make such buckets public with permissions, like you can add a domain-specific permission and keep it public.
If you are serving directly from S3, at some point it will cost you more. Provision CloudFront with S3 to serve images. AWS already provides an image handler; you can find it in the CloudFormation templates.

Protecting the AWS S3 download links

I have been developing a website where people can buy digital products and then download them after the payment. I am using the MERN stack and thinking of using AWS S3 for storing the digital products.
I am quite worried about implementing the security. I want to make sure that nobody can find an evil way to download files unless they purchased the product.
Not only about AWS S3 but anything you can suggest is appreciated.
I am not really an experienced guy in this industry since I am a mechanical engineer. So, I appreciate even a single bit of your suggestions.

You should use Amazon S3 pre-signed URLs.
It works like this:
1. All files in Amazon S3 remain private.
2. Users interact with your website and purchase the software.
3. Your website then generates a pre-signed URL, which is a time-limited link to a private object stored in Amazon S3.
4. Users can click that link to download the file. After the expiry period (which you can set), the link will no longer work.
Yes, they could share that link with other people, but it would only work for the stated time period (e.g. 5 minutes).
The signed URL only takes a couple of lines of code to generate. It can be generated within your app, without having to make an API call to S3.
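
Why no call to S3 is needed, as an added example that is not part of the original answer: a pre-signed GET URL is a Signature Version 4 HMAC computed locally over the request, shown here with Node's crypto module only. The credentials, bucket host and `checkPresigned` (a simplified stand-in for the service-side check) are constructed for illustration; a real application would use the AWS SDK's presigner.

```javascript
const crypto = require('crypto');

// Constructed placeholders: not real credentials, bucket or host.
const ACCESS_KEY = 'AKIDCONSTRUCTEDEXAMPLE', SECRET = 'constructed-secret-not-real';
const REGION = 'us-east-1', HOST = `example-products.s3.${REGION}.amazonaws.com`;

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()); // strict RFC 3986
const canonQuery = (pairs) => pairs.sort(([a], [b]) => (a < b ? -1 : 1))
  .map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&');

// SigV4 over the canonical GET request; only the Host header is signed.
function sign(path, query, amzDate, scope) {
  const canonical = ['GET', path, query, `host:${HOST}`, '', 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const hash = crypto.createHash('sha256').update(canonical).digest('hex');
  const key = scope.split('/').reduce(hmac, 'AWS4' + SECRET); // date, region, s3, aws4_request
  return hmac(key, ['AWS4-HMAC-SHA256', amzDate, scope, hash].join('\n')).toString('hex');
}

function presignGet(objectKey, expiresIn, now = new Date()) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T120000Z
  const scope = `${amzDate.slice(0, 8)}/${REGION}/s3/aws4_request`;
  const path = '/' + objectKey.split('/').map(enc).join('/');
  const query = canonQuery([
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'], ['X-Amz-Credential', `${ACCESS_KEY}/${scope}`],
    ['X-Amz-Date', amzDate], ['X-Amz-Expires', String(expiresIn)], ['X-Amz-SignedHeaders', 'host'],
  ]);
  return `https://${HOST}${path}?${query}&X-Amz-Signature=${sign(path, query, amzDate, scope)}`;
}

// Simplified stand-in for the service-side check: recompute the signature from the
// request as received, compare, then enforce X-Amz-Date + X-Amz-Expires.
function checkPresigned(signedUrl, now = new Date()) {
  const u = new URL(signedUrl), q = u.searchParams;
  const pairs = [...q].filter(([k]) => k !== 'X-Amz-Signature');
  const amzDate = q.get('X-Amz-Date') || '';
  const scope = (q.get('X-Amz-Credential') || '').split('/').slice(1).join('/');
  const given = Buffer.from(q.get('X-Amz-Signature') || '');
  const want = Buffer.from(sign(u.pathname, canonQuery(pairs), amzDate, scope));
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) return 'bad-signature';
  const issued = Date.parse(amzDate.replace(/^(\d{4})(\d\d)(\d\d)T(\d\d)(\d\d)(\d\d)Z$/, '$1-$2-$3T$4:$5:$6Z'));
  return now.getTime() < issued + Number(q.get('X-Amz-Expires')) * 1000 ? 'ok' : 'expired';
}
```

Generate the URL only after the purchase check passes and keep `expiresIn` short: anyone holding the link can use it until it expires, but the object key and the expiry cannot be edited without breaking the signature.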

How companies like UDEMY protect videos from being downloaded

DISCLAIMER :) :)
Some of them may think it's not relevant for discussion as it does not
fit here. Why not? As I think in StackOverflow we find smartest people
around the globe. Even if I try to create in other StackOverflow
domains it won't be that visible.
NOTE: So if you're the kind of guy who is trying to pull this down. Please
have some pity on me as I won't get good answers in other Q&A sites
like Quora
I would like to understand how companies like UDEMY protect the videos that are not allowed to be downloaded. I know they can't just fully protect them but can harden it via various methods. Some of what I found is as follows:
In Udemy I saw with point 3. Sounds interesting.
Starting from basic one
1. Disable right-click to download (Can be hacked by disabling the browser JS).
2. You can use custom video libraries or no download options but god knows how fairly it plays. As I was able to download that kind of video.
3. Using BLOB URL for the video, this downloads the video in bytes. (Kind of secure using but can use HLS video downloader)
4. Can use On-demand live HTTP video streaming from Amazon or Vimeo but over time they may cost a lot.
5. Then I read about large giants like Netflix, Amazon Prime using multiple streaming files which will be stored in different chunks. Which makes it harder to download.
Any other ways you guys might have found an interesting way to harden it would love to hear.
AT THE END OF THE DAY USER CAN STILL SCREEN RECORD YOUR VIDEOS DAMMMMMM IT!

Streaming IS downloading. If you want someone to be able to watch a video, you MUST let them download it.
The way large sites protect the content is not through downloading, but by encrypting the files BEFORE they are downloaded. Then the player knows how to request the decryption key from a DRM server.
For more information, read about DRM and EME on Wikipedia.

Stream videos securely using AWS CloudFront

I am attempting to serve paid videos to the users of my website, which is using PHP and is hosted on AWS.
I was wondering if:
1) anyone has successfully managed to serve video content through CloudFront securely? No matter what I try, FlashDownloadPlayer has managed to download the video.
2) will the video I upload automatically play in all devices/platforms regardless of input raw file I use? I wasn't able to confirm this through AWS documentation.
Regardless, any ideas to make video downloading extremely difficult (at least not through flashDownloadPlayer) would really be appreciated.
My videos are stored in AWS S3.
Thanks!

Yes you can do this through CloudFront and have it be just as fast as YouTube, with a CDN on a similar scale as Google. The difference being you can make CloudFront private and encrypted as you mention. For example, we host dozens of confidential online videos behind our business Intranet and Extranet site. Obviously the site is password protected, and the videos needed to be private. CloudFront lets you encrypt the video and embed it inside a video player such as JWPlayer. This was the only way we could pass our security audit, while still serving massive video content and have it be fast. It sounds quite involved, but we followed a great guide in this tutorial and got this going in a few hours. Very straightforward.
https://centroy.com/blog/secure-video-alternative-to-youtube

How to securely serve S3 files to blog

I'm starting a blog and I'm in the process of choosing where I should host it. For now I want a free solution like Blogger or Wordpress.com.
The problem I'm facing is that I want to use files I have in an S3 bucket in my blog but none of the blog solutions I found supports any kind of server code, which means that in order to use S3 query string authentication I would have to put vulnerable information in the client. For obvious reasons I don't want to do that.
So, I'm looking for ideas on how I can safely include content from S3 in a free blog host.

I'm not aware of any blog software that by default supports Amazon S3. So your best shot is to get cheap hosting (hosting is really cheap these days, a few dollars a month). Then you can install a plugin which supports Amazon S3.

I think we might need a bit more detail here. For example, if you just want to link to files on S3 from your blog, you can make the files globally readable on S3 and then just link to them, with no authentication necessary.
If you want to do something more complex, maybe look into hosting WordPress yourself using WordPress.org, at which point you can use server-side code yourself, perhaps as a plugin. Or, maybe there's an existing plugin that works with WordPress that would suit you -- there's definitely a plug-in which copies WordPress file uploads to S3 and then serves them from there, rather than from your blog host, for example. It's not a free solution, but hosting starts pretty cheap.
For fairly obvious reasons of security, there aren't any blog service providers I can think of who provide server-side code access.
