Tags: amazon-web-services, amazon-s3, amazon-cloudfront

How to secure HLS streaming using AWS for mobile devices?


We have some videos in an S3 bucket. They've been transformed using AWS Elastic Transcoder to .m3u8 / .ts. We want the users to be able to stream these videos on both a web app and a mobile app.

Now, we want to secure this streaming, so our videos won't get pirated.

So, our proposed solution is as follows:

  • Prevent public access to the S3 bucket
  • Create a CloudFront distribution with the bucket as the origin
  • Only enable access to this CDN using pre-signed URLs/cookies
  • For web app: use a pre-signed cookie (set by an endpoint at our backend that requires authentication), so that it works well with HLS (since the app needs to fetch a new segment every few seconds)

But now we don't know what to do with our mobile app. We can't use pre-signed cookies since there's no browser, and we can't use pre-signed URLs, since we'll need a signed URL for each segment we need to fetch. Any suggestions and solutions are welcome.


Solution

  • For our similar use-case:

    1. We used a CloudFront URL and not an S3 signed URL, because an S3 signed URL is valid at object level and not folder level.
    2. For paid videos, security and access were managed by Lambda@Edge on viewer requests.
    3. Although we used OAuth and a database inside that Lambda, surprisingly we didn't face any bottlenecks on Lambda@Edge. For future plans, we considered using Redis for seamless access validation inside Lambda@Edge.
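
A sketch of the viewer-request check described in the answer above, added here as an example and not the answerer's code. It swaps their OAuth and database lookup for a self-contained HMAC token scoped to one video folder, which a mobile player can send in an `Authorization` header on every playlist and segment request; `SECRET`, `issueToken`, `authorize` and the `/videos/42/` paths are hypothetical names.

```javascript
'use strict';
const crypto = require('crypto');

// Assumption: shared HMAC key. Viewer-request functions cannot read environment
// variables, so a real deployment bundles or fetches the key; this is a placeholder.
const SECRET = 'constructed-demo-secret';

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');

// Backend side (hypothetical): issue a token for one video folder after login.
function issueToken(prefix, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const payload = Buffer.from(JSON.stringify({ prefix, exp: now + ttlSeconds }))
    .toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Edge side: return the request to let it through, or a generated 403 response.
function authorize(request, now = Math.floor(Date.now() / 1000)) {
  const deny = { status: '403', statusDescription: 'Forbidden', body: 'Forbidden' };
  const header = (request.headers.authorization || [])[0];
  const match = header && /^Bearer ([\w-]+)\.([\w-]+)$/.exec(header.value);
  if (!match) return deny;
  const [, payload, mac] = match;
  // Verify the MAC in constant time before trusting anything in the payload.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return deny;
  }
  const { prefix, exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  // Defensive: reject dot segments so a path cannot step out of the granted folder.
  if (request.uri.split('/').includes('..')) return deny;
  if (typeof prefix !== 'string' || !prefix.endsWith('/')) return deny;
  if (!request.uri.startsWith(prefix) || !(exp > now)) return deny;
  return request;
}

// Lambda@Edge entry point for the viewer-request event.
exports.handler = async (event) => authorize(event.Records[0].cf.request);
```

One token covers the playlist and every segment under its folder, so the client does not need a separately signed URL per segment.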