![\"Untitled](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/Untitled-Diagram.png\")
<\/p>\nI came across a scenario where we have to stream Videos On Demand (VOD) using \u00a0Amazon CloudFront and Amazon Simple Storage Service (S3). The on-demand streaming is done using Cloudfront Content Delivery Network (CDN). The videos to be served are stored on Amazon S3. I have designed a secure\u00a0architecture for the same setup.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
The following steps are performed to create Amazon S3 bucket and modify its permissions:<\/p>\n
1. Go to S3 console by logging into AWS console. Click on S3 option as shown below:
\n![\"EC2](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/EC2-Management-Console.png\")
<\/p>\n
2. Create a new S3 bucket by clicking on\u00a0Create Bucket\u00a0<\/strong>button. Specify the name and region of the bucket.<\/p>\n 3. Upload the video files to be served on the bucket by using AWS console or AWS CLI.<\/p>\n 4. Create a file named crossdomain.xml\u00a0<\/strong>and upload it. The file should contain the following content:<\/p>\n [js] 5.\u00a0Update CORS information by clicking on Edit CORS configuration<\/strong> as shown: 6. \u00a0Put the following content in the CORS configuration file:<\/p>\n [js] Here AllowedOrigin<\/strong> tag ensures the host from which the access to the content is allowed. You can set it to your desired host. AllowedMethod<\/strong> tag ensures methods allowed on the bucket.<\/p>\n 7. Now update the S3 bucket policy by clicking on\u00a0Add Bucket Policy\u00a0<\/strong>near Edit CORS configuration\u00a0<\/b>option. The policy must contain the following content:<\/p>\n [js] The\u00a0bucket_name\u00a0<\/strong>should be replaced by the name of the bucket and\u00a0OriginAccessIdentityID\u00a0<\/strong>should be replaced by CloudFront Origin Access Identity. It will be obtained when we create the CloudFront distribution below.<\/p>\n Here “Effect”:”Deny” \u00a0<\/strong>aws:SecureTransport”: false\u00a0<\/strong>is used to prevent HTTP access to S3 bucket. The GetObject permission is given of the content in S3 only to the cloud front user.<\/p>\n <\/p>\n 1. \u00a0Go to CloudFront console by logging into AWS console. Click on CloudFront option as shown below: 2.\u00a0Click then on Create Distribution<\/strong> to create a new cloud front distribution. The new distribution will be used to stream videos.<\/p>\n 3. Click on\u00a0Create Web Distribution.<\/strong><\/p>\n 4. Now enter the required details in the boxes as shown in the image below: Origin is where you store your content to be served.<\/p>\n 5. SSL Certificate: <\/strong>You can\u00a0use default CloudFront certificate or can create your own certificate. To create your own certificate, follow the below steps:<\/p>\n [js] <\/p>\n YOURNAME<\/strong> \u2013 Identifying the certificate once it is uploaded to AWS console. The certificate will then be available on your AWS console. The certificate generated above can be verified by:<\/p>\n [js] Leave other options as default and click on\u00a0Create Distribution.<\/strong><\/p>\n 6. On Web distribution page, you will get DNS of your CloudFront as\u00a0**************.net.\u00a0<\/strong>Copy this and create a Cname\u00a0in Route 53 as shown: <\/p>\n 7.\u00a0Now update this DNS in CloudFront distribution. Go to your web distribution. Click on\u00a0General and then click on Edit. Then update DNS as shown: <\/p>\n 8.\u00a0The origin access identity will be obtained after you create the cloud front\u00a0distribution. After creating the distribution, edit the distribution and origin access identity will be seen as below: The CloudFront distribution will take some time to create. You can check the status at main distribution page. After the distribution is created, you can check out the complete secure architecture. The few testing steps are as follows:<\/p>\n The secure architecture has been implemented. The architecture can be modified at ease by modifying the parameters or policies.<\/p>\n","protected":false},"excerpt":{"rendered":" I came across a scenario where we have to stream Videos On Demand (VOD) using \u00a0Amazon CloudFront and Amazon Simple Storage Service (S3). The on-demand streaming is done using Cloudfront Content Delivery Network (CDN). The videos to be served are stored on Amazon S3. I have designed a secure\u00a0architecture for the same setup. The […]<\/p>\n","protected":false},"author":163,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":36},"categories":[1174,2348,1],"tags":[2937,1332,2947,2939,2936,2940,2938],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/31107"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/163"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=31107"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/31107\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=31107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=31107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=31107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n<cross-domain-policy>
\n<allow-access-from domain="*" secure="false"\/>
\n<site-control permitted-cross-domain-policies="all"\/>
\n<\/cross-domain-policy>
\n[\/js]<\/p>\n
\n![\"CORS\"](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/CORS.png\")
<\/p>\n
\n<?xml version="1.0" encoding="UTF-8"?>
\n<CORSConfiguration xmlns="http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/">
\n<CORSRule>
\n<AllowedOrigin>*<\/AllowedOrigin>
\n<AllowedMethod>PUT<\/AllowedMethod>
\n<AllowedMethod>POST<\/AllowedMethod>
\n<AllowedMethod>DELETE<\/AllowedMethod>
\n<AllowedMethod>GET<\/AllowedMethod>
\n<ExposeHeader>ETag<\/ExposeHeader>
\n<AllowedHeader>*<\/AllowedHeader>
\n<\/CORSRule>
\n<\/CORSConfiguration>
\n[\/js]<\/p>\n
\n{
\n"Version": "2008-10-17",
\n"Id": "some_policy",
\n"Statement": [
\n{
\n"Sid": "AddPerm",
\n"Effect": "Deny",
\n"Principal": "*",
\n"Action": "s3:*",
\n"Resource": "arn:aws:s3:::<strong>bucket_name<\/strong>\/*",
\n"Condition": {
\n"Bool": {
\n"aws:SecureTransport": false
\n}
\n}
\n},
\n{
\n"Sid": "2",
\n"Effect": "Allow",
\n"Principal": {
\n"AWS": "arn:aws:iam::cloudfront:user\/CloudFront Origin Access Identity <strong><strong>OriginAccessIdentityID<\/strong><\/strong>"
\n},
\n"Action": "s3:GetObject",
\n"Resource": "arn:aws:s3:::<strong><strong>bucket_name<\/strong><\/strong>\/*"
\n}
\n]
\n}
\n[\/js]<\/p>\nCreating Amazon CloudFront distribution to stream video content<\/span><\/h3>\n
\n![\"Cloudfront\"](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/Cloudfront.png\")
<\/p>\n
\n![\"CLoudfront\"](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/Selection_100.png\")
<\/p>\n\n
\n
\naws iam upload-server-certificate –server-certificate-name YOURNAME –certificate-body file:\/\/YOURSIGNEDCERT.pem –private-key file:\/\/YOURPRIVATEKEY.pem –certificate-chain file:\/\/INTERMEDIATECERT.pem –path \/cloudfront\/path\/
\n[\/js]<\/p>\n
\nYOURSIGNEDCERT<\/strong> \u2013 The certificate received from Certificate Authority(CA).
\nYOURPRIVATEKEY<\/strong> \u2013 The private key, which is generated as a part of certificate process.
\nINTERMEDIATECERT<\/strong> \u2013 The intermediate key provided by CA.<\/p>\n
\naws iam get-server-certificate –server-certificate-name YOURNAME
\n[\/js]<\/p>\n
\n![\"Route](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/Route-53-Management-Console.png\")
<\/p>\n
\n![\"AWS](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/AWS-CloudFront-Management-Console.png\")
<\/p>\n
\n![\"cfr\"](\"\/blog\/wp-ttn-blog\/uploads\/2016\/01\/cfr.png\")
<\/p>\n\n