Streaming server side encrypted videos on S3 with cloudfront

Time: 2017-06-15 09:27:42

Tags: amazon-s3 video-streaming amazon-cloudfront

I am using Amazon S3 storage along with Server-Side Encryption with Customer-Provided Keys (SSE-C) for storing video files. I am using Django as my backend server and have stored all the name keys and secret keys associated with each file in the database on an EC2 container.

I want to stream these videos using the Amazon CloudFront service. I have created and configured a CloudFront distribution with S3 storage. I am able to serve the non-encrypted videos very easily, but I cannot access the encrypted videos, as it requires the name key and secret key in order to access the server side encrypted data.

I couldn't find any help in this regard. Is it even possible to serve the server side encrypted (SSE-C) media files using CloudFront?

If possible, kindly guide me to the best solution. Any help in this regard would be highly appreciated. Thanks

1 answer:

Answer 0 (score: 1)

  

"it requires the name key and secret key in order to access the server side encrypted data."

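That is not the whole problem, however. CloudFront signed URLs with an origin access identity will transparently re-sign the request so that S3 allows access to the objects once CloudFront has determined that the request is authorized, but you cannot create a CloudFront signed URL that is compatible with SSE-C.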

This, in turn, is because SSE-C in S3 does not support passing the necessary parameters to S3 in the query string.

  

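"When using the presigned URL to upload a new object, retrieve an existing object, or retrieve only object metadata, you must provide all the encryption headers in your client application."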

     

http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

With SSE-C, the encryption parameters must be sent as headers, not as query parameters.

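And, if you think about it, it seems of little use to encrypt an object with a key that would be shown and logged with every request: the key would be in the query string.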

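SSE-S3 works transparently with CloudFront. SSE-KMS, I expect, is also supported (since, according to the S3 API documentation, GET requests do not require (or allow) the encryption-related headers).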

  

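"You should not send encryption request headers (like x-amz-server-side-encryption) for GET requests if your object uses server-side encryption with AWS KMS-managed encryption keys (SSE-KMS) or server-side encryption with Amazon S3-managed encryption keys (SSE-S3)."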

     

http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectGET.html
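
The following is an added example, not code from the question or the answer. It builds the three request headers S3 requires for an SSE-C object and checks whether a URL, as it would be written to an access log, carries the key. The sample key, the URLs and the `sse-key` parameter name are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit

PREFIX = "x-amz-server-side-encryption-customer-"

def sse_c_headers(key: bytes) -> dict:
    """Headers S3 expects on every request for an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C with AES256 needs a 256-bit (32-byte) key")
    return {
        PREFIX + "algorithm": "AES256",
        PREFIX + "key": base64.b64encode(key).decode(),
        # Base64 of the MD5 digest of the raw key; S3 uses it as an integrity check.
        PREFIX + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def url_leaks_key(url: str, key: bytes) -> bool:
    """True if a query value in the URL (as written to an access log) is the key."""
    encodings = {
        base64.b64encode(key).decode(),
        base64.urlsafe_b64encode(key).decode(),
        key.hex(),
    }
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl turns an unescaped '+' into a space; undo that before comparing.
        if value.replace(" ", "+") in encodings:
            return True
    return False

# Constructed sample data: a dummy key and two made-up URLs.
SAMPLE_KEY = bytes(range(32))
SIGNED_URL = "https://media.example.com/video.mp4?" + urlencode(
    {"Expires": "1497519000", "Signature": "c2FtcGxl", "Key-Pair-Id": "EXAMPLEKEYPAIR"})
# Hypothetical 'sse-key' parameter: what passing the key in the query string would look like.
LEAKY_URL = SIGNED_URL + "&" + urlencode(
    {"sse-key": base64.b64encode(SAMPLE_KEY).decode()})

if __name__ == "__main__":
    for name, value in sse_c_headers(SAMPLE_KEY).items():
        print(f"{name}: {value}")
    print("signed URL leaks key:", url_leaks_key(SIGNED_URL, SAMPLE_KEY))
    print("leaky URL leaks key: ", url_leaks_key(LEAKY_URL, SAMPLE_KEY))
```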