Restricting access to an AWS Elemental MediaPackage v2 origin
CloudFront provides origin access control (OAC) for restricting access to a MediaPackage v2 origin.
Note
CloudFront OAC only supports MediaPackage v2. MediaPackage v1 isn't supported.
Creating a new OAC
Complete the steps described in the following topics to set up a new OAC in CloudFront.
Prerequisites
Before you create and set up OAC, you must have a CloudFront distribution with a MediaPackage v2 origin. For more information, see Use a MediaStore container or a MediaPackage channel.
Giving the OAC permission to access the MediaPackage v2 origin
Before you create an OAC or set it up in a CloudFront distribution, make sure the OAC has permission to access the MediaPackage v2 origin. Do this after you create a CloudFront distribution, but before you add the OAC to the MediaPackage v2 origin in the distribution configuration.
To give the OAC permission to access the MediaPackage v2 origin, use a IAM policy to allow
the CloudFront service principal (cloudfront.amazonaws.com
) to access the origin. The
Condition
element in the policy allows CloudFront to access the MediaPackage v2 origin
only when the request is on behalf of the CloudFront distribution that
contains the MediaPackage v2 origin.
Example : IAM policy that allows read-only access to a CloudFront distribution
The following policy allows the CloudFront distribution
(
) access to the MediaPackage v2
origin. The origin is the ARN specified for the E1PDK09ESKHJWT
Resource
element.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "mediapackagev2:GetObject", "Resource": "arn:aws:mediapackagev2:us-east-1:123456789012:channelGroup/
channel-group-name
/channel/channel-name
/originEndpoint/origin_endpoint_name
", "Condition": { "StringEquals": {"AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/E1PDK09ESKHJWT
"} } } ] }
Note
If you create a distribution that doesn't have permission to your MediaPackage v2 origin, you can choose Copy policy from the CloudFront console and then choose Update endpoint permissions. You can then attach the copied permission to the endpoint. For more information, see Endpoint policy fields in the AWS Elemental MediaPackage User Guide.
Creating the OAC
To create an OAC, you can use the Amazon Web Services Management Console, Amazon CloudFormation, the Amazon CLI, or the CloudFront API.
Advanced settings for origin access control
The CloudFront OAC feature includes advanced settings that are intended only for specific use cases. Use the recommended settings unless you have a specific need for the advanced settings.
OAC contains a setting named Signing behavior (in the console), or
SigningBehavior
(in the API, CLI, and Amazon CloudFormation). This setting provides the
following options:
- Always sign origin requests (recommended setting)
-
We recommend using this setting, named Sign requests (recommended) in the console, or
always
in the API, CLI, and Amazon CloudFormation. With this setting, CloudFront always signs all requests that it sends to the MediaPackage v2 origin. - Never sign origin requests
-
This setting is named Do not sign requests in the console, or
never
in the API, CLI, and Amazon CloudFormation. Use this setting to turn off OAC for all origins in all distributions that use this OAC. This can save time and effort compared to removing an OAC from all origins and distributions that use it, one by one. With this setting, CloudFront doesn't sign any requests that it sends to the MediaPackage v2 origin.Warning
To use this setting, the MediaPackage v2 origin must be publicly accessible. If you use this setting with a MediaPackage v2 origin that's not publicly accessible, CloudFront can't access the origin. The MediaPackage v2 origin returns errors to CloudFront and CloudFront passes those errors on to viewers. For more information, see the example MediaPackage v2 policy for Policies and Permissions in MediaPackage in the AWS Elemental MediaPackage User Guide.
- Don't override the viewer (client)
Authorization
header -
This setting is named Do not override authorization header in the console, or
no-override
in the API, CLI, and Amazon CloudFormation. Use this setting when you want CloudFront to sign origin requests only when the corresponding viewer request does not include anAuthorization
header. With this setting, CloudFront passes on theAuthorization
header from the viewer request when one is present, but signs the origin request (adding its ownAuthorization
header) when the viewer request doesn't include anAuthorization
header.Warning
To pass along the
Authorization
header from the viewer request, you must add theAuthorization
header to a cache policy for all cache behaviors that use MediaPackage v2 origins associated with this origin access control.