How to Configure a CloudFront Distribution for PDA Protected Videos

After setting up a private S3 bucket for your protected videos, you’ll need to set up a Cloudfront distribution and then input its URL and key pairs under PDA Protected Videos settings page accordingly.

It’s highly recommended to protect videos hosted on Amazon S3 bucket with HLS format. If you’re using HLS videos, please skip this step.

In this tutorial, we will show you how to set up a CloudFront distribution as well as getting an Access Key ID & RSA key for our PDA Protect Videos extension as quickly as possible.

  1. Log in to the AWS Console
  2. Setup a CloudFront Distribution
  3. Get CloudFront Key Pairs
  4. Create WAF Rules

Log in to the AWS Console

  • Already have an Amazon Web Services (AWS) account? Sign in here.
  • If you don’t have an AWS account yet, you will need to sign up here.

Setup a CloudFront Distribution

Step 1: Go to your CloudFront console and then choose Create Distribution.

Step 2: On the Create Distribution Wizard, click on Get Started button under Web section.

Step 3: Choose Origin Domain Name as your Amazon S3 Bucket for video content storage.



Step 4: Apply Restrict Bucket Access as image below.



Once you choose the option “Yes, Update Bucket Policy”, it will automatically generate and apply the policies to our bucket. Whichever option you choose, you need to double-check the bucket access permissions.

Step 5: Select Use legacy cache settings to configure the Default Cache Behavior Settings.



Step 6: Use Signed URLs.

Leave other options as they are. Finally, click on Save button to finish.

Step 7: Go back to CloudFront Distributions and locate the CloudFront link you have created under Domain Name column.

Simply copy and paste it into the CloudFront URL field under our plugin’s settings page. It’s important to add your domain protocol, i.e. http:// or https://, before the domain name.

Get CloudFront Key Pairs

Go back to your AWS console and then click on “My Security Credentials”


In the CloudFront key pairs section, click on Create New Key Pair button.


Click on “Download Private Key File” and you’ll get a .pem file with this format, XYZ.pem

The Access Key ID associated with created RSA key will display under the CloudFront key pairs section.

Fill in your CloudFront key pairs in our CloudFront Configuration with XYZ is Access Key ID and the downloaded .pem file content is the RSA KEY.

Create WAF Rules

Step 1: On the WAF console, click Create web ACL.


Step 2: In the first step, we will set the name and CloudFront distribution that we want to apply the rule.


Step 3: Create the condition.

Selected values:

  • Sample Name: only-accept-range-header
  • String match
  • Header
  • range
  • Contains
  • Convert to lowercase
  • bytes
Filter result:  Header ‘range’ contains: “bytes” after converting to lowercase.

Step 4: Only allow those requests that match the rule.


Step 5: Confirm and create it.

Next step: Embed our S3 shortcode into your content

Lasted updated on July 22, 2021