Encrypted HLS through Cloudfront

I’m hoping to use Wowza to stream live content through Cloudfront. That sounds like a supported use case. However, I also want the content to be reasonably secure.

The Cloudfront FAQ (https://www.wowza.com/docs/frequently-asked-questions-cloudfront) says I can’t use signed Cloudfront URLs, which makes sense. Unfortunately, it doesn’t provide any other suggestions on how to protect content.

AES encryption seems like a good alternative - using a non-cloudfront server to control access to the keys. The HLS chunks would be publicly accessible, but without decryption keys they would be useless.

Is it possible to use AES encryption with Cloudfront? I haven’t seen anyone else doing it, but intuitively it seems like it could work. Has anyone tried this?

I have not tried this, but I do believe the AES internal method should work with Cloudfront:

How to secure Apple HTTP Live Streaming (AES-128 - internal method)

Salvadore