Media content, whether it be the latest blockbuster movie or a company's confidential webcasts, can be some of the most important assets for a media business. Storing, preparing, and delivering this content securely involves leveraging systems that can scale and ensure top-of-the-line security. Come find out how AWS can help you implement these workflows in the cloud using highly available, scalable, and secure cloud services such as Amazon S3 (storage), Amazon Elastic Transcoder (transcoding) and Amazon CloudFront (delivery).We also discuss the underlying concepts of secure media delivery (for example, policy-based DRM and signed cookies and URLs), the challenges faced by customers who need to design and implement these critical modules, and how to leverage the power of AWS to deal with these challenges while saving on costs. In addition, we take a deep dive into a media processing stack implemented on AWS using open source components to deliver encrypted HTTP Live Streaming (HLS) to various devices.

1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Secure media streaming and delivery
Usman Shakeel, Principal Solutions Architect, Amazon Web Services

2. Agenda

3. Secure media streaming overview

4. Use Case
Example Media
Distributor
Content Security Solution
Commonly in Practice
Delivery Solution
Free/Public UGC Vimeo, WeVideo Open Progressive downloads, streaming
Free/Secure UGC WeVideo, YouTube Signed URLs Progressive downloads, streaming
Ad Supported Sony Crackle, TMZ AES encryption, signed URLs Mostly HTTP or RTMP streaming
Premium Content
(Live Linear or VOD)
Netflix, Amazon Instant
Video
AES Encryption, signed URLs,
DRM
HTTP or RTMP streaming
Prereleased Content Studios
Encryption, watermarking,
DRM
Mezzanine file transfer (mostly B2B),
proxy streaming

5. Token/
signed URLs
AES
encryption
DRM
Geoblocking
Watermarking

6. Overview of secure streaming on AWS

7. AWS services stack in a media workflow
AWS Direct
Connect
Elastic
Load
Balancing
AWS Import/
Export
Amazon
S3
AWS Storage
Gateway
Amazon
EBS
Amazon
CloudFront
Amazon
CloudSearch Amazon
SQS
Amazon
Elastic
Transcoder
Amazon
EC2
Amazon
EMRAmazon
VPC
Ingest/Create Store
Amazon
RDS
Amazon
ElastiCache
Amazon
Route
53
DeliverProcess
Amazon
EC2

8. Token /
signed URLs
AES
encryption
DRM
Geoblocking
Watermarking

9. Sample AWS architecture for VOD and
live streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucket
Amazon S3
bucket Media file
RTMP stream
Media servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media consumer

10. Amazon S3 security controls
• Bucket-level and
object-level permissions
• Owner-only access (by default)
• Signed URLs/query string
authentication
• AWS IAM policies
• Versioning (MFA delete)
• Detailed access logging
✔Access logs

11. Amazon S3 client-side encryption with
AWS SDK for Java
Look for AmazonS3EncryptionClient class (subclass of AmazonS3Client)
Corporate data center
Content
Master key
AWS SDK for Java
Envelope key
Encrypted content
Encrypted envelope key
You can use AWS Key Management Service to manage your keys as well

12. Amazon S3 server-side encryption (at rest)
• Encryption
• Decryption
• Key management
(Encrypted by Amazon S3 master
key; stored separately from your
data)
• 256-bit AES encryption
• User-provided keys
• Integration with AWS KMS
Content to be uploaded
(encryption enabled in the
HTTP header)
Envelop Key
Encrypted stored keyEncrypted stored data
Master Amazon S3 key
Amazon S3

13. Amazon CloudFront
• Global content delivery via 53 edge locations
• On-demand and live streaming
• Supports both HTTP and RTMP streaming
• Native support for Smooth Streaming
• Set custom TTLs to cache all types of content
• TCP optimizations
• Customize content at the edge
• Detect device type, geo-location, language, etc.

14. Amazon S3
(Media storage)
Amazon CloudFront
Amazon CloudFront security
End user
HTTP
________
HTTPS ONLY
• Custom SSL certificate
• Amazon CloudFront’s private content feature
Only deliver content to securely signed requests
• HTTPS ONLY requests/delivery, origin fetches
• HTTP to HTTPS redirect at the edge
• Signed URL or signed cookie verification
Policy based on a timed URL/cookie or a CIDR block of the requestor
• Amazon CloudFront Origin Access Identity (OAI)
Delivery Amazon EC2
instances
Security group
Signed request
Amazon S3
(Logs storage)
"Effect":"Allow",
"Principal":{
"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
},
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::example-bucket/*”

15. Amazon Elastic Transcoder
• Scalable, cost effective (per-minute pricing)
• Integrated with AWS services and tools (Amazon
SNS, Amazon S3, AWS IAM, AWS CloudTrail, and
AWS SDK)
• Codecs, processing, and licensing baked in
• Outputs:
• Popular web formats such as MP4 with H.264/AAC and
WebM with VP8/Vorbis
• Adaptive bitrate formats such as HLS and Smooth Streaming
• Audio-only processing for inputs and outputs
• Features include captions, visual watermarks,
clipping, and more

16. Amazon Elastic Transcoder security
• Encryption at rest
Server managed keys
Client provided keys
• Integration with AWS Key Management Service
Amazon Elastic Transcoder only accepts AWS KMS protected keys
Key is never written or stored in cleartext
• Encryption for HLS streams
Built on top of “client provided keys” API
Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key
• Digital Rights Management (New)
PlayReady DRM packaging
• CloudTrail Integration

17. Media Software on
AWS Marketplace
• Launch software on AWS with
1-Click
• Pay-by-the-hour, monthly, or
annual
• Single invoice for AWS usage
& ISV software
• Free Trials

18. Security certifications and compliance
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Certifications
• SOC 1, SOC 2, and SOC 3
(SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment
Customer are running Sarbanes-Oxley (SOX), HIPAA (healthcare),
FISMA (US federal government), DIACAP MAC III sensitive ATO,
International Traffic in Arms Regulations (ITAR)

19. AWS Identity and Access Management (IAM)
Unique security credentials
• Access keys, login/password, multi-factor authentication (MFA)
device
• Federated authentication (AWS Security Token Service [STS])
Policies control access to AWS APIs
• API calls must be signed by either X.509 certificate or secret key
Deep integration with other AWS services
• Amazon S3: Policies on objects and buckets
• Amazon CloudFront: Resource permissions
• Amazon Elastic Transcoder
• Amazon EC2 IAM Policies applicable to AWS Marketplace
software

20. Log, Monitor, Act Proactively
You are making API
calls and accessing
your content ...
On a growing set of
services around the
world accessing your
content
Amazon CloudTrail is
continuously
recording API calls…
And delivering log
files to you…
Elastic Load
Balancing
Amazon S3 Amazon
Glacier
Amazon
CloudFront
Amazon S3/Amazon
CloudFront/App Logs
Access Logs
Feed Logs in Amazon
Cloudwatch or monitor
patterns on Logs
Act Fast or automate
based on realtime
notifications and alerts
Amazon CloudTrail
Amazon
Redshift
Amazon
EC2
AWS IAM
Amazon
RDS
Amazon
Elastic
Transcoder

21. Demo: Secure on-demand streaming

22. On-demand streaming demo components
• AWS services used:
– Amazon S3 for storage
– Amazon Elastic Transcoder for transformation and encryption
– Amazon CloudFront for global delivery
– AWS Key Management Service
• JW Player for delivery
• Benefit from the high availability, scalability, and
low cost offered by AWS services.

23. On-demand transcoding and
encrypted file delivery
Amazon S3 bucket
Amazon
CloudFront
distribution
Availability Zone a
Elastic Load
Balancing
Amazon EC2 instance
web app
server
Availability Zone b
Amazon Elastic
Transcoder
Media owner
AWS Key Management Service
Amazon S3 bucket
Amazon EC2 instance
Amazon DynamoDB
Key Name Base64 Encoded Key
Big Buck Bunny EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…

24. Demo: Secure live streaming

25. Live streaming demo components
• Uses Amazon EC2 running nginx with plugin
nginx-rtmp-module
• Transcodes using FFmpeg (compiled with
RTMP module)
• RTMP/HLS/MPEG-DASH live streaming
• https://github.com/arut/nginx-rtmp-module

26. Live stream failover setup
nginx transcoder
RTMP stream
Availability Zone a
Amazon Route 53
DNS failover
Availability Zonea
Amazon EC2 instance
Availability Zone b
Amazon EC2 instance
Amazon
CloudFront
Amazon Route 53
DNS failover
Elastic Load
Balancing
nginx transcoder
Availability Zone b

27. Best practices
• Limit access to port 1935 to only trusted
sources
• Define TTL settings for .ts files and .m3u8
• Negative TTLs (sequential)
• Geo-block access to stream if necessary
• Rotate the key file as often as possible
• Randomize the .ts file name for live streams

28. Allow access to port 1935 from
trusted sources
Type Protocol Port Range Source
HTTP TCP 80 0.0.0.0/0
HTTPS TCP 443 0.0.0.0/0
Custom TCP rule TCP 1935 54.255.255.0/32

29. Define TTL settings for .ts files and .m3u8

30. Geo-restrict access to stream if necessary

31. nginx RTMP / HLS configuration
rtmp {
server {
listen 1935;
chunk_size 4096;
application live {
live on;
record off;
exec_push ffmpeg -i rtmp://localhost/live/$name -vcodec libx264 -vprofile baseline -g 5 -s 640x360 -acodec libfdk_aac -ar 44100 -ac 1 -f flv rtmp://localhost/hls/$name;
}
application hls {
live on;
hls on;
hls_path /tmp/hls;
hls_fragment 5s;
# Use HLS encryption
hls_keys on;
# Use stream timestamp rounded to 250ms as fragment names
hls_fragment_naming timestamp;
hls_fragment_naming_granularity 250;
# Store autogenerated keys in this location rather than hls_path
hls_key_path /tmp/keys;
# Prepend key url with this value
hls_key_url https://enter URL here/keys/;
# Change HLS key every 2 fragments
hls_fragments_per_key 2;
# Create identical fragments on different nginx instances for high availability (without encryption)
hls_fragment_slicing aligned;
hls_cleanup on;
}
}

32. Sample AWS architecture for VOD and live streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucket
Amazon S3
bucket Media File
RTMP Stream
Media Servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media Consumer

33. Sample AWS architecture for secure VOD and live
streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucket
Amazon S3
bucket Media File
RTMP Stream
Media Servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media Owner
1. Media Owner can create a primary key on KMS
2. Elastic Transcoder can have an IAM role
to request the data key from AWS KMS
3. EC2, Elastic transcoder can request
the data-key on behalf of customer
3. Media Server generating keys and
serving or using AWS KMS via IAM
Role for key management
5. CloudFront Secure cookie to allow or
deny consumers the access to manifest
4. Encrypted Content Segments and
Keys stored in S3 (keys can be
served outside of S3 as well)
Media Consumer
Amazon Key Management
Service (KMS)

34. NEW YORK