©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Secure media streaming and delivery
Usman Shakeel, Principal Solutions Architect, Amazon Web Services
Agenda
Secure media streaming overview
Use CaseExample Media
Distributor
Content Security Solution
Commonly in PracticeDelivery Solution
Free/Public UGC Vimeo, WeVideo Open Progressive downloads, streaming
Free/Secure UGC WeVideo, YouTube Signed URLs Progressive downloads, streaming
Ad Supported Sony Crackle, TMZ AES encryption, signed URLs Mostly HTTP or RTMP streaming
Premium Content
(Live Linear or VOD)Netflix, Amazon Instant
Video
AES encryption, signed URLs,
DRMHTTP or RTMP streaming
Prereleased Content StudiosEncryption, watermarking,
DRM
Mezzanine file transfer (mostly B2B),
proxy streaming
Token/
signed URLs
AES
encryption
DRM
Geoblocking
Watermarking
Overview of secure streaming on AWS
AWS services stack in a media workflow
AWS Direct
Connect
Elastic
Load
Balancing
AWS Import/
Export
Amazon
S3
AWS Storage
Gateway
Amazon
EBS
Amazon
CloudFront
Amazon
CloudSearch Amazon
SQS
Amazon
Elastic
Transcoder
Amazon
EC2Amazon
EMRAmazon
VPC
Ingest/Create Store
Amazon
RDSAmazon
ElastiCacheAmazon
Route
53
DeliverProcess
Amazon
EC2
Token /
signed URLs
AES
encryption
DRM
Geoblocking
Watermarking
Sample AWS architecture for VOD and
live streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucketAmazon S3
bucket Media file
RTMP streamMedia servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media consumer
Amazon S3 security controls
• Bucket-level and
object-level permissions
• Owner-only access (by default)
• Signed URLs/query string
authentication
• AWS IAM policies
• Versioning (MFA delete)
• Detailed access logging
✔Access logs
Amazon S3 client-side encryption with
AWS SDK for Java
Look for AmazonS3EncryptionClient class (subclass of AmazonS3Client)
Corporate data center
Content
Master key
AWS SDK for Java
Envelope key
Encrypted content
Encrypted envelope key
You can use AWS Key Management Service to manage your keys as well
Amazon S3 server-side encryption (at rest)
• Encryption
• Decryption
• Key management(Encrypted by Amazon S3 master
key; stored separately from your
data)
• 256-bit AES encryption
• User-provided keys
• Integration with AWS KMS
Content to be uploaded
(encryption enabled in the
HTTP header)
Envelop Key
Encrypted stored keyEncrypted stored data
Master Amazon S3 keyAmazon S3
Amazon CloudFront
• Global content delivery via 53 edge locations
• On-demand and live streaming
• Supports both HTTP and RTMP streaming• Native support for Smooth Streaming
• Set custom TTLs to cache all types of content
• TCP optimizations
• Customize content at the edge• Detect device type, geo-location, language, etc.
Amazon S3
(Media storage)
Amazon CloudFront
Amazon CloudFront security
End user
HTTP________
HTTPS ONLY
• Custom SSL certificate
• Amazon CloudFront private content feature
Only deliver content to securely signed requests
• HTTPS ONLY requests/delivery, origin fetches
• HTTP to HTTPS redirect at the edge
• Signed URL or signed cookie verification
Policy based on a timed URL/cookie or a CIDR block of the requestor
• Amazon CloudFront Origin Access Identity (OAI)
Delivery Amazon EC2
instances
Security group
Signed request
Amazon S3
(Logs storage)
"Effect":"Allow","Principal":{"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*”
Amazon Elastic Transcoder
• Scalable, cost effective (per-minute pricing)
• Integrated with AWS services and tools (Amazon
SNS, Amazon S3, AWS IAM, AWS CloudTrail, and
AWS SDK)
• Codecs, processing, and licensing baked in
• Outputs:• Popular web formats such as MP4 with H.264/AAC and
WebM with VP8/Vorbis
• Adaptive bitrate formats such as HLS and Smooth Streaming
• Audio-only processing for inputs and outputs
• Features include captions, visual watermarks,
clipping, and more
Amazon Elastic Transcoder security
• Encryption at restServer-managed keys
Client-provided keys
• Integration with AWS Key Management ServiceAmazon Elastic Transcoder accepts only AWS KMS protected keys
Key is never written or stored in cleartext
• Encryption for HLS streamsBuilt on top of “client provided keys” API
Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key
• Digital Rights Management (New)PlayReady DRM packaging
• CloudTrail Integration
Media software on
AWS Marketplace
• Launch software on AWS with
1-Click
• Pay-by-the-hour, monthly, or
annual
• Single invoice for AWS usage
& ISV software
• Free trials
Security certifications and compliance
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Certifications
• SOC 1, SOC 2, and SOC 3 (SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment
Customer are running Sarbanes-Oxley (SOX), HIPAA (healthcare),
FISMA (US federal government), DIACAP MAC III sensitive ATO,
International Traffic in Arms Regulations (ITAR)
AWS Identity and Access Management (IAM)
Unique security credentials
• Access keys, login/password, Multi-Factor Authentication (MFA)
device
• Federated authentication (AWS Security Token Service [STS])
Policies control access to AWS APIs
• API calls must be signed by either X.509 certificate or secret key
Deep integration with other AWS services
• Amazon S3: Policies on objects and buckets
• Amazon CloudFront: Resource permissions
• Amazon Elastic Transcoder
• Amazon EC2 IAM policies applicable to AWS Marketplace
software
Log, monitor, act proactively
You are making API calls and accessing your content ...
On a growing set of services around the world accessing your content
Amazon CloudTrail is continuously recording API calls…
And delivering log files to you…
Elastic Load Balancing
Amazon S3 Amazon
Glacier
Amazon
CloudFront
Amazon S3/Amazon
CloudFront/App Logs
Access Logs
Feed Logs in Amazon CloudWatch or monitor patterns on Logs
Act Fast or automate based on real-time notifications and alerts
Amazon CloudTrail
Amazon
Redshift
Amazon
EC2
AWS IAM
Amazon
RDS
Amazon
Elastic
Transcoder
Demo: Secure on-demand streaming
On-demand streaming demo components
• AWS services used:– Amazon S3 for storage
– Amazon Elastic Transcoder for transformation and encryption
– Amazon CloudFront for global delivery
– AWS Key Management Service
• JW Player for delivery
• Benefit from the high availability, scalability, and low cost offered by AWS services.
On-demand transcoding and
encrypted file delivery
Amazon S3 bucket
Amazon
CloudFront
distribution
Availability Zone a
Elastic Load
Balancing
Amazon EC2 instance
web app
server
Availability Zone b
Amazon Elastic
Transcoder
Media owner
AWS Key Management Service
Amazon S3 bucket
Amazon EC2 instance
Amazon DynamoDB
Key Name Base64-Encoded Key
Big Buck Bunny EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
Demo: Secure live streaming
Live streaming demo components
• Uses Amazon EC2 running nginx with plugin
nginx-rtmp-module
• Transcodes using FFmpeg (compiled with
RTMP module)
• RTMP/HLS/MPEG-DASH live streaming
• https://github.com/arut/nginx-rtmp-module
Live stream failover setup
nginx transcoder
RTMP stream
Availability Zone a
Amazon Route 53
DNS failover
Availability Zone a
Amazon EC2 instance
Availability Zone b
Amazon EC2 instance
Amazon
CloudFront
Amazon Route 53
DNS failover
Elastic Load
Balancing
nginx transcoder
Availability Zone b
Best practices
• Limit access to port 1935 to only trusted sources
• Define TTL settings for .ts files and .m3u8
• Negative TTLs (sequential)
• Geo-block access to stream if necessary
• Rotate the key file as often as possible
• Randomize the .ts file name for live streams
Allow access to port 1935 from
trusted sources
Type Protocol Port Range Source
HTTP TCP 80 0.0.0.0/0
HTTPS TCP 443 0.0.0.0/0
Custom TCP rule TCP 1935 54.255.255.0/32
Define TTL settings for .ts files and .m3u8
Geo-restrict access to stream if necessary
nginx RTMP / HLS configuration
rtmp {server {listen 1935;chunk_size 4096;application live {live on;record off;exec_push ffmpeg -i rtmp://localhost/live/$name -vcodec libx264 -vprofile baseline -g 5 -s 640x360 -acodec libfdk_aac -ar 44100 -ac 1 -f flv rtmp://localhost/hls/$name;
}application hls {
live on;hls on;hls_path /tmp/hls;hls_fragment 5s;
# Use HLS encryptionhls_keys on;
# Use stream timestamp rounded to 250ms as fragment nameshls_fragment_naming timestamp;hls_fragment_naming_granularity 250;
# Store autogenerated keys in this location rather than hls_pathhls_key_path /tmp/keys;
# Prepend key url with this valuehls_key_url https://enter URL here/keys/;
# Change HLS key every 2 fragmentshls_fragments_per_key 2;
# Create identical fragments on different nginx instances for high availability (without encryption)hls_fragment_slicing aligned;hls_cleanup on;
}}
Sample AWS architecture for VOD and live streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucketAmazon S3
bucket Media file
RTMP streamMedia servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media consumer
Sample AWS architecture for secure VOD and live
streaming
Amazon
CloudFront
distribution
Amazon Elastic
Transcoder
Amazon S3
bucketAmazon S3
bucket Media file
RTMP streamMedia servers on
Amazon EC2
Amazon
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media owner
1. Media owner can create a primary key on KMS
2. Elastic Transcoder can have an IAM role
to request the data key from AWS KMS
3. EC2, Elastic Transcoder can request
the data key on behalf of customer
3. Media server generating keys and
serving or using AWS KMS via IAM
role for key management
5. CloudFront secure cookie to allow or
deny consumers the access to manifest
4. Encrypted content segments and
keys stored in S3 (keys can be
served outside of S3 as well)
Media consumer
Amazon Key Management
Service (KMS)
CHICAGO