Securely Deliver High-Quality Content on AWS

Usman Shakeel, Principal Solutions Architect Lead (M&E), AWS
Ryan Jespersen, Training and Support Manager, Wowza
April 29th 2015
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Different Use Cases Call for Different Security Measures

Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution
Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming
Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming
Ad Supported | Sony Crackle, TMZ | AES encryption, signed URLs | Mostly HTTP or RTMP streaming
Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES encryption, signed URLs, DRM | HTTP or RTMP streaming
Pre-Released Content | Studios | Encryption, watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming
Different Mechanisms for Securing the Delivery of a Media Stream

Token / Signed URLs: Allows you to restrict access to content intended for select users. A signed URL can contain an end date/time, a start date/time, and a range of IP addresses.
AES Encryption: Allows you to send encrypted video over HTTP to protect content from unauthorized streaming, piracy, and redistribution by others.
DRM: Similar to AES encryption but adds a business-rules layer. For example, you can restrict the user to viewing the stream for only 1 day after first access.
Geo-blocking: Allows you to restrict access to content based on geographic location. For example, you can block requests coming from a specific country for copyright reasons.
Watermarking: Used to identify ownership of the content and to prevent piracy or unauthorized redistribution by others.
AWS Mechanisms for Securing Media Delivery

Token / Signed URLs: Amazon CloudFront Private Content – Signed URLs, Signed Cookies, OAIs
AES Encryption: Amazon Elastic Transcoder – HLS with AES-128 Encryption, Encrypted Media Files
DRM: Amazon Elastic Transcoder – PlayReady DRM Packaging
Geo-blocking: Amazon CloudFront – Geo Restriction
Watermarking: Amazon Elastic Transcoder – Visual Watermarks
Sample AWS Architecture for VOD and Live Streaming

[Diagram labels. VOD path: Media File; Amazon S3 bucket; Elastic Transcoder; Amazon S3 bucket; CloudFront distribution with Origin Access Identity; HTTPS; Media Consumer. Live path: RTMP Stream; Media Servers on Amazon EC2; CloudFront distribution; HTTPS; Media Consumer.]
Amazon S3 Security Controls

Bucket- and object-level permissions
• Owner-only access (by default)
Signed URLs / query string authentication
IAM policies
Versioning (MFA delete)
Detailed access logging
Encryption
• Server side (at rest) + client side
• In transit
• Encryption keys
Amazon CloudFront Security

Access logs
Custom SSL certificate
CloudFront's private content feature
Only deliver content to securely signed requests
HTTPS-only requests/delivery and origin fetches
HTTP to HTTPS redirect at the edge
Signed URL or signed cookie verification
Policy based on a timed URL/cookie or a CIDR block of the requestor
CloudFront Origin Access Identity (OAI)
CloudFront secure cookie feature
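Added example (Go, not code from the deck or from AWS): building a CloudFront signed URL whose custom policy carries the three conditions the slides mention, an end time, a start time and a requester CIDR, encoded the way CloudFront expects in the query string. The resource URL and key pair ID are caller-supplied placeholders, and NewDemoKey stands in for the private half of a real CloudFront trusted-signer key pair; the edge, not this code, enforces the conditions after verifying the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"strings"
)

// Condition of a CloudFront custom policy (keys spelled as CloudFront expects): end time required, start time and requester CIDR optional.
type Condition struct {
	DateLessThan    map[string]int64  `json:"DateLessThan"`              // {"AWS:EpochTime": unix seconds}
	DateGreaterThan map[string]int64  `json:"DateGreaterThan,omitempty"` // {"AWS:EpochTime": unix seconds}
	IpAddress       map[string]string `json:"IpAddress,omitempty"`       // {"AWS:SourceIp": "a.b.c.d/nn"}
}

// Statement binds the conditions to one resource URL (the path may contain wildcards).
type Statement struct {
	Resource  string    `json:"Resource"`
	Condition Condition `json:"Condition"`
}

// cfEncode is CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

// NewDemoKey makes a throwaway RSA key so the example runs offline; in production the private half
// of the CloudFront trusted-signer key pair is used instead.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignURL serialises the policy, signs it with RSA-SHA1 (the scheme CloudFront uses) under the signer's
// private key, and appends Policy, Signature and Key-Pair-Id; the edge verifies it with the public key.
func SignURL(st Statement, keyPairID string, key *rsa.PrivateKey) (string, error) {
	policy, err := json.Marshal(map[string][]Statement{"Statement": {st}})
	if err != nil {
		return "", err
	}
	digest := sha1.Sum(policy)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	q := url.Values{"Policy": {cfEncode(policy)}, "Signature": {cfEncode(sig)}, "Key-Pair-Id": {keyPairID}}
	return st.Resource + "?" + q.Encode(), nil
}
```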
[Diagram labels: Amazon S3 (Media Storage); Delivery EC2 Instances inside a Security Group; Amazon CloudFront; Signed Request; HTTP; HTTPS ONLY to the End User; Amazon S3 (Logs Storage).]
Amazon Elastic Transcoder Security

Encryption at rest: server-managed keys
• Outputs are saved to Amazon S3 using S3 server-side encryption
• Downloaded media is not protected; it is decrypted as it is read from Amazon S3
Encryption at rest: client-provided keys
• Inputs can be protected; the client provides the decryption key
• Outputs can be encrypted; the client provides the encryption key
• Downloaded media is protected (cannot play directly from S3 or Amazon CloudFront)
Protecting keys
• Amazon Elastic Transcoder only accepts AWS KMS-protected keys
• The key is never written or stored in cleartext
Encryption for HLS streams
• Built on top of the "client-provided keys" API
• Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key
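Added example (Go, not Elastic Transcoder's own code) of what "HLS with AES-128 encryption" amounts to on the wire: each .ts segment is AES-128-CBC encrypted under the 16-byte content key with an IV derived from its media sequence number, and the playlist's EXT-X-KEY tag carries the URI the player fetches that key from. The key URI, segment names and segment bytes used by the test are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// segmentIV: when EXT-X-KEY carries no IV attribute, players use the media sequence number as a 128-bit big-endian IV.
func segmentIV(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}
// EncryptSegment applies AES-128-CBC with PKCS#7 padding to one .ts segment under the content key.
func EncryptSegment(key, plain []byte, seq uint64) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16 bytes for AES-128
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	out := append(append([]byte(nil), plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, segmentIV(seq)).CryptBlocks(out, out)
	return out, nil
}
// DecryptSegment is the player side; it rejects misaligned data and bad padding instead of returning garbage.
func DecryptSegment(key, enc []byte, seq uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(enc) == 0 || len(enc)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or segment not block aligned")
	}
	out := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, segmentIV(seq)).CryptBlocks(out, enc)
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return out[:len(out)-n], nil
}
// Playlist emits the media playlist: EXT-X-KEY points players at the key URI and EXT-X-MEDIA-SEQUENCE gives the first IV.
func Playlist(keyURI string, firstSeq uint64, names []string, dur int) string {
	s := fmt.Sprintf("#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:%d\n#EXT-X-MEDIA-SEQUENCE:%d\n", dur, firstSeq)
	s += fmt.Sprintf("#EXT-X-KEY:METHOD=AES-128,URI=%q\n", keyURI)
	for _, name := range names {
		s += fmt.Sprintf("#EXTINF:%d,\n%s\n", dur, name)
	}
	return s + "#EXT-X-ENDLIST\n"
}
```

Serving the key URI only to requests that pass the signed URL or cookie check is what keeps the content key, and so the stream, private.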
Amazon Key Management Service (KMS)

Create, describe and list keys
Encrypt, decrypt and re-encrypt data
Generate data keys
• Consumed by applications to encrypt data
• Encrypt or decrypt data keys

[Diagram labels: Amazon KMS; Customer Master Key; Plain text Data Key; Encrypted Data Key.]
IAM Roles

[Diagram labels: Bucket containing Content; Media Servers on Amazon EC2; Elastic Transcoder; Amazon KMS for encrypting/decrypting your keys.]

IAM role to generate keys from KMS: calls the KMS endpoint on your behalf to get the data key for encryption
IAM role to read the file from S3: gets access to the S3 bucket for a content file
Launch the instance with an IAM role
Assign a role to the Elastic Transcoder job
On-Demand Streaming Demo Components

AWS services used:
• Amazon S3 for storage
• Amazon Elastic Transcoder for transformation and encryption
• Amazon CloudFront for global delivery
• AWS Key Management Service
JW Player for delivery
Benefit from the high availability, scalability, and low cost offered by AWS services.
On-Demand Transcoding and Encrypted File Delivery

[Diagram labels: Media Owner; Amazon S3 bucket; Elastic Transcoder; Key Management Service; Amazon S3 bucket; CloudFront distribution; Elastic Load Balancing; EC2 Instance web app server in Availability Zone a and Availability Zone b; DynamoDB.]

Key table (DynamoDB):
Key Name | Base64 Encoded Key
Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
Wowza Streaming Engine™

• Robust, customizable, and scalable server software that powers reliable streaming of high-quality audio and video to any device anywhere
• Use AWS Marketplace to live stream with Wowza on Amazon EC2
• Stream on-demand content from Amazon S3
• Deliver streams globally using Amazon CloudFront

All-Around Content Protection
• AES-128 encryption
• StreamLock, SSL, HTTPS, RTMPS, and RTMPE
• SecureToken (token authentication)
• Authentication for RTMP and RTSP publishing
• GeoIP (geographic locking)
• Hotlink denial protection
• Referrer verification
• Server-side API to control access
• IP white/black lists
• Stream name alias solutions
Wowza and CloudFront: Live ABR Streaming

[Diagram labels: Source; Encoder; RTSP or RTMP; ABR Streaming Origin Server on Amazon EC2; MPEG-DASH, HLS, HDS, Smooth Streaming; Amazon CloudFront CDN; Hong Kong, Paris, New York.]
Live Stream Failover Setup

[Diagram labels: RTMP Stream; Wowza Streaming Engine on an EC2 Instance in Availability Zone a and in Availability Zone b; Amazon Route 53 DNS Failover; Elastic Load Balancing; Amazon CloudFront.]
Best Practices

Limit access to port 1935 to only trusted sources
Define TTL settings for .ts files and .m3u8 playlists
Negative TTLs (sequential)
Geo-block access to the stream if necessary
Rotate the key file as often as possible
Randomize the .ts filename for live streams
More Information

Wowza Security
• Overview: http://www.wowza.com/products/streaming-engine/features/security
• How-To Articles: http://www.wowza.com/forums/content.php?619-security
Digital Rights Management
• Secure MPEG-DASH streaming using Common Encryption (CENC): http://www.wowza.com/forums/content.php?580-How-to-secure-MPEG-DASH-streaming-using-Common-Encryption-(CENC)
• Secure Apple HLS streaming using DRM encryption: http://www.wowza.com/forums/content.php?437-How-to-secure-Apple-HLS-streaming-using-DRM-encryption
AES-128 Encryption
• http://www.wowza.com/forums/content.php?59-How-to-use-the-internal-method-of-AES-128-encryption-to-secure-live-or-VOD-streams-sent-to-Apple-iOS-devices-(ModuleEncryptionHandlerCupertinoStreaming)
Sample AWS Architecture for *Secure* VOD and Live Streaming

[Diagram labels. VOD path: Media Owner; Media File; Amazon S3 bucket; Elastic Transcoder; Amazon S3 bucket; CloudFront distribution with Origin Access Identity; HTTPS; Media Consumer. Live path: RTMP Stream; Media Servers on Amazon EC2; CloudFront distribution; HTTPS; Media Consumer. Amazon Key Management Service (KMS) serves both paths.]

Callouts:
• The media owner can create a primary key on KMS
• ETS can have an IAM role to request the data key from KMS
• EC2 and ETS can request the data key on behalf of the customer
• The media server generates keys and serves them, or uses KMS via an IAM role for key management
• A CloudFront secure cookie allows or denies consumers access to the manifest
• Encrypted content segments and keys are stored in S3 (keys can be served from outside S3 as well)