Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company’s bottom line. As the move to store, process and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multi-tenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing and archiving digital media assets on the AWS environment. AWS also enables customers to achieve compliance with the MPAA security best practices with minimal effort. Learn how AWS complies with the MPAA security best practices and how media companies can leverage that for their media workloads.

1. tweet #reinvent

2. Does AWS meet customer’s security requirements?

3. Does AWS meet customer’s security requirements?
TOGETHER

4. YOU
Account Management
Network Configuration
OS Firewalls
Security Groups
Application
Operating System
Virtualization Infrastructure
Network Infrastructure
Physical Infrastructure
Physical Security
Facilities

5. Certifications
• SOC 1
• ISO 27001 Certification
Facilities • PCI Level 1 Service Provider
• FedRAMP (FISMA moderate & low)
Physical Security • GovCloud
Physical Infrastructure • MPAA Best Practices Compliance
Network Infrastructure
Virtualization Infrastructure Customer are running Sarbanes-Oxley (SOX), HIPAA
(healthcare), FISMA (US Federal Government), DIACAP
MAC III Sensitive ATO, International Traffic in Arms
Regulations (ITAR)

6. Check out
AWS Security Center
• Security whitepaper
Facilities • Risk and compliance
whitepaper
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Infrastructure Security Track at re:Invent
Security OF the AWS Cloud
Security IN The AWS Cloud
AWS Identity & Access Management

7. Amazon CloudFront
Amazon End User
Delivery EC2 Instances Route 53
Amazon S3
(Media Storage)
Content
Amazon Simple Ingest EC2 Instances
Processing EC2 Instances Queue Service (SQS)
AWS Cloud
Corporate Data Center

10. OK!

11. Facilities
✔
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Infrastructure
Operating System A few nifty AWS features
Application
Security Groups IAM (Identity & Access Management)
OS Firewalls EC2 Security features
Network Configuration VPC (Virtual Private Cloud)
Account Management S3 Security features
CloudFront Security features

12. Unique security credentials
• Access keys, Login/Password, MFA device
• Federated Authentication (Secure Token Service STS)
Policies control access to AWS APIs
• API calls must be signed by either: X.509 certificate or secret key
Deep integration into some services
• S3: policies on objects and buckets
• Simple DB: domains
Not for Operating Systems or Applications
(use LDAP, Active Directory/ADFS, etc..)

14. Amazon S3
(Media Storage) Content
Ingest EC2 Instances
Amazon Simple
Queue Service (SQS)
AWS Cloud Corporate Data Center

15. S3 Client Side Encryption with AWS SDK for Java
Look for AmazonS3EncryptionClient class (subclass of AmazonS3Client)
Content
Envelope Key
Encrypted Content
Encrypted Envelope Key
Master Key
AWS SDK for Java
Corporate Data Center

17. AWS Direct Connect
SSL endpoints
• All AWS APIs provide SSL endpoints AWS Import/Export Service for very large datasets
AWS Import/Export
Amazon S3
AWS Direct
(Media Storage)
Connect
Co-Lo Content
Ingest EC2 Instances
Amazon Simple
Queue Service (SQS)
AWS Cloud
Corporate Data Center

19. • Bucket and Object level permissions
• Owner only access (by default)
• Signed URLs/Query String Authentication
• IAM Policies
• Versioning (MFA Delete)
• Detailed Access Logging
✔Access Logs

20. • Encryption Amazon S3
Master S3 Key
• Decryption
• Key Management
(Encrypted by S3 Master key)
(Stored Separately from your data)
• 256-bit AES encryption
Envelop Key
Encrypted Stored Data Encrypted Stored Key
Content to be Uploaded
(encryption enabled in the
HTTP Header)

22. Internet
Corporate
data center
10.0.0.0/16
S3
Glacier Internet Gateway VPN Gateway
SQS
Router
10.0.0.0/24 10.0.1.0/24
EC2 API endpoint
Instances Instances
NAT Instance
VPC Public Subnet VPC Private Subnet

23. EC2 (Guest) operating System
• Controlled by YOU
• YOU have admin/root
•
Instance
AWS has NO visibility Security Group
• YOU generate the key-pairs
Availability Zone A
Security Groups (Stateful Filters) AWS Cloud
• YOU control the mandatory inbound firewall
Security Group Adobe_FMS
• Default Deny All Configuration
• +Egress in the case of VPC Protocol Port Range Source
TCP 80 0.0.0.0/0
TCP 1111 0.0.0.0/0
Signed API calls TCP 1935 0.0.0.0/0
UDP 1935 0.0.0.0/0
SSH 22 192.168.0.41/10

24. EC2 Security Controls
• Security Groups (default deny all)
Internet Gateway Virtual Private Cloud (VPC)
• Isolated environment
• Ingress and Egress filters
S3 (Media Storage)
• Network ACLs
Instances
NAT Instance
• Routing rules
Security Group
EC2
VPC Private Subnet
VPC Public Amazon Simple OS Level Firewalls
Subnet Queue Service (SQS)
• IP Tables
Virtual Private Cloud
Patch Management
AWS Cloud

25. • Windows
• Windows Encrypting File System (EFS)
• TruCrypt – Works well with NTFS
• Linux
• EncFS
• Loop-AES
• Dm-Crypt
• TruCrypt

27. Amazon CloudFront
Delivery EC2 Instances
Amazon End User
Route 53
Amazon S3 (Media Storage)
AWS Cloud

28. CloudFront’s Private Content Feature Amazon S3
(Logs Storage)
Amazon CloudFront
Only deliver content to securely signed requests
Signed Request
• HTTPS ONLY requests/delivery HTTP
• CloudFront Origin Access Identity End User
• Signed URL Verification
Policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted Signers
• Access Logs
Delivery EC2 Instances
Amazon S3
(Media Storage)
Security Group

29. CloudFront supports:
RTMP – Adobe's Real-Time Message Protocol
RTMPT – Adobe streaming tunneled over HTTP
RTMPE – Adobe encrypted
RTMPTE – Adobe encrypted tunneled over HTTP

30. Live Streaming:
• Secure the instance
• Security Groups (source and port)
• Streaming server in a VPC
• Securing the content chunks and manifest
• Use Signed URLs provided by CloudFront
On-Demand Streaming:
• S3 content bucket security
• CloudFront private content features

31. Amazon CloudFront
Setup CloudFront for private content
A web application that:
• Send the IP address of the requestor to a
geo-location service (Digital Element, Max Mind)
• Evaluate the IP address
Geo-Location Service
• Generate a URL for CloudFront or return a EC2 WebServer Instances
not-allowed page

32. Amazon CloudFront
HTTPS
HTTPS
Amazon
Route 53 End User
Delivery EC2 Instances
Security Group
S3 (Media Storage)
AWS Direct
Connect
Content
Amazon Simple
Queue Service (SQS)
Processing EC2 Instances
Security Group Ingest EC2 Instances
Virtual Private Cloud AWS Cloud Security Group
Corporate Data Center

34. Set up application level logging on the EC2 instances
Several third-party products for logging along with EMR (Elastic Map Reduce)
If you are investigating a security event and need logs and forensics:
TALK TO US !

35. Facilities
✔
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Infrastructure
Operating System
Application A few nifty AWS features
Security Groups
IAM (Identity & Access Management)
OS Firewalls
EC2 Security features
Network Configuration
VPC (Virtual Private Cloud)
Account Management
S3 Security features
CloudFront Security features

36. Content Security Experts

37. Pre-Production Production Production Wrap Post-Production Distribution
Digital Services Digital Services
Visual Effects Effects
Visual
Post Production Post Production
Creative Advertising
Creative Advertising
Distribution
Distribution
KODE Compliance Inc. | Accelerating Compliance

38. Pre-Production Production Production Wrap Post-Production Distribution
KODE Compliance Inc. | Accelerating Compliance

39. Amazon CloudFront
HTTPS
HTTPS
End User
Amazon
Delivery EC2 Instances Route 53
Security Group
S3 (Media Storage)
AWS Direct
Connect
Content
Amazon Simple
Queue Service (SQS)
Processing EC2 Instances
Security Group Ingest EC2 Instances
Virtual Private Cloud AWS Cloud Security Group
Corporate Data Center

40. KODE Compliance Inc. | Accelerating Compliance

41. • Experts in the MPAA standard
• Eliminate the guessing game
• Committed to getting you compliant
KODE Compliance Inc. | Accelerating Compliance

42. Heavy lifting for infrastructure security
OS and application level security

44. We are sincerely eager to tweet #reinvent
hear your feedback on this
presentation and on re:Invent.
Please fill out an evaluation
form when you have a
chance.