This session examines AWS’ approach to security for digital content. It examines the key security issues with regard to data at rest and in motion as well as the portfolio of services that AWS provides to address these issues. The presentation outlines the shared security model for customers to understand their responsibilities and explains AWS’ alignment to the MPAA security guidelines.
3. So where does AWS come in?
AWS makes security more agile: it lets you move fast while staying safe.
4. Digital Media Workloads
• Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
• Content Distribution: B2C streaming of live and VOD content; B2B distribution; Video advertising insertion
• Content Storage: High speed ingest; Library storage and archiving; Tier management
• Processing & Management: Content/asset management; En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
• Content Consumption: Analytics, reporting, log analysis; Real-time monitoring; Content discovery; Content recommendation engine
Participants: Studio | Post House + Other Service Providers | Affiliates + Broadcasters + Distributors
5. Shared Responsibility
• AWS is responsible for all backend infrastructure security
• The customer is responsible for the AWS architecture in their account and for application security
8. Security of your content on AWS
• Security of the Cloud – Cloud Security: Organization & Management; Operations; Data Security
• Security on the Cloud – Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Security on the Cloud – Digital Security: Content Management; Content Transfer
9. Security of the Cloud
• Facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure
• Certifications
• MPAA best practices alignment: https://aws.amazon.com/compliance/mpaa/
Cloud Security domains covered: Organization & Management; Operations; Data Security
10. Alignment to MPAA guidelines
Diagram: MPAA Guidelines mapped to MPAA Alignment, alongside the ISO 27001, PCI DSS Level 1 and SOC certifications.
11. What’s in scope for MPAA (guidelines) alignment
The entire AWS Services stack
12. Security on the Cloud (application and content security)
• Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Digital Security: Content Management; Content Transfer
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch
16. Log, Monitor, Act Proactively
You are making API calls and accessing your content on a growing set of services around the world (Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Elastic Transcoder). Amazon CloudTrail is continuously recording those API calls and delivering log files to you, alongside Amazon S3, Amazon CloudFront and application access logs. Feed the logs into Amazon CloudWatch or monitor patterns in the logs, then act fast or automate based on real-time notifications and alerts.
17. Recycle infrastructure often
Launch a CloudFormation stack with all the infrastructure resources for a specific project, autoscale the stack as appropriate, then terminate it (diagram: AMI, CloudFormation template, CloudFormation, Terminate).
19. Security of Studio/Post House Applications
• Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
• Content Storage: High speed ingest; Library storage and archiving; Tier management
• Processing & Management: Content/asset management; En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
20. Security of Studio/Post House Workflows
• FAQs
– Highly Valued Pre-Released Assets
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Deletion Protection
– Isolated from public access (internet)
– Logging and Monitoring
– Content location
21. Security of the Studio/Post House Workflows
Diagram: users, content servers, disk and tape storage in the corporate data center; Amazon S3, Amazon Glacier and an Amazon EBS processing layer in the AWS cloud. Content protection goals: encrypted at rest, encrypted in transit, using my keys, over a private connection, with access policies.
22. Server-side encryption using KMS
Diagram: Amazon S3 sends a key request to AWS KMS, governed by the key policy. Keys are managed centrally in Amazon KMS with permissions and auditing of usage.
23. Security of the Studio/Post House Workflows (Content encryption and access)
Diagram: users, content servers, disk and tape storage in the corporate data center; in the AWS cloud, a processing layer on Amazon EBS, with Amazon S3 and Amazon Glacier holding encrypted content. Keys come from KMS/HSM (client side encryption), access is through IAM roles, and bulk transfer uses AWS Import/Export Snowball.
24. Locking down S3 access with a virtual private endpoint (VPCE)
• Prior to S3 VPCE: public IP on EC2 instances and an Internet Gateway (IGW), or private IP on EC2 instances and NAT
• Using S3 VPCE: access Amazon S3 through the S3 private endpoint (VPCE) without NAT instances or gateways; increased security
25. Security of the Studio/Post House Workflows (No public network traversal)
Diagram: as on slide 23 (corporate data center with users, content servers, disk and tape storage; AWS cloud with an Amazon EBS processing layer, Amazon S3 and Amazon Glacier holding encrypted content, KMS/HSM with client side encryption, IAM roles), with traffic now entering over Direct Connect and reaching S3 through an S3 VPC Endpoint.
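As an added illustration of slides 21 to 25 (content encrypted at rest under my keys, encrypted in transit, reachable only over the private S3 VPC endpoint), and not code from the presentation: a bucket policy that denies requests violating those constraints, plus a small evaluator so the Deny statements can be exercised offline. The VPC endpoint id, KMS key ARN and bucket name are constructed placeholders.

```python
# Constructed placeholder identifiers, not values from the presentation.
VPCE_ID = "vpce-0123456789abcdef0"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
BUCKET_ARN = "arn:aws:s3:::example-mezzanine-bucket"


def build_bucket_policy(bucket_arn, vpce_id, kms_key_arn):
    """Deny anything not arriving via the S3 VPC endpoint, any non-TLS request,
    and any PutObject that is not SSE-KMS under the customer's own key."""
    everything = [bucket_arn, bucket_arn + "/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": everything,
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": everything,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Two statements, not one: keys inside a single operator block are ANDed,
        # so one block would only fire when BOTH headers were wrong.
        {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": bucket_arn + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": bucket_arn + "/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
    ]}


def _condition_matches(condition, ctx):
    """Minimal evaluator for the two operators used above. As in IAM, a key that
    is absent from the request context satisfies StringNotEquals but never Bool."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator == "Bool" and (actual is None or actual.lower() != expected):
                return False
    return True


def first_deny(policy, action, ctx):
    """Sid of the first Deny statement that fires for this request, or None.
    Resource matching is omitted because every statement covers the whole bucket."""
    for st in policy["Statement"]:
        if st["Effect"] == "Deny" and st["Action"] in ("s3:*", action):
            if _condition_matches(st.get("Condition", {}), ctx):
                return st["Sid"]
    return None


POLICY = build_bucket_policy(BUCKET_ARN, VPCE_ID, KMS_KEY_ARN)
```

The request context dictionaries model the condition keys S3 populates for a request; a compliant PUT carries all four, and each missing or wrong value trips exactly one Deny.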
26. Secure Media Supply Chains – A Reference Architecture
• Key Management Service: the content owner provides the master key; KMS provides the CPK for S3 encryption at rest; EC2 and ETS can request the data-key on behalf of the customer; object-specific keys are stored and delivered from Amazon DynamoDB (individual key storage)
• Ingest (AWS Elastic Beanstalk): S3 ingest for source, renditions and metadata sidecar files
• Processing: Elastic Transcoder and other media processing on EC2
• Content consumption: CloudFront distribution
• Authentication/Authorization
28. S3 cross-region replication
Automated, fast, and reliable asynchronous replication of data across AWS regions (diagram: source bucket in Virginia, destination bucket in Oregon).
• Only replicates new PUTs. Once S3 is configured, all new uploads into a source bucket will be replicated
• Entire bucket or prefix based
• 1:1 replication between any 2 regions
Use cases
– Compliance: store data hundreds of miles apart
– Lower latency: distribute data to regional customers
– Security: create remote replicas managed by separate AWS accounts
30. Additional Security Controls (Elastic Transcoder Security)
• Encryption at rest
– Server managed keys
– Client provided keys
• Integration with AWS Key Management Service
– Amazon Elastic Transcoder only accepts AWS KMS protected keys
– Key is never written or stored in cleartext
• Encryption for HLS streams
– Built on top of the “client provided keys” API
– Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key
• Digital Rights Management
– PlayReady DRM packaging
• CloudTrail Integration
Diagram: AWS CloudTrail, Elastic Transcoder, KMS, Amazon S3, IAM role, watermarking.
32. Security of Content Distribution Applications
• FAQs
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Logging and Monitoring
33. Security of the Distribution (content transfer) Workflow (B2B)
Diagram: in the AWS cloud, Amazon S3 behind an optional proxy layer, with KMS/HSM, an IAM role and an S3 VPC Endpoint. Internal users, vendors/partners and affiliates/distributors receive fine-grained temporary access (including via remote application streaming), with access logs.
34. Security of Distribution (B2C) applications
• Content Distribution: B2C streaming of live and VOD content; Video advertising insertion
• Content Consumption: Analytics, reporting, log analysis; Real-time monitoring; Content discovery; Content recommendation engine
35. Security of Content Distribution Applications
• FAQs
– Access Control, Rights Management & Content Monetization
– DRM Packaging
– Encryption
– Logging and Monitoring
36. Different use cases call for different security measures
Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution
Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming
Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming
Ad Supported | Sony Crackle, TMZ | AES encryption, signed URLs | Mostly HTTP or RTMP streaming
Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES Encryption, signed URLs, DRM | HTTP or RTMP streaming
Prereleased Content | Studios | Encryption, watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming
37. AWS mechanisms for securing media delivery
Token / signed URLs | Amazon CloudFront – Private Content (Signed URLs, signed Cookies, OAIs)
AES encryption | Amazon Elastic Transcoder – HLS with AES-128 encryption; AWS Key Management Service – Key Management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3
DRM | Amazon Elastic Transcoder – PlayReady DRM packaging
Geoblocking | Amazon CloudFront – Geo-restriction
Watermarking | Amazon Elastic Transcoder – Visual watermarks
38. CDN Security (Amazon CloudFront Security)
• CloudFront’s private content feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed Cookies for Private Content: include the signature in the cookie itself
Diagram: the end user sends HTTP signed requests to Amazon CloudFront (signed URL or signed cookie verification); origins are Amazon S3 (media storage) and delivery EC2 instances in a security group; logs are written to Amazon S3 (logs storage).
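An added example for the signed URL verification point above (a policy bound to an expiry time or to a CIDR block of the requestor), not code from the deck: it builds a CloudFront custom policy, applies CloudFront's URL-safe base64 variant, and re-checks the expiry and source-IP conditions the way the edge does before serving. The distribution hostname, CIDR and expiry are constructed; the RSA-SHA1 signature that travels next to the policy needs the CloudFront key pair and is not generated here.

```python
import base64
import fnmatch
import ipaddress
import json
import time

# Constructed sample values, not from the presentation.
RESOURCE_URL = "https://d111111abcdef8.cloudfront.net/hls/master.m3u8"
ALLOWED_CIDR = "203.0.113.0/24"
EXPIRES_AT = 1700000000  # epoch seconds


def build_custom_policy(resource, expires_at, source_cidr=None, not_before=None):
    """CloudFront custom policy: a resource URL (wildcards allowed), an expiry,
    and optionally a start time and the requester CIDR."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires_at}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_cidr is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return {"Statement": [{"Resource": resource, "Condition": cond}]}


def encode_policy(policy):
    """Compact JSON, base64, then CloudFront's query-safe substitutions + - = _ / ~."""
    raw = json.dumps(policy, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))


def decode_policy(encoded):
    """Inverse of encode_policy, as a verifier would recover the Policy parameter."""
    return json.loads(base64.b64decode(encoded.translate(str.maketrans("-_~", "+=/"))))


def policy_permits(policy, resource, source_ip, now=None):
    """Re-implements the condition checks CloudFront applies (signature aside)."""
    now = time.time() if now is None else now
    for st in policy["Statement"]:
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        cond = st["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False  # timed URL has expired
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False  # not yet valid
        if "IpAddress" in cond:
            net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(source_ip) not in net:
                return False  # requester outside the allowed CIDR
        return True
    return False  # no statement covers this resource
```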
39. Security of the Distribution Workflow (B2C) – A reference streaming workflow
Diagram elements: media owner; Amazon S3 bucket (source); Amazon Elastic Transcoder; AWS Key Management Service; Amazon S3 bucket (output); Amazon CloudFront distribution; Amazon WAF; Elastic Load Balancing across Availability Zone a and Availability Zone b, each with an Amazon EC2 instance running the web app server; Amazon DynamoDB holding per-title keys:
Key Name | Base64 Encoded Key
Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
40. A few other topics
• FAQs
– Third Party Media Security Products
• Watermarking
• DRM
– Software Patching and Updates
– Real-time notifications on any security/access breaches/anomalies
41. Media Security Software on AWS
Diagram: create, ingest, store, manage, process, secure, deliver, integrate, monetize.