AWS April Webinar Series - Securely Deliver High Quality Content with AWS and Wowza

Jul 19, 2015

Download

Technology

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: AWS April Webinar Series - Securely Deliver High Quality Content with AWS and Wowza

Securely Deliver High-Quality Content on AWS

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Usman Shakeel, Principal Solutions Architect Lead (M&E), AWS
Ryan Jespersen, Training and Support Manager, Wowza

April 29th 2015

Page 2

Different Use Cases Call for Different Security Measures

Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution
Free/Public UGC | Vimeo, WeVideo | Open | Progressive Downloads, Streaming
Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive Downloads, Streaming
Ad Supported | Sony Crackle, TMZ | AES Encryption, Signed URLs | Mostly HTTP or RTMP streaming
Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES Encryption, Signed URLs, DRM | HTTP or RTMP streaming
Pre-Released Content | Studios | Encryption, Watermarking, DRM | Mezzanine File transfer (mostly B2B), Proxy streaming

Page 3

Different Mechanisms for Securing the Delivery of a Media Stream

• Token / Signed URLs: Allows you to restrict access to content intended for select users. A signed URL can contain an end date/time, a start date/time, and a range of IP addresses.
• AES Encryption: Allows you to send encrypted video over HTTP to protect content from non-authorized streaming, piracy, and redistribution by others.
• DRM: Similar to AES encryption but adds the business rules layer. For example, you can restrict the user to viewing this stream for only 1 day after first access.
• Geo-blocking: Allows you to restrict access to content based on geographic location. For example, you can block requests coming from a specific country due to copyright reasons.
• Watermarking: Used to identify ownership of the content and prevent piracy or unauthorized redistribution by others.

Page 4

AWS Mechanisms for Securing Media Delivery

• Token / Signed URLs: Amazon CloudFront Private Content – Signed URLs, Signed Cookies, OAIs
• AES Encryption: Amazon Elastic Transcoder – HLS with AES-128 Encryption, Encrypted Media Files
• DRM: Amazon Elastic Transcoder – PlayReady DRM Packaging
• Geo-blocking: Amazon CloudFront – Geo Restriction
• Watermarking: Amazon Elastic Transcoder – Visual Watermarks

Page 5

Sample AWS Architecture for VOD and Live Streaming

[Architecture diagram. VOD path: Media File → Amazon S3 bucket → Elastic Transcoder → Amazon S3 bucket → CloudFront distribution (reading the bucket through an Origin Access Identity) → HTTPS → Media Consumer. Live path: RTMP Stream → Media Servers on Amazon EC2 → CloudFront distribution → HTTPS → Media Consumer.]

Page 6

Amazon S3 Security Controls

• Bucket- and object-level permissions
  • Owner only access (by default)
• Signed URLs / query string authentication
• IAM policies
• Versioning (MFA delete)
• Detailed access logging (access logs)
• Encryption
  • Server side (at rest) + client side
  • In transit
  • Encryption keys

Page 7

Amazon CloudFront Security

• Custom SSL certificate
• CloudFront's private content feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery and origin fetches; HTTP to HTTPS redirect at the edge
• Signed URL or Signed Cookie verification: policy based on a timed URL/cookie or a CIDR block of the requestor
• CloudFront Origin Access Identity (OAI)
• CloudFront Secure Cookie feature

[Diagram: Amazon S3 (Media Storage) and Delivery EC2 Instances (behind a Security Group) are the origins for Amazon CloudFront; CloudFront serves the End User over HTTPS ONLY (plain HTTP is redirected at the edge) and only for a Signed Request; access logs are written to Amazon S3 (Logs Storage).]
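The signed-URL conditions described on Page 3 (end date/time, start date/time, IP range) and on this page (a timed URL/cookie or a CIDR block of the requestor), as an added example that is not from the webinar, from AWS or from Wowza: a standard-library Python helper that builds a CloudFront custom policy, applies CloudFront's URL-safe base64 variant, assembles the URL, and replays the checks the edge applies so an issued URL can be audited for what it grants. The distribution host, key pair id and signature bytes are placeholders; in production the signature is an RSA-SHA1 signature over the compact policy JSON made with the private key of the CloudFront key pair (the AWS SDKs' CloudFront signer does this), and Key-Pair-Id names the matching public key.

```python
"""CloudFront custom-policy helpers (added example, standard library only).

Builds the policy document that a CloudFront signed URL or signed cookie
carries, encodes it the way CloudFront expects, and replays the checks the
edge applies (expiry, start time, requester CIDR, resource pattern) so a
defender can audit what an issued URL actually grants. The RSA-SHA1
signature over the policy is produced with the CloudFront key pair's
private key outside this block and passed in as bytes.
"""
import base64
import json
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlencode, urlsplit


def cloudfront_b64(data):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    text = base64.b64encode(data).decode("ascii")
    return text.replace("+", "-").replace("=", "_").replace("/", "~")


def cloudfront_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def build_custom_policy(resource, expires, not_before=None, source_cidr=None):
    """DateLessThan is mandatory; the start time and source CIDR are optional."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires)}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if source_cidr is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return {"Statement": [{"Resource": resource, "Condition": condition}]}


def policy_json(policy):
    # The policy is signed and transported without whitespace.
    return json.dumps(policy, separators=(",", ":"))


def build_signed_url(url, policy, signature, key_pair_id):
    """Append the three query parameters CloudFront looks for."""
    params = {
        "Policy": cloudfront_b64(policy_json(policy).encode("utf-8")),
        "Signature": cloudfront_b64(signature),
        "Key-Pair-Id": key_pair_id,
    }
    return url + ("&" if "?" in url else "?") + urlencode(params)


def policy_allows(policy, resource, now, client_ip):
    """Replay the edge's decision for one request; deny unless a statement matches."""
    for stmt in policy["Statement"]:
        if not fnmatchcase(resource, stmt["Resource"]):
            continue
        cond = stmt["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False  # expired
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False  # not yet valid
        if "IpAddress" in cond:
            allowed = ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ip_address(client_ip) not in allowed:
                return False  # requester outside the CIDR block
        return True
    return False


def audit_signed_url(signed_url):
    """Decode the Policy parameter of an issued URL to see what it grants."""
    query = parse_qs(urlsplit(signed_url).query)
    policy = json.loads(cloudfront_b64_decode(query["Policy"][0]))
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    return {
        "resource": stmt["Resource"],
        "expires": cond["DateLessThan"]["AWS:EpochTime"],
        "not_before": cond.get("DateGreaterThan", {}).get("AWS:EpochTime"),
        "source_cidr": cond.get("IpAddress", {}).get("AWS:SourceIp"),
        "key_pair_id": query["Key-Pair-Id"][0],
    }


if __name__ == "__main__":
    # Constructed values: placeholder distribution, key pair id and signature bytes.
    start = 1_700_000_000
    policy = build_custom_policy("https://d111111abcdef8.cloudfront.net/hls/*",
                                 start + 3600, start, "203.0.113.0/24")
    url = build_signed_url("https://d111111abcdef8.cloudfront.net/hls/index.m3u8",
                           policy, b"<rsa-sha1 signature bytes>", "APKAEXAMPLEKEYID")
    print(audit_signed_url(url))
```

The same policy object is what a signed cookie carries (as CloudFront-Policy, CloudFront-Signature and CloudFront-Key-Pair-Id cookies), so `audit_signed_url` is the shape of check to run against URLs and cookies your player hands out: an expiry far in the future or a missing CIDR is visible without contacting CloudFront.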

Page 8

Amazon Elastic Transcoder Security

• Encryption at rest, server-managed keys: outputs are saved to Amazon S3 using S3 server-side encryption. Downloaded media is not protected; it is decrypted as it is read from Amazon S3.
• Encryption at rest, client-provided keys: inputs can be protected (the client provides the decryption key) and outputs can be encrypted (the client provides the encryption key). Downloaded media is protected (it cannot play directly from S3 or Amazon CloudFront).
• Protecting keys: Amazon Elastic Transcoder only accepts AWS KMS-protected keys. The key is never written or stored in cleartext.
• Encryption for HLS streams: built on top of the "client provided keys" API. Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key.

Page 9

Amazon Key Management Service (KMS)

• Create, describe and list keys
• Encrypt, decrypt and re-encrypt data
• Generate data keys
  • Consumed by applications to encrypt data
  • Encrypt or decrypt data keys

[Diagram, shown twice: a Customer Master Key inside Amazon KMS yields a Plain text Data Key and an Encrypted Data Key.]
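The data-key flow on this page, together with the Page 8 point that the key is never stored in cleartext, as an added example that is not from the webinar, from AWS or from Wowza: envelope encryption in the shape of the KMS GenerateDataKey/Decrypt calls. `LocalKeyService` is a stand-in for AWS KMS (the real service is reached through the SDK and the master key never leaves it), and `seal`/`open_sealed` are an HMAC-SHA256 keystream with an HMAC tag standing in for AES-128 so the block runs on the standard library alone; the flow is what to copy, not the cipher.

```python
"""Envelope encryption in the shape the KMS data-key API uses (added example).

The customer master key (CMK) never leaves the key service. The service
hands the application a fresh data key in two forms: plaintext, used once
and then discarded, and encrypted under the CMK, which is stored beside the
ciphertext. Decrypting later means sending only the encrypted data key back
to the service. LocalKeyService stands in for AWS KMS and seal/open_sealed
stand in for AES-128 (HMAC-SHA256 keystream plus tag), so the block runs
with the standard library alone.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for an AES keystream)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; a modified blob raises ValueError."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class LocalKeyService:
    """Stand-in for AWS KMS: CMKs live only inside this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "cmk-" + os.urandom(4).hex()  # constructed key id
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Like KMS GenerateDataKey: (plaintext data key, data key wrapped by the CMK)."""
        data_key = os.urandom(16)  # 128-bit key, as for HLS AES-128
        wrapped = key_id.encode("ascii") + b"|" + seal(self._cmks[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped):
        """Like KMS Decrypt: the wrapped blob names the CMK that wrapped it."""
        key_id, blob = wrapped.split(b"|", 1)
        return open_sealed(self._cmks[key_id.decode("ascii")], blob)


def encrypt_media(kms, key_id, media):
    """Persist only the ciphertext and the wrapped key; the plaintext key is dropped."""
    data_key, wrapped_key = kms.generate_data_key(key_id)
    record = {"ciphertext": seal(data_key, media), "wrapped_key": wrapped_key}
    del data_key
    return record


def decrypt_media(kms, record):
    """Unwrap the data key through the key service, then decrypt locally."""
    data_key = kms.decrypt(record["wrapped_key"])
    return open_sealed(data_key, record["ciphertext"])


if __name__ == "__main__":
    kms = LocalKeyService()
    cmk = kms.create_key()
    rec = encrypt_media(kms, cmk, b"constructed media bytes")
    print(decrypt_media(kms, rec))
```

Two properties of the flow are worth checking in your own pipeline: every job gets a different data key under the same CMK, so compromising one key file exposes one asset, and the only thing an attacker can read from storage is the wrapped key, which is useless without a Decrypt call that KMS logs and IAM can deny.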

Page 10

IAM Roles

[Diagram with: Bucket containing Content; Media Servers on Amazon EC2; Elastic Transcoder; Amazon KMS for encrypting/decrypting your keys. Annotations: IAM Role to generate Keys from KMS; IAM Role to read the file from S3; Call KMS end-point on your behalf to get the data key for encryption; Get access to S3 bucket for a content file; Launch the instance with IAM Role; Assign Role to Elastic Transcoder job.]
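The two roles on this page, as an added example that is not from the webinar, from AWS or from Wowza: minimal IAM policy documents for the Elastic Transcoder job role and for the media servers' EC2 instance role, plus a small evaluator that replays IAM's deny-by-default, explicit-deny-wins matching so each role can be checked against what it is and is not meant to do. The bucket names, account id and CMK ARN are placeholders, and the policies list only the permissions the diagram names (read content, write outputs, ask KMS for a data key); add what the job actually needs beyond that rather than starting from a wildcard.

```python
"""Least-privilege role policies for the Page 10 pipeline (added example).

One policy for the Elastic Transcoder job role, one for the media servers'
EC2 instance role, and is_allowed, which replays the basic IAM decision:
implicit deny, any matching Allow grants, any matching Deny wins. Bucket
names, the account id and the CMK ARN are placeholders.
"""
import json
from fnmatch import fnmatchcase

CONTENT_BUCKET = "arn:aws:s3:::example-content-bucket"                  # placeholder
OUTPUT_BUCKET = "arn:aws:s3:::example-output-bucket"                    # placeholder
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"       # placeholder

# Role assigned to the Elastic Transcoder job: read the source, write outputs,
# obtain and unwrap the data key that protects the outputs.
TRANSCODER_JOB_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": CONTENT_BUCKET + "/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": OUTPUT_BUCKET + "/*"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": CMK_ARN},
    ],
}

# Instance role for the media servers: read content and request data keys
# from KMS on the customer's behalf; nothing else.
MEDIA_SERVER_INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": CONTENT_BUCKET + "/*"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": CMK_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are matched case-sensitively, with the same wildcards.
    return fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for a single identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_findings(policy):
    """Indexes of Allow statements that cover every action of a service or every resource."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        broad_action = any(p == "*" or p.endswith(":*") for p in _as_list(stmt["Action"]))
        broad_resource = any(p == "*" for p in _as_list(stmt["Resource"]))
        if broad_action or broad_resource:
            findings.append(index)
    return findings


def policy_document(policy):
    """Serialized form to attach to the role with the AWS CLI or SDK."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document(TRANSCODER_JOB_ROLE_POLICY))
    print(is_allowed(TRANSCODER_JOB_ROLE_POLICY, "s3:DeleteObject", CONTENT_BUCKET + "/movie.mp4"))
```

The point of `is_allowed` is the negative cases: the transcoder role cannot delete source objects and the media servers cannot write outputs or call kms:Decrypt, so a compromised media server can mint new keys but cannot unwrap the keys already protecting stored content. For real policies, run the same questions through the IAM policy simulator rather than this approximation.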

Page 11

On-Demand Streaming Demo Components

AWS Services used:
• Amazon S3 for storage
• Amazon Elastic Transcoder for transformation and encryption
• Amazon CloudFront for global delivery
• AWS Key Management Service

JW Player for delivery

Benefit from the high availability, scalability, and low cost offered by AWS services.

Page 12

On-Demand Transcoding and Encrypted File Delivery

[Architecture diagram with: Media Owner; Elastic Transcoder; Key Management Service; two Amazon S3 buckets; CloudFront distribution; Elastic Load Balancing in front of EC2 Instances (web app server) in Availability Zone a and Availability Zone b; DynamoDB holding the key table below.]

Key Name | Base64 Encoded Key
Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…

Page 13

Demo: Secure On-Demand Streaming

Page 14

Wowza Streaming Engine™

• Robust, customizable, and scalable server software that powers reliable streaming of high-quality audio and video to any device anywhere
• Use AWS Marketplace to live stream with Wowza on Amazon EC2
• Stream on-demand content from Amazon S3
• Deliver streams globally using Amazon CloudFront

Page 15

All-Around Content Protection

• AES-128 encryption
• StreamLock, SSL, HTTPS, RTMPS, and RTMPE
• SecureToken (Token Authentication)
• Authentication for RTMP and RTSP publishing
• GeoIP (Geographic Locking)
• Hotlink Denial protection
• Referrer verification
• Server-Side API to control access
• IP white/black lists
• Stream name alias solutions

Page 16

On-the-Fly DRM for Any Screen

Page 17

Wowza and CloudFront: Live ABR Streaming

[Diagram: Source Encoder → RTSP or RTMP → ABR Streaming Origin Server on Amazon EC2 → MPEG-DASH, HLS, HDS, Smooth Streaming → Amazon CloudFront CDN → viewers in Hong Kong, Paris and New York.]

Page 18

Live Stream Failover Setup

[Diagram: an RTMP Stream feeds Wowza Streaming Engine on EC2 Instances in Availability Zone a and Availability Zone b; Amazon Route 53 DNS Failover and Elastic Load Balancing direct traffic between the two zones; Amazon CloudFront delivers the stream.]

Page 19

Demo: Secure Live Streaming

Page 20

Best Practices

• Limit access to port 1935 (RTMP) to only trusted sources
• Define TTL settings for .ts files and .m3u8 playlists
• Negative TTLs (sequential)
• Geo Block access to the stream if necessary
• Rotate the key file as often as possible
• Randomize the .ts filename for live streams
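The HLS points from Page 8 (the playlist embeds the URI of the decryption key), Page 12 (one key per title) and this page (rotate the key file, randomize the .ts filename), as an added example that is not from the webinar, from AWS or from Wowza: a standard-library Python auditor that walks a media playlist, tracks which #EXT-X-KEY is in force for each segment, and reports unencrypted segments, key URIs not fetched over HTTPS, how many distinct keys the playlist uses (a proxy for rotation) and whether segment names are a plain counter. The playlist, key host and segment names are constructed for the example.

```python
"""Audit an HLS media playlist against the Page 20 checklist (added example).

Walks the playlist in order, tracking the #EXT-X-KEY in force for each
segment, and reports: segments served with METHOD=NONE, key URIs that are
not fetched over HTTPS, how many distinct keys the playlist uses (a proxy
for key rotation) and whether the segment names are a predictable counter.
The playlist below is constructed; the key host and names are placeholders.
"""
import re
from urllib.parse import urlsplit

SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/k1.key",IV=0x00000000000000000000000000000001
#EXTINF:10.0,
seg000.ts
#EXTINF:10.0,
seg001.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/k2.key",IV=0x00000000000000000000000000000002
#EXTINF:10.0,
seg002.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
seg003.ts
#EXT-X-ENDLIST
"""

# ATTRIBUTE=value pairs; quoted values may contain commas, unquoted ones may not.
_ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attributes(text):
    """Parse an attribute list such as METHOD=AES-128,URI="..."; quotes are stripped."""
    return {key: value.strip('"') for key, value in _ATTR_RE.findall(text)}


def parse_playlist(text):
    """Return [(segment_uri, key_attributes)] with the key in force for each segment."""
    segments, key = [], {"METHOD": "NONE"}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#EXT-X-KEY:"):
            key = parse_attributes(line[len("#EXT-X-KEY:"):])
        elif line and not line.startswith("#"):
            segments.append((line, key))
    return segments


def names_are_counter(names):
    """True when every name ends in a number and the numbers step by one."""
    numbers = []
    for name in names:
        match = re.search(r"(\d+)\.[A-Za-z0-9]+$", name)
        if not match:
            return False
        numbers.append(int(match.group(1)))
    return len(numbers) > 1 and all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def audit_playlist(text, playlist_scheme="https"):
    """Relative key URIs inherit the scheme the playlist itself was fetched over."""
    segments = parse_playlist(text)
    unencrypted, insecure_uris, key_uris = [], [], set()
    for uri, key in segments:
        if key.get("METHOD", "NONE") == "NONE":
            unencrypted.append(uri)
            continue
        key_uri = key.get("URI", "")
        key_uris.add(key_uri)
        scheme = urlsplit(key_uri).scheme or playlist_scheme
        if scheme != "https" and key_uri not in insecure_uris:
            insecure_uris.append(key_uri)
    return {
        "unencrypted_segments": unencrypted,
        "insecure_key_uris": insecure_uris,
        "distinct_keys": len(key_uris),
        "predictable_names": names_are_counter([uri for uri, _ in segments]),
    }


if __name__ == "__main__":
    print(audit_playlist(SAMPLE_PLAYLIST))
```

Run it against the playlist your origin actually emits rather than the sample: a `distinct_keys` of 1 across a long live window means the key file is not rotating, and `predictable_names` is the check behind the last bullet above.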

Page 21

More Information

Wowza Security
• Overview: http://www.wowza.com/products/streaming-engine/features/security
• How To Articles: http://www.wowza.com/forums/content.php?619-security

Digital Rights Management
• Secure MPEG-DASH streaming using Common Encryption (CENC): http://www.wowza.com/forums/content.php?580-How-to-secure-MPEG-DASH-streaming-using-Common-Encryption-(CENC)
• Secure Apple HLS streaming using DRM encryption: http://www.wowza.com/forums/content.php?437-How-to-secure-Apple-HLS-streaming-using-DRM-encryption

AES 128 Encryption
• http://www.wowza.com/forums/content.php?59-How-to-use-the-internal-method-of-AES-128-encryption-to-secure-live-or-VOD-streams-sent-to-Apple-iOS-devices-(ModuleEncryptionHandlerCupertinoStreaming)

Page 22

Sample AWS Architecture for *Secure* VOD and Live Streaming

[Architecture diagram with the same components as Page 5 plus the Media Owner and Amazon Key Management Service (KMS). VOD path: Media File → Amazon S3 bucket → Elastic Transcoder → Amazon S3 bucket → CloudFront distribution (Origin Access Identity) → HTTPS → Media Consumer. Live path: RTMP Stream → Media Servers on Amazon EC2 → CloudFront distribution → HTTPS → Media Consumer.]

Security annotations on the diagram:
• Media Owner can create a primary key on KMS
• ETS can have an IAM role to request the data key from KMS
• EC2 and ETS can request the data key on behalf of the customer
• Media Server generating keys and serving them, or using KMS via an IAM Role for key management
• CloudFront Secure Cookie to allow or deny consumers access to the manifest
• Encrypted Content Segments and Keys stored in S3 (keys can be served outside of S3 as well)