Media content, whether it be the latest blockbuster movie or a company's confidential webcasts, can be some of the most important assets for a media business. Storing, preparing, and delivering this content securely involves leveraging systems that can scale and ensure top-of-the-line security. Come find out how AWS can help you implement these workflows in the cloud using highly available, scalable, and secure cloud services such as Amazon S3 (storage), Amazon Elastic Transcoder (transcoding) and Amazon CloudFront (delivery).
We also discuss the underlying concepts of secure media delivery (e.g., policy-based DRM and signed URLs), the challenges faced by customers who need to design and implement these critical modules, and how to leverage the power of AWS to accomplish those while saving on costs. In addition, we take a deep dive into a media processing stack implemented on AWS using open source components to deliver encrypted HTTP Live Streams (HLS) to various devices.
(MED303) Secure Media Streaming and Delivery | AWS re:Invent 2014
4. Use Case                             | Example Media Distributor     | Content Security Solution Commonly in Practice | Delivery Solution
   Free/Public UGC                      | Vimeo, WeVideo                | Open                                           | Progressive downloads, streaming
   Free/Secure UGC                      | WeVideo, YouTube              | Signed URLs                                    | Progressive downloads, streaming
   Ad Supported                         | SonyCrackle, TMZ              | AES encryption, signed URLs                    | Mostly HTTP or RTMP streaming
   Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES encryption, signed URLs, DRM               | HTTP or RTMP streaming
   Pre-Released Content                 | Studios                       | Encryption, watermarking, DRM                  | Mezzanine file transfer (mostly B2B), proxy streaming
5. Content security building blocks:
• Token / signed URLs
• AES encryption
• DRM
• Geoblocking
• Watermarking
8. Sample AWS Architecture for VOD and Live Streaming (diagram). Components shown, VOD path: media file, Amazon S3 bucket, Elastic Transcoder, Amazon S3 bucket, CloudFront distribution. Live path: RTMP stream, media servers on Amazon EC2.
10. • Global content delivery via 52 edge locations
• On-demand and live streaming
• Supports both HTTP and RTMP streaming
  Native support for Smooth Streaming
• Set custom TTLs to cache all types of content
• TCP optimizations
• Customize content at the edge
  Detect device type, geo-location, language, etc.
11. Secure delivery with Amazon CloudFront (diagram). Components shown: Amazon S3 (media storage), Amazon CloudFront, end user (HTTP crossed out, HTTPS only), delivery EC2 instances inside a security group, signed request, Amazon S3 (logs storage).
• Custom SSL certificate
• CloudFront's private content feature
  Only deliver content to securely signed requests
• HTTPS-only requests/delivery and origin fetches
• HTTP to HTTPS redirect at the edge
• Signed URL verification
  Policy based on a timed URL or a CIDR block of the requestor
• CloudFront Origin Access Identity (OAI)

Bucket policy statement granting the OAI read access to the media bucket (the slide shows only the statement body; it is wrapped here in the full policy document so it can be applied as-is):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
12. • Scalable, cost effective (per-minute pricing)
• Integrated with AWS services & tools (Amazon SNS, Amazon S3, IAM, AWS CloudTrail, and AWS SDK)
• Codecs, processing, and licensing baked in
• Outputs:
  Popular web formats such as MP4 with H.264/AAC and WebM with VP8/Vorbis
  Adaptive bitrate formats such as HLS and Smooth Streaming
• Audio-only processing for inputs and outputs
• Features include captions, visual watermarks, clipping, and more
13. • Support for Amazon S3 encryption at rest
• Input and output media files can be encrypted
• Keys protected via AWS Key Management Service
• Encryption for HLS streams: COMING SOON!
15. Facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure
Certifications
• SOC 1, SOC 2, & SOC 3 (SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, International Traffic in Arms Regulations (ITAR) workloads.
16. Unique security credentials
• Access keys, login/password, MFA device
• Federated authentication (AWS Security Token Service, STS)
Policies control access to AWS APIs
• API calls must be signed by either an X.509 certificate or a secret key
Deep integration with other AWS services
• Amazon S3: policies on objects and buckets
• Amazon CloudFront: resource permissions
18. JW Plays Everywhere
One video player for:
• (Mobile) web browsers
• Native mobile apps
• OTT platforms
Consistent, cross-platform user interface, adaptive streaming, video advertising, media casting, and video analytics.
19. JW Player vs. <video>
Cross-Browser Support
• Consistent design across browsers & mobile devices.
• Polyfills for non-supported elements (e.g., WebVTT).
• Flash fallback for non-HTML5 browsers (e.g., IE8).
Premium User Interface
• Pixel-perfect skinning (fit your brand & site design).
• Interactivity (preview thumbnails, chapter markers, hot spots).
• Content discovery (social sharing and related videos overlays).
Apple HLS on Desktops
• Adaptive, on-demand & live streaming with DVR support.
• Multiple audio tracks and (live) closed captions languages.
• Fast (<500ms) startup time and frame-accurate seeking.
20. JW Player & Security
●CDN Tokening
○Support for access tokens from all major CDNs, including CloudFront.
●Domain Restriction
○Configure JW Player to only set up when detecting specific domains.
●HLS AES Decryption
○Play HD quality encrypted streams using external keys and/or rotation.
●No DRM yet, but …
○Browser support for HTML5 Encrypted Media Extensions (EME) is growing.
EME currently works in Chrome (all platforms), Safari 8 (Mac), and Internet Explorer 11 (Win8).
23. On-Demand Transcoding and Encrypted File Delivery (diagram). Components shown: media owner, Amazon S3 bucket, Elastic Transcoder, AWS Key Management Service, a second Amazon S3 bucket, CloudFront distribution, Elastic Load Balancing in front of EC2 instances (web app servers) in Availability Zones a and b, and DynamoDB holding the per-title keys:

   Key Name        | Base64 Encoded Key
   Big Buck Bunny  | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
   Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
27. Live Stream Failover Setup (diagram). Components shown: RTMP stream, an nginx transcoder on an EC2 instance in Availability Zone a and another in Availability Zone b, Amazon Route 53 DNS failover between them, Elastic Load Balancing, and Amazon CloudFront in front.
29. Security group inbound rules for the media servers:

   Type             | Protocol | Port Range | Source
   HTTP             | TCP      | 80         | 0.0.0.0/0
   HTTPS            | TCP      | 443        | 0.0.0.0/0
   Custom TCP Rule  | TCP      | 1935       | 54.255.255.0/32
33. nginx-rtmp configuration (the slide's text ran words together and dropped the closing brace of the rtmp block; both are restored here):

rtmp {
    server {
        listen 1935;
        chunk_size 4096;

        application live {
            live on;
            record off;
            exec_push ffmpeg -i rtmp://localhost/live/$name -vcodec libx264 -vprofile baseline -g 5 -s 640x360 -acodec libfdk_aac -ar 44100 -ac 1 -f flv rtmp://localhost/hls/$name;
        }

        application hls {
            live on;
            hls on;
            hls_path /tmp/hls;
            hls_fragment 5s;
            # Use HLS encryption
            hls_keys on;
            # Use stream timestamp rounded to 250ms as fragment names
            hls_fragment_naming timestamp;
            hls_fragment_naming_granularity 250;
            # Store auto-generated keys in this location rather than hls_path
            hls_key_path /tmp/keys;
            # Prepend key url with this value
            hls_key_url https://enter URL here/keys/;
            # Change HLS key every 2 fragments
            hls_fragments_per_key 2;
            # Create identical fragments on different nginx instances for High Availability (without encryption)
            hls_fragment_slicing aligned;
            hls_cleanup on;
        }
    }
}
34. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals