Highly secure content delivery at global scale with amazon cloudfront
•
2 likes•3,921 views
Our very own Canadian Solution Architects: Matt Nowina and Jonathan Dion, presented to an audience of broadcasters, special effects producers, video editors, during the AWS Media and Entertainment Symposium
Recommended
More Related Content
Viewers also liked
Viewers also liked (20)
Similar to Highly secure content delivery at global scale with amazon cloudfront
Similar to Highly secure content delivery at global scale with amazon cloudfront (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Highly secure content delivery at global scale with amazon cloudfront
- 1. ©2016, Amazon Web Services, Inc. or its affiliates. All rights reserved Highly Secure Content Delivery at Global Scale with Amazon CloudFront Matt Nowina, Solutions Architect, Amazon Web Services Jonathan Dion, Solutions Architect, Amazon Web Services
- 2. Secure media streaming overview
- 3. Use Case Example Media Distributor Content Security Solution Commonly in Practice Delivery Solution Free/Public UGC Vimeo, WeVideo Open Progressive downloads, streaming Free/Secure UGC WeVideo, YouTube Signed URLs Progressive downloads, streaming Ad Supported Sony Crackle, TMZ AES encryption, signed URLs Mostly HTTP or RTMP streaming Premium Content (Live Linear or VOD) Netflix, Amazon Instant Video, Shomi AES Encryption, signed URLs, DRM HTTP or RTMP streaming Prereleased Content Studios Encryption, watermarking, DRM Mezzanine file transfer (mostly B2B), proxy streaming
- 5. Overview of secure streaming on AWS
- 6. Three Approaches to Media Solutions on AWS Custom: Build your OwnElemental Media Solutions Partner Based Custom APIs Marketplace AMIs Other 3rd party Interface(s) Interface(s) Partner Platform/ App (e.g. Aspera, Ooyala) Other 3rd partyInterface(s) Elemental APIs (e.g. Live, Delta) Other 3rd party Appliance VM EFS/ EBS S3/ Glacier EC2 RDS/ NoSQL Lambda/ SWF Other AWS SERVICESOn-Premises
- 7. AWS services stack in a media workflow AWS Direct Connect Elastic Load Balancing AWS Import/ Export Amazon S3 AWS Storage Gateway Amazon EBS Amazon CloudFront Amazon CloudSearch Amazon SQS Amazon Elastic Transcoder Amazon EC2 Amazon EMRAmazon VPC Ingest/Create Store Amazon RDS Amazon ElastiCache Amazon Route 53 DeliverProcess Amazon EC2
- 8. Security certifications and compliance Facilities Physical security Physical infrastructure Network infrastructure Virtualization infrastructure Certifications • SOC 1, SOC 2, and SOC 3 (SSAE16/ISAE 3402 audit) • ISO 27001 certification • PCI level 1 service provider • FedRAMP (FISMA) • AWS GovCloud (US) • MPAA best practices alignment Customer are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, International Traffic in Arms Regulations (ITAR)
- 10. CloudFront distribution Elastic Transcoder Media File Live Stream Media Servers on Amazon EC2 CloudFront distribution Origin Access Identity HTTPS HTTPS Amazon S3 bucket Media Owner Amazon S3 bucket Media Consumer Elemental Cloud (Server) Elemental Cloud (Live) Elemental On-Prem Elemental Cloud (Delta) 10 Sample AWS architecture for VOD and live streaming
- 11. Amazon S3 security controls • Bucket-level and object-level permissions • Owner-only access (by default) • Signed URLs/query string authentication • AWS IAM policies • Versioning (MFA delete) • Detailed access logging ✔Access logs
- 12. Amazon S3 client-side encryption with AWS SDK for Java Look for AmazonS3EncryptionClient class (subclass of AmazonS3Client) Corporate data center Content Master key AWS SDK for Java Envelope key Encrypted content Encrypted envelope key You can use AWS Key Management Service to manage your keys as well
- 13. Amazon S3 server-side encryption (at rest) • Encryption • Decryption • Key management (Encrypted by Amazon S3 master key; stored separately from your data) • 256-bit AES encryption • User-provided keys • Integration with AWS KMS Content to be uploaded (encryption enabled in the HTTP header) Envelop Key Encrypted stored keyEncrypted stored data Master Amazon S3 key Amazon S3
- 14. Amazon CloudFront • Global content delivery via 56 edge locations • On-demand and live streaming • Supports both HTTP and RTMP streaming • Native support for Smooth Streaming • Set custom TTLs to cache all types of content • TCP optimizations • Customize content at the edge • Detect device type, geo-location, language, etc.
- 15. Amazon S3 (Media storage) Amazon CloudFront Amazon CloudFront security End user HTTP ________ HTTPS ONLY • Custom SSL certificate • Integrated with Amazon Certificate Manager (ACM) • Amazon CloudFront’s private content feature Only deliver content to securely signed requests • HTTPS ONLY requests/delivery, origin fetches • HTTP to HTTPS redirect at the edge • Signed URL or signed cookie verification Policy based on a timed URL/cookie or a CIDR block of the requestor • Amazon CloudFront Origin Access Identity (OAI) Delivery Amazon EC2 instances Security group Signed request Amazon S3 (Logs storage) "Effect":"Allow", "Principal":{ "CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8" }, "Action":"s3:GetObject", "Resource":"arn:aws:s3:::example-bucket/*”
- 16. Amazon Elastic Transcoder • Scalable, cost effective (per-minute pricing) • Integrated with AWS services and tools (Amazon SNS, Amazon S3, AWS IAM, AWS CloudTrail, and AWS SDK) • Codecs, processing, and licensing baked in • Outputs: • Popular web formats such as MP4 with H.264/AAC and WebM with VP8/Vorbis • Adaptive bitrate formats such as HLS, MPEG-DASH and Smooth Streaming • Audio-only processing for inputs and outputs • Features include captions, visual watermarks, clipping, and more
- 17. Amazon Elastic Transcoder security • Encryption at rest Server managed keys Client provided keys • Integration with AWS Key Management Service Amazon Elastic Transcoder accepts AWS KMS protected keys Key is never written or stored in cleartext • Encryption for HLS streams Built on top of “client provided keys” API Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key • Digital Rights Management PlayReady DRM packaging • CloudTrail Integration
- 18. Media Software on AWS Marketplace • Launch software on AWS with 1-Click • Pay-by-the-hour, monthly, or annual • Single invoice for AWS usage & ISV software • Free Trials
- 19. AWS Identity and Access Management (IAM) Unique security credentials • Access keys, login/password, multi-factor authentication (MFA) device • Federated authentication (AWS Security Token Service [STS]) Policies control access to AWS APIs • API calls must be signed by either X.509 certificate or secret key Deep integration with other AWS services • Amazon S3: Policies on objects and buckets • Amazon CloudFront: Resource permissions • Amazon Elastic Transcoder • Amazon EC2 IAM Policies applicable to AWS Marketplace software
- 20. Log, Monitor, Act Proactively You are making API calls and accessing your content ... On a growing set of services around the world accessing your content Amazon CloudTrail is continuously recording API calls… And delivering log files to you… Elastic Load Balancing Amazon S3 Amazon Glacier Amazon CloudFront Amazon S3/Amazon CloudFront/App Logs Access Logs Feed Logs in Amazon Cloudwatch or monitor patterns on Logs Act Fast or automate based on realtime notifications and alerts Amazon CloudTrail Amazon Redshift Amazon EC2 AWS IAM Amazon RDS Amazon Elastic Transcoder
- 21. Sample architecture of secure streaming on AWS
- 22. CloudFront distribution Elastic Transcoder Media File Live Stream Media Servers on Amazon EC2 CloudFront distribution Origin Access Identity HTTPS HTTPS Amazon S3 bucket Media Owner Amazon S3 bucket Media Consumer Elemental Cloud (Server) Elemental Cloud (Live) Elemental On-Prem 22 Sample AWS architecture for VOD and live streaming Elemental Cloud (Delta)
- 23. CloudFront distribution Elastic Transcoder Media File Live Stream Media Servers on Amazon EC2 CloudFront distribution Origin Access Identity HTTPS HTTPS Amazon S3 bucket Media Owner 1. Media Owner can create a primary key on KMS 2. ETS can have an IAM role to request the data key from KMS Amazon S3 bucket 3. EC2, ETS can request the data-key on behalf of customer 2. Media Server generating keys and serving or using KMS via IAM Role for key management 5. CloudFront Secure cookie to allow or deny consumers the access to manifest 4. Encrypted Content Segments and Keys stored in S3 (keys can be served outside of S3 as well) Media Consumer Amazon Key Management Service (KMS) Elemental Cloud (Server) Elemental Cloud (Live) Elemental On-Prem Sample AWS architecture for secure VOD and live streaming 23 Elemental Cloud (Delta)
- 24. VOD Best practices • Only allow CDN to access source content • Define high TTL settings for .ts and .m3u8 files • Geo Block access to stream if necessary • Define 4xx / 5xx Error Caching Minimum TTL to 0
- 25. Live Stream Best practices • Limit inbound Live Stream access only to trusted sources • Define TTL settings for .ts files and .m3u8 • Negative TTLs (sequential) • Geo Block access to stream if necessary • Rotate the key file as often as possible • Randomize the .ts file name for live streams
- 26. TORONTO