(med303) secure media streaming and delivery | aws re:invent 2014
DESCRIPTION
Media content, whether it is the latest blockbuster movie or a company's confidential webcasts, can be some of the most important assets of a media business. Storing, preparing, and delivering this content securely requires systems that scale and provide top-of-the-line security. Come find out how AWS can help you implement these workflows in the cloud using highly available, scalable, and secure services such as Amazon S3 (storage), Amazon Elastic Transcoder (transcoding), and Amazon CloudFront (delivery). We also discuss the underlying concepts of secure media delivery (e.g., policy-based DRM and signed URLs), the challenges faced by customers who need to design and implement these critical modules, and how to leverage AWS to accomplish this while saving on costs. In addition, we take a deep dive into a media processing stack implemented on AWS using open source components to deliver encrypted HTTP Live Streams (HLS) to various devices.
TRANSCRIPT
Media use cases, with the content security solution commonly in practice and the delivery solution for each:

Use Case                              | Example Media Distributor      | Content Security Solution Commonly in Practice | Delivery Solution
Free/Public UGC                       | Vimeo, WeVideo                 | Open                                           | Progressive downloads, streaming
Free/Secure UGC                       | WeVideo, YouTube               | Signed URLs                                    | Progressive downloads, streaming
Ad Supported                          | Sony Crackle, TMZ              | AES encryption, signed URLs                    | Mostly HTTP or RTMP streaming
Premium Content (Live Linear or VOD)  | Netflix, Amazon Instant Video  | AES encryption, signed URLs, DRM               | HTTP or RTMP streaming
Pre-Released Content                  | Studios                        | Encryption, watermarking, DRM                  | Mezzanine file transfer (mostly B2B), proxy streaming

Content security techniques covered in this session:
• Token / signed URLs
• AES encryption
• DRM
• Geoblocking
• Watermarking
[Diagram: AWS services across the media workflow stages Ingest/Create, Store, Process, and Deliver: AWS Direct Connect, AWS Import/Export, AWS Storage Gateway, Elastic Load Balancing, Amazon S3, Amazon EBS, Amazon RDS, Amazon ElastiCache, Amazon SQS, Amazon CloudSearch, Amazon Elastic Transcoder, Amazon EC2, Amazon EMR, Amazon VPC, Amazon CloudFront, Amazon Route 53]
Sample AWS Architecture for VOD and Live Streaming
[Diagram: VOD path: media file → Amazon S3 bucket → Elastic Transcoder → Amazon S3 bucket → CloudFront distribution. Live path: RTMP stream → media servers on Amazon EC2 → CloudFront distribution.]
Amazon CloudFront
• Global content delivery via 52 edge locations (at the time of this session)
• On-demand and live streaming
• Supports both HTTP and RTMP streaming; native support for Smooth Streaming
• Set custom TTLs to cache all types of content
• TCP optimizations
• Customize content at the edge: detect device type, geo-location, language, etc.
Secure Delivery with Amazon CloudFront
[Diagram: end user → Amazon CloudFront → Amazon S3 (media storage); delivery EC2 instances inside a security group accept only signed requests; access logs are written to Amazon S3 (logs storage)]
• HTTPS only, with a custom SSL certificate
• CloudFront's private content feature: only deliver content to securely signed requests
• HTTPS-only requests, delivery, and origin fetches
• HTTP to HTTPS redirect at the edge
• Signed URL verification: the policy is either a canned policy (a timed URL that expires) or a custom policy that additionally restricts the requester to a CIDR block
• CloudFront Origin Access Identity (OAI): the S3 bucket grants read access only to the distribution's OAI, so viewers cannot bypass CloudFront and fetch objects from the bucket directly

S3 bucket policy granting the OAI (identified by its canonical user ID) read access to the bucket's objects:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
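The signed-URL mechanism from the slide above (a policy carrying an expiry and, optionally, the requester's CIDR block, signed with the trusted signer's RSA key and checked at the edge before an object is served), as an added Go example written for this page; it is not code from the session, from AWS, or from any SDK. SignURL builds the custom policy and the URL the way the CloudFront documentation specifies (compact policy JSON, RSA-SHA1 signature, CloudFront's URL-safe base64 variant), and VerifyRequest models the edge-side check. The distribution hostname, the key pair ID APKAEXAMPLE, the key pair produced by newDemoKey, and the client addresses are assumptions for the demo: a real signer loads the .pem AWS issued for the trusted signer, and CloudFront also accepts wildcards in Resource, which this exact-match check does not.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

type IPCond struct{ SourceIP string `json:"AWS:SourceIp"` }
type Statement struct {
	Resource  string `json:"Resource"`
	Condition struct {
		DateLessThan struct{ EpochTime int64 `json:"AWS:EpochTime"` } `json:"DateLessThan"`
		IpAddress    *IPCond `json:"IpAddress,omitempty"`
	} `json:"Condition"`
}
type Policy struct{ Statement []Statement `json:"Statement"` } // CloudFront custom policy document

// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
var cfEnc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var cfDec = strings.NewReplacer("-", "+", "_", "=", "~", "/")

func cfEncode(b []byte) string          { return cfEnc.Replace(base64.StdEncoding.EncodeToString(b)) }
func cfDecode(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(cfDec.Replace(s)) }

// SignURL: compact policy JSON, RSA-SHA1 (PKCS#1 v1.5) signature with the signer's private key, both carried in the query with Key-Pair-Id.
func SignURL(resource string, expires int64, cidr, keyPairID string, priv *rsa.PrivateKey) (string, error) {
	var st Statement
	st.Resource, st.Condition.DateLessThan.EpochTime = resource, expires
	if cidr != "" {
		st.Condition.IpAddress = &IPCond{cidr}
	}
	raw, _ := json.Marshal(Policy{[]Statement{st}}) // no whitespace, as CloudFront requires
	digest := sha1.Sum(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	u, perr := url.Parse(resource)
	if err := errors.Join(err, perr); err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("Policy", cfEncode(raw))
	q.Set("Signature", cfEncode(sig))
	q.Set("Key-Pair-Id", keyPairID)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifyRequest is the edge-side check: signature over the policy bytes first, then the conditions. Key-Pair-Id would select the public key; it is passed in here.
func VerifyRequest(signedURL, clientIP string, now int64, pub *rsa.PublicKey) error {
	u, err := url.Parse(signedURL)
	if err != nil {
		return err
	}
	raw, err1 := cfDecode(u.Query().Get("Policy"))
	sig, err2 := cfDecode(u.Query().Get("Signature"))
	if err1 != nil || err2 != nil {
		return errors.New("malformed Policy or Signature parameter")
	}
	digest := sha1.Sum(raw)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	var pol Policy
	if json.Unmarshal(raw, &pol) != nil || len(pol.Statement) != 1 {
		return errors.New("malformed policy document")
	}
	st := pol.Statement[0]
	if u.Scheme+"://"+u.Host+u.Path != st.Resource { // exact match; CloudFront also allows wildcards
		return errors.New("URL does not match the signed resource")
	}
	if now >= st.Condition.DateLessThan.EpochTime {
		return errors.New("signed URL has expired")
	}
	if ip := st.Condition.IpAddress; ip != nil {
		_, block, err := net.ParseCIDR(ip.SourceIP)
		if err != nil || !block.Contains(net.ParseIP(clientIP)) {
			return errors.New("requester IP outside the signed CIDR")
		}
	}
	return nil
}

// newDemoKey stands in for the trusted signer's key pair (normally the .pem AWS issued).
func newDemoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func main() { // hypothetical distribution URL and key pair ID; prints the URL, <nil>, then the CIDR error
	priv := newDemoKey()
	signed, _ := SignURL("https://d111111abcdef8.cloudfront.net/hls/bunny.m3u8", 1700000000, "203.0.113.0/24", "APKAEXAMPLE", priv)
	fmt.Println(signed, VerifyRequest(signed, "203.0.113.9", 1699999000, &priv.PublicKey), VerifyRequest(signed, "198.51.100.1", 1699999000, &priv.PublicKey))
}
```

The order of checks matters: the signature is verified before anything in the policy is trusted, so an attacker who edits the expiry or the CIDR in the Policy parameter fails at the signature step, and swapping the path for another object fails at the resource comparison because the resource is part of the signed policy. The CIDR condition is what turns a leaked URL into something that only works from the network it was issued to; without it (the time-only policy) anyone holding the URL can fetch the object until it expires.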
Amazon Elastic Transcoder
• Scalable, cost effective (per-minute pricing)
• Integrated with AWS services and tools (Amazon SNS, Amazon S3, IAM, AWS CloudTrail, and the AWS SDKs)
• Codecs, processing, and licensing baked in
• Outputs: popular web formats such as MP4 with H.264/AAC and WebM with VP8/Vorbis; adaptive bitrate formats such as HLS and Smooth Streaming
• Audio-only processing for inputs and outputs
• Features include captions, visual watermarks, clipping, and more
• Support for Amazon S3 encryption at rest
• Input and output media files can be encrypted
• Keys protected via AWS Key Management Service
• Encryption for HLS streams (coming soon, at the time of this session)
Shared Responsibility Model
AWS is responsible for the security of the underlying platform:
• Facilities
• Physical security
• Physical infrastructure
• Network infrastructure
• Virtualization infrastructure
Certifications
• SOC 1, SOC 2, and SOC 3 (SSAE 16/ISAE 3402 audit)
• ISO 27001 certification
• PCI DSS Level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, and International Traffic in Arms Regulations (ITAR) workloads on AWS.
AWS Identity and Access Management
Unique security credentials
• Access keys, login/password, MFA device
• Federated authentication (AWS Security Token Service, STS)
Policies control access to AWS APIs
• API calls must be signed with either an X.509 certificate or a secret access key
Deep integration with other AWS services
• Amazon S3: policies on objects and buckets
• Amazon CloudFront: resource permissions
JW Plays Everywhere
One video player for:
• (Mobile) web browsers
• Native mobile apps
• OTT platforms
Consistent, cross-platform user interface, adaptive streaming, video advertising, media casting, and video analytics.

JW Player vs <video>
Cross-browser support
• Consistent design across browsers and mobile devices.
• Polyfills for non-supported elements (e.g., WebVTT).
• Flash fallback for non-HTML5 browsers (e.g., IE8).
Premium user interface
• Pixel-perfect skinning (fit your brand and site design).
• Interactivity (preview thumbnails, chapter markers, hot spots).
• Content discovery (social sharing and related videos overlays).
Apple HLS on desktops
• Adaptive, on-demand and live streaming with DVR support.
• Multiple audio tracks and (live) closed caption languages.
• Fast (<500 ms) startup time and frame-accurate seeking.

JW Player & Security
● CDN tokening
  ○ Support for access tokens from all major CDNs, including CloudFront.
● Domain restriction
  ○ Configure JW Player to only set up when it detects specific domains.
● HLS AES decryption
  ○ Play HD quality encrypted streams using external keys and/or key rotation.
● No DRM yet, but …
  ○ Browser support for HTML5 Encrypted Media Extensions (EME) is growing. At the time of this session EME works in Chrome (all platforms), Safari 8 (Mac), and Internet Explorer 11 (Windows 8).
On-Demand Transcoding and Encrypted File Delivery
[Diagram: the media owner uploads to an Amazon S3 bucket; Elastic Transcoder writes its outputs to a second Amazon S3 bucket that is served through a CloudFront distribution; a web app server on EC2 instances behind Elastic Load Balancing, spread over Availability Zones a and b, handles playback requests; AWS Key Management Service protects the content keys; DynamoDB holds the per-title keys.]

Key table in DynamoDB:
Key Name         | Base64 Encoded Key
Big Buck Bunny   | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream  | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
Live Stream Failover Setup
https://github.com/arut/nginx-rtmp-module
[Diagram: the RTMP stream is pushed to nginx transcoders on EC2 instances in Availability Zones a and b behind Elastic Load Balancing; Amazon Route 53 DNS failover switches between the zones; Amazon CloudFront delivers the resulting HLS output.]

Security group for the nginx transcoder instances (RTMP ingest on port 1935 is limited to the encoder's single address):
Type             | Protocol | Port Range | Source
HTTP             | TCP      | 80         | 0.0.0.0/0
HTTPS            | TCP      | 443        | 0.0.0.0/0
Custom TCP Rule  | TCP      | 1935       | 54.255.255.0/32
nginx-rtmp configuration (rtmp block of nginx.conf):

rtmp {
    server {
        listen 1935;
        chunk_size 4096;

        # Ingest application: the encoder publishes here. ffmpeg re-encodes the
        # stream to a 640x360 H.264 baseline / AAC rendition and pushes it to
        # the hls application below.
        application live {
            live on;
            record off;
            exec_push ffmpeg -i rtmp://localhost/live/$name -vcodec libx264 -vprofile baseline -g 5 -s 640x360 -acodec libfdk_aac -ar 44100 -ac 1 -f flv rtmp://localhost/hls/$name;
        }

        application hls {
            live on;
            hls on;
            hls_path /tmp/hls;
            hls_fragment 5s;

            # Use HLS encryption (AES-128 per fragment)
            hls_keys on;

            # Use stream timestamp rounded to 250ms as fragment names
            hls_fragment_naming timestamp;
            hls_fragment_naming_granularity 250;

            # Store auto-generated keys in this location rather than hls_path,
            # so the keys are never served from the same directory as the fragments
            hls_key_path /tmp/keys;

            # Prepend key url with this value; this is the URI written into
            # #EXT-X-KEY, so it must point at an endpoint that authenticates the player
            hls_key_url https://enter URL here/keys/;

            # Change HLS key every 2 fragments
            hls_fragments_per_key 2;

            # Create identical fragments on different nginx instances for High Availability (without encryption)
            hls_fragment_slicing aligned;
            hls_cleanup on;
        }
    }
}
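What the hls_keys, hls_fragments_per_key and hls_key_url directives above produce, and what a player doing "HLS AES decryption with external keys and/or key rotation" (the JW Player feature listed earlier) has to do with it, as an added Go example written for this page; it is not code from nginx-rtmp, JW Player, or the session. Package stands in for the packager: it rotates to a fresh AES-128 key every N fragments and writes the matching #EXT-X-KEY tags. Play is the player: it walks the playlist, fetches each key through a fetchKey callback that represents the authenticated key endpoint, derives the IV from the media sequence number as HLS requires when the key tag carries no IV attribute, and decrypts each segment. The key server URL and the fragment contents are constructed placeholders, and the key-tag parser only handles the attribute order this packager emits.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// HLS default IV when #EXT-X-KEY has no IV attribute: the media sequence number as a 128-bit big-endian integer.
func ivForSequence(seq uint64) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}

// cbc is AES-128-CBC one way; PKCS#7 padding is added on encrypt, checked and stripped on decrypt.
func cbc(key, iv, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if !decrypt {
		pad := aes.BlockSize - len(in)%aes.BlockSize
		out := append(append([]byte{}, in...), bytes.Repeat([]byte{byte(pad)}, pad)...)
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, out)
		return out, nil
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext not block aligned")
	}
	out := make([]byte, len(in))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return out[:len(out)-pad], nil
}

// Package is the packager side (nginx-rtmp with hls_keys on): a fresh random key every fragmentsPerKey
// fragments (hls_fragments_per_key), advertised under keyURL (hls_key_url). Returns playlist, ciphertext per segment, keys.
func Package(keyURL string, firstSeq uint64, fragmentsPerKey int, frags [][]byte) (string, map[string][]byte, map[string][]byte) {
	var pl strings.Builder
	fmt.Fprintf(&pl, "#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:5\n#EXT-X-MEDIA-SEQUENCE:%d\n", firstSeq)
	segs, keys := map[string][]byte{}, map[string][]byte{}
	var key []byte
	for i, f := range frags {
		seq := firstSeq + uint64(i)
		if i%fragmentsPerKey == 0 {
			key = make([]byte, 16)
			if _, err := rand.Read(key); err != nil {
				panic(err) // no entropy: a packager must not fall back to anything weaker
			}
			uri := fmt.Sprintf("%s%d.key", keyURL, seq)
			keys[uri] = key
			fmt.Fprintf(&pl, "#EXT-X-KEY:METHOD=AES-128,URI=\"%s\"\n", uri)
		}
		segs[fmt.Sprintf("%d.ts", seq)], _ = cbc(key, ivForSequence(seq), f, false) // 16-byte key: cannot fail
		fmt.Fprintf(&pl, "#EXTINF:5.000,\n%d.ts\n", seq)
	}
	return pl.String(), segs, keys
}

// Play is the player side: walk the playlist, fetch each key through fetchKey (the authenticated key
// endpoint), derive the IV per segment, decrypt. Key tags are matched in the attribute order Package emits.
func Play(playlist string, segs map[string][]byte, fetchKey func(string) ([]byte, error)) (out [][]byte, err error) {
	const keyTag = "#EXT-X-KEY:METHOD=AES-128,URI="
	var key []byte
	var seq uint64
	for _, line := range strings.Split(playlist, "\n") {
		switch {
		case strings.HasPrefix(line, "#EXT-X-MEDIA-SEQUENCE:"):
			seq, err = strconv.ParseUint(strings.TrimPrefix(line, "#EXT-X-MEDIA-SEQUENCE:"), 10, 64)
		case strings.HasPrefix(line, keyTag):
			key, err = fetchKey(strings.Trim(strings.TrimPrefix(line, keyTag), "\""))
		case strings.HasPrefix(line, "#EXT-X-KEY:"):
			err = fmt.Errorf("unsupported #EXT-X-KEY METHOD")
		case line == "" || strings.HasPrefix(line, "#"): // other tags are not needed here
		default: // a segment URI: decrypt with the current key and the sequence IV
			pt, derr := cbc(key, ivForSequence(seq), segs[line], true)
			out, seq, err = append(out, pt), seq+1, derr
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", line, err)
		}
	}
	return out, nil
}

func main() { // constructed fragments and a hypothetical key server URL
	pl, segs, keys := Package("https://keys.example.net/keys/", 100, 2, [][]byte{[]byte("frag-0"), []byte("frag-1"), []byte("frag-2")})
	out, err := Play(pl, segs, func(uri string) ([]byte, error) { return keys[uri], nil })
	fmt.Print(pl, len(out), " segments decrypted, err=", err, "\n")
}
```

The fetchKey callback is where the access control from the earlier slides belongs: the fragments themselves can be cached anywhere, but the key endpoint must only answer authenticated players (a signed request, a CDN token, or a session check against the key table), and a denied fetch has to stop playback, which the error path in Play does. Rotating the key every two fragments, as the configuration above does, limits what one leaked key exposes to about ten seconds of content at the configured 5 s fragment length; the sequence-number IV is what keeps two fragments that share a key from encrypting identically.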