How do you securely deliver high-quality video streaming on AWS, to reach your audience in multiple countries? Using Wowza Streaming Engine™ software through AWS Marketplace, you can deploy and operate streaming applications from UGC to high definition video streams. You can model your application stack with layers that define building blocks of your application in a highly available and self-healing architecture. In this webinar, you will learn how to quickly launch virtual Wowza Streaming Engine servers on Amazon EC2 from AWS Marketplace, pull on-demand content for live streams, set up a live workflow, tie with AWS KMS for encryption and key management and deliver streams globally using Amazon CloudFront and Amazon Route 53. You will also learn the secure VOD workflow using Amazon Elastic Transcoder, Amazon S3, Amazon CloudFront and AWS KMS and deploy a completely automated end-to-end workflow without servers, enabling you to reach a wide range of user devices across the globe. Learning Objectives: • How to deploy encrypted streaming (live and VOD) application using AWS Marketplace and other AWS products (Amazon S3, Amazon Elastic Transcoder, Amazon CloudFront, AWS KMS, and Amazon Route 53) • How to manage and configure Amazon EC2 instances based on the number of streams and users • How to deploy fully automated applications using services and software from AWS and AWS Marketplace partner solutions Who Should Attend: • Developers, Dev-Ops Engineers, Media IT Operations Professionals, and Marketing Technology Manager

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Usman Shakeel, Principal Solutions Architect Lead (M&E), AWS
Ryan Jespersen, Training and Support Manager, Wowza
April 29th 2015
Securely Deliver High-Quality
Content on AWS

2. Different Use Cases Call for Different Security Measures
Use Case
Example Media
Distributor
Content Security Solution
Commonly in Practice
Delivery Solution
Free/Public UGC Vimeo, WeVideo Open
Prgressive Downloads
Streaming
Free/Secure UGC WeVideo, YouTube Signed URLs
Progressive Downloads
Streaming
Ad Supported Sony Crackle, TMZ
AES Encryption
Signed URLs
Mostly HTTP or RTMP streaming
Premium Content
(Live Linear or VOD)
Netflix, Amazon Instant
Video
AES Encryption
Signed URLs
DRM
HTTP or RTMP streaming
Pre-Released Content Studios
Encryption
Watermarking
DRM
Mezzanine File transfer (mostly B2B)
Proxy streaming

3. Different Mechanisms for Securing the Delivery of
A Media Stream
Token /
Signed URLs
AES
Encryption
DRM
Geo-blocking
Watermarking
Allows you to restrict access to content intended for select users. Signed URL
can contain an end date/time, start date/time, and range of IP addresses.
Allows you to send encrypted video over HTTP to protect content from non-
authorized streaming, piracy, and redistribution by others.
Similar to AES encryption but adds the business rules layer. For example, you
can restrict the user to viewing this stream for only 1 day after first access.
Allows you to restrict access to content based on geographic location. For example,
you can block requests coming from a specific country due to copyright reasons.
Used to identify ownership of the content and prevent piracy or unauthorized
redistribution by others.

4. AWS Mechanisms for Securing Media Delivery
Token /
Signed URLs
AES
Encryption
DRM
Geo-blocking
Watermarking
Amazon CloudFront Private Content – Signed URLs, Signed Cookies, OAIs
Amazon Elastic Transcoder – HLS with AES-128 Encryption, Encrypted Media
Files
Amazon Elastic Transcoder – Play Ready DRM Packaging
Amazon CloudFront – Geo Restriction
Amazon Elastic Transcoder – Visual Watermarks

5. Sample AWS Architecture for VOD and
Live Streaming
CloudFront
distribution
Elastic TranscoderAmazon S3
bucket
Amazon S3
bucket Media File
RTMP Stream
Media Servers on
Amazon EC2
CloudFront
distribution
Origin Access Identity
HTTPS
HTTPS
Media Consumer

6. Bucket- and object-level permissions
• Owner only access (by default)
Signed URLs/query string authentication
IAM policies
Versioning (MFA delete)
Detailed access logging
Encryption
• Server Side (at Rest) + Client Side
• In Transit
• Encryption Keys
Amazon S3 Security Controls
✔Access Logs

7. Custom SSL certificate
CloudFront’s private content feature
Only deliver content to securely signed requests
HTTPS ONLY requests/delivery, origin fetches
HTTP to HTTPS redirect at the edge
Signed URL or Signed Cookie verification
Policy based on a timed URL/Cookie or a CIDR block of the requestor
CloudFront Origin Access Identity (OAI)
CloudFront Secure Cookie Feature
Amazon CloudFront Security
Amazon S3
(Media Storage)
Amazon CloudFront
End User
HTTP
________
HTTPS ONLY
Delivery EC2 Instances
Security Group
Signed Request
Amazon S3
(Logs Storage)

8. Encryption at rest: Server managed keys
Outputs are saved to Amazon S3 using S3 server side encryption
Downloaded media is not protected, it is decrypted as it is read from Amazon S3
Encryption at rest: Client provided keys
Inputs can be protected, client provides decryption key
Outputs can be encrypted, client provides encryption key
Downloaded media is protected (cannot play directly from S3 or Amazon CloudFront)
Protecting Keys
Amazon Elastic Transcoder only accepts AWS KMS protected keys
Key is never written or stored in cleartext
Encryption for HLS streams
Built on top of “client provided keys” API
Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key
Amazon Elastic Transcoder Security

9. Create, describe and list keys
Encrypt, Decrypt and re-encrypt data
Generate data-keys
• Consumed by applications to encrypt data
• Encrypt or decrypt data-keys
Amazon Key Management Service (KMS)
Customer Master Key
Plain text Data Key
Encrypted Data Key
Amazon KMS
Customer Master Key
Plain text Data Key
Encrypted Data Key
Amazon KMS

10. IAM Roles
Bucket containing ContentMedia Servers on
Amazon EC2
Elastic Transcoder Amazon KMS for encrypting/decrypting your keysIAM Role to generate Keys from KMS
IAM Role to read the file from S3
Call KMS end-point on your behalf to get the data key for encryption
Get access to S3 bucket for a content file
Launch the instance with IAM Role
Assign Role to Elastic Transcoder job

11. On-Demand Streaming Demo Components
AWS Services used:
• Amazon S3 for storage
• Amazon Elastic Transcoder for transformation and encryption
• Amazon CloudFront for global delivery
• AWS Key Management service
JW Player for delivery
Benefit from the high availability, scalability, and low cost
offered by AWS services.

12. On-Demand Transcoding and Encrypted
File Delivery
Amazon S3 bucket
CloudFront
distribution
Availability Zone a
Elastic Load
Balancing
EC2 Instance
web app
server
Availability Zone b
Elastic TranscoderMedia Owner
Key Management Service
Amazon S3 bucket
EC2 Instance
DynamoDB
Key Name Base64 Encoded Key
Big Buck Bunny EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…

13. Demo: Secure on-demand
Streaming

14. Wowza Streaming Engine™
• Robust, customizable, and
scalable server software that
powers reliable streaming of
high-quality audio and video
to any device anywhere
• Use AWS Marketplace to live
stream with Wowza on
Amazon EC2
• Stream on-demand content
from Amazon S3
• Deliver streams globally using
Amazon CloudFront

15. All-Around Content Protection
•AES-128 encryption
•StreamLock, SSL, HTTPS,
RTMPS, and RTMPE
•SecureToken (Token
Authentication)
•Authentication for RTMP
and RTSP publishing
•GeoIP (Geographic Locking)
•Hotlink Denial protection
•Referrer verification
•Server-Side API to control
access
• IP white/black lists
•Stream name alias solutions

16. On-the-Fly DRM for Any Screen

17. Wowza and CloudFront: Live ABR Streaming
Source
Hong Kong
Paris
New York
Amazon
CloudFront
CDN
Encoder
RTSP
or
RTMP
MPEG-DASH,
HLS, HDS,
Smooth
Streaming
ABR Streaming
Origin Server
on Amazon EC2

18. Live Stream Failover Setup
Wowza Streaming
Engine
RTMP Stream
Availability Zone a
Amazon Route 53
DNS Failover
Availability Zonea
EC2 Instance
Availability Zone b
EC2 Instance
Amazon
CloudFront
Amazon Route 53
DNS Failover
Elastic Load
Balancing
Availability Zone b
Wowza Streaming
Engine

19. Demo: Secure Live Streaming

20. Best Practices
Limit access to port 1935 to only trusted sources
Define TTL settings for .ts files and .m3u8
Negative TTLs (sequential)
Geo Block access to stream if necessary
Rotate the key file as often as possible
Randomize the .ts filename for live streams

21. More Information
Wowza Security
•Overview: http://www.wowza.com/products/streaming-engine/features/security
•How To Articles: http://www.wowza.com/forums/content.php?619-security
Digital Rights Management
•Secure MPEG-DASH streaming using Common Encryption
(CENC):http://www.wowza.com/forums/content.php?580-How-to-secure-MPEG-DASH-
streaming-using-Common-Encryption-(CENC)
•Secure Apple HLS streaming using DRM encryption:
http://www.wowza.com/forums/content.php?437-How-to-secure-Apple-HLS-streaming-
using-DRM-encryption
AES 128 Encryption
•http://www.wowza.com/forums/content.php?59-How-to-use-the-internal-method-of-AES-
128-encryption-to-secure-live-or-VOD-streams-sent-to-Apple-iOS-devices-
(ModuleEncryptionHandlerCupertinoStreaming)

22. Sample AWS Architecture for *Secure* VOD
and Live Streaming
CloudFront
distribution
Elastic TranscoderAmazon S3
bucket
Amazon S3
bucket Media File
RTMP Stream
Media Servers on
Amazon EC2
CloudFront
distribution
Origin Access
Identity
HTTPS
HTTPS
Media Owner
Media Owner can create a primary key on KMS
ETS can have an IAM role to
request the data key from KMS
EC2, ETS can request the data-
key on behalf of customer
Media Server generating keys and
serving or using KMS via IAM Role
for key management
CloudFront Secure cookie to allow or
deny consumers the access to manifest
Encrypted Content Segments and
Keys stored in S3 (keys can be
served outside of S3 as well)
Media Consumer
Amazon Key
Management Service
(KMS)