
Implementing Digital Rights Management (DRM) on AWS

Author: Adi

Digital Rights Management (DRM) is an essential technology for safeguarding and controlling access to digital content, including Video-on-Demand (VOD) and live-streaming content. Amazon Web Services (AWS) provides AWS Elemental, a suite of services that offers a robust and scalable platform for implementing DRM solutions for both VOD and live-streaming content. 

This whitepaper begins with an explanation of how DRM can be easily implemented using the AWS Elemental suite. Readers are then provided with two tutorials: 

  1. Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration
  2. Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM integration


DRM Implementation with the AWS Elemental Suite

Content Ingestion

The DRM implementation process begins with content ingestion, where VOD assets or live streaming feeds are uploaded to AWS. AWS Elemental MediaConvert is a service used for transcoding and packaging content into various formats suitable for streaming. DRM protection can be seamlessly integrated into this process.

Encryption

AWS Elemental MediaPackage or AWS Elemental Live can be used to apply encryption to content. These services support various DRM encryption standards such as Common Encryption (CENC), Microsoft PlayReady, Google Widevine, and Apple FairPlay.

DRM License Server

A crucial component of DRM is the License Server, which manages the encryption keys and grants licenses to authorized users/devices. The AWS Elemental suite does not provide a built-in DRM license server, but can integrate seamlessly with third-party DRM solutions. Popular DRM providers such as Verimatrix, BuyDRM, and EZDRM can be used with AWS Elemental services.

Integration with DRM Service

To implement DRM with the AWS Elemental suite, the services need to be configured to communicate with the chosen DRM provider. This involves providing API endpoints and credentials to link AWS Elemental MediaPackage or AWS Elemental Live to the DRM provider's infrastructure.

User Authentication and Authorization

AWS offers Identity and Access Management (IAM), which can be integrated with DRM solutions for user authentication and authorization. This ensures that only authorized users or devices can access the encrypted content.

Content Delivery

After encryption and DRM integration, AWS Elemental MediaPackage can be used to deliver the protected content to end-users. The AWS Content Delivery Network (CDN) service Amazon CloudFront can be configured to distribute the content securely with low latency and high availability.

Playback Devices and Applications

To ensure playback on a wide range of devices and platforms, the DRM-protected content needs to be decoded using a compatible player or application. Major streaming platforms, including web browsers, smart TVs, mobile devices, and streaming media players, support the decryption of DRM-protected content when using industry-standard DRM protocols.

Monitoring and Analytics

AWS Elemental services provide comprehensive monitoring and analytics capabilities. They offer insights into how users are accessing and interacting with DRM-protected content, enabling informed decision-making in regard to content distribution and user engagement.

Scalability and Redundancy

Designed to be scalable and redundant, Elemental services can easily accommodate increasing demand for content while ensuring high availability and reliability, even during peak usage.

Compliance and Updates

The Elemental suite has been designed to assist companies in maintaining compliance with industry standards and regulations related to content protection and DRM. AWS also regularly updates its services to incorporate the latest security features and DRM standards.


Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration

By combining the capabilities of API Gateway for secure API management and Elemental MediaPackage for efficient content packaging and delivery, a third-party DRM service can seamlessly be integrated to protect valuable digital assets.

This first tutorial will walk readers through the process of setting up an Amazon API Gateway to establish a point of access for BuyDRM's KeyOS MultiKey Services. This is a crucial step to facilitate communication between AWS MediaPackage, MediaConvert services, and BuyDRM.

Steps

1. Set up IAM Role

Before creating the API Gateway, an IAM role needs to be set up to provide access to CloudWatch logs.

  • Create IAM Role for API Gateway Logs:


  • Skip the "Add permissions" page.



  • Name the role and optionally add a description.
  • Click "Create Role."



  • This completes the IAM role creation. Take note of the role's ARN (Amazon Resource Name), as it will be required later during API Gateway setup.


2. Set up the API Gateway

Now, let's create and configure the API Gateway.

  • Create API:



  • Create Resources:



  • Fill in the Resource Name (e.g., copyProtection).
  • Click "Create Resource."



  • Create Methods:


  • Save your method settings.
  • Setting up Custom POST Headers:




  • Overriding the KeyID:

3. Deploy the API Gateway

The final step is to deploy the API Gateway for use by other AWS services.

  • Deploy API:


  • Enable Logging:



  • Provide Access to CloudWatch:



This completes the API Gateway setup, enabling it to retrieve keys from KeyOS Services for MediaConvert and MediaPackage.

Note: Make sure to replace placeholders such as <your_user_key> and <your_arn> with actual values from your setup. 


Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM Integration

This second tutorial explains the process of configuring AWS MediaPackage, focusing on the packaging aspect of the setup, for seamless integration with BuyDRM. It is important to create an API Gateway before proceeding with the steps outlined below.

Steps


1. Create IAM Role for MediaPackage

Before setting up MediaPackage, an IAM role needs to be created.

  • Create IAM Role:


  • Skip the "Add permissions" page.


  • Name the role and optionally add a description.
  • Click "Create Role."



  • Convert Role for MediaPackage:



  • Click "Edit trust policy."
  • Change Statement > Principal > Service value from mediaconvert.amazonaws.com to mediapackage.amazonaws.com.
  • Click "Update policy."



  • Optionally, remove AmazonS3FullAccess from permissions.
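
The trust policy edit in step 1 can also be applied and checked in code. This is an added example, not code from the original article, AWS, or BuyDRM; the sample policy is constructed and the function names are hypothetical.

```python
import copy

OLD = "mediaconvert.amazonaws.com"
NEW = "mediapackage.amazonaws.com"

# Constructed sample: a trust policy of the kind a role created for MediaConvert carries.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": OLD},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def convert_trust_policy(policy, old=OLD, new=NEW):
    """Return a copy with the service principal swapped; the input is left unchanged."""
    out = copy.deepcopy(policy)
    for stmt in _as_list(out["Statement"]):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        services = principal["Service"]
        swapped = [new if s == old else s for s in _as_list(services)]
        principal["Service"] = swapped if isinstance(services, list) else swapped[0]
    return out


def audit_trust_policy(policy, expected=NEW):
    """List every way the policy is broader than 'only <expected> may assume this role'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: principal is not limited to a service")
            continue
        for kind, values in principal.items():
            for v in _as_list(values):
                if kind != "Service" or v != expected:
                    findings.append(f"statement {i}: unexpected principal {kind}={v}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings
```

An empty list from audit_trust_policy means the role can be assumed only by MediaPackage; any finding is worth resolving before the role ARN is entered in the endpoint's encryption settings.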


2. Import Certificates for ContentKey Encryption

This step is optional for SPEKE v1.0.

  • Generate x509 Certificates:

openssl req -x509 -newkey rsa:2048 -sha512 -keyout private_key.pem -out public_cert.pem -nodes -days 1461 -subj "/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=YOURDOMAIN"

  • Open a ticket in KeyOS console and provide the generated public_cert.pem.
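  • Store your private key securely. The -nodes option in the command above writes private_key.pem without passphrase encryption, so the file itself must be protected.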
  • Import Certificates into AWS Certificate Manager:



  • Click "Next," skip tags, and click "Import."



3. Setting up the MediaPackage Service

  • Create MediaPackage Channel:




  • Create Endpoints:



  • DRM-encrypted DASH Endpoint:



  • Save and Complete:

MediaPackage is now fully configured and ready to use.


About TrackIt

https://www.youtube.com/watch?v=QBiJ156cA2I


TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.