Digital Rights Management (DRM) is an essential technology for safeguarding and controlling access to digital content, including Video-on-Demand (VOD) and live-streaming content. Amazon Web Services (AWS) provides AWS Elemental, a suite of services that offers a robust and scalable platform for implementing DRM solutions for both VOD and live-streaming content.
This whitepaper begins with an explanation of how DRM can be easily implemented using the AWS Elemental suite. Readers are then provided with two tutorials:
- Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration
- Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM integration
Contents
DRM Implementation with the AWS Elemental Suite
Content Ingestion
The DRM implementation process begins with content ingestion, where VOD assets or live streaming feeds are uploaded to AWS. AWS Elemental MediaConvert is a service used for transcoding and packaging content into various formats suitable for streaming. DRM protection can be seamlessly integrated into this process.
Encryption
AWS Elemental MediaPackage or AWS Elemental Live can be used to apply encryption to content. These services support various DRM encryption standards such as Common Encryption (CENC), Microsoft PlayReady, Google Widevine, and Apple FairPlay.
DRM License Server
A crucial component of DRM is the License Server, which manages the encryption keys and grants licenses to authorized users/devices. The AWS Elemental suite does not provide a built-in DRM license server, but can integrate seamlessly with third-party DRM solutions. Popular DRM providers such as Verimatrix, BuyDRM, and EZDRM can be used with AWS Elemental services.
Integration with DRM Service
To implement DRM with the AWS Elemental suite, the services need to be configured to communicate with the chosen DRM provider. This involves providing API endpoints and credentials to link AWS Elemental MediaPackage or AWS Elemental Live to the DRM provider’s infrastructure.
User Authentication and Authorization
AWS offers Identity and Access Management (IAM), which can be integrated with DRM solutions for user authentication and authorization. This ensures that only authorized users or devices can access the encrypted content.
Content Delivery
After encryption and DRM integration, AWS Elemental MediaPackage can be used to deliver the protected content to end-users. The AWS Content Delivery Network (CDN) service Amazon CloudFront can be configured to distribute the content securely with low latency and high availability.
Playback Devices and Applications
To ensure playback on a wide range of devices and platforms, the DRM-protected content needs to be decoded using a compatible player or application. Major streaming platforms, including web browsers, smart TVs, mobile devices, and streaming media players, support the decryption of DRM-protected content when using industry-standard DRM protocols.
Monitoring and Analytics
AWS Elemental services provide comprehensive monitoring and analytics capabilities. They offer insights into how users are accessing and interacting with DRM-protected content, enabling informed decision-making in regard to content distribution and user engagement.
Scalability and Redundancy
Designed to be scalable and redundant, Elemental services can easily accommodate increasing demand for content while ensuring high availability and reliability, even during peak usage.
Compliance and Updates
The Elemental suite has been designed to assist companies in maintaining compliance with industry standards and regulations related to content protection and DRM. AWS also regularly updates its services to incorporate the latest security features and DRM standards.
Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration
By combining the capabilities of API Gateway for secure API management and Elemental MediaPackage for efficient content packaging and delivery, a third-party DRM service can seamlessly be integrated to protect valuable digital assets.
This first tutorial will walk readers through the process of setting up an Amazon API Gateway to establish a point of access for BuyDRM’s KeyOS MultiKey Services. This is a crucial step to facilitate communication between AWS MediaPackage, MediaConvert services, and BuyDRM.
Steps
1. Set up IAM Role
Before creating the API Gateway, an IAM role needs to be set up to provide access to CloudWatch logs.
- Create IAM Role for API Gateway Logs:
- Navigate to your AWS console: IAM > Roles > Create role.
- Choose “API Gateway” in the “Use cases for other AWS services” field and click Next.
- Skip the “Add permissions” page.
- Name the role and optionally add a description.
- Click “Create Role.”
- This completes the IAM role creation. Take note of the role’s ARN (Amazon Resource Name), as it will be required later during API Gateway setup.
2. Set up the API Gateway
Now, let’s create and configure the API Gateway.
- Create API:
- Navigate to AWS console: Services > API Gateway.
- Click “Create API.”
- In the REST API section, choose “REST” under protocol and “New API” for creating a new API.
- Name your API in the settings section.
- Optionally add a description and choose an Endpoint Type.
- Click “Create API.”
- Create Resources:
- Click “Actions” > “Create Resource.”
- Fill in the Resource Name (e.g., copyProtection).
- Click “Create Resource.”
- Create Methods:
- Click “Actions” > “Create Method.”
- Select “POST” from the dropdown menu and click the check mark.
- Choose Integration type as “HTTP.”
- Ensure “Use HTTP Proxy integration” is checked.
- Set Content Handling to “Passthrough.”
- Set Endpoint URL to the appropriate Speke version:
- for Speke v2.0: https://speke-keyos.licensekeyserver.com/speke/v2.0/ (MediaPackage)
- for Speke v1.0: https://speke-keyos.licensekeyserver.com/speke/v1.0/ (MediaConvert, MediaPackage)
- Save your method settings.
- Setting up Custom POST Headers:
- If using Speke v2.0 or Speke v1.0 with contentKey encryption, skip this step.
- To authenticate within KeyOS Services, set your UserKey/PackagingKey.
- Get this value from your Account Settings page in the KeyOS Console.
- Add a custom POST header called keyos-userkey in the Integration Request block and enter your UserKey into the HTTP Headers section.
- Overriding the KeyID:
- Add an additional header called kid-override to HTTP headers.
- Values it can take:
- uuidv5: Forces the KeyOS SPEKE API to override the KeyID following UUID v5 specification.
- keyos-uuidv5: A custom KeyOS implementation similar to UUID v5, allowing for more randomness.
3. Deploy the API Gateway
The final step is to deploy the API Gateway for use by other AWS services.
- Deploy API:
- Click “Actions” > “Deploy API.”
- Choose “[New Stage]” for the Deployment stage and give it a name (e.g., production_v1_0).
- Optionally provide stage and deployment descriptions.
- Click “Deploy.”
- Enable Logging:
- Navigate to Logs/Tracing tab of the API Gateway stage editor.
- Check “Enable CloudWatch Logs” and “Log full requests/responses data.”
- Click “Save Changes.”
- Provide Access to CloudWatch:
- Navigate to the Settings tab.
- Enter the ARN of the IAM role created earlier in the “CloudWatch log role ARN” field.
- Click “Save.”
This completes the API Gateway setup, enabling it to retrieve keys from KeyOS Services for MediaConvert and MediaPackage.
Note: Make sure to replace placeholders such as <your_user_key> and <your_arn> with actual values from your setup.
Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM Integration
This second tutorial explains the process of configuring AWS MediaPackage, focusing on the packaging aspect of the setup, for seamless integration with BuyDRM. It is important to create an API Gateway before proceeding with the steps outlined below.
Steps
1. Create IAM Role for MediaPackage
Before setting up MediaPackage, an IAM role needs to be created.
- Create IAM Role:
- Navigate to AWS console: IAM > Roles > Create role.
- Choose “MediaConvert” in the “Use cases for other AWS services” field and click Next.
- Skip the “Add permissions” page.
- Name the role and optionally add a description.
- Click “Create Role.”
- Convert Role for MediaPackage:
- Find your role and click on it.
- Navigate to the Trust relationships tab.
- Click “Edit trust policy.”
- Change Statement > Principal > Service value from mediaconvert.amazonaws.com to mediapackage.amazonaws.com.
- Click “Update policy.”
- Optionally, remove AmazonS3FullAccess from permissions.
2. Import Certificates for ContentKey Encryption
This step is optional for SPEKE v1.0.
- Generate x509 Certificates:
- Use the OpenSSL tool in your terminal with the provided command.
| openssl req -x509 -newkey rsa:2048 -sha512 -keyout private_key.pem -out public_cert.pem -nodes -days 1461 -subj “/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=YOURDOMAIN” |
- Open a ticket in KeyOS console and provide the generated public_cert.pem.
- Store your private key securely.
- Import Certificates into AWS Certificate Manager:
- Navigate to Certificate Manager in your AWS Console.
- Select the “Import certificate” option.
- Insert your public certificate and private key.
- Click “Next,” skip tags, and click “Import.”
3. Setting up the MediaPackage Service
- Create MediaPackage Channel:
- Navigate to MediaPackage page in the AWS console.
- Click “Create channel.”
- Specify the ID for the channel.
- Click “Create.”
- Create Endpoints:
- Clear DASH Endpoint:
- Click “Manage endpoints” on the channel overview page.
- Enter endpoint ID (e.g., dash-clear).
- Pick DASH-ISO option in Packager settings > Packaging type.
- Clear DASH Endpoint:
- DRM-encrypted DASH Endpoint:
- Click “Add” in the Endpoints menu.
- Enter endpoint ID (e.g., dash-drm).
- Pick DASH-ISO option in Packager settings > Packaging type.
- Choose “Encrypt content” option in Package encryption section.
- Enter Resource ID, System IDs based on the DRM (e.g., PlayReady, Widevine), and URL of your API Gateway.
- 9a04f079-9840-4286-ab92-e65be0885f95 – PlayReady
- edef8ba9-79d6-4ace-a3c8-27dcd51d21ed – Widevine
- 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 – FairPlay
- Enter ARN Role of the IAM role created earlier.
- Select the preferred SPEKE version.
- If using SPEKE v2.0 or ContentKey Encryption with SPEKE v1.0, enter ARN of the imported certificate in the “Additional configuration” dropdown.
- Save and Complete:
- Click “Save” on the top of the page.
MediaPackage is now fully configured and ready to use.
About TrackIt
TrackIt is an Amazon Web Services Advanced Tier Services Partner specializing in cloud management, consulting, and software development solutions based in Marina del Rey, CA.
TrackIt specializes in Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization with specialized expertise in Media & Entertainment workflows, High-Performance Computing environments, and data storage.
In addition to providing cloud management, consulting, and modern software development services, TrackIt also provides an open-source AWS cost management tool that allows users to optimize their costs and resources on AWS.