Digital Rights Management (DRM) is an essential technology for safeguarding and controlling access to digital content, including Video-on-Demand (VOD) and live-streaming content. Amazon Web Services (AWS) provides AWS Elemental, a suite of services that offers a robust and scalable platform for implementing DRM solutions for both VOD and live-streaming content. 

This whitepaper begins with an explanation of how DRM can be easily implemented using the AWS Elemental suite. Readers are then provided with two tutorials: 

  1. Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration
  2. Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM integration

DRM Implementation with the AWS Elemental Suite

DRM implementation using AWS Elemental Suite - Architecture diagram

Content Ingestion

The DRM implementation process begins with content ingestion, where VOD assets or live streaming feeds are uploaded to AWS. AWS Elemental MediaConvert is a service used for transcoding and packaging content into various formats suitable for streaming. DRM protection can be seamlessly integrated into this process.


AWS Elemental MediaPackage or AWS Elemental Live can be used to apply encryption to content. These services support various DRM encryption standards such as Common Encryption (CENC), Microsoft PlayReady, Google Widevine, and Apple FairPlay.

DRM License Server

A crucial component of DRM is the License Server, which manages the encryption keys and grants licenses to authorized users/devices. The AWS Elemental suite does not provide a built-in DRM license server, but can integrate seamlessly with third-party DRM solutions. Popular DRM providers such as Verimatrix, BuyDRM, and EZDRM can be used with AWS Elemental services.

Integration with DRM Service

To implement DRM with the AWS Elemental suite, the services need to be configured to communicate with the chosen DRM provider. This involves providing API endpoints and credentials to link AWS Elemental MediaPackage or AWS Elemental Live to the DRM provider’s infrastructure.

User Authentication and Authorization

AWS offers Identity and Access Management (IAM), which can be integrated with DRM solutions for user authentication and authorization. This ensures that only authorized users or devices can access the encrypted content.

Content Delivery

After encryption and DRM integration, AWS Elemental MediaPackage can be used to deliver the protected content to end-users. The AWS Content Delivery Network (CDN) service Amazon CloudFront can be configured to distribute the content securely with low latency and high availability.

Playback Devices and Applications

To ensure playback on a wide range of devices and platforms, the DRM-protected content needs to be decoded using a compatible player or application. Major streaming platforms, including web browsers, smart TVs, mobile devices, and streaming media players, support the decryption of DRM-protected content when using industry-standard DRM protocols.

Monitoring and Analytics

AWS Elemental services provide comprehensive monitoring and analytics capabilities. They offer insights into how users are accessing and interacting with DRM-protected content, enabling informed decision-making in regard to content distribution and user engagement.

Scalability and Redundancy

Designed to be scalable and redundant, Elemental services can easily accommodate increasing demand for content while ensuring high availability and reliability, even during peak usage.

Compliance and Updates

The Elemental suite has been designed to assist companies in maintaining compliance with industry standards and regulations related to content protection and DRM. AWS also regularly updates its services to incorporate the latest security features and DRM standards.

Tutorial #1: Setting up Amazon API Gateway for BuyDRM Integration

By combining the capabilities of API Gateway for secure API management and Elemental MediaPackage for efficient content packaging and delivery, a third-party DRM service can seamlessly be integrated to protect valuable digital assets.

This first tutorial will walk readers through the process of setting up an Amazon API Gateway to establish a point of access for BuyDRM’s KeyOS MultiKey Services. This is a crucial step to facilitate communication between AWS MediaPackage, MediaConvert services, and BuyDRM.


1. Set up IAM Role

Before creating the API Gateway, an IAM role needs to be set up to provide access to CloudWatch logs.

  • Create IAM Role for API Gateway Logs:
    • Navigate to your AWS console: IAM > Roles > Create role.
    • Choose “API Gateway” in the “Use cases for other AWS services” field and click Next.
r2wC1heaC gGTtEA3RWUxtpbtOeg Xl rmqLK

  • Skip the “Add permissions” page.

7naPdLRb0xIFBvD2AZVR9VCFGPNzF35r6sQncXm6 iY1tv7ozKpTG8p7Mnq9v2a5Md2mtBzHZkPNgWeuFley sncBsv 79M1FJIVNPGTY pZKKNbZYxeFocT4LekV1qNZTyb 2cRIAGOW3N vPOdJKw

  • Name the role and optionally add a description.
  • Click “Create Role.”

KBGOpCXFZL8Ue4PMxAsNxIE70uEWka9UI5HDAeLh10rsZeMcooj5W 68PQMPGy2IK6YdU4I33ivNBdbZgNSXlCc4hVr0SF211jY7FxTpydNGkxL nu3mBmHenXvUFOtv8h4N SbzkkhS7ZPgjpMonMM

  • This completes the IAM role creation. Take note of the role’s ARN (Amazon Resource Name), as it will be required later during API Gateway setup.

2. Set up the API Gateway

Now, let’s create and configure the API Gateway.

  • Create API:
    • Navigate to AWS console: Services > API Gateway.
    • Click “Create API.”
    • In the REST API section, choose “REST” under protocol and “New API” for creating a new API.
    • Name your API in the settings section.
    • Optionally add a description and choose an Endpoint Type.
    • Click “Create API.”

X6xkPCmbjDVdN4dYXN7vft62rHjxI ixo XwSf1RkZrU3yPAmVbOCjbuBGRzdK2njNu5FqJpi pj2j3Fj46x ZS7FFAuZXc191QKUGyFDDCFKKWTIikJhOLjE0gTBWln66MIZToKJ4kz2567 wUrmyU

  • Create Resources:
    • Click “Actions” > “Create Resource.”

  • Fill in the Resource Name (e.g., copyProtection).
  • Click “Create Resource.”

sxSgZXpF7tjy7J43xcn ReCcDo7Y Vk3x2 YMh8j BEMX0SG70Ald9F6c1FKHReBtgsxtg9p UxnfC2r47PSTkbCDUNKL1KB1WVoaBp 7Unw4lkL5THUw ks2dIDX94QoStXpik6l D bT9bWcmpzyM

  • Create Methods:
    • Click “Actions” > “Create Method.”
    • Select “POST” from the dropdown menu and click the check mark.
    • Choose Integration type as “HTTP.”
    • Ensure “Use HTTP Proxy integration” is checked.
    • Set Content Handling to “Passthrough.”
    • Set Endpoint URL to the appropriate Speke version:
      • for Speke v2.0: (MediaPackage)
      • for Speke v1.0: (MediaConvert, MediaPackage)

  • Save your method settings.
  • Setting up Custom POST Headers:
    • If using Speke v2.0 or Speke v1.0 with contentKey encryption, skip this step.
    • To authenticate within KeyOS Services, set your UserKey/PackagingKey.
    • Get this value from your Account Settings page in the KeyOS Console.
    • Add a custom POST header called keyos-userkey in the Integration Request block and enter your UserKey into the HTTP Headers section.

VR5mWMHlKix9uRQWC1sW4mlIqxgRJUVuGh0heiykM1GQHbd30fhn6et5FiGxD2O SMPdWq16zmavZjpzPPdTHWOPDkWNJDH9daWhAkXKFHj9zzNfWx zwdltdURvzC99QqJHch5tR6zPsQ5 vNFbRh4

JMOJRhgDI8b6ViCmc8UmOrhgsVxHmtfBEaQyhgrToh2TbsWNmmnEP J3KTrTVb5rZ4kWEDR1a8mOTgGRDmqIEQBEvV9j4RRFOhk1mh7NmnJZL3DnztEbxU9DCegLvD2C0KRk 9fmbCC3tethyacDYik

  • Overriding the KeyID:
    • Add an additional header called kid-override to HTTP headers.
    • Values it can take:
      • uuidv5: Forces the KeyOS SPEKE API to override the KeyID following UUID v5 specification.
      • keyos-uuidv5: A custom KeyOS implementation similar to UUID v5, allowing for more randomness.

3. Deploy the API Gateway

The final step is to deploy the API Gateway for use by other AWS services.

  • Deploy API:
    • Click “Actions” > “Deploy API.”
    • Choose “[New Stage]” for the Deployment stage and give it a name (e.g., production_v1_0).
    • Optionally provide stage and deployment descriptions.
    • Click “Deploy.”
CjkbQ1hZYHiGb6Ss3yrhtglqfvdGb eDJyqnOl5JnRsgSDEYCaAG

  • Enable Logging:
    • Navigate to Logs/Tracing tab of the API Gateway stage editor.
    • Check “Enable CloudWatch Logs” and “Log full requests/responses data.”
    • Click “Save Changes.”

jKHrclTelzSx 6JSxpBKwoK8ZIA Hb5i tya6rYLvaFXKFyUVqpSLIH6HPUjuqU9IZP 3oMGOMe mGDLy ZmUUfz00lRhPnoP0 yj6AtN530ITuRdHXZcTOXYdz jClxDs9gRDbWpfuP cqP bKE30

  • Provide Access to CloudWatch:
    • Navigate to the Settings tab.
    • Enter the ARN of the IAM role created earlier in the “CloudWatch log role ARN” field.
    • Click “Save.”

3ltwQCDTZzGFTvUIHN9dTJoT0IM4hsVLFsZrhNX5IJcxaxw6gwoQV2uI4 hFA4bj9t07KAZuS5GFtzdQGePgyYBqHpHwq8XnWOFFO5vo1E6h7qI 8cPiDDWHgo

This completes the API Gateway setup, enabling it to retrieve keys from KeyOS Services for MediaConvert and MediaPackage.

Note: Make sure to replace placeholders such as <your_user_key> and <your_arn> with actual values from your setup. 

Tutorial #2: Setting up AWS Elemental MediaPackage with BuyDRM Integration

This second tutorial explains the process of configuring AWS MediaPackage, focusing on the packaging aspect of the setup, for seamless integration with BuyDRM. It is important to create an API Gateway before proceeding with the steps outlined below.


1. Create IAM Role for MediaPackage

Before setting up MediaPackage, an IAM role needs to be created.

  • Create IAM Role:
    • Navigate to AWS console: IAM > Roles > Create role.
    • Choose “MediaConvert” in the “Use cases for other AWS services” field and click Next.

e gMgSVHdWGpfcdJ2 KDRkBepNlmcqHQ9vDki8v6pTE83zHaS
  • Skip the “Add permissions” page.

uufQhsloKfI9jneXtqtbHpJg 4vX9z345o Q2hFI5hC 6fFtuAAOyok cXYpkUzYc oOr8hV9P hFKXgDyGb25IHpwc3Kt5S2tyS8tkPSMD7 T3OhuOBchLD0tZ9dgyni7M9c PyFVhHJlVTguBFuHE
  • Name the role and optionally add a description.
  • Click “Create Role.”

  • Convert Role for MediaPackage:
    • Find your role and click on it.
    • Navigate to the Trust relationships tab.

p6vQlCpbDncQPHqDoV1KpSylDi3EY52wI 7XJAaYaA3upzl9oN5w46R3RyS6XkM8 LlGG7HW V376B mpNy1 yt4CbDK8JDpLwzSnuoz5aYdlK5VdEW0QGcA2SgcrTI5fjJ51AMkcFhMen5bp2hUQZs

  • Click “Edit trust policy.”
  • Change Statement > Principal > Service value from to
  • Click “Update policy.”

rGt1ZxA LQpX1NxzLvUIIqm0Kla4zQmLhAfcJlHwWqNYXM1FpKOPDXVVM7d5GZgvDmfVASXD8F3RzmlNReHcuf BzQ9dgntS434TIKWHlRH22rg7CvNVLBLc dUUAxGksEInno6f1og 6SD16VN2KXg

  • Optionally, remove AmazonS3FullAccess from permissions.

2. Import Certificates for ContentKey Encryption

This step is optional for SPEKE v1.0.

  • Generate x509 Certificates:
    • Use the OpenSSL tool in your terminal with the provided command.
openssl req -x509 -newkey rsa:2048 -sha512 -keyout private_key.pem -out public_cert.pem -nodes -days 1461 -subj “/C=YOURCOUNTRY/O=YOURCOMPANYNAME/CN=YOURDOMAIN”
  • Open a ticket in KeyOS console and provide the generated public_cert.pem.
  • Store your private key securely.
  • Import Certificates into AWS Certificate Manager:
    • Navigate to Certificate Manager in your AWS Console.
    • Select the “Import certificate” option.
    • Insert your public certificate and private key.

MJT6UaGLOI9gmEwlW8Mpr5DN4oyt9J8A1aP5VmKZcwkn6mSMYWI6fkvkoPuZfRpkRdqHbLsQdiapbwLWQQnaE 1xlOiV Kq1qQtkw3uuP981KcLjxfqwZLu icRqahmO4BCHUgKAjNrX8UbHpNNFZsY

  • Click “Next,” skip tags, and click “Import.”

RhD0z04FAA5ZJriHp sX zYYVv6HdDELyl9IQ3IGuj74BEL3tXN4lBeimHzzbroESFqJUonf7PC78gp6iJlS1ms1N0UCb7e4PVJiOVmjfch0meAiKqdkEme NQ1zVZcvOTUYCyDSYU0A3yCyGcC7co

3. Setting up the MediaPackage Service

  • Create MediaPackage Channel:
    • Navigate to MediaPackage page in the AWS console.
    • Click “Create channel.”
    • Specify the ID for the channel.
    • Click “Create.”


KrV7W9S lyXw8 6LQq3Vhq5Y02EnyBiWO2 6gug6YkVEzoSt UdvJjni7fjaDsIGZXWCi0v9C0KC962lwNom5gwhOzn6yzRPYYf9EgiQ51ki pDfDqeWnHvqYtI7NypQhK7vH9faG12CsD1GHrovS78

  • Create Endpoints:
    • Clear DASH Endpoint:
      • Click “Manage endpoints” on the channel overview page.
      • Enter endpoint ID (e.g., dash-clear).
      • Pick DASH-ISO option in Packager settings > Packaging type.

  • DRM-encrypted DASH Endpoint:
    • Click “Add” in the Endpoints menu.
    • Enter endpoint ID (e.g., dash-drm).
    • Pick DASH-ISO option in Packager settings > Packaging type.
    • Choose “Encrypt content” option in Package encryption section.
    • Enter Resource ID, System IDs based on the DRM (e.g., PlayReady, Widevine), and URL of your API Gateway.
      • 9a04f079-9840-4286-ab92-e65be0885f95 – PlayReady
      • edef8ba9-79d6-4ace-a3c8-27dcd51d21ed – Widevine
      • 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 – FairPlay
    • Enter ARN Role of the IAM role created earlier.
    • Select the preferred SPEKE version.
    • If using SPEKE v2.0 or ContentKey Encryption with SPEKE v1.0, enter ARN of the imported certificate in the “Additional configuration” dropdown.

GaZ76if hq0Hczis0JUVORVwGCOUX 6yRBxawk5jMzUXUANz sLh17hDuwB HObfkhz3

  • Save and Complete:
    • Click “Save” on the top of the page.

MediaPackage is now fully configured and ready to use.

About TrackIt

TrackIt is an Amazon Web Services Advanced Tier Services Partner specializing in cloud management, consulting, and software development solutions based in Marina del Rey, CA. 

TrackIt specializes in Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization with specialized expertise in Media & Entertainment workflows, High-Performance Computing environments, and data storage.

In addition to providing cloud management, consulting, and modern software development services, TrackIt also provides an open-source AWS cost management tool that allows users to optimize their costs and resources on AWS.