Infrastructure protection
Infrastructure protection for streaming media involves securing all resources from end to end, which includes the ingest endpoints, content origin endpoints, DRM services, and the client, from unintended or unauthorized access or potential vulnerabilities.
| SM_SEC4: How do you protect content ingest endpoints? |
|---|
| SM_SBP5 – Encrypt content ingest traffic using TLS |
| SM_SBP6 – Use private connectivity when working with partners |
| SM_SBP7 – Encrypt content at rest when delivering via physical medium |
Streaming media services depend on a reliable content ingest endpoint to upload, process, and deliver engaging content. These endpoints need to support transit protection to ensure that content being uploaded can’t be intercepted or intentionally degraded during transit. Live and file-based content uploads can be accomplished in several ways:
- Direct upload over the public network to a custom processing fleet or a cloud service
- Private network connectivity for direct uploading to a custom processing fleet or a cloud service
- Offline delivery of content to a remote facility to store and process
To help ensure that content cannot be intercepted between the publisher and ingest endpoints, you should encrypt uploads in transit and use TLS at both the source and destination. To simplify configuration for global connectivity over public network paths, you should use anycast networks, such as AWS Global Accelerator, which helps clients connect to the closest available endpoint.
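The following is an added example (not code from the original page) of what "use TLS at the source" looks like on the publisher side: an upload client that refuses ingest URLs whose scheme carries the stream in cleartext and that builds a strict, certificate-verifying TLS context for the ones it accepts. The URLs and host names are constructed for illustration.

```python
"""Client-side transport checks for a content ingest upload (added example)."""
import ssl
from urllib.parse import urlparse

# Schemes that wrap the file or stream in TLS. SRT is deliberately absent:
# it encrypts with its own AES mechanism rather than TLS and is out of scope here.
TLS_SCHEMES = {"https", "rtmps", "ftps"}


def ingest_url_is_encrypted(url: str) -> bool:
    """Return True only if the URL names a host and uses a TLS-wrapped scheme."""
    parts = urlparse(url)
    return parts.scheme.lower() in TLS_SCHEMES and bool(parts.hostname)


def make_ingest_tls_context() -> ssl.SSLContext:
    """Build a client context that verifies the ingest endpoint's certificate
    and hostname and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def classify_ingest_urls(urls):
    """Split a list of candidate ingest URLs into accepted (TLS) and rejected (cleartext)."""
    accepted = [u for u in urls if ingest_url_is_encrypted(u)]
    rejected = [u for u in urls if not ingest_url_is_encrypted(u)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample endpoints; hostnames are assumptions.
    candidates = [
        "https://ingest.example.net/upload",
        "rtmps://live.example.net/app/stream",
        "rtmp://live.example.net/app/stream",
        "http://ingest.example.net/upload",
    ]
    ok, bad = classify_ingest_urls(candidates)
    print("accepted:", ok)
    print("rejected (cleartext):", bad)
    ctx = make_ingest_tls_context()
    print("minimum TLS version:", ctx.minimum_version.name)
```

The context returned by `make_ingest_tls_context()` is the one to pass to `ssl.SSLContext.wrap_socket()` or to an HTTP client when opening the upload; the scheme check runs before any connection attempt so a mis-pasted cleartext URL fails closed instead of silently uploading unencrypted.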
You can use AWS Direct Connect and Direct Connect Gateway to connect your network to an AWS Region and bypass public network paths between content source and cloud infrastructure. With Direct Connect, you establish a dedicated connection between a provider network and one of the Direct Connect locations. Established connections from a Direct Connect location to any other AWS Region around the world communicate over the AWS managed backbone—improving performance for geo-diverse media workloads while limiting the routers, networks, and parties involved in the physical transmission layer.
AWS PrivateLink is recommended for establishing connectivity when working with partners that also use AWS. With AWS PrivateLink, a service provider can expose its service endpoint to you within a Region, so communication never traverses the public networks. When a service provider's PrivateLink endpoint is provisioned in the consumer's VPC, connections can only be initiated from the consumer's resources toward that endpoint; the provider side cannot initiate traffic into the consumer's VPC. Traffic flowing through the AWS PrivateLink VPC endpoint adheres to the routing rules and network access control lists of the subnet in which the endpoint resides.
When working with large content libraries, transmitting content over the network may not be feasible. This is especially relevant when there is no connectivity between the studio and the video processing infrastructure, or when the bandwidth needed to transmit the footage exceeds what the network provider can deliver. AWS offers AWS Snowball Edge, a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS Cloud. AWS Snowball Edge encrypts all data with 256-bit encryption. You manage your encryption keys by using the AWS Key Management Service (AWS KMS). Your keys are never stored on the device, and all memory is erased when the device is disconnected and returned to AWS. To access the data stored on a Snowball Edge device, a user must have access to the customer managed key (AWS KMS key) that was associated with the device when it was requested, which reduces concerns about data being intercepted in transit. Snowball Edge devices come with an electronic screen that displays the customer and AWS shipping destination, which minimizes shipping discrepancies. Lastly, after your data has been transferred to AWS, it is erased from the device using standards defined by the National Institute of Standards and Technology.
| SM_SEC5: How do you protect content origin from unauthorized access and malicious attacks? |
|---|
| SM_SBP8 – Use DDoS protection service to maintain content availability |
| SM_SBP9 – Restrict content origin access to only allow known entities |
| SM_SBP10 – Use a web application firewall to monitor and control content access |
| SM_SBP11 – Encrypt origin to client communication in transit using TLS |
Protect your content origin layer from distributed denial of service (DDoS) attacks at both the network level (Layer 3) and application level (Layer 7), in addition to preventing unauthorized origin access. Protecting your content origin from unauthorized access or malicious attacks can help prevent improper re-distribution of private content and increase service reliability.
A DDoS attack is when multiple systems intentionally flood your resources, which can render your content origin unavailable to your viewers. It is important to use a DDoS protection tool, such as AWS Shield, to protect your resources. AWS Shield protects AWS resources such as Amazon CloudFront distributions and Amazon Route 53 so that your content can be located and reached globally. AWS Shield Advanced protects resources built upon services such as Elastic Load Balancing, Amazon EC2, and AWS Global Accelerator against the most common infrastructure (layer 3 and 4) attacks, such as SYN/UDP floods and reflection attacks, to support high availability of your applications on AWS. If you need to protect resources that you are hosting privately, put a CDN, such as a CloudFront distribution, in front of them.
To reduce the likelihood of impact on your content origin from a volumetric attack such as a DDoS attack, limit the allowed traffic sources to trusted client IP addresses, such as the IP address ranges for your CDN.
When using AWS Elemental MediaPackage or a content origin built on Amazon EC2, allow requests only from the known IP addresses of the CDN PoPs and, if applicable, use security groups to restrict incoming traffic. To limit access to known Amazon CloudFront IP addresses, AWS publishes a regularly updated JSON file of its IP address ranges that you can filter to the CloudFront entries.
If you are using AWS Application Load Balancers or Amazon CloudFront, you can also use AWS WAF (Web Application Firewall) to validate requests originating from known IP addresses. AWS WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs.
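As an added example (not code from the original page or from AWS), the block below shows the allowlisting step from the two preceding paragraphs: it parses a document in the layout of AWS's published `ip-ranges.json` (the real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json; the entries here are a constructed sample in that layout), keeps only the `CLOUDFRONT` prefixes for both address families, checks whether a given source address falls inside them, and emits the CIDR lists you would load into a security group and into AWS WAF IP sets (WAF keeps IPv4 and IPv6 in separate sets, hence the `version` parameter).

```python
"""Build a content-origin allowlist from the ip-ranges.json layout (added example)."""
import ipaddress
import json

# Constructed sample mirroring the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The duplicate 13.32.0.0/15 entry (listed under both CLOUDFRONT and AMAZON) is
# deliberate: the real file repeats prefixes per service, so the parser must dedupe.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "130.176.0.0/16", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2600:1f00::/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def cloudfront_prefixes(ip_ranges_json: str):
    """Return the deduplicated CloudFront networks (IPv4 and IPv6) from an ip-ranges document."""
    doc = json.loads(ip_ranges_json)
    nets = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") == "CLOUDFRONT":
            nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    for entry in doc.get("ipv6_prefixes", []):
        if entry.get("service") == "CLOUDFRONT":
            nets.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # Networks of different address families cannot be compared directly, so sort on a key.
    return sorted(nets, key=lambda n: (n.version, n.network_address.packed, n.prefixlen))


def is_trusted_source(ip: str, trusted) -> bool:
    """True if the request source address lies inside one of the trusted CDN networks.
    Malformed addresses are rejected rather than raising, so the check fails closed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in trusted)


def security_group_rules(trusted, port: int = 443):
    """(cidr, port) pairs to feed into an origin security group's ingress rules."""
    return [(str(net), port) for net in trusted]


def waf_ipset_addresses(trusted, version: int = 4):
    """CIDR strings for an AWS WAF IP set of the given address family."""
    return [str(net) for net in trusted if net.version == version]


if __name__ == "__main__":
    trusted = cloudfront_prefixes(SAMPLE_IP_RANGES)
    print("security group ingress:", security_group_rules(trusted))
    print("WAF IPv4 set:", waf_ipset_addresses(trusted, 4))
    print("WAF IPv6 set:", waf_ipset_addresses(trusted, 6))
    # Constructed request sources: a CloudFront PoP address and a direct client bypassing the CDN.
    for src in ("13.33.10.4", "198.51.100.7", "2600:9000:1::1"):
        print(src, "trusted" if is_trusted_source(src, trusted) else "REJECT")
```

Two operational notes: the published ranges change over time, so the allowlist must be regenerated when AWS announces an update (AWS publishes change notifications via the `AmazonIpSpaceChanged` SNS topic), and an IP allowlist alone does not distinguish your CloudFront distribution from anyone else's, since every distribution shares the same PoP ranges; pair it with the WAF rules described above, or with an origin-side check that the CDN is actually yours.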