How Amazon Elastic Transcoder uses Amazon KMS - Amazon Key Management Service

How Amazon Elastic Transcoder uses Amazon KMS

You can use Amazon Elastic Transcoder to convert media files stored in an Amazon S3 bucket into formats required by consumer playback devices. Both input and output files can be encrypted and decrypted. The following sections discuss how Amazon KMS is used for both processes.

Encrypting the input file

Before you can use Elastic Transcoder, you must create an Amazon S3 bucket and upload your media file into it. You can encrypt the file before uploading by using AES client-side encryption or after uploading by using Amazon S3 server-side encryption.

If you choose client-side encryption using AES, you are responsible for encrypting the file before uploading it to Amazon S3, and you must give Elastic Transcoder access to the encryption key. You do this by using a symmetric encryption KMS key in Amazon KMS to protect the AES key that you used to encrypt the media file: the AES key itself is stored only in encrypted form, and Elastic Transcoder asks Amazon KMS to decrypt it when the job runs.

If you choose server-side encryption, you allow Amazon S3 to encrypt and decrypt all files on your behalf. You can configure Amazon S3 to use one of three different types of encryption keys to protect the unique data key that encrypts your file:

  • An Amazon S3 key, an encryption key that Amazon S3 owns and manages. It is not part of your Amazon Web Services account.

  • The Amazon managed key for Amazon S3, a KMS key that is part of your account but is created and managed by Amazon.

  • Any symmetric customer managed key that you create by using Amazon KMS

Important

For both client-side and server-side encryption, Elastic Transcoder supports only symmetric KMS keys. You cannot use an asymmetric KMS key to encrypt your Elastic Transcoder files. For help determining whether a KMS key is symmetric or asymmetric, see Identifying asymmetric KMS keys.

You can enable encryption and specify a key by using the Amazon S3 console or the appropriate Amazon S3 APIs. For more information about how Amazon S3 performs encryption, see Protecting data using server-side encryption with KMS keys (SSE-KMS) in the Amazon Simple Storage Service User Guide.

When you protect your input file by using the Amazon managed key for Amazon S3 in your account or a customer managed key, Amazon S3 and Amazon KMS interact in the following manner:

  1. Amazon S3 requests a plaintext data key and a copy of the data key encrypted under the specified KMS key.

  2. Amazon KMS creates a data key, encrypts it with the specified KMS key, and then sends both the plaintext data key and the encrypted data key to Amazon S3.

  3. Amazon S3 uses the plaintext data key to encrypt the media file and then stores the file in the specified Amazon S3 bucket.

  4. Amazon S3 stores the encrypted data key alongside the encrypted media file.

Decrypting the input file

If you choose Amazon S3 server-side encryption to encrypt the input file, Elastic Transcoder does not decrypt the file. Instead, Elastic Transcoder relies on Amazon S3 to perform decryption depending on the settings you specify when you create a job and a pipeline.

The following combinations of settings are available.

Encryption mode   Amazon KMS key       Meaning
S3                Default              Amazon S3 creates and manages the keys used to encrypt and decrypt the media file. The process is opaque to the user.
S3-AWS-KMS        Default              Amazon S3 uses a data key encrypted by the default Amazon managed key for Amazon S3 in your account to encrypt the media file.
S3-AWS-KMS        Custom (with ARN)    Amazon S3 uses a data key encrypted by the specified customer managed key to encrypt the media file.

When S3-AWS-KMS is specified, Amazon S3 and Amazon KMS work together in the following manner to perform the decryption.

  1. Amazon S3 sends the encrypted data key to Amazon KMS.

  2. Amazon KMS decrypts the data key by using the appropriate KMS key, and then sends the plaintext data key back to Amazon S3.

  3. Amazon S3 uses the plaintext data key to decrypt the ciphertext.

If you choose client-side encryption using an AES key, Elastic Transcoder retrieves the encrypted file from the Amazon S3 bucket and decrypts it. Elastic Transcoder uses the KMS key you specified when you created the pipeline to decrypt the AES key and then uses the AES key to decrypt the media file.

Encrypting the output file

Elastic Transcoder encrypts the output file depending on how you specify the encryption settings when you create a job and a pipeline. The following options are available.

Encryption mode   Amazon KMS key       Meaning
S3                Default              Amazon S3 creates and manages the keys used to encrypt the output file.
S3-AWS-KMS        Default              Amazon S3 uses a data key created by Amazon KMS and encrypted by the Amazon managed key for Amazon S3 in your account.
S3-AWS-KMS        Custom (with ARN)    Amazon S3 uses a data key encrypted by using the customer managed key specified by the ARN to encrypt the media file.
AES-              Default              Elastic Transcoder uses the Amazon managed key for Amazon S3 in your account to decrypt the AES key you provide, and uses that AES key to encrypt the output file.
AES-              Custom (with ARN)    Elastic Transcoder uses the customer managed key specified by the ARN to decrypt the AES key you provide, and uses that AES key to encrypt the output file.

When you specify that the Amazon managed key for Amazon S3 in your account or a customer managed key is used to encrypt the output file, Amazon S3 and Amazon KMS interact in the following manner:

  1. Amazon S3 requests a plaintext data key and a copy of the data key encrypted under the specified KMS key.

  2. Amazon KMS creates a data key, encrypts it under the KMS key, and sends both the plaintext data key and the encrypted data key to Amazon S3.

  3. Amazon S3 encrypts the media using the data key and stores it in the specified Amazon S3 bucket.

  4. Amazon S3 stores the encrypted data key alongside the encrypted media file.

When you specify that your provided AES key be used to encrypt the output file, the AES key must be encrypted using a KMS key in Amazon KMS. Elastic Transcoder, Amazon KMS, and you interact in the following manner:

  1. You encrypt your AES key by calling the Encrypt operation in the Amazon KMS API. Amazon KMS encrypts the key by using the specified KMS key. You specify which KMS key to use when you are creating the pipeline.

  2. You specify the file containing the encrypted AES key when you create the Elastic Transcoder job.

  3. Elastic Transcoder decrypts the key by calling the Decrypt operation in the Amazon KMS API, passing the encrypted key as ciphertext.

  4. Elastic Transcoder uses the decrypted AES key to encrypt the output media file and then deletes the decrypted AES key from memory. Only the encrypted copy you originally defined in the job is saved to disk.

  5. You can download the encrypted output file and decrypt it locally by using the original AES key that you defined.
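The five steps above, together with the GenerateDataKey exchange that Amazon S3 performs for SSE-KMS and the case under HLS content protection where Elastic Transcoder generates the data key, as an added Python example. It is not code from this page or from AWS: LocalKms, seal and open_ are this example's own stand-ins for the Amazon KMS API and for AES, built from the standard library so the flow runs offline, and the KMS key ARN is a placeholder. It shows the property that matters in practice: the ciphertext of your AES key is bound to the encryption context Elastic Transcoder sends on every KMS request (see "Elastic Transcoder encryption context" below), so the same ciphertext is refused when decrypted with any other context.

```python
"""Envelope encryption as described on this page, run offline against a local
stand-in for the KMS API.  Constructed example, not AWS or Elastic Transcoder code.
Real KMS key material never leaves KMS; LocalKms holds it in memory only so the
flow can execute without an account.  seal()/open_() stand in for AES."""
import hashlib
import hmac
import json
import secrets

# Encryption context Elastic Transcoder sends on every KMS request (from the page).
ET_CONTEXT = {"service": "elastictranscoder.amazonaws.com"}


def _canonical(ctx):
    # KMS binds the context as sorted key/value pairs; model that with sorted JSON.
    return json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks, i = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]


def seal(key, plaintext, aad=b""):
    """Authenticated encryption from stdlib primitives (HMAC-SHA256 keystream,
    encrypt-then-MAC) standing in for AES; aad is authenticated, not encrypted."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()


def open_(key, blob, aad=b""):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LocalKms:
    """Stand-in for the KMS Encrypt, Decrypt and GenerateDataKey operations."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_arn):
        self._keys[key_arn] = secrets.token_bytes(32)  # symmetric KMS key material
        return key_arn

    def encrypt(self, key_arn, plaintext, context):
        return seal(self._keys[key_arn], plaintext, _canonical(context))

    def decrypt(self, key_arn, ciphertext, context):
        # Fails unless the context equals the one supplied to Encrypt.
        return open_(self._keys[key_arn], ciphertext, _canonical(context))

    def generate_data_key(self, key_arn, context, nbytes=16):
        """Return (plaintext data key, data key encrypted under the KMS key)."""
        plaintext = secrets.token_bytes(nbytes)
        return plaintext, self.encrypt(key_arn, plaintext, context)


# Step 1: you encrypt your AES-128 key under the pipeline's KMS key.
def customer_encrypt_aes_key(kms, key_arn, aes_key):
    return kms.encrypt(key_arn, aes_key, ET_CONTEXT)


# Steps 3 and 4: Elastic Transcoder recovers the AES key, encrypts the output and
# drops the plaintext key; only the encrypted copy given in the job persists.
def transcoder_encrypt_output(kms, key_arn, enc_aes_key, media):
    aes_key = kms.decrypt(key_arn, enc_aes_key, ET_CONTEXT)
    encrypted_output = seal(aes_key, media)
    del aes_key
    return encrypted_output


# Step 5: you decrypt the downloaded output with the original AES key.
def customer_decrypt_output(aes_key, encrypted_output):
    return open_(aes_key, encrypted_output)


# HLS variant: Elastic Transcoder generates the data key, encrypts a segment with it
# and hands back only the encrypted data key for you to decrypt later.
def transcoder_generate_and_use_data_key(kms, key_arn, segment):
    data_key, enc_data_key = kms.generate_data_key(key_arn, ET_CONTEXT)
    return enc_data_key, seal(data_key, segment)


def demo():
    kms = LocalKms()
    arn = kms.create_key("arn:aws:kms:us-east-1:111122223333:key/example")  # placeholder ARN
    media, aes_key = b"constructed media bytes", secrets.token_bytes(16)
    enc_aes_key = customer_encrypt_aes_key(kms, arn, aes_key)
    output = transcoder_encrypt_output(kms, arn, enc_aes_key, media)
    try:  # the same ciphertext without the bound context must be refused
        kms.decrypt(arn, enc_aes_key, {})
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    enc_data_key, enc_segment = transcoder_generate_and_use_data_key(kms, arn, b"segment0")
    data_key = kms.decrypt(arn, enc_data_key, ET_CONTEXT)
    return {
        "output_roundtrip": customer_decrypt_output(aes_key, output) == media,
        "context_mismatch_rejected": mismatch_rejected,
        "hls_segment_roundtrip": open_(data_key, enc_segment) == b"segment0",
    }
```

Against real Amazon KMS the same sequence is the Encrypt, Decrypt and GenerateDataKey API operations; because Elastic Transcoder presents the encryption context shown later on this page when it calls Decrypt, the Encrypt call you make in step 1 has to carry that same context or the job cannot recover the key.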

Important

Amazon never stores the plaintext AES keys that you provide; only the copy encrypted under your KMS key is kept. Therefore, it is important that you manage your keys safely and securely. If you lose them, you won't be able to decrypt your data.

HLS content protection

HTTP Live Streaming (HLS) is an adaptive streaming protocol. Elastic Transcoder supports HLS by breaking your input file into smaller individual files called media segments. A set of corresponding individual media segments contains the same material encoded at different bit rates, which lets the player select the stream that best fits the available bandwidth. Elastic Transcoder also creates playlists that contain metadata for the various segments that are available to be streamed.

When you enable HLS content protection, each media segment is encrypted using a 128-bit AES encryption key. When the content is viewed, during the playback process, the player downloads the key and decrypts the media segments.

Two types of keys are used: a KMS key and a data key. You must have a KMS key, which is used to encrypt and decrypt the data key. Elastic Transcoder uses the data key to encrypt and decrypt media segments. The data key must be AES-128. All variations and segments of the same content are encrypted using the same data key. You can provide a data key or have Elastic Transcoder create it for you.

The KMS key can be used to encrypt the data key at the following points:

  • If you provide your own data key, you must encrypt it before passing it to Elastic Transcoder.

  • If you request that Elastic Transcoder generate the data key, then Elastic Transcoder encrypts the data key for you.

The KMS key can be used to decrypt the data key at the following points:

  • Elastic Transcoder decrypts your provided data key when it needs to use the data key to encrypt the output file or decrypt the input file.

  • You decrypt a data key generated by Elastic Transcoder and use it to decrypt output files.

For more information, see HLS Content Protection in the Amazon Elastic Transcoder Developer Guide.

Elastic Transcoder encryption context

An encryption context is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, Amazon KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context.

Elastic Transcoder uses the same encryption context in all Amazon KMS API requests to generate data keys, encrypt, and decrypt. Because Amazon KMS refuses to decrypt a ciphertext unless the request carries the context it was encrypted with, an AES key or data key that you encrypt yourself for Elastic Transcoder must be encrypted with this context too, and you can use the same pair in a KMS key policy condition (kms:EncryptionContext:service) to restrict the key to Elastic Transcoder's use:

"service" : "elastictranscoder.amazonaws.com"

The encryption context is written to CloudTrail logs to help you understand how a given KMS key was used. In the requestParameters field of a CloudTrail log file, the encryption context looks similar to the following:

"encryptionContext": { "service" : "elastictranscoder.amazonaws.com" }
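Since Elastic Transcoder always presents this one encryption context, a CloudTrail record in which the pipeline's KMS key is used for a data operation with a different or missing context came from some other caller. The following added Python example, which is not code from this page or from AWS, applies that check to a few sample records; the records, account ID, key ID and principal ARNs are constructed placeholders. If the same customer managed key also protects the S3 bucket with SSE-KMS, Amazon S3's own context (the aws:s3:arn pair) is legitimate as well and has to be added to the allowed set, which the second call in the usage shows.

```python
"""Detection over CloudTrail: flag KMS data operations on an Elastic Transcoder
pipeline key whose request does not carry the encryption context this page says
Elastic Transcoder always sends.  Constructed example with constructed records;
not AWS code.  Account ID, key ID and principals are placeholders."""
import json

ET_CONTEXT = {"service": "elastictranscoder.amazonaws.com"}
# Context Amazon S3 uses for SSE-KMS (object ARN); constructed bucket/object name.
S3_INPUT_CONTEXT = {"aws:s3:arn": "arn:aws:s3:::example-input-bucket/input.mp4"}
PIPELINE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
DATA_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext"}

# Constructed CloudTrail records in the shape KMS writes, trimmed to relevant fields.
SAMPLE_LOG = """{"Records": [
 {"eventID": "evt-1", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/PipelineRole/transcode"},
  "requestParameters": {"encryptionContext": {"service": "elastictranscoder.amazonaws.com"}, "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventID": "evt-2", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/PipelineRole/transcode"},
  "requestParameters": {"encryptionContext": {"service": "elastictranscoder.amazonaws.com"}, "keySpec": "AES_128"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventID": "evt-3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
  "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventID": "evt-4", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/PipelineRole/transcode", "invokedBy": "s3.amazonaws.com"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-input-bucket/input.mp4"}, "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventID": "evt-5", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
  "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventID": "evt-6", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
  "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"}]}
]}"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def find_unexpected_kms_calls(records, key_arn, allowed_contexts=(ET_CONTEXT,)):
    """Return data-operation records on key_arn whose encryption context is not one
    of allowed_contexts.  A missing context counts as {} and is therefore flagged."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in DATA_OPS:
            continue  # management calls such as DescribeKey carry no context
        if not any(r.get("ARN") == key_arn for r in rec.get("resources", [])):
            continue  # a different KMS key
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if ctx in allowed_contexts:
            continue
        findings.append({
            "eventID": rec.get("eventID"),
            "eventName": rec["eventName"],
            "principal": (rec.get("userIdentity") or {}).get("arn"),
            "encryptionContext": ctx,
        })
    return findings


if __name__ == "__main__":
    # Pipeline key used only by Elastic Transcoder: evt-3 and evt-4 are flagged.
    for f in find_unexpected_kms_calls(SAMPLE_RECORDS, PIPELINE_KEY_ARN):
        print(f)
    # Same key also serving SSE-KMS on the input bucket: only evt-3 remains.
    for f in find_unexpected_kms_calls(SAMPLE_RECORDS, PIPELINE_KEY_ARN, (ET_CONTEXT, S3_INPUT_CONTEXT)):
        print(f)
```

The check is deliberately narrow: it does not decide who the principal ought to be, because the page documents only the context, not the identity Elastic Transcoder calls with. It surfaces the principal ARN in each finding so that the analyst can make that call.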

For more information about how to configure Elastic Transcoder jobs to use one of the supported encryption options, see Data Encryption Options in the Amazon Elastic Transcoder Developer Guide.