Implementing server-side encryption - MediaConvert
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Implementing server-side encryption

Server-side encryption with Amazon S3 is one of the encryption options that you can use with AWS Elemental MediaConvert.

You can protect your input and output files at rest by using server-side encryption with Amazon S3:

  • To protect your input files, set up server-side encryption as you would for any object in an Amazon S3 bucket. For more information, see Protecting data using server-side encryption in the Amazon Simple Storage Service User Guide.

  • To protect your output files, specify in your AWS Elemental MediaConvert job that Amazon S3 encrypts your output files as MediaConvert uploads them. By default, your output files are not encrypted. The rest of this topic provides more information about setting up your job to encrypt your output files.

When you set up an AWS Elemental MediaConvert job output for server-side encryption, Amazon S3 encrypts it with a data key. As an additional security measure, the data key itself is encrypted with a master key.

You choose whether Amazon S3 encrypts the data key by using the default Amazon S3 managed key or a KMS key that is managed by Amazon Key Management Service (Amazon KMS). Using the default Amazon S3 master key is simplest to set up. If you prefer more control over your key, use an Amazon KMS key. For more information about the different types of KMS keys managed with Amazon KMS, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

If you choose to use an Amazon KMS key, you can specify a customer managed key in your Amazon account. Otherwise, Amazon KMS uses the Amazon managed key for Amazon S3, which has the alias aws/s3.

To set up your job outputs for server-side encryption
  1. Open the MediaConvert console at https://console.aws.amazon.com/mediaconvert.

  2. Choose Create job.

  3. Set up your input, output groups, and outputs for video and audio, as described in Configuring jobs in MediaConvert and Creating outputs.

  4. For each output group that has outputs that you want encrypted, set up server-side encryption:

    1. In the Job pane on the left, choose the output group.

    2. In the group settings section on the right, choose Server-side encryption. If you use the API or an SDK, you can find this setting in the JSON file of your job. The setting name is S3EncryptionSettings.

    3. For Encryption key management, choose the Amazon service that protects your data key. If you use the API or an SDK, you can find this setting in the JSON file of your job. The setting name is S3ServerSideEncryptionType.

      If you choose Amazon S3, Amazon S3 encrypts your data key with a customer managed key that Amazon S3 stores securely. If you choose Amazon KMS, Amazon S3 encrypts your data key with a KMS key that Amazon Key Management Service (Amazon KMS) stores and manages.

    4. If you chose Amazon KMS in the preceding step, optionally specify the ARN of one of your customer managed keys. If you do, Amazon KMS will use that KMS key to encrypt the data key that Amazon S3 uses to encrypt your media files.

      If you don't specify a key for Amazon KMS, Amazon S3 uses the Amazon managed key in your Amazon account that is used exclusively for Amazon S3.

    5. If you chose Amazon KMS for Encryption key management, grant kms:Encrypt and kms:GenerateDataKey permissions to your AWS Elemental MediaConvert Amazon Identity and Access Management (IAM) role. This allows MediaConvert to encrypt your output files. If you also want to be able to use these outputs as inputs to another MediaConvert job, also grant kms:Decrypt permissions. To learn more, see these topics:

      • For more information about setting up an IAM role for AWS Elemental MediaConvert to assume, see Setting up IAM permissions in the Getting Started chapter of this guide.

      • For more information about granting IAM permissions using an inline policy, see the procedure To embed an inline policy for a user or role in Adding IAM identity permissions (Console) in the IAM User Guide.

      • For examples of IAM policies that grant Amazon KMS permissions, including decrypting encrypted content, see Customer managed policy examples in the Amazon Key Management Service Developer Guide.

  5. Run your AWS Elemental MediaConvert job as usual. If you chose Amazon KMS for Encryption key management, remember to grant kms:Decrypt permissions to any user or role that you want to be able to access your outputs.
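The following Python script is an added example and is not AWS code; it mirrors the procedure above for anyone who submits jobs through the API or an SDK rather than the console. It builds the per-output-group encryption block (the S3EncryptionSettings structure, carrying an S3ServerSideEncryptionType value), builds the IAM statement from step 4.5 for the MediaConvert role, and audits a job settings document for output groups that would be written unencrypted, which is the default. The JSON key names it uses (`Encryption`, `EncryptionType`, `KmsKeyArn`, nested under `FileGroupSettings.DestinationSettings.S3Settings`) are taken from the MediaConvert API; verify the nesting against the API reference for your SDK version. The bucket names, account ID and KMS key ARN are constructed placeholders.

```python
"""Build and audit the server-side encryption settings of a MediaConvert job.

Added example, not AWS's own code. JSON keys follow the MediaConvert API
(OutputGroupSettings -> FileGroupSettings -> DestinationSettings -> S3Settings
-> Encryption, the S3EncryptionSettings structure, whose EncryptionType takes
an S3ServerSideEncryptionType value); check the nesting against the API
reference for your SDK version. The KMS key ARN, account id and bucket names
are constructed placeholders.
"""
import json
import re
from typing import Optional

SSE_S3 = "SERVER_SIDE_ENCRYPTION_S3"    # Amazon S3 managed key
SSE_KMS = "SERVER_SIDE_ENCRYPTION_KMS"  # KMS key (customer managed or aws/s3)

# Constructed placeholder, not a real key.
EXAMPLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
KMS_ARN_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def s3_encryption_settings(encryption_type: str,
                           kms_key_arn: Optional[str] = None) -> dict:
    """Return the Encryption block for an output group's S3 destination.

    SSE-S3 must not carry a KMS key ARN. With SSE-KMS the ARN is optional:
    leaving it out makes S3 fall back to the aws/s3 Amazon managed key.
    """
    if encryption_type not in (SSE_S3, SSE_KMS):
        raise ValueError(f"unknown S3ServerSideEncryptionType: {encryption_type}")
    if encryption_type == SSE_S3 and kms_key_arn:
        raise ValueError("KmsKeyArn is only valid with SERVER_SIDE_ENCRYPTION_KMS")
    block = {"EncryptionType": encryption_type}
    if kms_key_arn:
        if not KMS_ARN_RE.match(kms_key_arn):
            raise ValueError(f"malformed KMS key ARN: {kms_key_arn}")
        block["KmsKeyArn"] = kms_key_arn
    return block


def file_output_group(name: str, destination: str,
                      encryption: Optional[dict] = None) -> dict:
    """Build a File output group; omit `encryption` for the default (no SSE)."""
    s3_settings = {"Encryption": encryption} if encryption else {}
    return {
        "Name": name,
        "OutputGroupSettings": {
            "Type": "FILE_GROUP_SETTINGS",
            "FileGroupSettings": {
                "Destination": destination,
                "DestinationSettings": {"S3Settings": s3_settings},
            },
        },
        "Outputs": [],  # video/audio outputs omitted; see Creating outputs
    }


def unencrypted_output_groups(job_settings: dict) -> list:
    """Audit helper: names of output groups whose S3 destination sets no Encryption.

    Outputs are unencrypted unless the job says otherwise, so every name
    returned is a group that writes plaintext objects (absent a bucket default).
    """
    missing = []
    for group in job_settings.get("OutputGroups", []):
        for sub in group.get("OutputGroupSettings", {}).values():
            if isinstance(sub, dict) and "DestinationSettings" in sub:
                s3 = sub["DestinationSettings"].get("S3Settings", {})
                if "Encryption" not in s3:
                    missing.append(group.get("Name", "<unnamed>"))
    return missing


def role_kms_statement(kms_key_arn: str,
                       outputs_reused_as_inputs: bool = False) -> dict:
    """IAM statement for the MediaConvert role (step 4.5): Encrypt and
    GenerateDataKey, plus Decrypt only when the outputs feed another job."""
    actions = ["kms:Encrypt", "kms:GenerateDataKey"]
    if outputs_reused_as_inputs:
        actions.append("kms:Decrypt")
    return {"Effect": "Allow", "Action": actions, "Resource": kms_key_arn}


def demo_job_settings() -> dict:
    """Constructed job: SSE-KMS with a customer managed key, SSE-S3, and none."""
    return {"OutputGroups": [
        file_output_group("Mezzanine", "s3://example-bucket/mezz/",
                          s3_encryption_settings(SSE_KMS, EXAMPLE_KMS_KEY_ARN)),
        file_output_group("Proxies", "s3://example-bucket/proxy/",
                          s3_encryption_settings(SSE_S3)),
        file_output_group("Thumbnails", "s3://example-bucket/thumbs/"),
    ]}


if __name__ == "__main__":
    job = demo_job_settings()
    print(json.dumps(job, indent=2))
    print("unencrypted groups:", unencrypted_output_groups(job))
    print(json.dumps(role_kms_statement(EXAMPLE_KMS_KEY_ARN, True), indent=2))
```

Run the audit over the settings of every job before submission (or over job templates pulled from the account) to catch output groups that silently fall back to unencrypted writes; the "Thumbnails" group in the constructed job is exactly that case. Keep `kms:Decrypt` off the MediaConvert role unless its outputs really are consumed by a later job, and grant it separately to the principals that read the outputs, as step 5 says.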