Setting-up DRM is an important, but sometimes a somewhat complicated job to execute. The complexity often comes from the business requirements, DRM technology is more and more available to everyone. 

In this blog we will talk you through setting up, a Widevine DRM integration between AWS Elemental Media Package and EZDRM (https://www.ezdrm.com/)

Concept

Let’s start with the basic concept of DRM.

For Video On Demand and Live streaming you “chunk” your video feed in “small” segments, let’s say in segments of 2 seconds. A player will reassemble these small segments and display them as a continuous video stream. 

For security, DRM encrypts each video segment using an AES based algorithm (the exact algorithm depends on the settings and is out of scope for this blog). 

The key on how DRM works is how to distribute the encryption key securely, in this first part we will talk about how to get an encryption key securely towards a video packager.

AWS Elemental Media Package

As per the product sheet: “AWS Elemental MediaPackage prepares, protects, and distributes your video content to a broad range of connected devices. The service can take a single video input from an encoder such as AWS Elemental MediaLive, package it in multiple streaming formats, and automatically scale outputs in response to audience demand.” 

The protection comes from DRM, AWS Elemental Media Packages realises this by integrating with a 3rd party DRM provider using the Speke interface. Speke stands for Secure Packager and Encoder Key Exchange and is a well known REST API specification.

Configuration

To integrate AWS Elemental Media Packager with EZDRM via the Speke interface we have to configure an API Gateway in between. The packager will call the API Gateway, the API Gateway injects a security key in the header which is required by EZDRM.
The following picture depicts this overview:

Deployment

The configuration can be created as following using the AWS Serverless Application Model.

First of all we need an API Gateway which acts as proxy between the Packager and EZDRM:

 DrmKeygenAPI:
   Type: AWS::Serverless::Api
   Properties:
     OpenApiVersion: 3.0.1
     StageName: Dev
     Name: EZDRM keygen API
     EndpointConfiguration:
       Type: REGIONAL
     DefinitionBody:
       Fn::Transform:
         Name: AWS::Include
         Parameters:
           Location: "./openapi.yaml"

Where the open api spec is as following:
openapi: 3.0.3
info:
 title: Ezdrm keygen API
 description: "OVP Ezdrm keygen API"
 version: 0.0.1
tags:
 - name: Keygen API
x-amazon-apigateway-request-validators:
 basic:
   validateRequestBody: true
   validateRequestParameters: true
 params-only:
   validateRequestBody: false
   validateRequestParameters: true
x-amazon-apigateway-request-validator: basic
paths:
 /copyProtection:
   post:
     x-amazon-apigateway-integration:
       type: http_proxy
       httpMethod: POST
       uri: "https://cpix.ezdrm.com/speke2/speke2.aspx"
       requestParameters:
         integration.request.header.ezdrmSecureToken: "'${EZDRMSecureToken}'"



Secondly we need to configure the media packager for encryption. We first of all need to create an IAM role which allows the packager to call the API Gateway:

 MediaPackageRole:
   Type: AWS::IAM::Role
   Properties:
     RoleName:
       Fn::Sub: MediaPackageRole
     AssumeRolePolicyDocument:
       Version: '2012-10-17'
       Statement:
       - Effect: Allow
         Principal:
           Service:
           - mediapackage.amazonaws.com
         Action:
         - sts:AssumeRole
     Policies:
     - PolicyName: InvokeEzdrmPolicy
       PolicyDocument:
         Statement:
         - Effect: Allow
           Action:
           - execute-api:Invoke
           Resource:
           - Fn::Join:
             - ''
             - - 'arn:aws:execute-api:'
               - Ref: AWS::Region
               - ':'
               - Ref: AWS::AccountId
               - ':'
               - Ref: DrmKeygenAPI
               - /*/GET/client/*/*
           - Fn::Join:
             - ''
             - - 'arn:aws:execute-api:'
               - Ref: AWS::Region
               - ':'
               - Ref: AWS::AccountId
               - ':'
               - Ref: DrmKeygenAPI
               - ' /*/POST/copyProtection'

Now we can configure the packager with the following variables:

SystemId: “edef8ba9-79d6-4ace-a3c8-27dcd51d21ed” (the Widevine System ID)
Url: https://${DrmKeygenAPI}.execute-api.${AWS::Region}.amazonaws.com/dev/copyProtection
RoleARN: The ARN to the role we have defined above.

Once this is setup, we have a path in place were the AWS Elemental Media Packager can encrypt the video files using keys provided by EZDRM.