Agenda:
Welcome – Updates from AWS
Breaking the Live 4K Barrier: Producing the First Live 4K Stream from Space – NASA
Navigating Disruption: Discovery’s Cloud Journey
How AWS + Zype helped 4K Media Streamline direct to consumer video publishing
Securing Hollywood's 'crown jewel' in the AWS Cloud
3. Today’s Agenda
8:00 AM - Registration and Breakfast
9:00 AM - Welcome: updates from AWS
9:30 AM - NASA broadcasting live 4K from space with AWS Elemental (AWS Elemental: Keith Wymbs, Chief Marketing Officer)
10:00 AM - Discovery Communications: Migrating media workflows to the cloud (Discovery Communications: Dave Duvall, SVP, Infrastructure & Support Services)
10:30 AM - Break
10:45 AM - How 4K Media Streamlined Digital Operations for Yu-Gi-Oh! (4K Media (Konami Group): Mark Kirk, SVP; Zype: Ed Laczynski, CEO & Founder)
11:15 AM - Securing Hollywood's 'crown jewels' in the AWS Cloud (AWS: Usman Shakeel, Principal Technologist)
Lunch
4. Production/Post Afternoon Track
1:00 PM - Cost-effective cloud-scale rendering with Thinkbox and Amazon EC2 Spot (Thinkbox: Chris Bond, Founder)
1:45 PM - Using Artificial Intelligence to automate and optimize M&E workloads on AWS (AWS: David Pearson, Head of Business Development, AI Services, Amazon Web Services)
2:15 PM - Sailing the stormy seas to Global Content Delivery: How Amazon Studios and Levels Beyond solved an Amazon Originals’ dilemma (Amazon Studios: Callum Hughtes, Global Solutions Architect)
3:00 PM - Break
3:00 PM - Creative content storage in the AWS Cloud (AWS: Liam Morrison, Solutions Architect)
4:15 PM - Multi-monitor editing in the AWS Cloud (AWS: Bhavik Vyas, Global Segment Leader, M&E; Bebop Technologies: John Conroy)
4:45 PM - Panel discussion (AWS/Thinkbox: Chris Bond, Founder, Thinkbox)
5:00 PM - Networking Reception
5. Broadcast/OTT Afternoon Track
1:00 PM - Migrating Media Workflows to the Cloud (MLBAM: Brian Angioletti, Director, Media Delivery)
1:45 PM - Live Linear Playout - PBS Kids' Channel (PBS: Matt Norton, Sr. Director of Technology)
2:30 PM - Understanding Discovery's Cloud-based Media Supply Chain (SDVI: Larry Kaplan, Chief Executive Officer)
3:00 PM - Break
3:30 PM - Media Workflows at 35,000 Feet (Gogo: Ty Bekiares, Distinguished Member of Technical Staff)
4:15 PM - Media Functions for the Cloud: Building a Serverless OTT Solution (AWS: Liam Morrison, Solutions Architect)
5:00 PM - Networking Reception
6. AWS Investing in M&E
• Video Processing & Delivery - acquired 11/15
• Visual Effects & Production - acquired 3/17
7. Move from risk-laden up-front expense to flexible variable expense
• Stop guessing at capacity planning
• Go global in minutes
• Get rid of time-consuming, expensive tasks
• Remove complicated infrastructure management that adds little business value
8. And focus on your core mission
• Lower the time spent on infrastructure
• Dedicate more resources to innovation
• Concentrate on new business initiatives
“AWS enables us to move faster than ever before—to innovate faster and drive the innovation that is necessary for our survival in the news industry.”
Graham Tackley, Director of Architecture, the Guardian
10. Media Software on AWS Marketplace
• Launch software on AWS with 1-Click
• Pay by the hour, monthly, or annually
• Single invoice for AWS usage and ISV software
• Free trials
11. Save the Date - Upcoming AWS Events
• Toronto M&E Symposium - June 29th, AWS Toronto Office
• NY AWS Summit - August 14th, Javits Center
• IBC - September 14-19, RAI, Amsterdam
• AWS re:Invent - November 27 to December 1, Las Vegas, NV
Learn More @ aws.amazon.com
12. June 15, 2017
BREAKING THE LIVE 4K BARRIER
TECHNOLOGIES AND WORKFLOWS BEHIND THE FIRST LIVE 4K STREAM FROM SPACE
15. More space than a six-bedroom house
Measures 357 feet end-to-end
Weighs nearly one million pounds
More internal volume than a Boeing 747
240 feet solar array wingspan
Sixteen+ Consecutive Years of Human Presence
22. Live 4K capture and transmission onboard the ISS
(Diagram: ISS UHD encoding workflow. Labels: RED EPIC DRAGON source, quad 3G SDI, AWS Elemental Live (live video processing), 4K HEVC transport stream.)
23. ISS to Johnson Space Center
(Diagram. Labels: ISS; 4K feed (4K video, H.265/UDP) and HD feed (18 Mbps HD video with audio); Johnson Space Center Building 30, LVCC audio, 4K baseband HDMI, combined audio; Building 8, T21 decoder, decode with audio delay; Houston ACR (Building 2), POTS, HD-SDI with embedded delayed audio, two AWS Elemental Live units, Encompass.)
24. Johnson Space Center to Las Vegas Convention Center
(Diagram. Labels: Johnson Space Center with AWS Elemental Live; Encompass Atlanta; satellite; Roberts Comm truck with two decoders and AWS Elemental Live units; TV switcher and 4K projection at the Las Vegas Convention Center; links labelled dedicated fiber / HEVC UDP and POTS; a further AWS Elemental Live.)
25. Streamed on live.awsevents.com
(Diagram: Amazon Web Services Cloud. Labels: Amazon Route 53 (network); Amazon CloudFront regional edge caches; an Amazon Elastic Load Balancer in the Oregon Region and one in the California Region, each in front of AWS Elemental Delta; Amazon CloudFront CDN.)
26. Overall: viable live 4K workflow from space to earth
(Diagram. Labels: ISS UHD encoding (RED EPIC DRAGON source, AWS Elemental Live, 4K HEVC UDP transport stream); satellite; Johnson Space Center (AWS Elemental Live at the Space Center Houston Theater, live video processing, small form factor system, monitor); Roberts Comms truck; Las Vegas Convention Center (AWS Elemental Live units, ISPs, 4K HEVC UDP transport stream); Amazon Web Services Cloud region (AWS Elemental Delta, Amazon Route 53 network, Amazon CloudFront regional edge and CDN, Amazon CloudWatch monitor); devices.)
27. A perfect show!
“This is awesome. The closest the general population can get to something like this is at planetariums, which show video with grainy quality.”
– Monica Daniel, film editor (Las Vegas Review-Journal)
28. Tweets during the viewing
“That NASA live 4K stream was mind blowing. I finally got my money's worth with this damn Curve TV. That s*** was AWESOME!”
“Best livestream ever”
“There is no mic drop in space.”
“Watching the #NASAlive4k broadcast with about 20 aerospace technology students”
“Watching #Astronauts Playing ping pong with drop of water from Space #ISS #Nasalive4K 😂😉😎 from a smartphone in #Sénégal Real broadcast”
34. State of Media Technology (Our View)
Rapid Technology Disruption
• Cloud-era: cloud based; microservices driven; REST APIs; “Dockerized” functionality; rapid advances
• Traditional: “heavy iron” on premise, relies on complicated software integrations; full platform changeout is time consuming / risky
Software Development
• Cloud-era: real time / agile software releases; embedded developers within business ops; more “micro than macro”
• Traditional: heavy process analysis; engineering vs. operations teams; big bang software releases
Financial
• Cloud-era: operating expense aligned with business growth; scale up / scale down as needed
• Traditional: heavily capex driven; 3 to 5 year (or longer) refresh cycles
35. Storage and infrastructure platform resources providing an architectural platform for Content Distribution, Data Management, Media Management and Business Systems.
Transition Discovery’s supply chain and business systems to a scalable and flexible infrastructure to improve speed to market, increase quality of services, and reduce costs.
36. Traditional File Delivery
• Tape based, labor intensive
• Delivery to air in weeks / months
37. Enabling Technologies
• Supply chain transformation
• Strict adherence to workflows and automation (recipes)
• Strong alignment to business systems from the front door
• Data, data, data!!!!
(Diagram: Discovery OnRamp with Amazon S3, Amazon EC2 and Amazon SNS.)
38. Enabling Technologies: Cloud Playout
• Transformative agility, flexibility
• Regional diversity
• Build an air chain in minutes
• Alignment with IT InfoSec and Compliance
(Diagram: US East Region and EU West Region, each with an Availability Zone of Amazon EC2 instances and Amazon S3, reached over AWS Direct Connect from colo/WAN transit; labels: unicast to multicast conversion, IP to video conversion, 2X1, distribution encoding, stat mux, US Region, EU Region.)
40. Agility and flexibility are tempting but….
Cloud infrastructure can be transformative
but….
Security is everyone’s mission….
Change and innovation are powerful forces for
good but…
Vendors are awesome but…
42. How AWS + Zype helped 4K Media streamline direct to consumer video publishing
June 15th, 2017
43. The Zype Team: Presenter Introduction
Chris Bassolino, COO, Zype: Co-founder and COO of Zype, the cloud video distribution service for OTT. Prior to Zype he was President of a cloud backup and security product company, Director of Marketing for LTech, a cloud systems integrator, and worked at McCann-Erickson Worldwide as a Senior Web Technologist.
Mark Kirk, SVP, Director of Digital Operations, 4K Media (a member of Konami Group), Yu-Gi-Oh!: Oversees distribution and digital platforms for the popular Yu-Gi-Oh! brand. Prior to 4K Media, he was SVP of Digital Media for 4Kids Entertainment managing the digital components of a Saturday morning children’s cartoon block which aired on Fox and The CW.
44. Agenda: Timeline
• 2008: Launch of 4kidsTV Video Portal
• 2013: AWS + Zype Platform
• 2014: Launch of Yu-Gi-Oh! Video and Fan Destination
45. 2008: 4kidsTV Video Portal
Overview of 4kidsTV.com
4kidsTV was a web destination for multiple popular animated and cartoon series including TMNT, Winx Club, Viva Pinata, Chaotic and others. It streamed over 2 million videos per month and was one of the fastest growing video websites in 2008.
46. 2008: 4kidsTV Video Portal
What were the challenges for 4kidsTV.com?
• CDN / media assets
• Analytics
• Advertising integration
• Website development
• OVP
• Server infrastructure
• Video player
47. 2008: 4kidsTV Video Portal
4kidsTV project overview
• 6 separate vendors involved in bringing the site to market
• 8 months to plan, develop and launch the site
• $$$: large expense for build and ongoing management
48. It’s complicated and expensive to launch and scale a live or on-demand video business
49. Zype automates the distribution stack
Distribution: Paywall & Ad Management; Video Players; Push-button App Builder; OTT App Templates; Content & Metadata Management; Live Event Management; Feed Management; Content Rules Management; Live & VOD Transcoding; Consumer Data Management; Storage & Streaming; Analytics
50. Zype automates the distribution stack, and we plug into everything else
Distribution (Zype): Paywall & Ad Management; Video Players; Push-button App Builder; OTT App Templates; Content & Metadata Management; Live Event Management; Feed Management; Content Rules Management; Live & VOD Transcoding; Consumer Data Management; Storage & Streaming; Analytics
Plugged in on the content and consumer sides: Content Creation; Live Stream Capture; Live Studio Management; Post-Production; Transaction Processing; Ad Demand & Ad Services; App Dev & Customization; Promotion
51. Supported by Amazon cloud services & infrastructure
Distribution stack (as on slide 49): Paywall & Ad Management; Video Players; Push-button App Builder; OTT App Templates; Content & Metadata Management; Live Event Management; Feed Management; Content Rules Management; Live & VOD Transcoding; Consumer Data Management; Storage & Streaming; Analytics
AWS services: S3, RDS, CloudWatch, CloudFormation, CloudFront, Route53, ELB, EFS, API Gateway, Elastic Transcoder, EC2, VPC, Beanstalk, Lambda, ElastiCache
52. AWS + Zype Platform: live stream workflow with Amazon cloud services
Client live streams:
• Live feed from camera(s)
• Encoded
• Sent to Zype
Zype configures:
• Transforms into multiple easily consumed streams from 1080p to audio-only
• Monetization however you’d like (AVOD, SVOD, TVOD, MIX)
Zype stores copy:
• Stores a copy in the Live DVR
Distributes anywhere:
• Distributes the live stream globally
• Customers pay for access, the revenue is always yours
• A beautiful adaptive live stream now available for their enjoyment
• Any endpoint! Web, mobile, smart TV, set-top box
53. AWS + Zype Platform
Easy to use SaaS for content owners to deliver live and on demand video to their audience on every device.
54. 2014: Yu-Gi-Oh! Video Portal
4K Media: Yu-Gi-Oh! brand
The Yu-Gi-Oh! animated franchise, with over 800 episodes, has been translated and broadcast in 65 countries on leading networks.
55. 2014: Yu-Gi-Oh! Video Portal
Overview of yugioh.com (screenshot annotations): catalog of episodes; specific full episode; other episodes featuring that character; cards that character uses; related merchandise; find out more about your favorite character.
56. 2014: Yu-Gi-Oh! Video Portal
Overview of yugioh.com
All of these relationships come together to provide more than just a site that streams video: a deeper level of interactivity and information that provides a great experience to even the most loyal fans.
57. 2014: Yu-Gi-Oh! Video Portal
2008 4kids.tv video portal vs. 2014 Yu-Gi-Oh! video & fan destination
(Diagram: the 2008 components (CDN / media assets, analytics, advertising integration, website development, OVP, server infrastructure, video player) versus AWS + Zype in 2014.)
58. 2014: Yu-Gi-Oh! Video Portal
2008 4kids.tv project stats:
• 6 separate vendors involved in bringing the site to market
• 8 months to plan, develop and launch the site
• $$$: larger upfront cost and expenses that grow as the site scales
2014 Yu-Gi-Oh! project stats:
• 2 separate vendors involved in bringing the site to market
• 4 months to plan, develop and launch the site
• $: lower upfront cost and expenses that grow as the site scales
59. 2014: Yu-Gi-Oh! Video Portal
How Zype & AWS overcame challenges
Zype enabled the consolidation of a plethora of technology vendors by providing:
● Video CMS + encoding
● Web Player
● Ad Management
● GEO + Device Rules (licensing)
● Global Content Delivery (Video + Images)
● Analytics
Plus additional features we have the option to leverage in the future such as
60. How do you provide the best user experience to viewers across device and internet connection? Elastic Encoder
61. How do you store terabytes of mezzanine files? S3
62. How do you categorize and store 8000 image assets? S3
63. How do you deliver content globally & maintain a great user experience? S3 + CloudFront
64. How do you protect against traffic spikes and save on infrastructure costs? EC2, Elastic Load Balancer, Auto-scaling
67. AWS Cloud Controls for Security
Securely storing your digital content and running media workloads
Usman Shakeel – WW Tech Leader M&E, Amazon Web Services
68. MPAA Cloud Security Best Practices (aka MPAA Cloud Controls) http://www.mpaa.org/content-protection/
• What:
– A set of guidelines based on ISO, OWASP, CSA, PCI, NIST 800-53, SANS and industry best practices
– Consists of Application Security and Cloud Security guidelines
• How:
– Not an audit, rather an ‘assessment’ or ‘inspection’
– Self assessment
– Infrastructure and application assessment
71. MPAA Cloud Security Guidelines
Security of the Cloud / Security on the Cloud
• Cloud Security: Organization & Management; Operations; Data Security
• Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Digital Security: Content Management; Content Transfer
73. MPAA Guidelines: MPAA Alignment
MPAA best practice alignment: SOC, ISO 27001, PCI DSS Level 1, FedRAMP
74. How can AWS help?
• Cloud Security: Organization & Management; Operations; Data Security
• Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Digital Security: Content Management; Content Transfer
Security of the Cloud / Security on the Cloud
75. What workloads / AWS services are relevant? (Scope of this discussion)
Playout & Distribution; Production / Post Production; Analytics; DAM & Archive; Digital Supply Chain; Publishing; OTT; Acquisition
76. Security ON the Cloud (with respect to the content pipeline)
Content Source:
• Components: on-premises, on-set, on-venue
• Requirements: secure handling; onsite security
Ingest:
• Components: AWS Network, AWS Direct Connect
• Requirements: secure transfer channel; private connectivity?
Archive, Process, Create:
• Components: Amazon S3, Glacier; Amazon EBS, EFS; Amazon EC2, Lambda; AWS Elemental
• Requirements: encryption; access control; logging and monitoring …
Distribution Channels:
• Components: Amazon CloudFront, Amazon Route53
• Requirements: DRM, watermarking, other…
Across the board: key management; logging and monitoring; application deployment; access control; catch it and remediate before it is too late; where is my content?
78. Where is my Content?
16 Regions – 42 Availability Zones – 68 Edge Locations
79. Infrastructure Recycling
• Launch a CloudFormation stack with all the infrastructure resources for a specific project
• Autoscale the stack as appropriate
(Diagram labels: AMI, CloudFormation launch template, CloudFormation terminate template.)
80. Key Management Service in AWS
Managed services to securely create, control, rotate, and use encryption keys.
(Diagram: customer master key(s) protecting data keys 1 to 4, which in turn encrypt an Amazon S3 object, an Amazon EBS volume and an Amazon Redshift cluster; Amazon KMS and AWS CloudHSM accessed from an Amazon Virtual Private Cloud via the AWS SDKs.)
AWS CloudHSM: the AWS administrator manages the appliance; you control keys and crypto operations.
82. Log, Monitor, Act - Proactively
• You are making API calls and accessing your content ... on a growing set of services around the world (Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Amazon Redshift, Amazon EC2, AWS IAM, Amazon RDS, Amazon Elastic Transcoder).
• Amazon CloudTrail is continuously recording API calls… and delivering log files to you.
• Amazon S3 / Amazon CloudFront / app logs: access logs.
• Feed logs into Amazon CloudWatch or monitor patterns on logs.
• Act fast or automate based on real-time notifications and alerts.
84. Locking down S3 access with a virtual private endpoint (VPCE)
(Diagram: an AWS region with a VPC spanning Availability Zone A and Availability Zone B, each with a private subnet running a content value-add service; Amazon S3 reached through a VPC endpoint; a virtual private gateway terminates the VPN connection from the customer network.)
VPC endpoints:
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
86. Physical Transfer of Content
• AWS Snowball
– 256-bit encryption
– Data is encrypted by the Snowball client before it reaches the Snowball appliance
– Keys are managed by KMS and are never sent to the Snowball
– Strong chain of custody
– Tamper-resistant case
– Tamper-resistant electronics (TPM)
– Each Snowball is erased according to NIST 800-88 media sanitization guidelines between every job
90. S3 Logging
• S3 Access Logs (every single access): requester, bucket, request time, request action, response status, and error code, etc.
– No extra charge
• S3 CloudTrail Logs
– Captures Amazon S3 API calls from your AWS account
– Delivers the log files to an Amazon S3 bucket that you specify
– Captures API calls made from the Amazon S3 console or from the Amazon S3 API.
91. Amazon Glacier Vault Lock
Amazon Glacier Vault Lock allows you to easily set compliance controls on individual vaults and enforce them via a lockable policy.
• Time-based retention
• MFA authentication
• Controls govern all records in a vault
• Immutable policy
• Two-step locking
93. Amazon Virtual Private Cloud (VPC)
(Diagram: VPC CIDR 10.10.0.0/16 with private subnets 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24 and 10.10.6.0/24 across AZ A and AZ B; an internal ELB in front of an autoscaling web tier and an autoscaling application tier; a multi-AZ RDS data tier with master, standby and snapshots; the existing datacenter (administrators & corporate users) reaches the virtual private gateway from a customer gateway over a VPN connection and over Direct Connect through a network partner location.)
• VPC
• Subnets
• Direct Connect
• Security Groups
• Network ACLs
• IAM
• CloudTrail
• Config
94. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
95. VPC Flow Logs security application
(Diagram: flow logs from the elastic network interface of a value-add service for high valued assets in a private subnet go to a CloudWatch Logs log group; a metric filter on all SSH REJECT records feeds a CloudWatch alarm ("If SSH REJECT > 10, then…") that notifies Amazon SNS and invokes AWS Lambda; label: source IP.)
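The "If SSH REJECT > 10" condition of slides 94 and 95, as an added example that is not part of the original deck: a small Python detector that parses default-format VPC Flow Log records (the fields listed on slide 94) and flags any source IP with more than ten rejected SSH attempts on one interface. The account ID, ENI and addresses are constructed sample values.

```python
from collections import Counter

# Field order of a default (version 2) VPC Flow Log record; matches the fields slide 94 lists.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
SSH_PORT, TCP = "22", "6"
# The same condition as a space-delimited CloudWatch Logs metric filter pattern would be:
# [version, account, eni, source, destination, srcport, destport="22", protocol="6",
#  packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]


def parse_flow_record(line):
    """Split one flow log line into a dict; return None for NODATA/SKIPDATA records,
    whose traffic fields are '-' and carry no accept/reject information."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None


def is_ssh_reject(rec):
    return rec["dstport"] == SSH_PORT and rec["protocol"] == TCP and rec["action"] == "REJECT"


def ssh_rejects_by_source(lines):
    """Count rejected SSH attempts per (ENI, source IP) across the given records."""
    counts = Counter()
    for line in lines:
        rec = parse_flow_record(line)
        if rec and is_ssh_reject(rec):
            counts[(rec["interface_id"], rec["srcaddr"])] += 1
    return counts


def noisy_sources(lines, threshold=10):
    """Return (ENI, source IP, count) for every source strictly above the threshold,
    which is what the slide's alarm would fire on."""
    return sorted((eni, src, n) for (eni, src), n in ssh_rejects_by_source(lines).items()
                  if n > threshold)


# Constructed sample records (account id, ENI and addresses are made up;
# 203.0.113.0/24 is a documentation-only range).
def _rec(src, dstport, action, i=0):
    start = 1497520000 + 60 * i
    return (f"2 123456789012 eni-0a1b2c3d4e5f 203.0.113.{src} 10.10.3.14 {51000 + i} "
            f"{dstport} 6 1 44 {start} {start + 60} {action} OK")


SAMPLE_LINES = (
    [_rec(5, 22, "REJECT", i) for i in range(12)]     # 12 rejected SSH attempts from one source
    + [_rec(9, 22, "REJECT", i) for i in range(3)]    # 3 from another source: below threshold
    + [_rec(9, 443, "REJECT", 20)]                    # rejected, but not SSH
    + [_rec(5, 22, "ACCEPT", 30)]                     # accepted SSH: not a reject
    + ["2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1497520000 1497520060 - NODATA"]
)

if __name__ == "__main__":
    for eni, src, n in noisy_sources(SAMPLE_LINES):
        print(f"ALERT {eni}: {n} rejected SSH attempts from {src}")
```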
96. Encryption: File System Encryption
• Attach both encrypted and unencrypted volumes
• No volume performance impact
• Any current generation instance
• Supported by all EBS volume types
• Snapshots also encrypted
• No extra cost
• Boot and data volumes can be encrypted
98. Leveraging a 3rd-party PaaS/SaaS (Content Access ≠ Content Transfer)
(Diagram: the studio’s AWS resources (Amazon S3, Amazon Glacier, KMS/HSM, IAM) and the PaaS/SaaS provider’s resources running on AWS (content processing applications with an IAM role and KMS key), connected by VPC peering and S3 VPC endpoints.)
1) Create a master key per title (KMS)
2) Content stored in the AWS object store is encrypted using KMS (a key per title)
3) IAM role to access content from the S3 bucket and KMS, with cross-account access
4) Processing nodes launched in the service provider’s VPC with the IAM role; they can access the S3 bucket via the S3 VPC endpoint and call KMS to get the encryption key
5) Applications across accounts can communicate via VPC peering
6) Allow cross-account access to flow / CloudTrail logs etc.
99. VFX/Rendering Hybrid Workflow
(Diagram: corporate data center (users, content servers, disk, tape storage) connected to the AWS cloud via Direct Connect and a VPN connection; in AWS: Amazon S3, Amazon Glacier, KMS/HSM, IAM, CloudTrail, a storage cache and a render farm with an IAM role and KMS key.)
1) Content lives on-premises or is transferred securely to S3
2) IAM manages user roles and policies
3) KMS to manage keys
4) AWS DX and VPN connection for private connectivity
5) Render farm runs in a VPC with flow logs; it can access content from S3 via IAM roles, or via the storage cache from on-premises storage over DX or VPN
6) CloudTrail enabled
100. Digital Dailies / Review & Approve Workflow
(Diagram: on-set users, content servers and on-set storage; AWS Snowball, AWS Storage Gateway, AWS Elemental and AWS DX from the remote site into the AWS cloud (Amazon S3, KMS/HSM, IAM, CloudTrail); remote reviewers served through Amazon CloudFront.)
1) Content generated on-set
2) Proxy generation on-site using AWS Elemental, or live ingestion
3) AWS Snowball to migrate high-res assets
4) AWS DX for private connectivity
5) AWS Storage Gateway optional for ongoing transfers
6) IAM manages user roles and policies
7) KMS to manage keys
8) Enable AWS CloudTrail and S3 Access Logs
9) No public access
10) Processing in a VPC using VPC security best practices (as earlier)
11) Content reviewed via CloudFront private distribution
101. Access Control based on Content Tier
(Diagram: in the AWS cloud, the private subnets for apps and the value-add service handling high valued assets reach S3 through VPCE1, while the private subnet for everything else uses VPCE2.)
1. Subnet route table gives connectivity to the VPCE
2. VPCE IAM policy restricts what buckets the VPCE allows access to
3. Bucket policy restricts access to specific VPCEs (or VPCs) ONLY
4. Security groups on instances further restrict which resources can access S3
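The four layers of slide 101, as an added example that is not from the original deck: Python that emits the VPC endpoint policy (layer 2) and the aws:sourceVpce bucket policy (layer 3) for the two content tiers, and a simplified model of how the layers combine to decide a request. Bucket names, endpoint IDs and subnet names are hypothetical; the model reports only the first layer that blocks, whereas real IAM evaluates all policies together.

```python
import json

# Hypothetical names for the two tiers of slide 101 (constructed, not real resources).
HIGH_VALUE_BUCKET = "studio-high-value-assets"
OTHER_BUCKET = "studio-everything-else"
VPCE_HIGH = "vpce-0aaa111"    # VPCE1: used by the high-value subnets
VPCE_OTHER = "vpce-0bbb222"   # VPCE2: used by the everything-else subnet


def bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def vpce_policy(*buckets):
    """Layer 2: endpoint policy that only lets traffic through this VPCE reach the named buckets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [arn for b in buckets for arn in bucket_arns(b)]}]}


def bucket_policy(bucket, allowed_vpces):
    """Layer 3: explicit deny for any request not arriving through an allowed endpoint.
    This also blocks the public S3 endpoint and the console, so keep a break-glass path."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaAllowedVPCE", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": bucket_arns(bucket),
        "Condition": {"StringNotEquals": {"aws:sourceVpce": list(allowed_vpces)}}}]}


# Layer 1: which VPCE each subnet's route table points at (None = no route to S3 at all).
ROUTE_TABLES = {"high-value-apps": VPCE_HIGH, "high-value-service": VPCE_HIGH,
                "other-apps": VPCE_OTHER, "isolated": None}
VPCE_POLICIES = {VPCE_HIGH: vpce_policy(HIGH_VALUE_BUCKET), VPCE_OTHER: vpce_policy(OTHER_BUCKET)}
BUCKET_POLICIES = {HIGH_VALUE_BUCKET: bucket_policy(HIGH_VALUE_BUCKET, [VPCE_HIGH]),
                   OTHER_BUCKET: bucket_policy(OTHER_BUCKET, [VPCE_OTHER])}


def _endpoint_allows(policy, bucket):
    wanted = set(bucket_arns(bucket))
    return any(s["Effect"] == "Allow" and wanted <= set(s["Resource"]) for s in policy["Statement"])


def _bucket_denies(policy, vpce):
    allowed = policy["Statement"][0]["Condition"]["StringNotEquals"]["aws:sourceVpce"]
    return vpce not in allowed


def s3_request_allowed(subnet, bucket, vpce_policies=VPCE_POLICIES,
                       bucket_policies=BUCKET_POLICIES, sg_allows_s3_egress=True):
    """Simplified model of the four layers; returns (allowed, reason)."""
    if not sg_allows_s3_egress:                                # layer 4: security group
        return False, "security group blocks egress to S3"
    vpce = ROUTE_TABLES.get(subnet)                            # layer 1: route table (no IGW/NAT)
    if vpce is None:
        return False, "subnet route table has no VPCE route"
    if not _endpoint_allows(vpce_policies[vpce], bucket):      # layer 2: endpoint policy
        return False, f"{vpce} endpoint policy does not allow {bucket}"
    if _bucket_denies(bucket_policies[bucket], vpce):          # layer 3: bucket policy
        return False, f"{bucket} bucket policy denies requests via {vpce}"
    return True, "allowed"


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICIES[HIGH_VALUE_BUCKET], indent=2))
    for subnet in ROUTE_TABLES:
        print(subnet, "->", HIGH_VALUE_BUCKET, s3_request_allowed(subnet, HIGH_VALUE_BUCKET))
```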