Overview 

At VIDIZMO, we provide our customers with a secure and reliable content delivery experience. Content security is a top priority, and we have taken proactive steps to mitigate potential security risks. To address concerns about unauthorized access, we have implemented AWS Private Bucket within the VIDIZMO platform.


One of the key features of AWS Private Bucket is the concept of temporary content access. Content URLs are made accessible for a limited time, and their duration is configured within your VIDIZMO portal. This time-limited accessibility serves as an additional layer of security, ensuring that your content is not exposed on the web for extended periods. 


An essential aspect of this security feature is the automatic inaccessibility of content once the defined time interval elapses. The content URL becomes inaccessible, ensuring unauthorized users cannot access it after the designated time. In cases where you require extended access to specific content, the VIDIZMO application seamlessly requests a new access token from the AWS Bucket, ensuring continuous accessibility as needed. 


By incorporating AWS Private Bucket into our platform, VIDIZMO reaffirms its commitment to providing the highest levels of security, performance, and user experience for content delivery. This implementation protects your content and safeguards your user's interaction, creating a secure and reliable platform for your organization's content needs.


Prerequisite 

  • Ensure that you have administrative or manager access to your VIDIZMO Portal. 
  • You should have an Active AWS account with appropriate administrative access to configure IAM roles and permissions. 
  • You must have an active AWS S3 (Simple Storage Service) subscription. This subscription provides the cloud storage infrastructure and services to implement AWS private bucket.


AWS Configuration

Before commencing the Setup Wizard, it is imperative to address crucial steps within the AWS Console for your VIDIZMO portal's configuration.


Getting Required Parameters 

  • Log in to the AWS Management Console using your credentials.
  • Select an existing user or create an AWS user designated for configuring AWS Content, Encoding Provider, and indexing services. For example, User name: IAMUsername 
  •  The ARN will be automatically generated by AWS when you create the user. You cannot modify it. Example: arn:aws:iam::123456789012:user/IAMUsername.The Amazon Resource Name (ARN) is associated with the IAM user. ARNs are unique identifiers within AWS and are essential for referencing resources programmatically.
  • Navigate to the Identity and Access Management (IAM) service.
  • Within the user details, access the Security credentials tab.
  • Verify if the user already has Access Key and Secret Key; note them down if available.
  • If no keys exist, proceed to the "Access keys" section.
  • Create a new set of Access Key and Secret Key.
  • Save the Access Key and Secret Key securely, treating them as sensitive information.
  • For additional guidance, consult the "AWS Identity and Access Management" guide in the AWS documentation.



These keys are essential when configuring an AWS private bucket in VIDIZMO.

AWS Console Considerations

For seamless interaction between your VIDIZMO portal and your AWS storage account, ensure that your IAM user possesses the "AmazonS3FullAccess" permission to interact with Amazon S3 services.

  • To configure permissions for users, navigate to the Users page and then select the Permissions tab. From there, you can add policies by either searching for existing ones or creating an inline policy. If you choose to create an inline policy, you can use the JSON snippet provided below to generate an "AmazonS3FullAccess" policy, which grants full access to Amazon S3 resources. Assign this policy to the relevant user for appropriate access management.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}


  • If you're utilizing the AWS standard encoder instead of the VIDIZMO encoder, grant the user permissions for MediaConvert. This custom policy enables the designated IAM principal to oversee media-related services such as MediaConvert, MediaPackage, and MediaPackage VOD, as well as execute Systems Manager actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "mediaconvert:*",
        "mediapackage:*",
        "mediapackage-vod:*",
        "ssm:*"
      ],
      "Resource": "*"
    }
  ]
}


Create a Role

1. You can create an IAM role using the AWS Management Console.

2. In the left navigation pane, click on "Roles" to access the Roles dashboard.  

3. In the Roles dashboard, click on the "Create Role" button to initiate the role creation process.

4. When on the "Create Role" screen, choose the trusted entity type by selecting "Custom Trust Policy."



5. AWS Trust Policy: Establish a trust relationship for the role with the user "IAMUsername," enabling it to assume the necessary permissions for accessing content within a private bucket.


Note: It's recommended that permissions not be granted directly to users. Instead, utilize roles with trust policies to enforce the principle of least privilege.

In the Custom Trust Policy section, edit the policy. The trust policy document is written in JSON format. Here, you'll specify the user(s) or group(s) allowed to assume the role.


AWS Trust Policy

Ensure to use the ARN of the account user whose credentials are being used to run the setup wizard.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Your-Account-ID>:user/<IAM-User-Name>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


6. In the following step, if you plan to utilize the VIDIZMO encoder, select "AmazonS3FullAccess." However, if you prefer the AWS standard encoder, you need to include the "AWSElementalMediaConvertFullAccess" policy. This policy provides complete access to MediaConvert functionalities in addition to the "AmazonS3FullAccess" policy. Remember, these policies are managed by AWS, so you don't need to create them yourself. If you're using the VIDIZMO encoder, you can exclude the AWSElementalMediaConvertFullAccess policy.




You can also create or edit policies for AmazonS3FullAccess. In the left navigation pane, click on "policy" to access the Policies dashboard. Here is the JSON script of AmazonS3FullAccess and AWSElementalMediaConvertFullAccess.


AmazonS3FullAccess 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

AWSElementalMediaConvertFullAccess 


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mediaconvert:*",
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "mediaconvert.amazonaws.com"
                    ]
                }
            }
        }
    ]
}


7. Provide a name for the role name and description.

8. Click "Create role" to finalize the role creation. AWS will generate the ARN for the role, which can be used to reference the role in various AWS services. For example, ARNRole: arn:aws:iam::123456789012:role/RoleName.



Creating an Amazon S3 Bucket

To create an Amazon S3 bucket and Access your AWS Management Console with the same account credentials used to obtain your Access Key and Secret Key, follow this step-by-step guide, "Create an Amazon S3 Bucket".


To know more about it, kindly refer to the "Creating a Bucket" guide.


Note: We advise enabling Access Control Lists (ACL) to facilitate data sharing with users outside your account.


Setting Up AWS Private Bucket in VIDIZMO

  1. Log into the Portal and click the Menu icon on the top left-hand corner of the screen to open the left navigation pane.
  2. Expand the Admin section by clicking on the down arrow. 
  3. Click on Control Panel from the navigation panel.


4. On the Control Panel navigation pane.

5. Select the Setup Wizard. 

6. Click the “Run Wizard Again” button on the setup wizard screen.



7. Select AWS to configure it as your VIDIZMO Storage for your system from a list of available options in the drop-down. 

8. Select an Encoder to configure for your system from a list of available options in the drop-down. In this case scenario, we are selecting AWS Standard Encoder.


Note:  When opting for the  Encoder, there is also the flexibility to choose either the AWS Standard Encoder, VIDIZMO On-Premise Encoder, or the VIDIZMO Cloud Encoder, based on your preference. It is important to note that selecting a specific encoder will affect the input fields of the following steps, which are described in the next section of the article.


9. To continue to the next tab, click the Next button. 

  


10. Select Global as the Subscription Type. You may also select the Government or China as per your needs. 

11. Enter the Access Key you got when setting up an AWS account, as described in the above section of this document. Refer to "Getting Required Parameters."

12. Enter the Secret Key.

13. Enter the name you want to set as Bucket Name for your storage in AWS.  

Note: VIDIZMO gives you the functionality of using an already created bucket here. Also, the storage bucket name should be Globally Unique. If your bucket name is not unique, then VIDIZMO will automatically add a timestamp at the end of the bucket name to make it unique. 

14. Select the storage class as per your requirements. VIDIZMO offers connectivity with two storage classes; 

a) S3 Standard  

b) S3 Intelligent Tiering

15. Select the location of your storage bucket from this field. Ensure that you designate the identical location in VIDIZMO as the location of your bucket.

16. Enable AWS Private Bucket. (by default, VIDIMZO enables it).

17. Provide the content URL expiry time. (by default, VIDIZMO sets its value to 15 minutes), but you can manually adjust it as described in the next section of this article. 

18. Provide the ARN (Amazon Resource Name) of the IAM role the system will assume for authenticating private URLs. 

19. Click Next to navigate to the Transcoder section. 



20. Enter the Media Role ARN in the designated field. Ensure the IAM role possesses full access permissions for S3. The MediaConvert service requires the Role ARN to grant authorization for S3 bucket access, facilitating object uploading and downloading.

21. If you want to transcribe video and audio automatically, enable Automatic Processing.

22. Enable the “Migrate Content” option to migrate content to CDN with SAS.  

23. Click Done. 



Encoder Selection and Configuration Variations

Selecting VIDIZMO On-Premise Encoder

If the user opts for the VIDIZMO On-Premise Encoder in conjunction with AWS as the storage, the configuration for the storage tab can follow the guidelines outlined in the preceding section of this document. However, it is noteworthy that the Transcoder tab will exhibit some variations. 


This variation arises because the VIDIZMO On-Premise Encoder does not require any obligatory information from the user. Selecting this encoder automatically activates all encoding profiles associated with it. The Smart Encoding option has been added, ensuring that any video formats not supported by the VIDIZMO player will be automatically sent for transcoding. For more information on this feature, please refer to our article on Smart Encoding.



SAS Token Mechanism for Content Serving

The SAS (Shared Access Signature) Token Mechanism for Content Serving in an AWS S3 private bucket initiates a user's request to access a specific resource, including the resource's URL. VIDIZMO then authenticates and authorizes the user, generating a unique SAS token containing details like the resource URL, permissions, expiration time, and optional constraints.


This token is appended to the resource's URL, creating a temporary access link. Users receive this modified URL, enabling access requests. VIDIZMO validates the attached SAS token, and if permissions align and the token is valid, the resource is served from the private bucket. Once the token's predefined duration elapses, it automatically becomes invalid, revoking access and ensuring controlled and secure content delivery.



Update SAS Expiry


  1. Proceed with the steps outlined in the preceding section of this document and access the storage provider within the control panel pane.
  2. Click on the edit option against the storage provider/record that serves mashup contents (audio, video, image, document, and closed caption). 



3. Click the continue button to proceed.



4. Within the "Content Access Token (Expiry)" field, please provide the token's expiration time in minutes. This duration determines the accessibility period for downloaded content through the SAS token. Note: The token's expiration time should not exceed 60 minutes.

5. Click Update to save changes.