PallyCon > Content Security  > Multi-DRM  > How to Enable DRM Encryption in AWS Media Services
DRM encryption in AWS media services

How to Enable DRM Encryption in AWS Media Services

AWS Media Services and SPEKE API

AWS Media Services are a family of fully managed services that make it easy to build reliable, broadcast-quality video workflows on the cloud. AWS Elemental MediaConvert is a file-based video transcoding service with broadcast-grade features. It allows users to easily create video-on-demand (VOD) content for broadcast and multiscreen delivery at scale. AWS Elemental MediaPackage is a video origination and just-in-time packaging service which allows anyone to securely and reliably deliver streaming content at scale.

In terms of ‘secure content delivery’, it is very common and important to apply Digital Rights Management (DRM) technology to the content. AWS Elemental MediaConvert and MediaPackage support the Secure Packager and Encoder Key Exchange (SPEKE) API to enable DRM encryption of DASH/HLS outputs by a simple configuration.

Watch this video – Package content using AWS Elemental Media Convert

What is the SPEKE API?

The ‘Secure Packager and Encoder Key Exchange (SPEKE)’ specification defines the standard for communication and authentication between encryptors and packagers of media content and DRM key providers.

SPEKE is an open, royalty-free API specification based on the DASH-IF Content Protection Information Exchange Format (CPIX) specificationand adds information to standardize communication and authentication between key servers and encoders, transcoders, and origin servers. For example, Pay TV operators or OTT service providers can easily and quickly apply PallyCon multi-DRM protection to live streams or VOD content generated by AWS Elemental Media Services or AWS Elemental appliance-based solutions with just a simple setup.

SPEKE API Integration between AWS Media Services and PallyCon Multi-DRM

SPEKE API Integration between AWS Media Services & PallyCon Multi-DRM

PallyCon Multi-DRM supports the SPEKE API integration to help our customers enable DRM encryption with AWS Media Services easily.

When you package your VOD or live sources using AWS Elemental MediaConvert or MediaPackage, you can configure the SPEKE API integration on the AWS console. Then the encrypted DASH or HLS stream can be delivered by Amazon CloudFront or any other CDN.

When the client player plays the content, it will request the encryption key to PallyCon key server to decrypt and play the content.

In this DRM license request, you can set various playback policies and security policies. For example, you can enable the download and offline playback, and limit the playback period. You can also set the DRM security levels and output protections, which are required by content owners. (like Hollywood studios)

How-to Guide

In this article, I will show you how to enable DRM encryption in AWS Elemental MediaConvert for a DASH VOD output.

You can also do the same in AWS Elemental MediaPackage for live stream content with similar configuration.

For the detailed steps of the integration, please check the video tutorial below.

Video Tutorial


If you want to follow the tutorial, you need to prepare the items below.

  • An account on PallyCon Multi-DRM service (free trial available)
  • AWS account and basic knowledge of AWS services such as IAM, S3, and Media Services

Step 1 — Create a job with a proper role and input

To create a MediaConvert job, you need to set a ‘MediaConvert role’ to the job. Then you may set the source video file as the input of the packaging job.

Step 2 — Create output groups and set DRM encryption

You need to create output groups as below considering your target platforms.

  • DASH ISO output with Widevine and PlayReady DRM: For Chrome, FireFox, Edge, IE11 browsers and Android mobile and various OTT devices
  • Apple HLS output with FairPlay Streaming DRM: For Safari browser and Apple devices such as iPhone, iPad, AppleTV.

Configure the ‘DRM encryption’ settings as explained in the video tutorial and our online guide.

Step 3 — Create and setup outputs for audio and video

For DASH output, you need to separate the audio and video outputs. It is required to support Widevine DRM clients.

Step 4 — Configure S3 storage and test packaged output

After the packaging job is done, you need to set the output S3 bucket as ‘public’ to test the playback. You also need to allow the ‘Cross Origin Resource Sharing’ (CORS) on the storage.

If you deliver the content to end users via CDN, these configurations should be done on the CDN edge.

Finally, you can try the playback of the DRM-encrypted content on our DevConsole website as shown in the video tutorial.

Need any help?

Thank you for reading this article. If you want more information or need any help, please check our website or contact us at