AWS Elemental Integration


PallyCon KMS supports SPEKE (Secure Packager and Encoder Key Exchange), which issues the keys required for Multi DRM packaging in AWS Elemental MediaConvert and MediaPackage.

You can easily integrate PallyCon Multi-DRM with AWS Elemental Media Services by entering the PallyCon KMS URL in the DRM encryption settings of MediaConvert or MediaPackage.

MediaConvert integration

MediaConvert Tutorial Video

This video is a tutorial for enabling DRM encryption on VOD content packaging with AWS Elemental MediaConvert.

Create MediaConvert IAM role

Please refer to IAM Settings AWS Guide Document and proceed as follows.

  1. In the AWS Console, select the IAM service.

  2. Click the Roles tab and select create role.

  3. Select MediaConvert and click the Next: permission button.

  4. Confirm the S3 Access and APIGateway access permissions and click Next: Review button.

    IAM role

  5. Set RoleName to MediaConvert-role and click the create role button.

    Create role

Create MediaConvert job and set IAM role

  1. In the AWS Console, select the MediaConvert service.
  2. Click the create job button on the Jobs tab to start job creation.
  3. Select the MediaConvert-role created in the previous step in the IAM role setting section of the Job settings screen.
    MediaConvert role

Set MediaConvert Input

  1. In the Input field, enter the S3 path of the content to be packaged.
    MediaConvert input

Set MediaConvert Output groups

  1. Add the output to the output groups by pressing the Add button. (DASH ISO for PlayReady and Widevine, Apple HLS for FairPlay and NCG-HLS)

    MediaConvert output

  2. In Custom group name, enter a name that is easy for you to identify.

  3. In the Destination field, enter the S3 path where the packaged files will be stored.

    MediaConvert output

  4. Select the DRM encryption option, and then enter the Resource ID, System ID, and URL.

    • Resource ID: The value corresponding to the content ID (CID) in the integration specification in DRM Token Guide.
    • System ID: The DRM-specific system ID value specified in Dash System ID. For DASH output you need to set the PlayReady and Widevine IDs (as shown below). Refer to the next sections for HLS output configuration.
      • PlayReady: 9a04f079-9840-4286-ab92-e65be0885f95
      • Widevine: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
    • Key Provider URL: Enter the following KMS URL. The KMS Token at the end of the URL is an API authentication token that is generated when you sign up for the PallyCon service; you can find it on the PallyCon Console site.
      • KMS URL format:
    • Certificate ARN: leave it blank
    • Play device compatibility: CENC v1
      DRM encryption
  5. Set the Outputs and click the Create button.

    • For Widevine, you must create the video and audio tracks as separate outputs, because some clients cannot play the content if the video and audio tracks are not divided into separate outputs. (Click the ‘add output’ button to add a track.)
      MediaConvert output 1
      MediaConvert output 2
  6. Make the generated files public, or set permissions on the S3 storage where they are stored, so that they can be played.

HLS configuration for FairPlay DRM

If you want to support Apple devices as well as others, you need to create both ‘DASH ISO’ and ‘Apple HLS’ output groups for a single input. To apply FairPlay DRM to Apple HLS output group, set the encryption options as below.

  • Encryption method: Sample AES
  • Key provider type: SPEKE
  • Resource ID: the same content ID as DASH output
  • System ID: DRM system ID for FairPlay (94ce86fb-07ff-4f43-adb8-93d2fa968ca2)
  • Key provider URL: same as DASH output (PallyCon KMS URL with enc token)
  • the other items: leave them as default

HLS configuration for NCG-HLS

You can also use the ‘Apple HLS’ output group to package HLS content with our proprietary NCG DRM instead of FairPlay DRM. For the NCG-HLS packaging, create an Apple HLS output group and set the DRM encryption options as shown below.

  • Encryption method: AES128
  • Key provider type: SPEKE
  • Resource ID: Enter the same content ID as the DASH output group
  • System ID: NCG HLS system ID (81376844-f976-481e-a84e-cc25d39b0b33)
  • Key Provider URL: PallyCon KMS URL same as DASH output group
  • Other items: leave them as default

NCG-HLS packaging additionally encrypts the AES128 key file with NCG DRM to improve the security of clear-key encryption. Playing NCG-HLS content requires the NCG Client SDK, which is provided for each OS such as Android, iOS, and Windows; NCG-HLS content cannot be played in a web browser.
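
The DASH, FairPlay and NCG-HLS settings above can be checked mechanically once a job is exported as JSON. The following is an added example, not PallyCon's or AWS's code: a small linter over the `OutputGroups` of a MediaConvert job-settings document. The field names follow the MediaConvert job JSON, and the sample job, content IDs and KMS URL are constructed placeholders.

```python
# System IDs exactly as listed on this page.
PLAYREADY = "9a04f079-9840-4286-ab92-e65be0885f95"
WIDEVINE = "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"
FAIRPLAY = "94ce86fb-07ff-4f43-adb8-93d2fa968ca2"
NCG_HLS = "81376844-f976-481e-a84e-cc25d39b0b33"
# HLS encryption method -> the system ID the page pairs it with.
HLS_PAIRING = {"SAMPLE_AES": FAIRPLAY, "AES128": NCG_HLS}

def lint_job(settings):
    """Return findings for the encrypted output groups of a MediaConvert job."""
    findings, resource_ids = [], set()
    for group in settings.get("OutputGroups", []):
        name, ogs = group.get("CustomName", "?"), group["OutputGroupSettings"]
        if ogs["Type"] == "DASH_ISO_GROUP_SETTINGS":
            enc = ogs["DashIsoGroupSettings"].get("Encryption", {})
            speke = enc.get("SpekeKeyProvider", {})
            if set(speke.get("SystemIds", [])) != {PLAYREADY, WIDEVINE}:
                findings.append(f"{name}: DASH needs the PlayReady and Widevine system IDs")
            if enc.get("PlaybackDeviceCompatibility") != "CENC_V1":
                findings.append(f"{name}: play device compatibility is not CENC v1")
            for i, out in enumerate(group.get("Outputs", [])):  # Widevine: split A/V
                if "VideoDescription" in out and out.get("AudioDescriptions"):
                    findings.append(f"{name}: output {i} carries video and audio together")
        elif ogs["Type"] == "HLS_GROUP_SETTINGS":
            enc = ogs["HlsGroupSettings"].get("Encryption", {})
            speke = enc.get("SpekeKeyProvider", {})
            want = HLS_PAIRING.get(enc.get("EncryptionMethod"))
            if enc.get("Type") != "SPEKE" or speke.get("SystemIds") != [want]:
                findings.append(f"{name}: HLS encryption method and system ID do not match")
        else:
            continue  # other group types are not covered here
        resource_ids.add(speke.get("ResourceId"))
    if len(resource_ids) > 1:
        findings.append("Resource ID (content ID) differs between output groups")
    return findings

def _enc(cid, ids, **extra):  # helper for the constructed sample below
    url = "https://kms.example.invalid/placeholder"  # placeholder, not the real KMS URL
    speke = {"ResourceId": cid, "Url": url, "SystemIds": ids}
    return {"Encryption": {"SpekeKeyProvider": speke, **extra}}

SAMPLE_JOB = {"OutputGroups": [  # constructed sample with three deliberate mistakes
    {"CustomName": "dash", "Outputs": [{"VideoDescription": {}, "AudioDescriptions": [{}]}],
     "OutputGroupSettings": {"Type": "DASH_ISO_GROUP_SETTINGS", "DashIsoGroupSettings":
         _enc("movie-001", [PLAYREADY, WIDEVINE], PlaybackDeviceCompatibility="CENC_V1")}},
    {"CustomName": "hls", "Outputs": [],
     "OutputGroupSettings": {"Type": "HLS_GROUP_SETTINGS", "HlsGroupSettings":
         _enc("movie-002", [NCG_HLS], EncryptionMethod="SAMPLE_AES", Type="SPEKE")}},
]}
```

Calling `lint_job(SAMPLE_JOB)` reports the muxed DASH output, the Sample AES group that carries the NCG-HLS system ID, and the content ID that differs between the two groups.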

Notes on CMAF Packaging

In addition to DASH-ISO and Apple HLS, CMAF (Common Media Application Format) type output can also be generated through SPEKE integration.

To ensure that CMAF content is supported in as many client environments as possible, including Apple devices, the encryption method in the DRM encryption setting should be set to AES-CBC subsample. Also, the KMS URL you enter in the Key provider URL field must use the URL below that supports CBCS encryption instead of the default SPEKE v1 URL.

Multi-key Packaging Issue

The MediaConvert service supports DRM encryption based on SPEKE v1. Unlike SPEKE API v2, which supports multi-key packaging, v1 supports single-key packaging only (all audio and video output tracks are encrypted with the same key). Therefore, DASH or CMAF content packaged with MediaConvert cannot support hardware DRM, which requires the audio and video tracks to be encrypted with separate keys.

Currently, the SPEKE v2 specification is applied to live DASH/CMAF packaging through MediaPackage service, and will be expanded to the VOD packaging function of MediaPackage in the future. (See MediaPackage integration guide below)

MediaPackage integration

AWS MediaPackage service supports real-time packaging and encryption for live or VOD content.

The tutorial video and guide document below are based on MediaPackage Live v1. If you are integrating with the newer version of the service, Live v2, please refer to the related section.

When packaging live streams via MediaLive and MediaPackage integration, the Encryption setting must be turned off in the Output Group of MediaLive.

MediaPackage Tutorial Video

This video is a tutorial for enabling DRM encryption on live stream packaging with AWS Elemental MediaPackage.

Create MediaPackage IAM role

  1. Create the role in the same way as the MediaConvert IAM role, but set the Role Name to SPEKEAccess.

  2. On the Roles tab, select SPEKEAccess role and click the Edit trust relationship button on the Trust relationships tab.

    SPEKEAccess role

  3. Change the value of Principal.Service to and click the Update button.

    Update role

Create MediaPackage Channel

  1. In the AWS Console, select the MediaPackage service.

  2. Create a channel.

    Create channel

  3. At the endpoints, press the Add button to set the endpoint.

  4. Set the endpoint name, packager settings, etc. according to the desired content specification.

  5. Configure Encryption and Outputs in the same way as MediaConvert Output groups setting no. 4.

  6. In Role ARN, enter the SPEKEAccess role you created.

  7. Click the Save button.

    MediaPackage options

For information on the input values used in the Encryption settings of a MediaPackage endpoint, refer to the MediaConvert integration guide (the previous section).

Multi-key Packaging via SPEKE v2

The MediaPackage service supports multi-key packaging based on SPEKE API v2 for live DASH or CMAF output. Multi-key packaging is a function that encrypts the output video and audio tracks with different keys when DRM encryption is applied, and is necessary to apply hardware DRM such as PlayReady SL3000 or Widevine L1.

If you select SPEKE Version 2.0 in the DASH or CMAF Endpoint settings of the MediaPackage live channel, you can apply multi-key packaging through the following options:

SPEKE v2 option

You need to input the SPEKE v2 KMS URL when you choose the SPEKE v2 integration. You can find your own KMS Token value on PallyCon Console (Multi-DRM > DRM Setting > Multi-DRM Settings).


MediaPackage Live v2

MediaPackage Live v2 is a new version of the AWS MediaPackage service released in May 2023. This version offers improved features and UI over v1, especially support for low-latency HLS (LL-HLS), which is ideal for real-time services such as live sporting events.

For more information about the MediaPackage Live v2 service, please refer to the AWS guide.

Please note the following when integrating AWS MediaPackage Live v2 with PallyCon Multi-DRM service.

Container Types

In the MediaPackage Live v1 channel, you could select a packaging type for the endpoint for output, such as DASH-ISO, Apple HLS, Smooth Streaming, or CMAF.

Instead of a packaging type, endpoints in the MediaPackage Live v2 service channel are required to select the following container types.

  • TS: Applies MPEG-TS container. Supports AES-128 (clear-key encryption) or Sample AES (FairPlay DRM).
  • CMAF: Applies fMP4 container. Supports CENC (PlayReady, Widevine) or CBCS (PlayReady, Widevine, FairPlay).

For streaming protocols that fall under the earlier packaging type option, v2 can only generate output in the form of HLS or LL-HLS protocols. (No support for DASH or Smooth Streaming)

PlayReady and Widevine DRM cannot be applied when selecting TS container, so if you want to apply DRM to various client environments with one endpoint, you must select CMAF container and CBCS encryption.

You can also consider creating two endpoints (CMAF CENC + TS Sample AES, or CMAF CENC + CMAF CBCS) for one input source if you need support for clients that do not support CMAF CBCS.

Key rotation configuration

As with MediaPackage Live v1, when applying DRM encryption to endpoints on a v2 channel, you can set the key rotation period in the Additional configuration section. (Key rotation applies when setting a period greater than 0)

Please note the following when you enable key rotation:

  • You need to add a key rotation parameter to the key server URL.
    • Add key-rotation=true parameter to the PallyCon KMS SPEKE v2 URL that you enter in Key server URL of Encryption option (enter two parameters: enc-token and key-rotation).
    • Example:
    The key-rotation parameter defaults to false when omitted. A mismatch between the Key rotation interval setting in MediaPackage Live v2 and the value of the KMS URL parameter may result in errors when playing that stream.
  • Enable key rotation in token policy when requesting DRM licenses
    • When generating a license token for content with key rotation, the key_rotation item in the token JSON specification must be set to true.
  • Enable key rotation for PallyCon Multi-DRM service account
    • In order to issue DRM licenses for content with key rotation, the key rotation right must be activated in the PallyCon service account of the site. (You can check it on the PallyCon Console > Multi DRM > DRM Settings screen.)
    • Please contact Helpdesk or our business team to request key rotation activation and inquire about additional charges.
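
The consistency rules in the list above lend themselves to a pre-deployment check. This is an added example, not PallyCon's code: it compares the endpoint's key rotation interval, the `key-rotation` and `enc-token` URL parameters and the `key_rotation` item of a license token policy, and masks the token before the URL is logged. The host and path are placeholders, and because the page does not show where `key_rotation` sits in the token JSON, the check searches the whole policy for it.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def find_key(obj, key):
    """Depth-first lookup of `key` in nested dicts/lists; None if absent."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = find_key(item, key)
            if found is not None:
                return found
    return None

def check_key_rotation(key_server_url, rotation_interval_s, token_policy):
    """Compare the endpoint's rotation interval, the KMS URL and the token policy."""
    query = dict(parse_qsl(urlsplit(key_server_url).query))
    problems = []
    if not query.get("enc-token"):
        problems.append("key server URL has no enc-token parameter")
    # Per the page, key-rotation defaults to false when omitted.
    url_rotation = query.get("key-rotation", "false") == "true"
    endpoint_rotation = rotation_interval_s > 0  # rotation applies only above 0
    if url_rotation != endpoint_rotation:
        problems.append("key-rotation URL parameter does not match the rotation interval")
    if endpoint_rotation and find_key(token_policy, "key_rotation") is not True:
        problems.append("license token policy does not set key_rotation to true")
    return problems

def redact_url(key_server_url):
    """Mask the enc-token value (an API authentication token) before logging."""
    parts = urlsplit(key_server_url)
    pairs = [(k, "REDACTED" if k == "enc-token" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))
```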

Due to the nature of the DRM key rotation feature, each rotation cycle requires a new license to be issued for every client that is playing that stream. Therefore, applying key rotation to a stream that is being played by many users simultaneously may cause license issuance delays or errors due to excessive traffic.

Customers considering live key rotation should consult with our Helpdesk or business team beforehand.