Step 1: Get on board with a CA provider Step 2: Create a policy for an API Gateway proxy Step 3: Create an IAM role

Setting up SPEKE encryption using AWS Elemental MediaConnect

Before you can grant an entitlement that uses SPEKE encryption, you must perform the following steps:

Step 1. – Get on board with a conditional access (CA) platform key provider who will manage your encryption key. During this process, you create an API in Amazon API Gateway that sends requests on behalf of AWS Elemental MediaConnect to the key provider.

Step 2 – Create an IAM policy that allows the API that you created in step 1 to act as a proxy to make requests to the key provider.

Step 3. – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and access the API Gateway endpoint on your behalf.

Step 1: Get on board with a CA provider

To use SPEKE with AWS Elemental MediaConnect, you must have a CA platform key provider. The following AWS partners provide conditional access (CA) solutions for the MediaConnect customization of SPEKE:

Verimatrix

If you are a content originator, contact your CA platform key provider for assistance with the onboarding process. With the help of your CA platform key provider, you manage who gets access to which content.

During the onboarding process, make a note of the following:

ARN of the POST method request – The Amazon Resource Name (ARN) that AWS assigns to the request that you create in API Gateway.
Constant initialization vector (optional) – A 128-bit, 16-byte hex value represented by a 32-character string, to be used with the key for encrypting content.
Device ID – A unique identifier for each device that you configure with the key provider. Each device represents a different recipient for your content.
Resource ID – A unique identifier that you create for each piece of content that you configure with the key provider.
URL – The URL assigned by AWS for the API that you create in Amazon API Gateway.

You need these values later, when you configure the entitlement in MediaConnect.

Step 2: Create an IAM policy to allow API Gateway to act as your proxy

In step 1, you worked with a CA platform key provider who manages your encryption key. In this step, you create an IAM policy that allows API Gateway to make requests on your behalf. API Gateway acts as a proxy for communication between your account and the key provider.

To create an IAM policy for an API Gateway proxy

In the navigation pane of the IAM console, choose Policies.
Choose Create policy, and then choose the JSON tab.
Enter a policy that uses the following format:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-west-2:111122223333:1abcdefghi/*/POST/*"
      ]
    }
  ]
}
```
In the Resource section, replace the sample Amazon Resource Name (ARN) with the ARN of the POST method request that you created in API Gateway with the CA platform key provider.
Choose Review policy.
For Name, enter APIGateway-Proxy-Access.
Choose Create policy.

Step 3: Create an IAM role with a trusted relationship

In step 2, you created an APIGateway-Proxy-Access policy that allows API Gateway to act as a proxy and make requests on your behalf. In this step, you create an IAM role and attach the following permissions:

The APIGateway-Proxy-Access policy allows Amazon API Gateway to act as a proxy on your behalf so that it can make requests between your account and the CA platform key provider. This is the policy you created in step 1.
A trust relationship policy allows AWS Elemental MediaConnect to assume the role on your behalf. You will create this policy as part of the following procedure.

To create an IAM role with a trusted relationship

In the navigation pane of the IAM console, choose Roles.
On the Role page, choose Create role.
On the Create role page, for Select type of trusted entity, choose AWS service (the default).
For Choose the service that will use this role, choose EC2.

You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2.
Choose Next: Permissions.
For Filter policies, choose Customer managed.
Select the check box next to APIGateway-Proxy-Access, and then choose Next: Tags.
Enter tag values (optional), and then choose Next: Review.
For Role name, enter a name such as SpekeAccess.
For Role description, replace the default text with a description that will help you remember the purpose of this role. For example, Allows AWS Elemental MediaConnect to talk to API Gateway on my behalf.
Choose Create role.
In the confirmation message that appears across the top of your page, choose the name of the role that you just created.
Choose Trust relationships, and then choose Edit Trust Relationship.

For Policy Document, change the policy to look like this:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "mediaconnect.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Choose Update Trust Policy.
On the Summary page, make a note of the value for Role ARN. It looks like this: arn:aws:iam::111122223333:role/SpekeAccess.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Key management for SPEKE

SRT password encryption