How to protect data with server-side AES encryption

Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). There are primarily two ways to protect data via server-side encryption on AWS, namely Amazon S3-Managed Keys (SSE-S3) and AWS KMS-Managed Keys (SSE-KMS).

Which method to use?

With Amazon S3-Managed Keys (SSE-S3), you ask Amazon S3 to encrypt files of any type before saving them to disk in its data centers, and to decrypt them when you download the objects. The objects are encrypted with 256-bit AES (AES-256), so that they can't be interfered with while you upload, store and download them.
You can encrypt video and audio with Elastic Transcoder, manually, or via a bucket policy.
This service is free on AWS and has no special requirements regarding Footprint Player. However, this method does not prevent download apps from grabbing videos or audio: it only protects the files in transit and at rest, not while they are played back in a player.

With AWS KMS-Managed Keys (SSE-KMS), the enhanced encryption method, you create a Customer Master Key (CMK) in the IAM console to protect video and audio files. This option is presumed to give better protection against some download apps, but the AWS service costs $1/month per key you create (you only need one key for all files), plus additional charges for the key requests (see https://aws.amazon.com/kms/pricing/). This isn't too expensive, and the measure may protect you against certain download apps.
Important note: Video DownloadHelper, an add-on for Chrome and Firefox, cracked this method of protection a few weeks after we tested AES encryption. You may expect other download apps to find a way around this protection too.
With Video.js, AWS KMS keys can be used without restriction. S3Media Stream shipping with JW Player requires an Enterprise JW Player license with a minimum fee of $800/year.

Note: You can't use two encryption types at the same time. Choose one or the other.

Amazon S3-Managed Keys (SSE-S3)
AWS KMS-Managed Keys (SSE-KMS) - enhanced encryption

Encrypting file(s) with Amazon S3-Managed Keys (SSE-S3)

Go to the AWS console and log into https://s3.console.aws.amazon.com/s3. There are different ways to encrypt files server-side in an S3 bucket:

  1. Encrypt individual files
  2. Encrypt folder with all its content
  3. Create bucket policy

With a bucket policy, all uploaded files are encrypted automatically from the moment the policy is activated. If you followed the tutorial Preparations upfront for Footprint Player, you have already learned how to set the 256-bit encryption for the bucket. Files uploaded before the policy was activated need to be encrypted by hand.

1. Encrypt individual files

To encrypt an individual file, choose the bucket and select the file you want to encrypt:

Then go to More and select Change Encryption:

A box opens, with several options:

Select AES-256 encryption. Click the Save button. This opens a confirmation box with some basic info about the file:

Click the Change button to encrypt the file.

2. Encrypt folder with all content

This time, select a folder in the bucket of your choice and follow the same procedure as in option 1. The difference in the last step is that you also get information about how many files in the folder will be affected:

Click Change to encrypt them all. When there are a lot of files in the folder, this may take a while. A progress bar shows up at the bottom of the page:

Don't navigate away until it is done. Watch for errors, and if there are any, repeat the process.
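For option 3, the bucket policy, the classic pattern is to deny any PutObject request that does not ask for AES-256. The Python below is an added example, not part of this tutorial or of Footprint Player: the bucket name is a constructed placeholder, and upload_allowed() only simulates the two condition operators this policy uses.

```python
"""Bucket policy that refuses uploads not encrypted with SSE-S3 (option 3 above).
Added example, not from the tutorial; the bucket name is a constructed placeholder."""
import json

BUCKET = "example-footprint-media"  # constructed placeholder
SSE_KEY = "s3:x-amz-server-side-encryption"  # real S3 condition key


def sse_bucket_policy(bucket: str, algorithm: str = "AES256") -> dict:
    """Two Deny statements: one for a wrong algorithm, one for a missing header.
    The Null statement covers requests that omit the header entirely; using both
    is the pattern AWS documents for enforcing server-side encryption."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"StringNotEquals": {SSE_KEY: algorithm}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": resource,
         "Condition": {"Null": {SSE_KEY: "true"}}},
    ]}


def upload_allowed(policy: dict, headers: dict) -> bool:
    """Simulate a PutObject against the policy using only the request headers.
    Handles the two operators this policy uses; an explicit Deny wins, as in IAM."""
    value = headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "Null" in cond and (value is None) == (cond["Null"][SSE_KEY] == "true"):
            return False
        # Negated operator: an absent header also counts as "not equal".
        if "StringNotEquals" in cond and value != cond["StringNotEquals"][SSE_KEY]:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(sse_bucket_policy(BUCKET), indent=2))
    print(upload_allowed(sse_bucket_policy(BUCKET), {"x-amz-server-side-encryption": "AES256"}))
```

Files uploaded before the policy was attached are untouched by it, which is why the tutorial has you encrypt those by hand.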

AWS KMS-Managed Keys (SSE-KMS) - enhanced encryption

Important: don't use this method for protected download links. Your first bucket is probably encrypted with the simple 256-bit (SSE-S3) method, so if you plan to use the enhanced encryption, create a separate bucket with its own web distribution.

Create a new Customer Master Key in the AWS console

Sign in to the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/. In the left navigation pane, choose Encryption keys:

AWS KMS

If you have used Elastic Transcoder before, there is probably already a Customer Master Key (CMK), but you need to create a new one. Before that, select the appropriate AWS Region, which must be the same as the one selected for the bucket:

Select Region

Then click the blue Create key button. This gives the following screen:

Create a Customer Master Key

As you can see on the left, there are 5 steps to create a key.

Type an Alias for the CMK, the display name you use to identify it. We recommend an alias that indicates the type of data you plan to protect with the CMK, for instance: hls-adaptive-key.
An alias cannot begin with aws; that prefix is reserved by Amazon Web Services for the AWS-managed CMKs in your account.

Description is optional, but we recommend a description that explains the type of data you plan to protect, for instance: Videos on mydomain.com

Advanced Options can be left as they are, that is to say, with the default KMS selected as key material origin:

Advanced options

Select External only if you want to supply your own key material. As that is more complex and offers no real advantage here, we suggest you don't select it; in any case, this tutorial doesn't cover it.
Then, at the bottom right, click the blue Next Step button. We proceed automatically to step 2:

Add a Tag

Add Tags is optional. Type a tag key and, if you like, a tag value. For more info on tags see https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
To add more than one tag to the CMK, choose Add tag.
Choose Next Step at the bottom right to proceed to step 3. In this step you may see a range of users or just a few. Here you select the IAM users and roles that can administer the CMK:

Select IAM user

The AWS account (root user) has full permissions by default, but in some cases you may select other IAM users with the appropriate permissions to administer the CMK.
Important: To prevent the IAM users and roles that you chose from deleting this CMK, clear the box at the bottom of the page, Allow key administrators to delete this key:

Disallow Delete keys

When done, click the Next Step button at the bottom right to go to step 4.
There you get the list of IAM users and roles in your AWS account again. There are two possibilities here:

  1. If you used Elastic Transcoder before, there should be an IAM role called Elastic_Transcoder_Default_Role or something similar. Make sure you select that one, because to protect HLS segments using this key you can instruct Elastic Transcoder to encrypt them automatically:

Select IAM user for ET

  2. If you never used Elastic Transcoder before, you don't have a role called Elastic_Transcoder_Default_Role or something similar. If you want to use HLS adaptive streaming or MPEG-DASH, you need to create a Pipeline in Elastic Transcoder before you can proceed, so that this particular role is created for you. See the tutorial Embed an HLS adaptive streaming video and follow the part that shows how to create a Pipeline. Once that is done, return to this tutorial.

Click Next Step at the bottom right to get to step 5, which is a preview of the key policy. (It's the last chance to cancel the creation of the CMK, if needed.)

Scroll down in the policy window to verify that the Elastic Transcoder default role has the correct permissions. The parts marked in red should look similar to this:

    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::5xxxxxxxx8:role/Elastic_Transcoder_Default_Role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::5xxxxxxxx8:role/Elastic_Transcoder_Default_Role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }

If not, click the Previous button at the bottom right to select the Elastic Transcoder default role.
Click Cancel to break off the creation of the CMK (in which case nothing is charged), or click Finish to create the CMK, which will be charged $1 a month until you delete it.
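Instead of eyeballing the preview, you can save the key policy (for example with aws kms get-key-policy --key-id <id> --policy-name default) and check it programmatically. The Python checker below is an added example, not part of this tutorial or of AWS; the account id in the sample role ARN is a constructed placeholder, and the embedded sample policy repeats the two statements shown above.

```python
"""Sanity-check a KMS key policy for the Elastic Transcoder role's permissions.
Added example, not from the tutorial; the account id is a constructed placeholder."""
import fnmatch

ET_ROLE = "arn:aws:iam::111122223333:role/Elastic_Transcoder_Default_Role"  # placeholder
# Concrete actions the policy must cover; the policy itself may use wildcards.
REQUIRED = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
            "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
GRANT_ACTIONS = REQUIRED[-3:]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy: dict, principal_arn: str) -> set:
    """Actions from REQUIRED that Allow statements grant to principal_arn (or to "*").
    Principal/Action may be a string or a list; wildcards like kms:ReEncrypt* are expanded.
    Deny statements and Conditions are ignored: a sanity check, not a full IAM evaluation."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt["Action"]):
            granted.update(a for a in REQUIRED if fnmatch.fnmatchcase(a, pattern))
    return granted

def missing_permissions(policy: dict, principal_arn: str) -> list:
    """Required actions the principal does not get; an empty list means the policy is fine."""
    return sorted(set(REQUIRED) - allowed_actions(policy, principal_arn))

# Constructed sample: the two statements shown above, keyed to the placeholder role.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [ET_ROLE]}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": [ET_ROLE]}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

if __name__ == "__main__":
    print("missing:", missing_permissions(SAMPLE_POLICY, ET_ROLE) or "none")
```

To check a real key, load the JSON returned by get-key-policy (it is a string inside the Policy field) and pass it to missing_permissions() together with the role ARN shown in your own policy.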

Now you can use the CMK in Elastic Transcoder to encrypt files while converting a master video or audio to HLS and MPEG-DASH.
Note: the m3u8 and mpd playlists themselves are not encrypted, only the video/audio segments. When you download a video .ts segment, you will notice that it won't play on your computer because there is no key available to decrypt the video.
A master video used for HLS transcoding is not encrypted, although you can do this manually in the S3 bucket. However, if you ever delete the key, the files can't be decrypted, so make sure you have an unencrypted backup somewhere.

That's it.