AWS for M&E Blog
Building a strong identity foundation: Aligning to the MovieLabs Common Security Architecture for Production (CSAP)
In the previous blog in the series, Aligning AWS security services to MovieLabs Common Security Architecture for Production (CSAP), we discussed MovieLabs, the Common Security Architecture for Production (CSAP), and how customers can begin to implement CSAP using Amazon Web Services (AWS). We focused on the three foundational concepts of CSAP: Zero Trust, Intrinsic vs Extrinsic Security, and Authentication & Authorization. In this blog, we focus on the AWS services that help customers build a secure identity foundation that aligns with the core and supporting components of the CSAP.
Building an identity foundation
Having a strong identity foundation is a design principle of the AWS Well-Architected Security Pillar, which focuses on the principle of least privilege, enforcing separation of duties for interactions with AWS resources, centralizing identity management, and eliminating the reliance on long-term credentials. The emphasis on having a strong identity foundation is present in the MovieLabs 2030 vision as well. For example, one of the ten guiding principles in the vision is “Every individual on a project is identified and verified and their access permissions are efficiently and consistently managed”. This is further supported by the CSAP components that outline identity management, authorization and authentication, policy enforcement, and asset protection.
AWS alignment: CSAP core components
In the CSAP, the core components are the building blocks of a secure environment for production systems. The authentication service ensures that every identity involved in an interaction is authenticated before an action is authorized. Once an identity is authenticated, the authorization service determines what permissions the identity has within the system by interfacing with the identity management supporting component. Permissions are enforced by the policy service at enforcement points within the production system. Finally, the asset protection service uses a combination of encryption and policies to restrict access to assets within the production system. To better illustrate how AWS services map to the CSAP core components, we outline a practical example.
Figure 1: Dailies editing workflow using the MovieLabs visual language
In figure 1, we denote and distinguish each CSAP component with a colored number. In figure 2, these numbers are mapped to the corresponding AWS service or feature that aligns to the CSAP component.
Alice is an editor, an individual who assembles footage into the finished work, who uses digital content creation (DCC) tools running on a cloud virtual workstation. When Alice begins her day, she logs in to her workstation via a connection manager using her company-provided credentials. Behind the scenes, Alice’s credentials are used to authenticate against the corporate Active Directory (AD). Depending on the Identity Provider (IdP), you can perform device health or posture assessments to ensure that Alice authenticates from a trusted device. Alice’s domain user is part of an AD group that allows her to authenticate to the virtual workstation and perform her creative work.
Now that Alice is logged in to the workstation, she can pull dailies footage to start editing. The dailies footage is stored in Amazon Simple Storage Service (S3) and is viewable using an asset management system accessed on the virtual workstation. The workstation uses temporary credentials that allow her to read and write assets to or from the Amazon S3 bucket. Even though the workstation has permissions to perform actions on assets in the bucket, the bucket has security built-in at multiple layers that further restricts who or what can access the assets and under what circumstances.
For example, assets within the bucket are encrypted using AWS Key Management Service (KMS) keys, which have their own resource policies to restrict access. In addition, traffic to and from the Amazon S3 bucket is kept private using an Amazon Virtual Private Cloud (VPC) endpoint powered by AWS PrivateLink. Finally, the bucket has a policy that allows requests only if they come through the endpoint using an encrypted channel, and the endpoint has a policy that restricts which workstations can send traffic through the endpoint.
The previous steps are abstracted away from Alice so she can focus on her creative work. Now that we have an example, we discuss the AWS services that power each part of the workflow in more depth and the CSAP components they align to.
Figure 2: Dailies editing workflow with AWS services
Authentication and authorization service
Alice’s entry into the workflow is gated by an authentication mechanism backed by the corporate Active Directory domain (1). AWS Directory Service lets you extend your existing AD domains or create new domains in the cloud that are managed for you. Common AD controls such as group policies, password policies, and multi-factor authentication (MFA) are available when users interact with cloud resources. In addition, you can set account lockout policies that define the number of failed login attempts allowed and specify the lockout period once that threshold is reached. These controls align with the trust inference supporting component of the CSAP, which analyzes contextual parameters to inform if, and how, a user should be authenticated.
The workstation that Alice is logged in to has an Amazon Elastic Compute Cloud (EC2) instance profile that provides temporary credentials to the instance (4). The credentials are used by the applications on the workstation to interact with dailies footage stored in Amazon S3 (2/5). To learn more about instance profiles for Amazon EC2, please refer to the documentation.
Extending beyond the previous use case, customers can leverage Amazon Cognito, AWS Identity Center, or an AWS Partner to provide authentication and authorization for their workflow or applications. Amazon Cognito helps customers create and manage user identities or allows users to sign in from popular social, SAML, or OIDC identity providers for web and mobile applications. You can also track the devices that users sign in from and limit the devices used. AWS Identity Center provides workforce single sign-on capabilities to your cloud applications and AWS resources.
Policy and asset protection service
In the previous example, Alice and AWS resources are granted permissions by the authorization service and permissions are enforced by the policy service at policy enforcement points. AWS Identity and Access Management (IAM) analyzes requests to AWS services and enforces all applicable policies when determining if an action should be authorized (2/3). The workflow for retrieving and storing assets is protected by four policies: the IAM policy attached to the Amazon EC2 instance profile, the VPC endpoint policy, the Amazon S3 bucket policy, and the KMS key policy (2). This can be extended one level further to the AWS Organization using Service Control Policies (SCPs) that limit what actions can be taken across AWS accounts. These are useful when you want to prevent actions from happening across multiple accounts within an organization. Now, we will take a deeper look at each of the layered policies.
The IAM policy attached to the Amazon EC2 instance profile gives the workstation permissions to interact with assets stored in Amazon S3. This type of policy is referred to as an identity policy. Permissions can be set at a granular level including write permissions to specific prefixes within the Amazon S3 bucket and read permissions at the individual asset level. For high-value assets stored in Amazon S3, we want to restrict who or what can interact with the assets at the bucket level as a centralized policy enforcement point. Permissions applied to resources, like Amazon S3 buckets, are called resource policies and can be combined across resources to create a data perimeter. A data perimeter ensures that only trusted identities can interact with trusted resources from expected networks and aligns with the asset protection service in the CSAP.
The data perimeter in this example starts with the VPC endpoint. The endpoint ensures traffic to and from Amazon S3 is kept private and does not traverse the public internet. You can attach an endpoint policy to your VPC endpoint to restrict access to Amazon S3. The policy defines who or what can perform actions, the actions they can perform, on what resources, and under what conditions. In the Amazon S3 bucket policy, you can set permissions to only allow access from the VPC endpoint using the aws:SourceVpce condition and ensure traffic is encrypted in transit using the aws:SecureTransport condition. This further enforces the data perimeter and effectively blocks any requests to the bucket that originate somewhere other than the VPC endpoint.
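The endpoint-only and encrypted-transport restrictions above, as an added example that is not code from the blog or from AWS: a Python model of the bucket policy's two explicit Deny statements and a minimal evaluator for the aws:SourceVpce and aws:SecureTransport conditions. The endpoint id and bucket name are constructed placeholders, and the evaluator covers only the two condition operators used here and the explicit-deny rule, not the full IAM policy engine.

```python
# Added example (not from the blog or AWS): a simplified model of the
# data-perimeter bucket policy, written as explicit Deny statements on the
# aws:SourceVpce and aws:SecureTransport condition keys. The evaluator
# implements only the two operators used here, not the IAM policy engine.

EXPECTED_VPCE = "vpce-0123456789abcdef0"            # placeholder (constructed)
BUCKET_ARN = "arn:aws:s3:::example-dailies-bucket"  # placeholder (constructed)
RESOURCES = [BUCKET_ARN, BUCKET_ARN + "/*"]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Block any request that did not arrive through the VPC endpoint.
            "Sid": "DenyRequestsOutsideVpcEndpoint",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": RESOURCES,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": EXPECTED_VPCE}},
        },
        {   # Block any request that is not encrypted in transit (plain HTTP).
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": RESOURCES,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

def condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context (subset of operators)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                # A missing key counts as "not equal", so a request carrying no
                # aws:SourceVpce (e.g. from the public internet) still matches.
                if actual == expected:
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True

def is_blocked(request_ctx, policy=BUCKET_POLICY):
    """True if any explicit Deny statement matches; an explicit Deny always wins."""
    return any(stmt["Effect"] == "Deny" and condition_matches(stmt["Condition"], request_ctx)
               for stmt in policy["Statement"])
```

A request from the workstation through the expected endpoint over TLS passes both statements; a request that arrives over the public internet, through a different endpoint, or over plain HTTP is denied regardless of what the instance profile's identity policy allows.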
Finally, assets within the Amazon S3 bucket are encrypted using KMS keys. Each key has a policy that defines who or what is allowed to perform encrypt and decrypt operations with the key. This additional security aligns to the asset protection service in the CSAP and works in conjunction with the layered policies described above. For more information about the different encryption options for Amazon S3, please refer to the documentation.
Conclusion
In this blog, we discussed the importance of building a strong identity foundation in AWS and introduced the core and supporting components of the MovieLabs Common Security Architecture for Production (CSAP). To illustrate the mapping between AWS services and the CSAP components, we explored a practical use case commonly found in production workflows. In the example use case, Alice edits dailies content on a cloud virtual workstation where security is applied at every layer. Even with layered security, Alice can edit her content easily and securely because the security enforcement happens behind the scenes. The next blog in this series will extend our example workflow to cover more production use cases and discuss additional security controls related to networking, encryption, and more that align to the CSAP.