Establishing digital content authenticity
This Guidance demonstrates how to apply the Coalition for Content Provenance and Authenticity (C2PA) standard to track the provenance of media workloads on AWS. C2PA allows you to create digitally signed manifests that accompany digital assets and document their provenance in a secure, tamper-evident format. This Guidance automates the process by using the open-source C2PA command-line tool wrapped in a Docker container. An AWS CloudFormation template then creates an application, using either AWS Fargate or AWS Lambda, that accepts each digital asset along with its input arguments and produces a C2PA sidecar file documenting the asset's origin.
Architecture Diagram
AWS Fargate
This architecture diagram shows how you can generate a C2PA manifest sidecar file for a media workload in your AWS account using AWS Fargate. The same flow also works with AWS Lambda, as shown in the AWS Lambda section below.
Step 1
The certificate and private key are obtained from the certificate authority.
Step 2
The media asset management (MAM) system sends an HTTP POST to the internal Application Load Balancer. The request parameters include presigned URLs for a digital asset, a JSON assertions file, and a parent C2PA manifest (if applicable), all stored in Amazon Simple Storage Service (Amazon S3). The caller can also provide the JSON assertions in the request body rather than by URL.
Step 3
The Application Load Balancer forwards the POST request to an AWS Fargate task running a FastAPI application.
Step 4
The Fargate task uses the presigned URLs to download the digital asset, JSON assertions file, and parent C2PA manifest from Amazon S3 to its attached ephemeral storage.
Step 5
Fargate retrieves your digital certificate and private key from AWS Secrets Manager and stores the values in environment variables.
Step 6
Using the open-source C2PA tool, Fargate creates a C2PA manifest and generates the signature block, reading the digital certificate and private key values from the environment variables.
Step 7
Fargate uploads the generated C2PA manifest sidecar to the Amazon S3 bucket.
Step 8
Fargate returns a presigned URL to the MAM system for the C2PA manifest stored in Amazon S3.
AWS Lambda
This architecture diagram shows how you can generate a C2PA manifest sidecar file for a media workload in your AWS account using AWS Lambda.
Step 1
The certificate and private key are obtained from the certificate authority.
Step 2
The MAM system assumes an AWS Identity and Access Management (IAM) role that permits invocation of the AWS Lambda function.
Step 3
The MAM system sends a POST request to the Lambda function URL. The request parameters include presigned URLs for a digital asset, a JSON assertions file, and a parent C2PA manifest (if applicable), all stored in Amazon S3. The caller can also provide the JSON assertions in the request body rather than by URL.
Step 4
Lambda uses the presigned URLs to download the digital asset, JSON assertions file, and parent C2PA manifest from Amazon S3 to its attached ephemeral storage.
Step 5
Lambda retrieves your digital certificate and private key from Secrets Manager and stores the values in environment variables.
Step 6
Using the open-source C2PA tool, Lambda creates a C2PA manifest and generates the signature block, reading the digital certificate and private key values from the environment variables.
Step 7
Lambda uploads the generated C2PA manifest sidecar to the Amazon S3 bucket.
Step 8
Lambda returns a presigned URL to the MAM system for the C2PA manifest stored in Amazon S3.
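The request-handling core shared by the Fargate and Lambda flows above (validate the request, download the inputs, fetch the certificate and key from Secrets Manager into environment variables, invoke the C2PA tool, upload the sidecar and return a presigned URL), written here as an added example rather than as code from the Guidance itself. The S3 download/upload, Secrets Manager and c2patool calls are passed in as callables so the flow can be exercised offline; the c2patool flag names and the C2PA_SIGN_CERT / C2PA_PRIVATE_KEY variable names are assumptions about that tool, not taken from the page, as is the restriction of presigned URLs to an amazonaws.com host.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# Assumption: callers may only hand the service SigV4-presigned S3 URLs.
ALLOWED_HOST_SUFFIX = ".amazonaws.com"


def validate_presigned_url(url: str) -> bool:
    """Accept only HTTPS presigned S3 URLs, so the task never fetches arbitrary hosts."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname:
        return False
    if not p.hostname.endswith(ALLOWED_HOST_SUFFIX):
        return False
    return "X-Amz-Signature" in parse_qs(p.query)


def parse_request(body: dict) -> dict:
    """Normalise the POST body: asset URL required; assertions inline or by URL;
    parent manifest optional. Field names are this example's own."""
    asset = body.get("asset_url")
    if not asset or not validate_presigned_url(asset):
        raise ValueError("asset_url missing or not a presigned S3 URL")
    req = {"asset_url": asset, "assertions": None, "assertions_url": None, "parent_url": None}
    if "assertions" in body:
        req["assertions"] = body["assertions"]  # JSON supplied inline in the body
    elif "assertions_url" in body:
        if not validate_presigned_url(body["assertions_url"]):
            raise ValueError("assertions_url is not a presigned S3 URL")
        req["assertions_url"] = body["assertions_url"]
    else:
        raise ValueError("assertions or assertions_url is required")
    parent = body.get("parent_manifest_url")
    if parent:
        if not validate_presigned_url(parent):
            raise ValueError("parent_manifest_url is not a presigned S3 URL")
        req["parent_url"] = parent
    return req


def build_c2patool_args(asset: Path, manifest: Path, out: Path, parent: Optional[Path]) -> list:
    """Command line for the C2PA tool (flag names assumed). The private key is
    deliberately absent: it travels only in the process environment."""
    args = ["c2patool", str(asset), "-m", str(manifest), "-o", str(out), "--sidecar"]
    if parent is not None:
        args += ["-p", str(parent)]
    return args


def generate_sidecar(body: dict,
                     download: Callable[[str, Path], None],
                     get_secret: Callable[[], dict],
                     run: Callable[[list, dict], None],
                     upload: Callable[[Path], str]) -> str:
    """Steps 4-8 of the flow; returns the presigned URL of the uploaded sidecar."""
    req = parse_request(body)
    with tempfile.TemporaryDirectory() as tmp:  # stands in for ephemeral storage
        work = Path(tmp)
        asset = work / "asset.bin"
        download(req["asset_url"], asset)
        manifest = work / "manifest.json"
        if req["assertions"] is not None:
            manifest.write_text(json.dumps(req["assertions"]))
        else:
            download(req["assertions_url"], manifest)
        parent = None
        if req["parent_url"]:
            parent = work / "parent.c2pa"
            download(req["parent_url"], parent)
        out = work / "asset.c2pa"
        # Secret shape assumed: {"certificate": <PEM>, "private_key": <PEM>}
        secret = get_secret()
        env = dict(os.environ,
                   C2PA_SIGN_CERT=secret["certificate"],
                   C2PA_PRIVATE_KEY=secret["private_key"])
        run(build_c2patool_args(asset, manifest, out, parent), env)
        return upload(out)
```

In production the callables would wrap requests/boto3 downloads, `secretsmanager.get_secret_value`, `subprocess.run(args, env=env, check=True)` and `s3.generate_presigned_url`; the temporary directory is removed on exit so neither the asset nor the key material outlives the request on the task's storage.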
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
Operational Excellence
The AWS Cloud Development Kit (AWS CDK), which enables you to manage infrastructure as code, lets your developers automatically deploy, update, or delete this Guidance for different environments. Additionally, it enables a scalable and structured approach to managing infrastructure. As a result, you can reduce potential manual operational error risk on the console and easily deploy the solution to other parts of your business.
Security
IAM roles protect the API exposed by the Lambda function URL, so only callers with the right permissions can invoke the endpoint. The API exposed by Fargate sits behind an internal Application Load Balancer that is reachable only from within your VPC, and you can apply Amazon Virtual Private Cloud (Amazon VPC) security features such as security groups and network ACLs to restrict access further. Finally, Secrets Manager stores the digital certificates and private keys used to sign C2PA manifests, and provides auditing and monitoring of access to them.
Reliability
Lambda generates C2PA manifests in a serverless environment that is designed to be highly available and reliable. For example, it automatically scales functions to maintain availability, retries processes in the event of failure, and can be configured to run in multiple Availability Zones (AZs) to provide resilience.
Amazon Elastic Container Service (Amazon ECS), used with Fargate, is an alternative architecture to generate C2PA manifests. This architecture uses a fully managed service to deploy and manage containerized applications, and it supports reliability through health checks and automatic healing to handle unexpected system errors. For example, Fargate continuously monitors and replaces any failed or unhealthy containers and scales based on workload to maintain application reliability and responsiveness. Additionally, if you configure Fargate to run in multiple AZs, Application Load Balancer will automatically route requests to healthy containers, making request handling more resilient.
Performance Efficiency
Lambda supports function URLs, which simplify the architecture by exposing an HTTPS endpoint without an API gateway. Functions scale automatically with demand, so your DevOps teams do not have to provision and manage Amazon Elastic Compute Cloud (Amazon EC2) instances or plan and manage Amazon EC2 Auto Scaling groups. Likewise, Fargate simplifies containerized application deployment by launching tasks in a serverless environment without provisioning or maintaining Amazon EC2 instances. You can size Fargate tasks to match workload characteristics and configure the service to scale the number of running tasks up or down automatically to make the best use of computing resources.
Cost Optimization
Lambda only bills for the time it is processing data and scales based on demand so that you are not billed for idle computational resources. Additionally, you can configure Fargate to use the right CPU and memory sizes to balance performance against cost.
Sustainability
Lambda only uses the computational energy required for your workload. Fargate is a managed service, so instead of implementing your own container infrastructure, you can rely on AWS for the high utilization and sustainability optimization of the deployed hardware.
Related Content
Ensuring media authenticity, traceability, and integrity by running C2PA on AWS
AWS Innovation with Sinclair
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.