The Internet of Things on AWS – Official Blog
Amazon Kinesis Video Streams Privacy and E2E Security Overview
Introduction
In a world increasingly driven by Internet of Things (IoT) devices and real-time video streaming, privacy and security have become more critical than ever. Whether used in smart homes, industrial automation, or healthcare, Amazon Kinesis Video Streams offers a fully managed, scalable, and secure platform for streaming live video from devices to the AWS Cloud. This blog walks through the privacy and end-to-end (E2E) security model behind Amazon Kinesis Video Streams, following the data from the point of capture on the device to its consumption by an authorized application.
Amazon Kinesis Video Streams Overview
Amazon Kinesis Video Streams enables customers to stream live video and other time-encoded data, such as audio and depth-sensing feeds, from devices like security cameras, body cams, and dash cams into the AWS Cloud. Streamed data can be consumed in real time as it is ingested or retrieved later from the stream's retained data for analysis. The service protects the data at every stage.
Core Components of the Kinesis Video Streams Security Model
Producer Devices
- Producers are devices, such as cameras, that capture and transmit video streams to the AWS Cloud. Kinesis Video Streams provides producer libraries (the Producer SDK) that run on these devices and handle authentication and the secure transmission of the data.
- These producer libraries support multiple video streaming scenarios, including real-time streaming, buffer-based transmission, or post-event media uploads. They are built to handle interruptions in connectivity and resume streaming once the connection is re-established, ensuring reliability.
Consumers
- Consumers are applications that retrieve video streams for viewing, processing, or analysis. These can be real-time consumers, such as live video viewing apps, or batch-processing applications that analyze the video after it has been stored in the cloud.
Kinesis Video Streams
- Streams are the transport and storage layer for video data. A stream ingests, durably stores, and indexes the data by time, and allows multiple applications to access it in parallel, either in real time or after it has been stored.
CloudTrail for Monitoring
- Kinesis Video Streams integrates with AWS CloudTrail, which records the service's control-plane API calls (for example CreateStream, DescribeStream, GetDataEndpoint, UpdateDataRetention, and DeleteStream) together with the calling identity, its source IP address, and the time of the call. Media data-plane calls such as PutMedia and GetMedia are not recorded as CloudTrail events, so CloudTrail gives you accountability for who created, located, reconfigured, or deleted a stream rather than a per-fragment record of who wrote or read media; access to the media itself is governed by the IAM permissions described below.
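To make that accountability concrete, here is an added example (not code from the original post or from AWS) of detection logic run over a constructed CloudTrail log file. It flags Kinesis Video Streams control-plane records where root credentials were used, where a stream-altering call (DeleteStream, UpdateDataRetention, UpdateStream, UntagStream) came from a principal outside an assumed admin role, or where a camera's producer role called anything beyond GetDataEndpoint and DescribeStream. The record field names (eventSource, eventName, userIdentity, sourceIPAddress, requestParameters) follow the CloudTrail schema; the account ID, role names, stream name and the log records themselves are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ctRecord is the subset of the CloudTrail record schema these checks read.
type ctRecord struct {
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	UserIdentity    struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters map[string]any `json:"requestParameters"`
}

// Expectations for this deployment. The account ID and role names are
// assumptions made for the example, not values from the original post.
const (
	adminRole  = "arn:aws:sts::111122223333:assumed-role/VideoPlatformAdmin/"
	cameraRole = "arn:aws:sts::111122223333:assumed-role/CameraProducerRole/"
)

// Control-plane calls that change or destroy a stream or its retention.
var sensitiveEvents = map[string]bool{"DeleteStream": true, "UpdateDataRetention": true, "UpdateStream": true, "UntagStream": true}

// The only control-plane calls a camera's producer role has a reason to make.
var cameraAllowed = map[string]bool{"GetDataEndpoint": true, "DescribeStream": true}

// Findings parses a CloudTrail log file and returns one alert per Kinesis Video
// Streams record that violates the expectations above; other services are skipped.
func Findings(raw []byte) ([]string, error) {
	var trail struct {
		Records []ctRecord `json:"Records"`
	}
	if err := json.Unmarshal(raw, &trail); err != nil {
		return nil, fmt.Errorf("parse CloudTrail log: %w", err)
	}
	var alerts []string
	for _, r := range trail.Records {
		if r.EventSource != "kinesisvideo.amazonaws.com" {
			continue
		}
		who := r.UserIdentity.ARN
		var reason string
		switch {
		case r.UserIdentity.Type == "Root":
			reason = "root credentials used"
		case sensitiveEvents[r.EventName] && !strings.HasPrefix(who, adminRole):
			reason = "sensitive action by non-admin principal"
		case strings.HasPrefix(who, cameraRole) && !cameraAllowed[r.EventName]:
			reason = "producer role outside its expected call set"
		default:
			continue
		}
		stream, _ := r.RequestParameters["streamName"].(string)
		alerts = append(alerts, fmt.Sprintf("%s %s stream=%q by %s from %s: %s",
			r.EventTime, r.EventName, stream, who, r.SourceIPAddress, reason))
	}
	return alerts, nil
}

// SampleLog is a constructed CloudTrail file for this example, not real data.
const SampleLog = `{"Records":[
 {"eventTime":"2024-05-01T10:00:00Z","eventSource":"kinesisvideo.amazonaws.com","eventName":"CreateStream",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/VideoPlatformAdmin/alice"},
  "requestParameters":{"streamName":"front-door","dataRetentionInHours":168}},
 {"eventTime":"2024-05-01T10:05:00Z","eventSource":"kinesisvideo.amazonaws.com","eventName":"GetDataEndpoint",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/CameraProducerRole/cam-0042"},
  "requestParameters":{"streamName":"front-door"}},
 {"eventTime":"2024-05-01T10:06:00Z","eventSource":"kinesisvideo.amazonaws.com","eventName":"UpdateDataRetention",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/CameraProducerRole/cam-0042"},
  "requestParameters":{"streamName":"front-door","operation":"DECREASE_DATA_RETENTION"}},
 {"eventTime":"2024-05-01T11:00:00Z","eventSource":"kinesisvideo.amazonaws.com","eventName":"DeleteStream",
  "sourceIPAddress":"203.0.113.99","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},
  "requestParameters":{"streamName":"front-door"}},
 {"eventTime":"2024-05-01T11:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "sourceIPAddress":"203.0.113.99","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},
  "requestParameters":{"bucketName":"clips"}}
]}`

func main() {
	alerts, err := Findings([]byte(SampleLog))
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

On the sample file this yields two alerts: the camera credential lowering retention (a producer role touching configuration it never needs) and the root account deleting the stream. Because PutMedia and GetMedia do not appear in CloudTrail, a rule like this catches configuration abuse rather than media reads; for the media itself, scope the IAM permissions of each producer and consumer to its stream.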
Privacy and Security Features of Kinesis Video Streams
Kinesis Video Streams layers several privacy and security controls: TLS protects the data in transit from the device, AWS KMS encryption protects it at rest in the service, IAM restricts who can write to or read from a stream, and, for customers who need the cloud itself to be unable to read the media, application-level end-to-end encryption can be added on top of the producer and consumer SDKs. Together these secure the data from the point it is captured on a device until it is consumed by an authorized application.
Data Encryption in Transit and at Rest
- Encryption in Transit:
- All video streams transmitted between producer devices and the AWS Cloud are encrypted using TLS (Transport Layer Security), which prevents a third party on the network path from reading or modifying the data. The protection against man-in-the-middle attacks comes from the handshake's server authentication rather than from encryption alone: the producer must validate the service endpoint's certificate against a trusted root and must never disable certificate verification, otherwise an attacker who terminates the TLS connection can read and alter the frames before forwarding them to AWS.
- The Kinesis Video Streams Producer SDK sends all media (video frames and their metadata) over TLS by default.
- Encryption at Rest:
- Once video data reaches the AWS Cloud, it is stored in encrypted form. Kinesis Video Streams encrypts data at rest with AWS Key Management Service (AWS KMS). Customers can let the service use the AWS managed key for Kinesis Video Streams (alias aws/kinesisvideo) or specify a customer managed key of their own when the stream is created.
- Envelope encryption is used: the video data is encrypted under a data encryption key (DEK), and the DEK is in turn encrypted under the AWS KMS key associated with the stream. The KMS key itself never leaves AWS KMS, so decrypting stored data requires permission to use that key, which makes the key policy an effective access control on the data in addition to the stream's IAM permissions.
Secure Device Enrolment and Data Encryption Key Management
- Device enrolment:
- When a new camera or device is enrolled, it first establishes a TLS connection to the Kinesis Video Streams endpoint, validating the service's certificate during the handshake so that it is talking to AWS and not to an impostor. The device then authenticates itself on every request with AWS Signature Version 4 using IAM credentials; for fleets of devices these are typically short-lived credentials obtained from the AWS IoT credentials provider in exchange for the device's X.509 certificate, so no long-term access key has to be stored on the camera.
- Encryption:
- The DEK used to encrypt stored video data is generated and protected by AWS KMS. When the stream is created, the customer specifies the AWS KMS key (or accepts the AWS managed key), and that key is used to encrypt the DEK. The DEK protects the data at rest; protection in transit is provided by TLS, as described above.
- Key Management:
- The DEK is generated by AWS KMS and stored only in encrypted form alongside the data; decrypting it requires a successful AWS KMS Decrypt call under the stream's key, which the key policy and IAM permissions govern. The service therefore ensures that only principals with the required permissions can cause stored video to be decrypted and read.
- Kinesis Video Streams integrates with AWS KMS for the management of the keys that protect data at rest. Customers keep control over their encryption keys through AWS KMS: they can create, manage, rotate, and write key policies for their customer managed keys, and AWS KMS records every use of a key in AWS CloudTrail, which helps meet compliance and audit requirements. Because the data is encrypted under keys that never leave AWS KMS, only users and services with permission on both the stream and the key can decrypt and access the video.
- With this process, data is exchanged securely between the device and the cloud, and only authorized devices can send or receive video data.
Access Control and Permissions
- Kinesis Video Streams operates on the principle of least privilege access. This means that users or applications only receive the permissions necessary to perform their tasks, minimizing the risk of unauthorized actions.
- AWS Identity and Access Management (IAM) roles are used to grant permissions to producer and consumer applications through short-lived credentials, which avoids embedding long-term access keys in applications or storing them insecurely on devices.
- At a minimum, producers need kinesisvideo:GetDataEndpoint, kinesisvideo:DescribeStream, and kinesisvideo:PutMedia, while consumers need kinesisvideo:GetDataEndpoint and kinesisvideo:GetMedia (plus kinesisvideo:ListFragments and kinesisvideo:GetMediaForFragmentList if they read archived fragments). Scope these actions to the ARN of the specific stream rather than to a wildcard resource, so that a compromised camera credential cannot read or overwrite other streams. By adhering to the principle of least privilege and granting only the necessary permissions, you greatly reduce the risk posed by a leaked or misused credential.
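An added example, not code from the post or from AWS, that makes the least-privilege rule checkable: a small Go policy linter that parses IAM policy documents and reports wildcard actions, resources that are not a specific Kinesis Video Streams ARN, and any action beyond the minimum set named above for a producer or a consumer. The three policy documents are constructed for the example, and the account ID, Region and stream ARN in them are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts either a single JSON string or an array of strings,
// the two forms IAM allows for Action and Resource.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type policyDoc struct {
	Statement []struct {
		Effect   string     `json:"Effect"`
		Action   stringList `json:"Action"`
		Resource stringList `json:"Resource"`
	} `json:"Statement"`
}

// Minimum action sets for each role, as listed in the post.
var allowedActions = map[string]map[string]bool{
	"producer": {"kinesisvideo:GetDataEndpoint": true, "kinesisvideo:DescribeStream": true, "kinesisvideo:PutMedia": true},
	"consumer": {"kinesisvideo:GetDataEndpoint": true, "kinesisvideo:GetMedia": true},
}

// Violations returns one finding for every way an Allow statement exceeds the
// least-privilege baseline for role ("producer" or "consumer").
func Violations(policyJSON, role string) ([]string, error) {
	allowed, ok := allowedActions[role]
	if !ok {
		return nil, fmt.Errorf("unknown role %q", role)
	}
	var doc policyDoc
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var out []string
	for i, st := range doc.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			switch {
			case strings.Contains(a, "*"):
				out = append(out, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			case !allowed[a]:
				out = append(out, fmt.Sprintf("statement %d: action %q is not needed by a %s", i, a, role))
			}
		}
		for _, r := range st.Resource {
			if r == "*" || !strings.HasPrefix(r, "arn:aws:kinesisvideo:") {
				out = append(out, fmt.Sprintf("statement %d: resource %q is not a specific stream ARN", i, r))
			}
		}
	}
	return out, nil
}

// Constructed policies for the example; the account ID, Region and stream ARN
// are placeholders, not values from the post.
const (
	streamARN = "arn:aws:kinesisvideo:us-east-1:111122223333:stream/front-door/1700000000000"
	// Over-broad: any Kinesis Video Streams action on any stream.
	OverBroadPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kinesisvideo:*","Resource":"*"}]}`
	// Least privilege for a camera: exactly the producer actions, on one stream.
	ProducerPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kinesisvideo:DescribeStream","kinesisvideo:GetDataEndpoint","kinesisvideo:PutMedia"],"Resource":"` + streamARN + `"}]}`
	// A consumer policy that also smuggles in DeleteStream.
	ConsumerPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["kinesisvideo:GetDataEndpoint","kinesisvideo:GetMedia","kinesisvideo:DeleteStream"],"Resource":"` + streamARN + `"}]}`
)

func main() {
	for _, c := range []struct{ name, policy, role string }{
		{"over-broad", OverBroadPolicy, "producer"},
		{"producer", ProducerPolicy, "producer"},
		{"consumer", ConsumerPolicy, "consumer"},
	} {
		v, err := Violations(c.policy, c.role)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d violation(s) %v\n", c.name, len(v), v)
	}
}
```

Run it against a policy before attaching it to a device or application role: the over-broad policy yields two findings (wildcard action and wildcard resource), the producer policy none, and the consumer policy one for DeleteStream. The checker accepts any resource that begins with the Kinesis Video Streams ARN prefix, so a pattern such as stream/* passes; tighten that check if every consumer should be pinned to a single stream.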
End-to-End Encryption (E2EE)
- End-to-End Encryption (E2EE) adds a layer of privacy on top of the service's own transit and at-rest encryption, for customers who need the media to be unreadable by anything other than the endpoints. It is implemented by the customer on top of the existing Kinesis Video Streams producer and consumer SDKs: the producer (for example the camera) encrypts the media and any sensitive metadata before handing it to the SDK, and only the authorized consumer application decrypts it. Because the ingestion format carries fragment metadata alongside the media, encrypted frames and the encrypted or public key material needed to decrypt them can travel through the same stream. With E2EE in place, no device or network component on the path between producer and consumer, on premises or inside AWS, can decrypt or undetectably modify the media, and AWS holds only ciphertext.
- E2EE requires a secure key agreement between the producer and the consumer application. Custom clients built with the Kinesis Video Streams SDKs can implement a key-agreement protocol such as Diffie-Hellman (for example X25519), in which each endpoint holds a public/private key pair, exchanges only its public key, and derives the shared symmetric key locally, so the symmetric key itself is never transmitted. The exchanged public keys must themselves be authenticated, by pinning them at enrolment or signing them with a device identity key; otherwise an active intermediary can substitute its own keys and read the stream. Handling key agreement at the application level keeps the keys confidential from every intermediary service and leaves the customer in full control of the encryption process.
- To maintain the integrity of E2EE, customers must also manage key storage and rotation themselves. Private keys are generated and kept on the producer device and in the consumer application, ideally in a hardware-backed key store where one is available, and are never uploaded to the cloud; derived frame keys should be rotated per session or on a fixed schedule so that a compromised key exposes a bounded amount of footage. Local key management keeps the encryption process self-contained and ensures that only the intended recipients can access the video.
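The key agreement and frame encryption described in the three bullets above, as an added example in Go (this is not code from the Kinesis Video Streams SDKs, which do not provide E2EE themselves): X25519 Diffie-Hellman between producer and consumer, HKDF-SHA256 to turn the shared secret into an AES-256-GCM frame key bound to both public keys and the stream name, and a per-frame nonce and additional data derived from the frame index. The stream name, the frame bytes and the use of a fresh key pair on each side are assumptions for the example; in a deployment the public keys would be pinned at enrolment or signed by a device identity key, which this example does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// deriveFrameKey runs HKDF-SHA256 (extract, then one expand block) over the X25519 shared
// secret; both public keys salt it and the stream name is the info, so keys are not reusable.
func deriveFrameKey(shared, producerPub, consumerPub []byte, streamName string) []byte {
	salt := sha256.Sum256(append(append([]byte{}, producerPub...), consumerPub...))
	extract := hmac.New(sha256.New, salt[:])
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("kvs-e2ee-frame-key/" + streamName))
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes, used as the AES-256 key
}

// sessionFor builds one endpoint's AES-256-GCM cipher from its own private key and the peer's public key.
func sessionFor(own *ecdh.PrivateKey, peer *ecdh.PublicKey, producerPub, consumerPub []byte, streamName string) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFrameKey(shared, producerPub, consumerPub, streamName))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// frameContext returns the 96-bit GCM nonce (the frame index, never reused under one key)
// and the additional data binding stream name and index, so a relay cannot relocate a frame.
func frameContext(streamName string, frameIndex uint64) (nonce, aad []byte) {
	nonce = make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], frameIndex)
	aad = make([]byte, 8, 8+len(streamName))
	binary.BigEndian.PutUint64(aad, frameIndex)
	return nonce, append(aad, streamName...)
}

// SealFrame encrypts and authenticates one media frame on the producer.
func SealFrame(aead cipher.AEAD, streamName string, frameIndex uint64, frame []byte) []byte {
	nonce, aad := frameContext(streamName, frameIndex)
	return aead.Seal(nil, nonce, frame, aad)
}

// OpenFrame decrypts one frame on the consumer; any changed bit, index or stream name fails.
func OpenFrame(aead cipher.AEAD, streamName string, frameIndex uint64, sealed []byte) ([]byte, error) {
	nonce, aad := frameContext(streamName, frameIndex)
	return aead.Open(nil, nonce, sealed, aad)
}

// RunExchange performs the whole flow: each side generates an X25519 key pair, only the
// public keys cross the network (pinned or signed in a real deployment), both derive the
// same frame key, and the producer's sealed frame is opened by the consumer.
func RunExchange(streamName string, frame []byte) (recovered []byte, tamperRejected bool, err error) {
	curve := ecdh.X25519()
	producerPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	consumerPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	pPub, cPub := producerPriv.PublicKey().Bytes(), consumerPriv.PublicKey().Bytes()
	producer, err := sessionFor(producerPriv, consumerPriv.PublicKey(), pPub, cPub, streamName)
	if err != nil {
		return nil, false, err
	}
	consumer, err := sessionFor(consumerPriv, producerPriv.PublicKey(), pPub, cPub, streamName)
	if err != nil {
		return nil, false, err
	}
	const frameIndex = 7
	sealed := SealFrame(producer, streamName, frameIndex, frame)
	if recovered, err = OpenFrame(consumer, streamName, frameIndex, sealed); err != nil {
		return nil, false, err
	}
	// An intermediary flipping a single ciphertext bit must be detected.
	tampered := append([]byte{}, sealed...)
	tampered[0] ^= 0x01
	_, terr := OpenFrame(consumer, streamName, frameIndex, tampered)
	return recovered, terr != nil, nil
}

func main() {
	got, rejected, err := RunExchange("front-door", []byte("constructed stand-in for a frame"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q tamperRejected=%v\n", got, rejected)
}
```

The sealed frames and the public keys are what a producer would hand to the SDK as media and fragment metadata; the private keys and the derived frame key never leave the endpoints. Changing a ciphertext bit, the frame index or the stream name makes OpenFrame return an error rather than corrupted video, which is what lets the consumer detect an intermediary that tries to modify or reorder frames.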
Real-Life Application: Smart Home Security Systems
In a typical smart home scenario, Kinesis Video Streams can be used to stream video footage from security cameras installed at a residence. The live video is encrypted and streamed to the AWS Cloud, where it can be securely stored, indexed, and accessed only by authorized users or applications.
By employing TLS for video in transit, AWS KMS encryption for the stored footage, and optional end-to-end encryption so that not even the cloud can read the media, homeowners can be confident that their footage is protected from unauthorized access. Furthermore, access controls via IAM regulate who can access and analyze the data; these controls can be configured to grant access only to specific devices or apps, safeguarding the homeowner's privacy.
Figure 1.0 – Smart home camera video streaming
Best Practices for Kinesis Video Streams Security
To further strengthen Kinesis Video Streams security, AWS recommends the following best practices:
- Use IAM Roles: Producer and consumer applications should rely on short-lived credentials obtained by assuming an IAM role (for devices, typically through the AWS IoT credentials provider) instead of hardcoding long-term access keys in the applications. Short-lived credentials expire automatically and are refreshed by the SDK, so there is no long-term secret on the device to leak or to rotate by hand.
- Enable CloudTrail Monitoring: Monitor all control-plane interactions with Kinesis Video Streams through AWS CloudTrail, which gives you an audit trail of who created, located, reconfigured, or deleted streams and when.
- Implement Least Privilege: Carefully define the permissions for producers and consumers. Avoid granting excessive permissions, such as full admin access, as this increases security risks.
- Regular Key Rotation: For streams encrypted with a customer managed key, enable automatic key rotation in AWS KMS. Rotation generates new key material on a schedule while the key ID, alias, and key policy stay the same, so no change to the stream is needed and previously stored data remains decryptable, while limiting how much data any single key version protects.
Conclusion
Amazon Kinesis Video Streams offers a highly secure and scalable solution for real-time video streaming. Its architecture supports an encrypted data flow at every stage, from the device to the cloud to the consumer application, keeping the media safe from unauthorized access. By combining AWS KMS, AWS IAM, AWS CloudTrail, and the best practices above, Kinesis Video Streams provides a robust foundation for privacy-preserving video pipelines in industries ranging from smart homes to healthcare.
With the combination of TLS in transit, encryption at rest, and application-level end-to-end encryption, Kinesis Video Streams enables you to build a privacy-centric video streaming solution that meets the needs of even the most security-sensitive industries.
Related links
To learn more about the technologies or features used in this blog, explore the following pages:
- AWS Key Management Service (developer guide)
- Amazon Kinesis Video Streams (how it works)
- Amazon Kinesis Video Streams examples
- AWS CloudTrail
About the author