
AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices – Application in the Cloud


The Motion Picture of America Association (MPAA) has established a set of best practices for Application and Cloud/Distributed Environment Security Guidelines. For additional information on MPAA content security best practices refer to: http://www.fightfilmtheft.org/best-practice.html.
Media companies can use these best practices to assess risk and audit the security of their content management.
The table below documents AWS alignment with the Motion Picture of America Association (MPAA) Content Security Model Guidelines released March 17, 2015. For additional information, a reference to AWS third-party audited certifications and reports is provided.
In alignment with the MPAA Content Security Best Practices, AWS has mapped each practice to ISO 27002 and NIST 800-53 controls.
Columns: Security Topic | No. | Best Practice | AWS Implementation | AWS SOC | ISO 27002 | AWS PCI v.3.1 | NIST 800-53 Rev4

Security Topic: Development Lifecycle

AS-1.0  Build security into the entire Systems/Software Development Lifecycle (SDLC).
AS-1.1  Test security across the entire application and infrastructure.
AS-1.2  Perform fuzz testing and defect remediation to discover security loopholes in software, operating systems or networks by massive inputting of random data to the system in an attempt to make it crash (e.g., buffer overflow, cross-site scripting, denial of service attacks, format bugs, SQL injection).
AS-1.3  Perform bug tracking and defect remediation in conjunction with extensive black box testing, beta testing, and other proven debugging methods.
AS-1.4  Provide training and user guides on additions and changes to the application.

AWS Implementation: AWS applies a systematic approach to managing changes to ensure that changes to customer-impacting aspects of a service are reviewed, tested and approved. AWS's change management procedures have been developed in alignment with the ISO 27001 standard. The AWS SOC 1 Type 2 report provides details on the specific control activities executed by AWS.

AWS SOC: SOC1 6.1, 6.3, 6.4, 6.5, 6.6
ISO 27002: 12.5, 14.1
AWS PCI v.3.1: 6.1, 6.2, 6.3, 6.4, 6.5, 6.6
NIST 800-53 Rev4: SA-3, SA-4, SA-8, SA-11, SA-12
Security Topic: Authentication & Access

AS-2.0  Implement secure authentication.
AS-2.1  Register user devices.
AS-2.2  Implement secure password recovery.
AS-2.3  Follow the principle of least privilege.
AS-2.4  Implement controls to prevent brute force attacks.
AS-2.5  Implement and document a process to secure key / cryptographic storage and ensure ongoing secure management.
AS-2.6  Enable an auto-expiration setting to expire all external links to content after a user-defined time.
AS-2.7  Use human verification tools such as CAPTCHA or reCAPTCHA with web applications.
AS-2.8  Provide clients with the ability to limit the number of times an asset may be downloaded or streamed by a particular user.
AS-2.9  Confirm the upload and download of all content and critical assets.
AS-2.10 Include a brief message on mobile applications to remind users to enable device passwords and to enable remote wipe and device location software.

AWS Implementation: Unique user identifiers are created as part of the onboarding workflow process in the AWS human resources management system. The device provisioning process helps ensure unique identifiers for devices. Both processes include manager approval to establish the user account or device. Initial authenticators are delivered to users in person, and to devices as part of the provisioning process. Internal users can associate SSH public keys with their account. System account authenticators are provided to the requestor as part of the account creation process after the identity of the requestor is verified. The minimum strength of authenticators is defined by AWS, including password length, complexity, age and content requirements, along with a minimum SSH key bit length.

The AWS password policy and its implementation are reviewed by independent third-party auditors for our continued compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS SOC: SOC1 2.1, 2.2, 2.3, 2.4, 2.5, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8
ISO 27002: 9.1, 9.2, 9.3, 9.4
AWS PCI v.3.1: 7.1, 8.1, 8.2
NIST 800-53 Rev4: AC-2, AC-3, AC-6, AC-7, AC-8, AC-14, IA-5, IA-6, IA-8
Security Topic: Secure Coding and Systems

AS-3.0  Perform penetration testing / web application security testing prior to production deployment, and at least quarterly thereafter. Validate that vulnerabilities were remediated with a retest.
AS-3.1  Perform vulnerability testing at least quarterly.
AS-3.2  Utilize cookies in a secure manner, if they need to be used.
AS-3.3  Validate user input and implement secure error handling.
AS-3.4  Implement secure logging procedures.
AS-3.5  Implement a SIEM (Security Information and Event Management system) to aggregate and analyze the disparate logs.
AS-3.6  Encrypt all content and client data at rest.
AS-3.7  Encrypt all content and client data in transit.
AS-3.8  Implement controls for secure session management.
AS-3.9  Implement controls to prevent SQL injection.
AS-3.10 Implement controls to prevent unvalidated URL redirects and forwards.
AS-3.11 Implement controls to prevent connections from anonymity networks (e.g., Tor, Freenet, Netshade), if possible.
AS-3.12 Implement controls to prevent IP address leakage.
AS-3.13 Implement controls to prevent XSS (cross-site scripting).
AS-3.14 Allow senders the option to include session-based forensic (invisible) watermarking for content.
AS-3.15 Implement a formal, documented content / asset lifecycle.

AWS Implementation: AWS provides customers the ability to use their own encryption mechanism for nearly all services, including S3, EBS and EC2. VPC sessions are also encrypted.

Internally, boundary protection devices that employ rule sets, access control lists (ACLs), and configurations enforce the flow of information between network fabrics. Several network fabrics exist at Amazon, each separated by devices that control the flow of information between fabrics. The flow of information between fabrics is established by approved authorizations, which exist as ACLs residing on these devices. These devices control the flow of information between fabrics as mandated by these ACLs. ACLs are defined, approved by appropriate personnel, managed and deployed using the AWS ACL-manage tool. Amazon's Information Security team approves these ACLs. Approved firewall rule sets and access control lists between network fabrics restrict the flow of information to specific information system services. Access control lists and rule sets are reviewed and approved, and are automatically pushed to boundary protection devices on a periodic basis (at least every 24 hours) to ensure that rule sets and access control lists are up to date.

AWS Network Management is regularly reviewed by independent third-party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS implements least privilege throughout its infrastructure components. AWS prohibits all ports and protocols that do not have a specific business purpose. AWS follows a rigorous approach to minimal implementation of only those features and functions that are essential to the use of the device. Network scanning is performed, and any unnecessary ports or protocols found in use are corrected.

Regular internal and external vulnerability scans are performed on the host operating system, web applications and databases in the AWS environment using a variety of tools. Vulnerability scanning and remediation practices are regularly reviewed as a part of AWS continued compliance with PCI DSS and FedRAMP.

AWS SOC: SOC1 3.4, 3.6, 10.4
ISO 27002: 8.1, 8.2, 8.3, 10.1, 12.2, 12.6, 13.1, 13.2
AWS PCI v.3.1: 1.2, 1.3, 1.4, 5.1, 5.2, 5.3, 10.6, 11.1, 11.2, 11.3
NIST 800-53 Rev4: AC-18, AU-5, CA-3, CA-9, SC-7, SC-15, SC-18, SC-19, SC-32, SI-2, SI-3, SI-4, SI-8, SI-10, SI-11
Security Topic: Organization & Management

CS-1.0  Compliance with the MPAA Content Best Practices Common Guidelines is required. Where stronger controls exist within the Application Security and Cloud/Distributed Environment Guidelines, the stronger policy will prevail.
CS-1.1  Perform a third-party security audit at least once per year (e.g., SSAE 16 Type 2, SOC 1, ISO 27000/27001, MPAA).
CS-1.2  Document and implement security and privacy policies that are aligned with security industry frameworks for Information Security Management (e.g., ISO-27001, ISO-22307, CoBIT).
CS-1.3  Document and implement information security baselines for every component of the infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.).
CS-1.4  Document and implement personnel security procedures that align with the organization's current information security procedures.
CS-1.5  Require all employees, contractors, and third parties to sign confidentiality / non-disclosure agreements when going through the onboarding process.
CS-1.6  Document and implement procedures for conducting security due diligence when offloading functionality or services to a third party.
CS-1.7  Document and implement segregation of duties for business critical tasks.
CS-1.8  Provide clients with information regarding locations for their content and data.
CS-1.9  Develop a documented procedure for responding to requests for client data from governments or third parties.
CS-1.10 Establish policies and procedures for labeling, handling, and securing containers that contain data and other containers.
CS-1.11 Establish procedures for the secure deletion of content/data, including archived and backed-up content/data.
CS-1.12 Establish, document and implement scenarios to clients in which client content/data may be moved from one physical location to another.
CS-1.13 Establish, document and implement additional key management features, controls, policies and procedures.
CS-1.14 Train personnel regarding all policies and procedures.
CS-1.15 Establish a process to notify clients when material changes are made to security/privacy policies.
CS-1.16 Plan, prepare and measure the required system performance to ensure acceptable service levels.
CS-1.17 Develop and maintain additional requirements for incident response and immediate notification to the client in the event of any unauthorized access to systems or content.

AWS Implementation: AWS has an established information security organization managed by the AWS Security team and led by the AWS Chief Information Security Officer (CISO). AWS maintains and provides security awareness training to all information system users supporting AWS. This annual security awareness training covers the purpose of security awareness training, the location of all AWS policies, and AWS incident response procedures (including instructions on how to report internal and external security incidents).

Systems within AWS are extensively instrumented to monitor key operational and security metrics. Alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on key metrics. When a threshold is crossed, the AWS incident response process is initiated. The Amazon Incident Response team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff provide 24x7x365 coverage to detect incidents and manage the impact through to resolution.

AWS roles and responsibilities are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

AWS SOC: SOC1 1.1, 1.2; SOC2 9.3, 9.4, 9.8, 10.1, 10.3, 10.4
ISO 27002: 5.1, 6.1
AWS PCI v.3.1: 1.1, 1.5, 2.5, 3.1, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1, 8.4, 8.8, 9.10, 10.8, 11.6, 12.1, 12.3, 12.4
NIST 800-53 Rev4: AC-1, AC-18, AC-19, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SC-1, SI-1
Security Topic: Operations

CS-2.0  Secure datacenter utilities services and environmental conditions.
CS-2.1  Ensure the data center has appropriate perimeter and physical security controls.
CS-2.2  Develop, document and maintain additional requirements for business continuity planning.
CS-2.3  Develop, document and maintain additional change and configuration controls.
CS-2.4  Maintain a complete inventory of all critical assets, including ownership of the asset.
CS-2.5  Maintain an inventory of all critical supplier relationships.
CS-2.6  Develop and maintain service level agreements (SLAs) with clients, partners, and service providers.

AWS Implementation: Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in the AWS centralized physical security monitoring tool if a door is forced open or held open.

In addition to electronic mechanisms, AWS data centers utilize trained security guards 24x7, who are stationed in and around the building. All alarms are investigated by a security guard, with the root cause documented for all incidents. All alarms are set to auto-escalate if a response does not occur within the SLA time.

Physical access points to server locations are recorded by closed circuit television (CCTV) cameras as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations.

AWS physical security mechanisms are reviewed by independent external auditors during audits for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.

AWS SOC: SOC1 5.1, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11, 5.12, 10.4
ISO 27002: 11.1, 11.2, 11.5
AWS PCI v.3.1: 1.1, 1.5, 2.5, 3.1, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1, 8.4, 8.8, 9.2, 9.4, 9.10, 10.8, 11.6, 12.1, 12.3
NIST 800-53 Rev4: PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-8, PE-9, PE-18, PL-8, PS-1
Security Topic: Data Security

CS-3.0  Implement a process to provide all relevant logs requested for good cause to clients in a format that can be easily exported from the platform for analysis in the event of a security incident.
CS-3.1  Consider providing the capability to use system geographic location as an additional authentication factor.
CS-3.2  Provide the capability to control the physical location/geography of storage of a client's content/data, if requested.
CS-3.3  Establish procedures to ensure that non-production data is not replicated to production environments.
CS-3.4  Establish, document and implement a published procedure for exiting the service arrangement with a client, including assurance to sanitize all computing systems of client content/data once the client contract has terminated.
CS-3.5  Establish and document policies and procedures for secure disposal of equipment, categorized by asset type, used outside the organization's premises.
CS-3.6  Implement a synchronized time service protocol (e.g., NTP) to ensure all systems have a common time reference.
CS-3.7  Design and configure network and virtual environments to restrict and monitor traffic between trusted and untrusted connections.
CS-3.8  Design, develop and deploy multi-tenant applications, systems, and components such that client content and data is appropriately segmented.
CS-3.9  Use secure and encrypted communication channels when migrating physical servers, applications, and content data to/from virtual servers.
CS-3.10 Implement technical measures and apply defense-in-depth techniques (e.g., deep-packet analysis, traffic throttling, black-holing) for detection and timely response to network-based attacks associated with unusual ingress/egress traffic patterns (e.g., NAC spoofing and ARP poisoning attacks and/or DDoS attacks).
CS-3.11 Establish and document controls to secure virtualized environments.

AWS Implementation: Boundary protection devices are configured in a deny-all mode. Boundary protection devices that employ rule sets, access control lists (ACLs), and configurations enforce the flow of information between network fabrics. These devices are configured in deny-all mode, requiring an approved firewall rule set to allow connectivity. Refer to DS-2.0 for additional information on the management of AWS network firewalls.

There is no inherent e-mail capability on AWS assets, and port 25 is not utilized. A customer (e.g., a studio or processing facility) can utilize a system to host e-mail capabilities; however, in that case it is the customer's responsibility to employ the appropriate levels of spam and malware protection at e-mail entry and exit points and to update spam and malware definitions when new releases are made available.

Amazon assets (e.g., laptops) are configured with anti-virus software that includes e-mail filtering and malware detection.

AWS network firewall management and Amazon's anti-virus program are reviewed by independent third-party auditors as a part of AWS ongoing compliance with SOC, PCI DSS, ISO 27001 and FedRAMP.

AWS SOC: SOC1 3.1, 3.2, 3.3, 3.5, 3.6, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 10.4
ISO 27002: 11.2, 12.1
AWS PCI v.3.1: 1.1, 1.2, 1.3, 1.4, 6.4, 10.4, 12.5
NIST 800-53 Rev4: AC-3, AC-4, AC-5, AU-8, CA-3, CA-9, CM-6, CM-7, SC-5, SC-7, SC-19, SI-4
