Media & OTT Streaming on AWS (2026): Live vs VOD Architecture, Egress Math, and When IVS Beats Elemental

AWS discontinued Amazon Elastic Transcoder on November 13, 2025 — new video workloads belong on AWS Elemental MediaConvert (batch VOD) and either Amazon IVS (interactive live) or MediaLive (broadcast live). That deadline matters because many OTT runbooks still describe a single “transcode service” for everything. Live and catalog are different jobs; billing proves it fast.

This post is the video pipeline layer — not e-commerce peak traffic (HTTP cart scaling), not Kinesis vs MSK (event streaming analytics), and not CloudFront vs Cloudflare (CDN vendor comparison). We ship a live vs VOD decision matrix, egress cost model CSV, and DRM packaging checklist.

Benchmark pattern (not a cited client) — Composite mid-market OTT, ~12 TB VOD catalog on S3 Standard, ~180k concurrent live peak on flagship sports Saturdays, ~40 live hours/month, primary Region us-east-1, viewers 70% Americas / 30% EU. Prior architecture sent all live and VOD through MediaConvert Basic tier. After splitting live to IVS and enabling Origin Shield on the catalog origin: MediaConvert spend fell ~$4,200/mo → ~$504/mo (catalog-only output minutes); CloudFront egress remained the largest line (~$1.8k/mo modeled at ~22 TB delivered). p95 live glass-to-glass latency improved ~38s → under 5s for the interactive app.

Four jobs — four mechanisms

Opinionated take: IVS for interactive live; MediaLive for broadcast live; MediaConvert for catalog only. Syndication always terminates at CloudFront — price egress before codecs.

Live path: IVS vs MediaLive

Amazon IVS targets sub-5-second glass-to-glass for interactive experiences (AWS documents under 5 seconds for low-latency channels). Ingest is RTMP, RTMPS, or SRT; playback uses the IVS player SDK or HLS playback URL. Operational surface is small — channels, stream keys, recording configurations — which is why product teams ship faster than on MediaLive.

MediaLive is the broadcast path: multi-input channels, redundant pipelines, SCTE-35 ad markers, and handoff to MediaPackage for live HLS/DASH with DRM. Choose it when your operations team already runs professional encoders and ad insertion — not when you only need a creator webcam and chat.

IVS Real-Time (stages) targets sub-300ms participant latency for co-watch and auctions. It is not a replacement for 24/7 linear — bill participant-hours deliberately.

VOD path: MediaConvert and packaging

MediaConvert bills normalized output minutes with Basic vs Professional tiers (Professional for HEVC, AV1, multi-pass, DRM). Volume discounts apply per Region. Typical catalog flow:

1. Mezzanine uploads land in S3 (or arrive from MAM export).
2. MediaConvert job templates emit HLS/DASH renditions to a published bucket.
3. Optional MediaPackage packaging group for SPEKE DRM and consistent manifests.
4. CloudFront distribution with separate cache behaviors for manifests (short TTL) and segments (long TTL).

Context for a one-off probe — AWS CLI 2.x, us-east-1:

aws mediaconvert describe-endpoints --region us-east-1
aws mediaconvert list-jobs --max-results 5 --endpoint-url <ACCOUNT_ENDPOINT>

Egress math (where OTT budgets actually go)

Once catalog encoding is amortized, data transfer out via CloudFront dominates. The egress CSV models:

• Catalog-only replay factor (~1.3× catalog TB/month as delivered egress)
• Origin Shield incremental cost vs duplicate origin fetches
• Failure row: live misrouted through MediaConvert (output minutes explode)

Pair with data transfer traps when origin and analytics buckets sit in different Regions — video origins are not exempt from cross-Region charges on admin traffic.

What broke — Opening weekend for a licensed sports package. Operations triggered the same MediaConvert queue used for nightly catalog refreshes to process live capture files “until IVS was ready.” Queue depth hit 11 hours at peak; viewers saw 45–90s latency; monthly MediaConvert line ~$17.5k vs ~$700 baseline. Detection: Cost Explorer MediaConvert dimension spike + IVS channel idle in CloudWatch. Fix: IVS ingest for live, MediaConvert reserved for S3-triggered catalog jobs only; added EventBridge rule guard so live S3 prefixes cannot enqueue batch jobs during event windows.

DRM and multi-CDN cautions

Premium catalogs need MediaPackage SPEKE with KMS-backed keys — see the DRM checklist. Multi-CDN contracts fail when two CDNs pull the same MediaPackage origin without Origin Shield — you pay duplicate origin egress and risk cache inconsistency on hot titles.

What to do this week

1. Split live and VOD IAM and queue boundaries — no shared MediaConvert queue.
2. Model CloudFront egress from last month’s top three titles using the CSV artifact.
3. Pilot IVS for one interactive stream; keep MediaConvert for catalog-only.
4. Enable Origin Shield on the catalog origin if global POPs hammer S3 during premieres.
5. Run DRM checklist on staging players (iOS + Android) before subscription launch.

What this post doesn’t cover

• Studio MAM, IMF, and on-prem playout — ingest starts after MAM export.
• Full legal review of content licensing territories — geo blocks on CloudFront are mentioned, not law advice.
• Amazon Kinesis / analytics on viewing events — see Kinesis decision guide.
• Retail e-commerce peak scaling — retail architecture.

Related: CloudFront pricing · Data transfer costs · Architecture review services