# DRM and packaging checklist (MediaPackage + CloudFront)

Run before go-live on a subscription OTT catalog. Assumes **SPEKE**-compatible DRM
(Widevine / FairPlay / PlayReady) via MediaPackage.

## Pre-flight

- [ ] **KMS CMK** used by the SPEKE key provider to protect key material: key policy
      allows the key provider's execution role in the deployment region; the role
      MediaPackage assumes to call the provider (`RoleArn` in the SpekeKeyProvider
      config) trusts `mediapackage.amazonaws.com`
- [ ] **SPEKE endpoint** (the `Url` in the SpekeKeyProvider config) reachable by
      MediaPackage; if the API Gateway stage is IAM-authorized, that `RoleArn` role has
      `execute-api:Invoke` on it
- [ ] **MediaPackage packaging group** has separate endpoints for HLS and DASH if
      players require both
- [ ] **CloudFront origin** points to the MediaPackage endpoint hostname, never raw S3,
      for encrypted manifests; if CDN authorization is enabled on the endpoint, the
      origin sends the `X-MediaPackage-CDNIdentifier` custom header with the value
      stored in Secrets Manager
- [ ] **Signed URLs or cookies** (trusted key group) on the clear preview tier
      (trailers): clear content has no DRM, so CloudFront signing is its only access
      control; give it its own cache behavior, separate from the DRM paths

## Key rotation

- [ ] Document **rotation cadence** (quarterly minimum for premium sports)
- [ ] Run rotation in **staging packaging group** first; validate on iOS + Android
      reference players
- [ ] Confirm **license server** (if third-party) accepts new key IDs before prod cutover

## Multi-CDN caveats

- [ ] **Do not** point two CDNs at the same MediaPackage origin without a shared
      shield tier in front of it or a single egress contract (CloudFront Origin Shield
      only de-duplicates CloudFront's own pulls); duplicate origin pulls inflate cost
- [ ] Keep **manifest TTL** short for live (a few seconds, about one segment
      duration); segments are immutable, so segment TTL can be long for live and VOD
- [ ] **Geo restrictions** on CloudFront match content licensing territories
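The CloudFront-side items in **Pre-flight** and **Multi-CDN caveats** (CDN authorization header on the MediaPackage origin, no raw S3 behind DRM paths, signing on clear previews, short live manifest TTL, geo allow-list) can be linted against the distribution config before go-live. The script below is an added example for this checklist, not AWS code. Its input has the shape of `boto3`'s `get_distribution_config()["DistributionConfig"]`, but the sample config is constructed by hand so it runs offline; it assumes legacy per-behavior TTLs rather than a cache policy, CDN authorization enabled on the endpoint, and made-up path patterns and territories.

```python
"""Offline lint of a CloudFront DistributionConfig fronting MediaPackage.

Added example for the checklist; not AWS code. The config below is constructed
to look like boto3's get_distribution_config()["DistributionConfig"].
"""
import copy

CDN_AUTH_HEADER = "x-mediapackage-cdnidentifier"  # sent to the origin when CDN auth is on
MAX_LIVE_MANIFEST_TTL = 6  # seconds; assumption: about one target segment duration


def _is_mediapackage(domain: str) -> bool:
    return ".mediapackage" in domain and domain.endswith(".amazonaws.com")


def _origin_headers(origin: dict) -> dict:
    items = origin.get("CustomHeaders", {}).get("Items", [])
    return {h["HeaderName"].lower(): h["HeaderValue"] for h in items}


def lint_distribution(cfg, drm_patterns, clear_patterns, territories, live=True):
    """Return a list of human-readable findings; empty list means the config passes."""
    findings = []
    origins = {o["Id"]: o for o in cfg["Origins"]["Items"]}

    # 1. Every MediaPackage origin must carry the CDN-authorization header,
    #    or MediaPackage answers 403 to every viewer once CDN auth is enabled.
    for oid, o in origins.items():
        if _is_mediapackage(o["DomainName"]) and CDN_AUTH_HEADER not in _origin_headers(o):
            findings.append(f"origin {oid}: missing {CDN_AUTH_HEADER} custom header")

    for b in cfg["CacheBehaviors"].get("Items", []):
        pat, target = b["PathPattern"], b["TargetOriginId"]
        origin = origins.get(target)
        if origin is None:
            findings.append(f"behavior {pat}: unknown origin {target}")
            continue
        # 2. DRM paths are served from MediaPackage, never from raw S3.
        if pat in drm_patterns and not _is_mediapackage(origin["DomainName"]):
            findings.append(f"behavior {pat}: DRM content served from non-MediaPackage origin {origin['DomainName']}")
        # 3. Clear previews have no DRM, so a trusted key group is their only gate.
        if pat in clear_patterns and not b.get("TrustedKeyGroups", {}).get("Enabled"):
            findings.append(f"behavior {pat}: clear preview without trusted key group (unsigned access)")
        # 4. Live manifests must not be cached long; segments may be.
        if live and pat.endswith((".m3u8", ".mpd")):
            if "CachePolicyId" in b:
                findings.append(f"behavior {pat}: TTL set by cache policy {b['CachePolicyId']}; verify it separately")
            elif b.get("DefaultTTL", 0) > MAX_LIVE_MANIFEST_TTL:
                findings.append(f"behavior {pat}: manifest DefaultTTL {b['DefaultTTL']}s too long for live")

    # 5. Geo restriction must be an allow-list equal to the licensed territories.
    geo = cfg["Restrictions"]["GeoRestriction"]
    if geo["RestrictionType"] != "whitelist" or set(geo.get("Items", [])) != set(territories):
        findings.append(f"geo restriction {geo['RestrictionType']} {sorted(geo.get('Items', []))} != licensed {sorted(territories)}")
    return findings


# Constructed sample that fails every check; hostnames and paths are made up.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "mp-hls", "DomainName": "a1b2c3d4e5.mediapackage.eu-west-1.amazonaws.com",
         "CustomHeaders": {"Quantity": 0, "Items": []}},
        {"Id": "s3-raw", "DomainName": "ott-assets.s3.eu-west-1.amazonaws.com",
         "CustomHeaders": {"Quantity": 0, "Items": []}},
    ]},
    "CacheBehaviors": {"Quantity": 3, "Items": [
        {"PathPattern": "/out/v1/*.m3u8", "TargetOriginId": "mp-hls", "DefaultTTL": 300,
         "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}},
        {"PathPattern": "/out/v1/*.ts", "TargetOriginId": "s3-raw", "DefaultTTL": 86400,
         "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}},
        {"PathPattern": "/trailers/*", "TargetOriginId": "mp-hls", "DefaultTTL": 86400,
         "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}},
    ]},
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
}
DRM_PATTERNS = {"/out/v1/*.m3u8", "/out/v1/*.ts"}   # assumption: MediaPackage v1 paths
CLEAR_PATTERNS = {"/trailers/*"}                     # assumption: clear preview tier
LICENSED = {"GB", "IE"}                              # assumption: licensing territories

# The same config with each finding corrected, to show the passing shape.
FIXED_CONFIG = copy.deepcopy(SAMPLE_CONFIG)
FIXED_CONFIG["Origins"]["Items"][0]["CustomHeaders"] = {"Quantity": 1, "Items": [
    {"HeaderName": "X-MediaPackage-CDNIdentifier", "HeaderValue": "replace-with-secrets-manager-value"}]}
_b = FIXED_CONFIG["CacheBehaviors"]["Items"]
_b[0]["DefaultTTL"] = 5
_b[1]["TargetOriginId"] = "mp-hls"
_b[2]["TrustedKeyGroups"] = {"Enabled": True, "Quantity": 1, "Items": ["trailer-key-group"]}
FIXED_CONFIG["Restrictions"]["GeoRestriction"] = {"RestrictionType": "whitelist", "Quantity": 2, "Items": ["GB", "IE"]}

if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(cfg_name, lint_distribution(cfg, DRM_PATTERNS, CLEAR_PATTERNS, LICENSED))
```

Against a real distribution, replace `SAMPLE_CONFIG` with the `DistributionConfig` returned by `boto3`; behaviors that use a cache policy instead of legacy TTLs are reported for manual review rather than judged, because their TTLs live in the policy, not in the behavior.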

## What could go wrong

| Symptom | Likely cause |
|---------|----------------|
| Playback works on web, fails on iOS | FairPlay certificate / SKD URL mismatch |
| Manifest 403 for all users | CloudFront origin not sending the `X-MediaPackage-CDNIdentifier` header (or sending a stale secret) that the endpoint's CDN authorization expects; OAI/OAC only apply to S3 origins and do not authenticate to MediaPackage |
| License requests spike cost | Players retrying on expired keys after botched rotation |
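The first row of the table (Widevine plays on web, FairPlay fails on iOS) is usually visible in the HLS playlist itself: the FairPlay `EXT-X-KEY` tag must use `METHOD=SAMPLE-AES`, `KEYFORMAT="com.apple.streamingkeydelivery"` and an `skd://` URI that the app's key request handler recognises. The checker below is an added example for this page, not MediaPackage or Apple code; the playlist is constructed inline, and the expected `skd://` prefix is an assumption standing in for whatever content-ID scheme your FairPlay key handler accepts.

```python
"""Check key-signalling tags of an HLS playlist for the FairPlay/SKD mismatch case.

Added example for the symptom table; not MediaPackage or Apple code.
"""
import re

# Attribute list parser for EXT-X-KEY / EXT-X-SESSION-KEY: NAME=value or NAME="value".
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("(?:[^"]*)"|[^,]*)')
FAIRPLAY_KEYFORMAT = "com.apple.streamingkeydelivery"
WIDEVINE_KEYFORMAT = "urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"
EXPECTED_SKD_PREFIX = "skd://ott-prod/"  # assumption: what the iOS key handler accepts


def parse_key_tags(playlist: str):
    """Return one attribute dict per EXT-X-KEY / EXT-X-SESSION-KEY tag, in order."""
    keys = []
    for line in playlist.splitlines():
        if line.startswith(("#EXT-X-KEY:", "#EXT-X-SESSION-KEY:")):
            tag, attr_text = line.split(":", 1)
            attrs = {name: value.strip('"') for name, value in ATTR_RE.findall(attr_text)}
            attrs["TAG"] = tag
            keys.append(attrs)
    return keys


def check_fairplay(keys, expected_prefix=EXPECTED_SKD_PREFIX):
    """Findings explaining why FairPlay clients would fail while Widevine clients play."""
    findings = []
    fairplay = [k for k in keys if k.get("KEYFORMAT") == FAIRPLAY_KEYFORMAT]
    if not fairplay:
        findings.append("no FairPlay key tag: iOS has nothing to request a license with")
    for k in fairplay:
        if k.get("METHOD") != "SAMPLE-AES":
            findings.append(f"FairPlay METHOD={k.get('METHOD')}; FairPlay requires SAMPLE-AES")
        uri = k.get("URI", "")
        if not uri.startswith("skd://"):
            findings.append(f"FairPlay URI {uri!r} is not an skd:// URI")
        elif not uri.startswith(expected_prefix):
            findings.append(f"SKD URI {uri!r} outside {expected_prefix!r}: key handler will reject it")
        if k.get("KEYFORMATVERSIONS", "1") != "1":
            findings.append(f"FairPlay KEYFORMATVERSIONS={k['KEYFORMATVERSIONS']}; expected 1")
    return findings


# Constructed media playlist: Widevine tag is fine, FairPlay tag points at a staging SKD.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:5
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="data:text/plain;base64,AAAAAQ==",KEYID=0x0123,KEYFORMAT="urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed",KEYFORMATVERSIONS="1"
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://ott-staging/asset-42",KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1"
#EXTINF:6.000,
seg_1.ts
"""

if __name__ == "__main__":
    for finding in check_fairplay(parse_key_tags(SAMPLE_PLAYLIST)):
        print("FAIL:", finding)
```

Run it against the playlist CloudFront actually serves (fetch with the same signed URL a player would use), not against the MediaPackage origin directly, so that any rewriting in the path is included in what you check.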

## Related

- [Live vs VOD decision matrix](./live-vs-vod-decision-matrix.md)
- [KMS CMK strategy](/blog/aws-kms-encryption-architecture-cmk-strategy-2026/)
