Introduction
All Amazon MGM Studios (AS) production staff and crew play an important role in protecting AS content and preventing leaks. In addition to accepting your project NDA (non-disclosure agreement), anyone handling AS digital content is expected to do their part to mitigate the risk of content leaks. The following sections provide an overview of expectations and baseline requirements for handling pre-release content that should be reviewed and followed by every production.
For any questions related to digital security, please contact the Amazon Content Security (CS) team at content-security@amazon.com.
To report leaks or security incidents related to a production — including lost or stolen devices belonging to, accessing, or storing AS content — notify the Amazon MGM Studios Production Security Team (PST) at the earliest possible opportunity. If you see something that could compromise the confidentiality of an AS Original, immediately alert your local production security contact and PST at production-security@amazon.com. Please include a telephone number, and a team member will call as soon as possible.
Standards Overview - Digital Security
Below is a summary of baseline standards for securely handling digital content. See the Content Security Standards Overview for a printable version including a list of “Do’s” and “Do Not’s” for securely handling digital content.
- Principle of Least Privilege
  - Follow the principle of least privilege by restricting content access to the fewest people necessary to complete a job or task.
  - Disable downloads by default when sharing assets. Downloads should only be enabled when required to complete a job.
  - When sharing or transferring digital content, ensure that only the intended recipients are included.
  - Proactively manage access permissions on cloud tools used for sharing digital content, ensuring that only authorized individuals are able to access the materials necessary to complete their work.
- Third-Party (3P) Vendors & Tooling
  - All 3P vendors and tools used to receive or handle AS content are required to meet CS security standards and receive an assessment prior to receiving content.
  - Never upload AS content to unapproved cloud-based tools (e.g. Google Drive, Dropbox, iCloud, non-Amazon Box accounts).
  - If you’re unsure whether a vendor or tool is approved, check with your Amazon Production Executive or email content-security@amazon.com.
  - See the Digital Security Resources & Support section for more information.
- Watermarks & Image Quality
  - All digital content should be visibly watermarked unless the use case requires a clean asset.
  - All digital content should be shared/transferred in desaturated, low-res proxy form unless the use case requires otherwise.
  - See the Watermarking and Desaturation of Content section for additional information.
- Device Security
  - Any devices used on a production should be set up and configured according to the CS workstation and device hardening requirements.
  - Never leave any production devices (e.g. laptops, drives, cameras) unattended for any period of time.
- Production Network Security
  - See the Local Area Network, Wide Area Network, and Interoffice Connections section for instructions on securely setting up and configuring your production network.
  - Once ready, contact content-security@amazon.com to review and validate your network setup.
- Security Incident & Leak Reporting
  - In the event of a leak or any other security incident, notify production-security@amazon.com immediately.
- Project Code Names
  - Use the designated project code name whenever referring to your production’s title. Never reference both the code name and the actual title in the same communication.
  - Never share or announce a project code name without explicit permission and a valid business purpose related to production or creative operations.
- Secure Email Accounts
  - Use a secure email account for all production-related emails (e.g. @originalsaccess.com or a vendor email account).
  - Never use email to send or receive pre-release assets (i.e. via attachment or in the message text) or to discuss sensitive production information (e.g. plot, key details, pre-release dates). Emails can be forwarded easily and cannot be traced.
- Secure Production Workflows
  - Ensure your production workflow is secure for handling camera-raw content, referencing the Dailies & Editorial Procedure.
- Public Workspaces
  - Never view pre-release content or sensitive production documents in public spaces (e.g. cafes, airports, airplanes). Past leaks have originated from photos taken of device screens in public.
- Drive Encryption
  - Ensure that any drives used to store digital content conform to the CS approved encrypted drives list and encryption requirements.
Security Emergency Inquiries / Reporting
For emergencies or immediate threats to the safety of the production staff or assets, please notify the local police authorities as appropriate.
As soon as the situation is safe and under control, please immediately report the security incident using the Incident Notification Form. You will need the password below.
Incident Notification Form - Click Here
Password: ASIR2023
In addition to the above, all non-emergency security issues must be reported using the same form. Non-emergency security incidents may include issues associated with the following:
- Secure Production Workflows
- Digital Asset Protection
- Cyber-Attack / Compromise / Breach
- Leaked Content
- Security-Related Vendor Management / Vetting
- Physical Asset Protection and Set Security
- Theft
- Acts of Violence
- Threats of Violence
- Production Facility Access Control
- Visitor Management
- Talent Protection
To report a content or digital asset leak, e-mail production-security@amazon.com, CC’ing content-security@amazon.com and providing the following information:
- The name of the person reporting the incident
- The code name of the production
- Location
- Contact information
- A description of what occurred
Please also include the local Amazon Studios executive in any reports.
Digital Security Management
The Amazon MGM Studios Content Security Team manages Digital Security. For any questions related to digital security, please email content-security@amazon.com.
Content and non-content networks must be segregated using a Layer 2 and/or Layer 3 segmentation method. All inter-segment routes must be restricted to mission-critical services, and an explicit deny-all rule must be applied to all network segments.
Please reference the diagrams below (Figure 1 - 3) when designing the production network.
Reach out to content-security@amazon.com to validate the secure network setup configuration.
Figure 1: Network segments for a larger environment
Refer to Figure 3 for data I/O setup and content flow.
Figure 2: Network segments and I/O setup leveraging air-gapping
Figure 3: I/O Dataflow and set up
A: WAN connection is restricted (whitelisted) to Amazon Studios approved transfer tools (e.g., Aspera, Flow Capture, etc.), core services (e.g., logging, patch management), Anti-virus (for updates), and e-mail (to receive links).
B: A dedicated I/O network is established with local storage (an Inbox and an Outbox are set up). A standard (non-admin) account is created with write-only access to the Inbox and read-only access to the Outbox. Designated data I/O personnel download content into the Inbox via an Amazon Studios approved transfer tool and scan it with anti-virus. Assets are uploaded from the Outbox using client-approved transfer tools after they have been scanned with AV.
C: A unidirectional ACL/rule is established to allow connections into the I/O zone from Production (e.g., FROM Prod TO I/O Service, SMB ports 445 & 139). I/O storage is mounted from Production, and assets are pulled from the Inbox for downloads or pushed to the Outbox for uploads. The connection between I/O and Production is only ever initiated by the higher security zone (Production), on an as-needed basis (unidirectional ACL/rule). Access to project folders and landing folders is restricted via permission control; project folder access is granted on a need-to-have basis. All incoming and outgoing assets are moved to the project folders or the I/O network and then removed from the landing folders immediately.
Firewall Guidelines
- At a minimum, networks/devices having routes to WAN must have a firewall and anti-virus/malware installed.
- A stateful firewall must be in place to inspect all incoming and outgoing traffic. Basic gateway security services (i.e., IDS, IPS, Gateway AV) must be enabled.
- Access to management interfaces on networking devices/appliances should be restricted to dedicated management zones with restricted routes and limited users. Only allow encrypted management protocols (e.g., HTTPS).
- When setting up the firewall, the following controls should be in place:
  - Administrator alerts (for conditions such as anomalous traffic, bandwidth threshold exceeded, etc.)
  - All traffic logs enabled
  - All protocols denied by default, with only specific, required protocols allowed
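To make the I/O segmentation described in Figure 3 and the deny-by-default firewall guidelines above concrete, here is an added Python policy model (not part of the Amazon standard or any real firewall) that evaluates sample flows: Production may initiate SMB (445/139) into the I/O zone but not the reverse, only the I/O zone reaches the WAN and only to whitelisted services, replies are allowed only on established sessions, and everything else is denied. Zone address ranges, host names and the management rule are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones from the production network diagrams; address ranges are constructed.
ZONES = {
    "production": ip_network("10.10.0.0/24"),
    "io": ip_network("10.20.0.0/24"),
    "management": ip_network("10.99.0.0/24"),
}

# WAN whitelist for the I/O zone: approved transfer tool, core services (logging,
# patch management), AV updates and mail. Host names are constructed placeholders.
WAN_ALLOW = {
    ("transfer.approved-tool.example", 443),
    ("logs.core-services.example", 514),
    ("patch.core-services.example", 443),
    ("updates.antivirus.example", 443),
    ("mail.example", 993),
}

# Explicit inter-zone rules (src_zone, dst_zone, proto, ports). Anything not
# listed falls through to the explicit deny-all.
RULES = [
    ("production", "io", "tcp", {445, 139}),      # Prod mounts I/O storage over SMB
    ("management", "production", "tcp", {443}),   # HTTPS-only management (assumed)
    ("management", "io", "tcp", {443}),
]


@dataclass(frozen=True)
class Flow:
    src: str      # source IP, or a host name for WAN destinations
    dst: str
    proto: str    # "tcp" or "udp"
    port: int     # server-side port of the session
    reply: bool = False  # True for server->client traffic on an existing session


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the known ranges is WAN."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return "wan"  # host names only occur for WAN destinations in this model
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


def evaluate(flow: Flow, established: set) -> tuple:
    """Return ("allow"|"deny", reason); records allowed sessions in `established`."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if flow.reply:  # stateful inspection: replies ride on the original session only
        if (flow.dst, flow.src, flow.proto, flow.port) in established:
            return "allow", "reply on established session"
        return "deny", "reply without matching session"
    if src_zone == "wan":
        return "deny", "inbound connections from WAN are never accepted"
    if dst_zone == "wan":
        if src_zone != "io":
            return "deny", f"{src_zone} has no route to WAN"
        if (flow.dst, flow.port) in WAN_ALLOW:
            established.add((flow.src, flow.dst, flow.proto, flow.port))
            return "allow", "WAN whitelist"
        return "deny", "WAN destination not whitelisted"
    for rule_src, rule_dst, rule_proto, ports in RULES:
        if (rule_src, rule_dst, rule_proto) == (src_zone, dst_zone, flow.proto) and flow.port in ports:
            established.add((flow.src, flow.dst, flow.proto, flow.port))
            return "allow", f"rule {rule_src}->{rule_dst} {rule_proto}/{flow.port}"
    return "deny", "explicit deny-all"
```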
Content Filtering
* Email and web filtering software or appliances should be set up to prohibit:
  * Phishing emails
  * Known domains/sites that are sources of malware and viruses
  * Executable attachments (e.g., Visual Basic scripts, .exe files, etc.)
  * Unauthorized file sharing sites (e.g., Dropbox, WeTransfer, Hightail/YouSendIt, etc.)
Segregation of Storage
- The storage of content, confidential data, and assets should only reside on the restricted access network, and storage should not span across segregated networks.
- Utilize Layer 3 segmentation to separate storage volumes.
- Dual-homing is only allowed between properly segmented and secured content/production networks.
- Storage devices should, at a minimum, abide by the following guidelines:
  - Enable ESP
  - Ignore name server requests from unauthorized devices
  - Restrict automatic replication
  - Restrict "super user" privileges on client computers
  - Utilize DES Authentication for RPC
  - Follow the manufacturer's best practices
Data Backups
Production projects and content are backed up periodically, and the restorability of the backup is tested. All backups must be encrypted.
Device and Systems Security
Computer rentals and the use of personal devices must be pre-approved by the AS Production Executive and AS Security.
Maximum rental rates, expressed as a percentage of the computer package inventory value, are below:
| Max Daily Rate | Max Weekly Rate | Cap |
| --- | --- | --- |
| 0.50% | 2.50% | 20% |
All content handling/accessing devices must be secured following AS device security standards.
Device Security Measures:
- Anti-malware/virus solution is in place.
- Local firewall is enabled.
- All guest accounts are disabled.
- Whole disk encryption is enabled.
- Screen lock is set to trigger after at most 10 minutes of inactivity.
- An MDM, EPP, or group policy solution is in place to manage the endpoint devices.
- Certificate-based or MAC filtering with static IPs is set for the content network.
- Security updates are applied upon availability.
- An exception is granted for fully air-gapped workstations.
- Workstations that receive, send, manipulate, or store content in the production network should not have direct access to the internet.
The following patch management practices apply to internet-connected devices, systems, and networks. This includes networks/devices that are dual-homed and/or have inter-routes made available to and from internet-facing zones.
- Where possible, implement a centralized patch management tool (e.g., WSUS, Shavlik, Altiris) to automatically deploy patches to all systems.
- Subscribe to security and patch notifications from vendors, other third parties, and security advisories.
- Apply critical patches as soon as they become available and within 48 hours on computers on externally accessible networks.
- Apply less critical patches promptly, according to a defined cycle based on risk (e.g., monthly for medium, etc.).
- Test patches prior to deployment and implement a regular (e.g., monthly) process to identify, evaluate and test patches for network infrastructure devices, SAN/NAS, and servers.
- Decommission legacy systems that are no longer supported.
- Implement an exception process and compensating controls for cases with a legitimate business case for not patching systems.
- Effectively air-gapped devices and systems (i.e., internet and inter-routing are completely disallowed) are not required to follow the patch management process (recommended).
- Access is provided only to individuals approved by the Production office to work on Amazon Studios productions, and who have completed all start paperwork, including NDAs.
- Amazon Studios IT systems are for business purposes only.
- These systems and networks are the property of Amazon Studios, and there is no expectation of privacy while using them.
- Data from Amazon Studios systems shall not be transmitted to any personal devices, personal cloud accounts, backup services, or any other external device without the approval of the Amazon Studios Production IT department.
- Local firewalls must be implemented to restrict access to each workstation.
- Workstations must have firewalls implemented to restrict unauthorized access.
- User access must be reviewed periodically by Heads of Departments (HOD) to ensure that all individuals with access to the Restricted area still require that access due to the nature of their duties.
- If the duties no longer require access for that individual, then the HOD must immediately remove the user from the access permissions list.
- Restricted access areas must be limited to the fewest number of Cast or Crew. For assistance, please contact support@amazonstudios.com.
- AS requires all production members handling Tier 1 content to have a production email account (@originalsaccess.com) to use for work rather than allowing members to use personal email.
- Approved tools such as Amazon's instance of Box and Scenechronize are easily accessible with an Originals Access email account through the single sign-on portal. Production Technology can assign email addresses to all current production team members and new starts.
- More details on Originals Access emails are found on the Tech Menu.
Be cautious when discussing projects in public and/or shared facilities such as the canteen or coffee shops within the studio. Refer to characters, sets, and any other information by their code name.
- Beware of phishing attempts via email, social media, text messages, and telephone.
- Report any suspicious online contacts/behavior to AS Production Security.
- Never provide information or materials just because someone asks for it.
- Question all requests for AS content or sensitive information, verify identity and obtain authorization.
- Direct all online requests for information about the production to AS Production Security: content-security@amazon.com
- Passwords are required to access AS systems and content.
- Passwords should never be written down or posted anywhere.
- Never share your password with colleagues or any unauthorized users.
- All cell phones and mobile devices must require a password or biometric (e.g., facial recognition) to access.
Password Requirements:
- Complexity: Passwords should contain three of the following four character types: uppercase letters, lowercase letters, numbers, and special characters.
- Length: Passwords should have a minimum length of 8 characters for any account with a 180-day expiration timeline (or 8 characters with multi-factor authentication and a 360-day expiration timeline).
- SSO (single sign-on) must always require multi-factor authentication.
- Minimum password age: one day.
- Maximum number of invalid login attempts: five, after which the account is locked out indefinitely.
- Password history: Each password must be different from the previous passwords, with a password history of 10 previous passwords for any account.
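The password requirements above, as an added Python example (not Amazon's own implementation) that enforces them at change and login time: 8-character minimum, three of four character classes, a one-day minimum age, a 10-entry history, and indefinite lockout after five invalid attempts. Passwords are stored as salted PBKDF2 hashes so the history check never keeps plaintext; the iteration count is a constructed value.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8
REQUIRED_CLASSES = 3          # three of the four classes below
MIN_AGE = timedelta(days=1)
HISTORY_DEPTH = 10
MAX_INVALID_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000   # constructed value for the example

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_classes(password: str) -> set:
    """Names of the character classes present in the password."""
    return {name for name, rx in CLASSES.items() if rx.search(password)}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


def change_password(acct: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the policy; returns the list of violations (empty means the change was made)."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append("length below 8 characters")
    if len(complexity_classes(new_password)) < REQUIRED_CLASSES:
        problems.append("fewer than 3 of 4 character classes")
    if acct.last_changed is not None and now - acct.last_changed < MIN_AGE:
        problems.append("minimum password age of 1 day not reached")
    if any(matches(new_password, entry) for entry in acct.history[:HISTORY_DEPTH]):
        problems.append("reuses one of the last 10 passwords")
    if not problems:
        acct.history.insert(0, hash_password(new_password))
        del acct.history[HISTORY_DEPTH:]   # keep exactly the last 10
        acct.last_changed = now
    return problems


def attempt_login(acct: Account, password: str) -> str:
    """Returns "ok", "invalid" or "locked"; lockout is indefinite (admin must clear it)."""
    if acct.locked:
        return "locked"
    if acct.history and matches(password, acct.history[0]):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_INVALID_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "invalid"
```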
- Secure Handling: If content is required to be moved or shared via removable media, utilize an AES 256-bit hardware-encrypted drive. For a list of AS-approved encrypted hard drives, refer to the Approved Encrypted Drives List.
- Passwords/Passcode: Passwords for encrypted drives must NEVER be kept with the drives themselves.
- Physical Media Handling (Non-Hard Drive): Other types of media, such as CDs, DVDs, or SD cards, are NOT permitted for pre-release content. Please contact the Production IT department to learn how to encrypt your specific storage device, as special considerations apply.
- Hard Drive Storage: When not in use, removable media (even blank media) should be stored in a safe within the production office or workshops, where unauthorized personnel cannot access it. Access to that safe must be limited to key personnel. Details on approved types of safes are available from PST at production-security@amazon.com.
- Inventory Tracking: Both Production IT and the specific department will keep an inventory of all removable media assigned to the department to prevent loss and track transfers.
All assets shared for review for any business purpose must have uniquely identifiable watermarking and desaturation.
Note: For any workflows that require unwatermarked content, please contact production-security@amazon.com.
Video watermarking
AS requires that all pre-release video/AV content be watermarked (burned in/embedded) with the following elements, at minimum:
- [Viewer’s Identity]
  - [Viewer’s first and last name] and/or [personally identifiable email address]
  - [Viewer’s IP address]
- Copyright warning:
  - [“Copyright-Protected and Traceability Enabled”]
- [Date] the content was viewed
- Where applicable: [Viewer’s vendor/employer name] (e.g. Deluxe Burbank)
Note: Watermarks must be clearly visible, with legible font size and color contrast.
See below for a watermark example created in Flow Capture (formerly known as Moxion), Amazon’s preferred tool for viewing pre-release AV assets. This example meets the requirements listed above, in addition to specifying valid transparency, opacity, and element-positioning values. These values can be used to inform watermark creation in other tools, as the available options and level of customizability vary by system.
Document watermarking
- On documents, always include:
  - [Recipient’s first and last name]
  - If applicable: [Recipient’s company name] on the lower third of the page
  - [Recipient’s name or email address] in the center of the page (as close to 100% of page length as possible)
    - Note: If someone only has a personal email address (e.g., name@provider.com), use the recipient’s first and last name instead.
  - [Document version]
  - [Date] on the upper third of the page
For font size and placement references, see the example screenshot below:
Note: Production documents that are approved for sharing via Box may not be able to meet the specific watermarking requirements described above (e.g. specific text-placement criteria). When sharing documents or assets via Box, apply Box’s default watermarking settings and ensure the following elements are visible:
- [User Email Address]
- [Date & Time Accessed by User]
Forensic Watermarking
- In addition to the visible watermark requirements, AV assets must be forensically watermarked when shared digitally.
- Forensic watermarks must uniquely identify their originator(s) and authorized user(s).
- If forensic watermarking is not available, utilize a tiled visible watermark of the viewer’s identity to increase watermark coverage. See the example below.
Desaturation and resolution
- Photo and AV assets must be desaturated unless there is an express business need for color.
- Assets must be sent in a low-resolution, compressed form unless there is an express business need for full resolution.
Additional Controls
- If the recipient’s name or email address is unknown or must remain anonymous (e.g. for VIP talent), then the watermark must include a unique recipient ID that is personally identifiable/traceable to the recipient. Track and store any unique recipient IDs in case they are needed for future reference.
- The sender must immediately delete watermarked assets after confirming successful delivery. This ensures the intended recipient is the only person in possession of their uniquely watermarked asset.
Scripts must be handled using approved tooling with downloads disabled and unique, personally identifiable watermarks applied. The following practices apply to all pre-release Amazon MGM Studios (AS) scripts. For questions, concerns, or to verify whether your script handling tool is approved, check with your Amazon Production Executive or contact content-security@amazon.com.
Note: Anyone who receives or handles a pre-release script must first sign a non-disclosure agreement (NDA).
Secure Handling & Sharing
- Always handle scripts using an approved, secure tool such as Scenechronize. Ensure that downloads are disabled and a unique, personally identifiable watermark is applied. For more information on watermark requirements, see the Watermarking and Desaturation of Content section above.
- Limit script access and distribution to the fewest number of individuals with a valid business need. Never share scripts with anyone who has not been approved by the title’s Production Executive.
- Do not send scripts via email attachment, as emails are easily forwarded without traceability.
- Do not view scripts in public settings such as cafes, airports, or airplanes.
- Do not store scripts locally, such as on a laptop or thumb drive.
- Do not print physical scripts unless there is a valid business need and written approval has been provided by the title’s Production Executive. For more information on physical script handling guidelines, see the High-Value Script Handling Requirements section under Physical Security Management.
- If you receive a copy of a script via an insecure tool, such as email, delete it from the unapproved tool and request that it be shared via an approved tool.
Photography Approval: The requestor's department head or coordinator must send a request for photography approval to AS Production and AS Marketing. The sender must include the crew member's details and the reason for the request. AS will then approve or deny the use of a production iPod Touch, or of a specific device if a more capable camera is required. The Executive Producer's office will maintain a list of all approved crew members, logging their device ID, expiration date, and cloud account details. This list will be shared among Amazon Studios Security, IT, and Production.
For Tier 1 productions, auditable records are to be in place, and a strict approval process must be followed. iPod Touch devices are used to control who is authorized to capture images in a production environment. Auditable records will be maintained to assist with tracking devices and off-boarding. Utilizing these devices provides a safe and secure method to upload images to a secure cloud storage area. All iPod Touch devices should be color-coded and numbered to assist security in detecting non-authorized devices.
- Issuance of Device: Approved crew will then be instructed to do the following:
  - Visit the IT department for the issuing of the device.
  - Arrange a meeting with the production’s Digital Asset Manager to discuss their required workflow, device use, and image capture management.
  - The crew member will then be issued a separate photography-approved badge with an agreed expiration date.
  - The photography device should only be used by the individual to whom it has been assigned and who is in possession of the correct ID credentials.
- Specific Device: The approved photography device only captures department-relevant images and must not be used to capture personal images or images irrelevant to the crew member's job description.
- Content Management: All images are required to be fully uploaded and wiped from the device within agreed and appropriate time frames.
- Appropriate Use: The crew member should not attempt to alter the settings on the device or attempt to remove or share the images inappropriately.
- Device Credentials: Login details for the cloud account or device should never be shared. If the security of the device or cloud credentials is ever compromised, the assigned crew member must immediately contact Production-Security@amazon.com.
- Device Accountability: The photography device should be returned to Production once the assigned crew member's approval period ends or as part of their off-boarding procedure.
- Lost & Stolen Devices: If the photography device is ever lost or stolen, the assigned crew member must contact AS Content Security immediately for the device to be remotely wiped.
Digital Security Resources & Support
Security Resources & Support
Amazon Studios maintains policies, standards, and guidelines that are available for your reference. Contacts for resources and help with day-to-day tasks are listed below:
Please see the Tech Menu for additional resources and support.
Creative 3rd Party Tooling/Vendor Security
Any creative content handling service providers (e.g. ADR facility, VFX facility, etc.) and 3P tools (e.g. Airtable, Box, ShotGrid) must be cleared with AS Content Security.
Reach out to AS Content Security at content-security@amazon.com and provide the following information to find out if your vendor/3P tool/application has already been approved or to request an assessment:
- Title of the email/request (e.g. “Vendor Security Request - [production code name]”)
- Vendor name and location
- Vendor contact, email address, and mobile/cell number
- What assets will this vendor be receiving?
- What type of work will this vendor be conducting?
- What project/title will the vendor be working on?
Please ensure the AS Production/Post/VFX POC is copied in the request.
Security Templates & Exhibits
Tip Sheets
Review these tip sheets for extra security measures