AWS Security ChangesHomeSearch

AWS mediapackage medium security documentation change

Service: mediapackage · 2025-11-22 · Security-related medium

File: mediapackage/latest/userguide/manifest-filter-query-parameters.md

Summary

Added documentation for DRM settings parameter to exclude session keys from HLS multivariant playlists

Security assessment

Excluding session keys from the multivariant playlist reduces exposure of encryption keys to unauthorized clients, addressing potential security risks related to key pre-fetching or legacy client compatibility. This directly impacts content access control.

Diff

diff --git a/mediapackage/latest/userguide/manifest-filter-query-parameters.md b/mediapackage/latest/userguide/manifest-filter-query-parameters.md
index 271179f4f..285697e9a 100644
--- a//mediapackage/latest/userguide/manifest-filter-query-parameters.md
+++ b//mediapackage/latest/userguide/manifest-filter-query-parameters.md
@@ -266,0 +267,8 @@ If you're using this parameter with I-frame only trick-play, `trickplay_height`
+DRM | `aws.drmsettings` | 
+
+  * Controls DRM-related settings for HLS manifests. Currently supports excluding session keys from the multivariant playlist.
+  * **Accepted values** : `exclude_session_keys` \- Removes `EXT-X-SESSION-KEY` tags from the multivariant playlist while preserving key information in individual media playlists.
+  * **Use case** : Useful for legacy clients that have issues with session key pre-fetching or when using manifest filtering to control access to specific content variants.
+  * **Scope** : Only applies to HLS manifests. Ignored for DASH manifests.
+
+| `stream.m3u8?aws.drmsettings=exclude_session_keys`