MAC Security

MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. MACSec provides Layer 2 point-to-point encryption over the cross-connect to AWS. MACSec operates at Layer 2 between two Layer 3 routers and provides encryption on the Layer 2 domain. All data flowing across the AWS global network that interconnects with datacenters and Regions is automatically encrypted at the physical layer before it leaves the data center.

In the following diagram, both the dedicated connection and your on-premises resources must support MACsec. Layer 2 traffic that travels over the dedicated connection to or from the data center is encrypted.

MACsec concepts

The following are the key concepts for MACsec:

• MAC Security (MACsec) — An IEEE 802.1 Layer 2 standard that provides data confidentiality, data integrity, and data origin authenticity. For more information about the protocol, see 802.1AE: MAC Security (MACsec).

• MACsec secret key — A pre-shared key that establishes the MACsec connectivity between the customer on-premises router and the connection port at the AWS Direct Connect location. The key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS and have also provisioned on your device.

• Connection Key Name (CKN) and Connectivity Association Key (CAK) — The values in this pair are used to generate the MACsec secret key. You generate the pair values, associate them with an AWS Direct Connect connection, and provision them on your edge device at your end of the AWS Direct Connect connection.

Supported connections

MACsec is available on dedicated connections. For information about how to order connections that support MACsec, see AWS Direct Connect.