MAC Security - AWS Direct Connect

MAC Security

MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. You can use AWS Direct Connect connections that support MACsec to encrypt your data from your corporate data center to the AWS Direct Connect location.

In the following diagram, both the dedicated connection and your on-premises resources must support MACsec. Layer 2 traffic that travels over the dedicated connection to or from the data center is encrypted.


			MACsec overview

MACsec concepts

The following are the key concepts for MACsec:

  • MAC Security (MACsec) — An IEEE 802.1 Layer 2 standard that provides data confidentiality, data integrity, and data origin authenticity. For more information about the protocol, see 802.1AE: MAC Security (MACsec).

  • MACsec secret key — A pre-shared key that establishes the MACsec connectivity between the customer on-premises router and the connection port at the AWS Direct Connect location. The key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS and have also provisioned on your device.

  • Connection Key Name (CKN) and Connectivity Association Key (CAK) — The values in this pair are used to generate the MACsec secret key. You generate the pair values, associate them with an AWS Direct Connect connection, and provision them on your edge device at your end of the AWS Direct Connect connection.

Supported connections

MACsec is available on dedicated connections. For information about how to order connections that support MACsec, see AWS Direct Connect.