Get started with MACsec on dedicated connections - AWS Direct Connect

The following tasks help you become familiar with MACsec on AWS Direct Connect dedicated connections.

Follow these steps to create a connection with MACsec support, and then associate a CKN/CAK pair with the connection.

MACsec prerequisites

Complete the following tasks before you configure MACsec on a dedicated connection.

  • Create a CKN/CAK pair for the MACsec secret key.

    You can generate the pair with any open-standard tool. The pair must meet the format requirements specified in Step 4: Configure your on-premises router.

  • MACsec is available on dedicated connections for certain AWS Direct Connect Partners. For information about which AWS Direct Connect Partners support MACsec, see AWS Direct Connect.

  • Make sure that you have a device on your end of the connection that supports MACsec.

Service-linked roles

AWS Direct Connect uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Direct Connect. Service-linked roles are predefined by AWS Direct Connect and include all of the permissions that the service requires to call other AWS services on your behalf. A service-linked role makes setting up AWS Direct Connect easier because you don’t have to manually add the necessary permissions. AWS Direct Connect defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Direct Connect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. For more information, see Using Service-Linked Roles for AWS Direct Connect.

MACsec pre-shared CKN/CAK key considerations

AWS Direct Connect stores each pre-shared CKN/CAK pair that you associate with a connection or LAG as a secret in AWS Secrets Manager. That secret is encrypted under the AWS managed key (formerly called an AWS managed CMK) that Secrets Manager uses for your account. For more information, see AWS managed keys in the AWS Key Management Service Developer Guide.

The stored secret is read-only by design: you cannot edit it, but you can schedule its deletion, with a recovery window of 7 to 30 days, using the AWS Secrets Manager console or API. While a deletion is scheduled the CKN can no longer be read, which can affect your network connectivity. We apply the following rules when this happens:

  • If the connection is in a pending state, we disassociate the CKN from the connection.

  • If the connection is in an available state, we notify the connection owner by email. If you do not take any action within 30 days, we disassociate the CKN from your connection.

When we disassociate the last CKN from your connection and the connection encryption mode is set to must_encrypt, we set the mode to should_encrypt to prevent sudden packet loss. Note that in should_encrypt mode the connection keeps forwarding traffic in the clear if no MACsec session can be established, so treat this transition as a fail-open event: associate a new CKN/CAK pair and return the connection to must_encrypt as soon as possible.

Step 1: Create a connection

To start using MACsec, you must turn the feature on when you create a dedicated connection. For more information, see Create a connection.

(Optional) Step 2: Create a link aggregation group (LAG)

If you use multiple connections for redundancy, you can create a LAG that supports MACsec. For more information, see MACsec considerations and Create a LAG.

Step 3: Associate the CKN/CAK with the connection or LAG

After you create the connection or LAG that supports MACsec, associate a CKN/CAK with the connection or LAG. For more information, see one of the following:

Step 4: Configure your on-premises router

Configure your on-premises router with the same CKN/CAK pair that you associated with the connection or LAG. The pair on the router and the pair at the AWS Direct Connect location must match exactly; otherwise the MACsec Key Agreement (MKA) session does not come up and, in must_encrypt mode, no traffic passes. For more information, see Download the router configuration file.

Step 5: (Optional) Remove the association between the CKN/CAK and the connection or LAG

If you need to remove the association between the MACsec key and the connection or LAG, see one of the following:
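The following shell script is an added example that walks through Steps 1 to 5 above with the AWS CLI; it is not code from the AWS documentation or the Direct Connect service. It generates a CKN/CAK pair from /dev/urandom, validates the pair before it is submitted, and prints (rather than executes) the CLI calls, because the real calls need live credentials and an existing dedicated connection. Assumptions, stated as such: each of the CKN and CAK is 32 random bytes written as 64 hexadecimal characters (the format requirement that Step 4 refers to), and the connection ID, location and secret ARN shown are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example, not AWS's code: generate and validate a MACsec CKN/CAK pair,
# then assemble the AWS CLI calls for Steps 1-5 of the procedure above.
# Assumption: CKN and CAK are each 32 bytes, written as 64 hex characters.
# dxcon-EXAMPLE, <location> and the secret ARN below are placeholders.

# Emit 32 bytes from /dev/urandom as 64 lowercase hex characters.
gen_hex32() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Succeed only if $1 is exactly 64 hex digits; reject empty strings,
# wrong lengths and non-hex characters before anything reaches the API.
is_hex64() {
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print one CLI command per line for the procedure (comments start with #).
#   $1 connection ID   $2 CKN   $3 CAK   $4 Secrets Manager ARN of the pair
# Returns 1 without printing anything if the pair is malformed.
macsec_commands() {
    conn=$1
    ckn=$2
    cak=$3
    secret=$4
    if ! is_hex64 "$ckn" || ! is_hex64 "$cak"; then
        echo "CKN and CAK must each be 64 hex characters" >&2
        return 1
    fi
    printf '%s\n' \
      "# Step 1: MACsec must be requested when the dedicated connection is created" \
      "aws directconnect create-connection --connection-name macsec-dx --location <location> --bandwidth 10Gbps --request-mac-sec" \
      "# Step 3: associate the pair; the response carries the secretARN used in Step 5" \
      "aws directconnect associate-mac-sec-key --connection-id $conn --ckn $ckn --cak $cak" \
      "# Step 4: only after the router holds the same pair, enforce encryption" \
      "aws directconnect update-connection --connection-id $conn --encryption-mode must_encrypt" \
      "# Step 5: removing the last key from a must_encrypt connection drops it to should_encrypt" \
      "aws directconnect disassociate-mac-sec-key --connection-id $conn --secret-arn $secret"
}

# Usage: generate a fresh pair and show the commands with placeholder IDs.
CKN=$(gen_hex32)
CAK=$(gen_hex32)
macsec_commands dxcon-EXAMPLE "$CKN" "$CAK" \
    "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER"
```

Keep the generated CAK out of shell history and logs: the value printed here is the secret that your router and the AWS side will agree on, so in practice write it straight into the router configuration and the associate call rather than echoing it to a terminal. The disassociate call is listed last to show the fail-open behaviour described under the key considerations: if it removes the last pair while the mode is must_encrypt, the connection moves to should_encrypt and continues to forward traffic without MACsec.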