Get started with MACsec on dedicated connections - AWS Direct Connect

The following tasks help you become familiar with MACsec on AWS Direct Connect dedicated connections. There are no additional charges for using MACsec.

Before configuring MACsec on a dedicated connection, note the following:

  • MACsec is supported on 10 Gbps and 100 Gbps dedicated Direct Connect connections at selected points of presence. For these connections, the following MACsec cipher suites are supported:

    • For 10 Gbps connections, GCM-AES-256 and GCM-AES-XPN-256.

    • For 100 Gbps connections, GCM-AES-XPN-256.

  • Only 256-bit MACsec keys are supported.

  • Extended Packet Numbering (XPN) is required for 100 Gbps connections; 10 Gbps connections support both GCM-AES-256 and GCM-AES-XPN-256. MACsec never reuses a packet number under the same Secure Association Key (SAK), so a high-speed link such as a 100 Gbps dedicated connection can exhaust the original 32-bit packet number space of IEEE 802.1AE within minutes, which would force a new SAK to be distributed every few minutes. To avoid this, the IEEE Std 802.1AEbw-2013 amendment introduced extended packet numbering, which widens the packet number to 64 bits and relaxes the key rotation interval accordingly.

  • Secure Channel Identifier (SCI) is required and must be turned on. This setting can't be adjusted.

  • IEEE 802.1Q (dot1q/VLAN) tag offset, also called dot1q-in-clear, is not supported: the VLAN tag cannot be moved outside the encrypted payload and is always encrypted along with the frame.
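
The following Python is an added worked example, not part of the AWS documentation, that puts numbers on the XPN point above: it estimates how quickly a 32-bit packet number space is used up at 10 Gbps and 100 Gbps compared with the 64-bit XPN space. It assumes the worst case of minimum-size 64-byte Ethernet frames plus 20 bytes of preamble and inter-packet gap per frame, ignores MACsec's own per-frame SecTAG/ICV overhead (which only makes the estimate conservative), and treats the three-quarters rekey threshold used by IEEE 802.1X MKA key servers as an assumption rather than something the page states.

```python
"""Packet-number exhaustion on a MACsec link: 32-bit PN versus 64-bit XPN.

Added example. Assumptions: worst-case minimum frames (64 bytes + 20 bytes
preamble/SFD/inter-packet gap = 84 byte-times on the wire); MACsec's own
SecTAG/ICV overhead is ignored, which only makes the estimate conservative.
"""

PN_BITS = 32            # IEEE 802.1AE-2006 packet number
XPN_BITS = 64           # IEEE 802.1AEbw-2013 extended packet number
MIN_FRAME_ON_WIRE_BYTES = 64 + 20
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# MKA key servers do not wait for the last PN: IEEE 802.1X starts a rekey when
# the PN reaches 0xC0000000, i.e. three quarters of the space (assumed here).
PENDING_EXHAUSTION_FRACTION = 0.75


def max_frames_per_second(link_bps: float, frame_bytes: int = MIN_FRAME_ON_WIRE_BYTES) -> float:
    """Upper bound on frames per second at the given on-the-wire frame size."""
    return link_bps / (frame_bytes * 8)


def seconds_until_pn_exhaustion(link_bps: float, pn_bits: int,
                                frame_bytes: int = MIN_FRAME_ON_WIRE_BYTES) -> float:
    """Time until one Secure Association has used every packet number.

    A (SAK, PN) pair is never reused, so a new SAK must be installed before
    this point; it is the hard upper bound on the rekey interval.
    """
    return (2 ** pn_bits) / max_frames_per_second(link_bps, frame_bytes)


def rekey_deadline_seconds(link_bps: float, pn_bits: int) -> float:
    """When an MKA key server would have to start distributing a new SAK."""
    return PENDING_EXHAUSTION_FRACTION * seconds_until_pn_exhaustion(link_bps, pn_bits)


def rekey_summary(link_bps: float) -> dict:
    """Compare the two numbering schemes for a given line rate."""
    return {
        "pn32_exhaust_s": seconds_until_pn_exhaustion(link_bps, PN_BITS),
        "pn32_rekey_s": rekey_deadline_seconds(link_bps, PN_BITS),
        "xpn64_exhaust_years": seconds_until_pn_exhaustion(link_bps, XPN_BITS) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for label, bps in (("10 Gbps", 10e9), ("100 Gbps", 100e9)):
        s = rekey_summary(bps)
        print(f"{label}: 32-bit PN exhausted in {s['pn32_exhaust_s']:.0f} s "
              f"(rekey by {s['pn32_rekey_s']:.0f} s); "
              f"64-bit XPN lasts {s['xpn64_exhaust_years']:.0f} years")
```

With minimum frames the 32-bit space lasts under 30 seconds at 100 Gbps and roughly five minutes at 10 Gbps, which is the "every few minutes" the text refers to. With XPN the same 100 Gbps link would take thousands of years to wrap, so the SAK lifetime becomes a policy choice rather than something the counter forces on you.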

For additional information about Direct Connect and MACsec, see the MACsec section of the AWS Direct Connect FAQs.

MACsec prerequisites

Complete the following tasks before you configure MACsec on a dedicated connection.

  • Create a CKN/CAK pair for the MACsec secret key.

    You can create the pair with any industry-standard tool that produces cryptographically random key material. The pair must meet the requirements specified in Step 4: Configure your on-premises router, and the CAK must be protected like any other long-lived secret.

  • Make sure that you have a device on your end of the connection that supports MACsec.

  • Secure Channel Identifier (SCI) must be turned on.

  • Only 256-bit MACsec keys are supported, so generate a 256-bit CAK.

Service-linked roles

AWS Direct Connect uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Direct Connect. Service-linked roles are predefined by AWS Direct Connect and include all of the permissions that the service requires to call other AWS services on your behalf. A service-linked role makes setting up AWS Direct Connect easier because you don’t have to manually add the necessary permissions. AWS Direct Connect defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Direct Connect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. For more information, see Service-linked roles for Direct Connect.

MACsec pre-shared CKN/CAK key considerations

AWS Direct Connect stores the pre-shared CKN/CAK pairs that you associate with connections or LAGs as secrets in AWS Secrets Manager. Each secret is encrypted under the AWS managed KMS key for Secrets Manager (AWS managed keys were formerly called AWS managed CMKs). For more information, see AWS managed CMKs in the AWS Key Management Service Developer Guide.

The stored secret is read-only by design, but you can schedule its deletion, with a recovery window of seven to thirty days, using the AWS Secrets Manager console or API. Once a deletion is scheduled, the CKN can no longer be read, which can affect your network connectivity. Direct Connect applies the following rules when this happens:

  • If the connection is in a pending state, we disassociate the CKN from the connection.

  • If the connection is in an available state, we notify the connection owner by email. If you do not take any action within 30 days, we disassociate the CKN from your connection.

When we disassociate the last CKN from your connection and the connection encryption mode is set to must_encrypt, we set the mode to should_encrypt to prevent sudden packet loss. Note the security consequence: a connection in should_encrypt mode can come up unencrypted, so a scheduled secret deletion that is left to run silently downgrades the link from enforced to opportunistic encryption.

Step 1: Create a connection

To start using MACsec, you must turn the feature on when you create a dedicated connection. For more information, see Create a connection using the Connection wizard.

(Optional) Step 2: Create a link aggregation group (LAG)

If you use multiple connections for redundancy, you can create a LAG that supports MACsec. For more information, see MACsec considerations and Create a LAG.

Step 3: Associate the CKN/CAK with the connection or LAG

After you create the connection or LAG that supports MACsec, you need to associate a CKN/CAK pair with it. For more information, see the procedure for associating a MACsec CKN/CAK with a connection or with a LAG.

Step 4: Configure your on-premises router

Update your on-premises router with the MACsec secret key. The CKN/CAK pair configured on the on-premises router must match the pair associated with the connection at the AWS Direct Connect location, and the router must use one of the supported cipher suites listed above. For more information, see Download the router configuration file.

Step 5: (Optional) Remove the association between the CKN/CAK and the connection or LAG

If you need to remove the association between the MACsec key and the connection or LAG, see the procedure for disassociating a MACsec CKN/CAK from a connection or from a LAG.
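
The following Python ties Steps 3 to 5 and the key considerations above into one script. It is an added example, not code from the AWS documentation or from AWS. It generates a CKN/CAK pair from the OS random source, validates it, builds the boto3 directconnect calls in the order that keeps the link from dropping (associate the key first, then raise the encryption mode to must_encrypt), and audits a connection description for the should_encrypt fallback that follows a scheduled secret deletion. Assumptions: both the CKN and the CAK are 64 hexadecimal characters (256 bits), as the page defers the exact requirements to Step 4; the boto3 methods associate_mac_sec_key, update_connection, describe_connections and disassociate_mac_sec_key with the parameters shown; and the sample connection record is constructed, not real AWS output.

```python
"""MACsec CKN/CAK lifecycle on a Direct Connect dedicated connection (added example).

Assumed: CKN and CAK are each 64 hex characters (256 bits); boto3 directconnect
methods associate_mac_sec_key / update_connection / describe_connections /
disassociate_mac_sec_key with the keyword arguments used below.
"""
import re
import secrets

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
ENCRYPTION_MODES = ("no_encrypt", "should_encrypt", "must_encrypt")


def generate_ckn_cak() -> tuple[str, str]:
    """Return a fresh (CKN, CAK) pair: 32 CSPRNG bytes each as lowercase hex.

    Equivalent to running `openssl rand -hex 32` twice. The CKN is the public
    name of the key and appears in MKA frames; the CAK is the secret.
    """
    return secrets.token_hex(32), secrets.token_hex(32)


def validate_ckn_cak(ckn: str, cak: str) -> None:
    """Raise ValueError for pairs the API would reject or that are unsafe to use."""
    if not HEX64.fullmatch(ckn):
        raise ValueError("CKN must be exactly 64 hexadecimal characters (assumed requirement)")
    if not HEX64.fullmatch(cak):
        raise ValueError("CAK must be exactly 64 hexadecimal characters (256-bit key)")
    if ckn.lower() == cak.lower():
        raise ValueError("CKN is sent in the clear by MKA; it must not equal the CAK")
    if len(set(cak.lower())) < 4:
        raise ValueError("CAK looks like a placeholder, not random key material")


def is_valid_pair(ckn: str, cak: str) -> bool:
    """Boolean form of validate_ckn_cak for callers that prefer not to catch."""
    try:
        validate_ckn_cak(ckn, cak)
        return True
    except ValueError:
        return False


def plan_macsec_enforcement(connection_id: str, ckn: str, cak: str) -> list[tuple[str, dict]]:
    """Ordered API calls for the AWS side of Steps 3 and 4.

    Associate first, then raise encryptionMode: switching to must_encrypt before
    a key is associated and the router is configured would black-hole traffic.
    """
    validate_ckn_cak(ckn, cak)
    return [
        ("associate_mac_sec_key", {"connectionId": connection_id, "ckn": ckn, "cak": cak}),
        ("update_connection", {"connectionId": connection_id, "encryptionMode": "must_encrypt"}),
    ]


def plan_key_removal(connection_id: str, secret_arn: str) -> list[tuple[str, dict]]:
    """Step 5: drop a key by the Secrets Manager ARN that Direct Connect reports for it."""
    return [("disassociate_mac_sec_key", {"connectionId": connection_id, "secretARN": secret_arn})]


def execute_plan(client, plan: list[tuple[str, dict]]) -> list[dict]:
    """Run a plan against a boto3 directconnect client and return the responses."""
    return [getattr(client, api)(**kwargs) for api, kwargs in plan]


def audit_connection(connection: dict) -> list[str]:
    """Findings for one entry of describe_connections()['connections'].

    Flags the fallback from the key considerations: after the last CKN is
    disassociated, Direct Connect lowers must_encrypt to should_encrypt and
    the link may come up in clear text.
    """
    findings = []
    if not connection.get("macSecCapable"):
        findings.append("connection was not created with MACsec enabled")
    states = [k.get("state") for k in connection.get("macSecKeys", [])]
    if "associated" not in states:
        findings.append(f"no CKN/CAK in state 'associated' (states: {states})")
    mode = connection.get("encryptionMode")
    if mode != "must_encrypt":
        findings.append(f"encryptionMode is {mode!r}; clear-text fallback is possible")
    if connection.get("portEncryptionStatus") != "Encryption Up":
        findings.append(f"portEncryptionStatus is {connection.get('portEncryptionStatus')!r}")
    return findings


# Constructed sample shaped like a describe_connections() entry after a scheduled
# Secrets Manager deletion removed the last key. Not real AWS output.
SAMPLE_DEGRADED = {
    "connectionId": "dxcon-example",
    "macSecCapable": True,
    "encryptionMode": "should_encrypt",
    "portEncryptionStatus": "Encryption Down",
    "macSecKeys": [{"secretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example",
                    "ckn": "00" * 32, "state": "disassociated"}],
}

if __name__ == "__main__":
    ckn, cak = generate_ckn_cak()
    for api, kwargs in plan_macsec_enforcement("dxcon-example", ckn, cak):
        print(api, {k: ("<redacted>" if k == "cak" else v) for k, v in kwargs.items()})
    for finding in audit_connection(SAMPLE_DEGRADED):
        print("FINDING:", finding)
    # Live use: import boto3; execute_plan(boto3.client("directconnect"), plan)
```

Run the audit periodically (or from the deletion notification e-mail) against describe_connections output; an empty findings list means a key is associated, the port reports Encryption Up and the mode is still must_encrypt. Keep the generated CAK only long enough to paste it into the router configuration in Step 4; Direct Connect never returns it after association.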