Encryption in AWS Direct Connect
AWS Direct Connect does not encrypt your traffic that is in transit by default. To encrypt the data in transit that traverses AWS Direct Connect, you must use the transit encryption options for that service. To learn about EC2 instance traffic encryption, see Encryption in Transit in the Amazon EC2 User Guide.
With AWS Direct Connect and AWS Site-to-Site VPN, you can combine one or more AWS Direct Connect dedicated
network connections with the Amazon VPC VPN. This combination provides an IPsec-encrypted
private connection that also reduces network costs, increases bandwidth throughput, and
provides a more consistent network experience than internet-based VPN connections. For more
information, see Amazon VPC-to-Amazon VPC Connectivity Options
MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. You can use AWS Direct Connect connections that support MACsec to encrypt your data from your corporate data center to the AWS Direct Connect location. For more information, see MAC Security in AWS Direct Connect.