MAC Security in AWS Direct Connect
MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. MACsec provides Layer 2 point-to-point encryption over the cross-connect to AWS. MACsec operates at Layer 2 between two Layer 3 routers and provides encryption on the Layer 2 domain. All data flowing across the AWS global network that interconnects with data centers and Regions is automatically encrypted at the physical layer before it leaves the data center.
In the following diagram, both the dedicated connection and your on-premises resources must support MACsec. Layer 2 traffic that travels over the dedicated connection to or from the data center is encrypted.
MACsec concepts
The following are the key concepts for MACsec:
- MAC Security (MACsec) — An IEEE 802.1 Layer 2 standard that provides data confidentiality, data integrity, and data origin authenticity. For more information about the protocol, see 802.1AE: MAC Security (MACsec).
- MACsec secret key — A pre-shared key that establishes the MACsec connectivity between the customer on-premises router and the connection port at the AWS Direct Connect location. The key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS and have also provisioned on your device.
- Connection Key Name (CKN) and Connectivity Association Key (CAK) — The values in this pair are used to generate the MACsec secret key. You generate the pair values, associate them with an AWS Direct Connect connection, and provision them on your edge device at your end of the AWS Direct Connect connection.
MACsec key rotation
When rotating keys, key rollover is supported with MACsec keychains. Direct Connect MACsec supports MACsec keychains with capacity for storing up to three CKN/CAK pairs. You use the associate-mac-sec-key command to associate a CKN/CAK pair with the existing MACsec-enabled connection. You then configure the same CKN/CAK pair on the device on your end of the AWS Direct Connect connection. The Direct Connect device attempts to use the most recently stored key for the connection. If that key does not match the key on your device, Direct Connect continues to use the previous working key.
For information on using associate-mac-sec-key, see associate-mac-sec-key.
Supported connections
MACsec is available on dedicated connections. For information about how to order connections that support MACsec, see AWS Direct Connect.
MACsec on dedicated connections
The following helps you become familiar with MACsec on AWS Direct Connect dedicated connections. There are no additional charges for using MACsec.
The steps to configure MACsec on a dedicated connection can be found in Get started with MACsec on a dedicated connection. Before configuring MACsec on a dedicated connection, note the following:
- MACsec is supported on 10 Gbps, 100 Gbps, and 400 Gbps dedicated Direct Connect connections at selected points of presence. For these connections, the following MACsec cipher suites are supported:
  - For 10 Gbps connections, GCM-AES-256 and GCM-AES-XPN-256.
  - For 100 Gbps and 400 Gbps connections, GCM-AES-XPN-256.
- Only 256-bit MACsec keys are supported.
- Extended Packet Numbering (XPN) is required for 100 Gbps and 400 Gbps connections. For 10 Gbps connections, Direct Connect supports both GCM-AES-256 and GCM-AES-XPN-256. High-speed connections, such as 100 Gbps and 400 Gbps dedicated connections, can quickly exhaust MACsec's original 32-bit packet numbering space, which would require you to rotate your encryption keys every few minutes to establish a new Connectivity Association. To avoid this situation, the IEEE Std 802.1AEbw-2013 amendment introduced extended packet numbering, increasing the numbering space to 64 bits and relaxing the timing requirement for key rotation.
- Secure Channel Identifier (SCI) is required and must be turned on. This setting can't be adjusted.
- IEEE 802.1Q (Dot1q/VLAN) tag offset/dot1q-in-clear is not supported for moving a VLAN tag outside of an encrypted payload.
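To make the XPN point concrete, the following added example (written for this page, not code from the AWS documentation) estimates how long a MACsec Secure Association can run before its packet number (PN) space is exhausted, for each supported link speed and for both 32-bit and 64-bit PNs. The traffic model is an assumption: every frame has the same size and the link runs at line rate, and each frame carries a 16-byte SecTAG with SCI plus a 16-byte ICV in addition to the usual 20 bytes of preamble and inter-frame gap.

```python
# Added example (not from the AWS documentation): estimate how quickly a MACsec
# packet number (PN) space is exhausted on a link, which is why XPN is required
# on 100 Gbps and 400 Gbps connections. The traffic model is an assumption:
# every frame is the same size and the link runs at line rate.

PREAMBLE_AND_IFG_BYTES = 20   # 8-byte preamble/SFD + 12-byte inter-frame gap
SECTAG_WITH_SCI_BYTES = 16    # SecTAG carrying the SCI (SCI is mandatory here)
ICV_BYTES = 16                # GCM-AES integrity check value


def packets_per_second(link_gbps, frame_bytes):
    """Line-rate frame rate for an Ethernet frame of frame_bytes before MACsec."""
    wire_bytes = frame_bytes + SECTAG_WITH_SCI_BYTES + ICV_BYTES + PREAMBLE_AND_IFG_BYTES
    return link_gbps * 1e9 / (wire_bytes * 8)


def rekey_interval_seconds(link_gbps, frame_bytes, pn_bits):
    """Seconds until a Secure Association with a pn_bits-wide PN must be replaced.

    A PN is never reused inside one SA, so 2**pn_bits frames is the hard limit;
    real devices rekey earlier, once the PN passes a threshold.
    """
    return 2 ** pn_bits / packets_per_second(link_gbps, frame_bytes)


def rekey_table(frame_bytes=64):
    """Rekey interval for each supported link speed under 32-bit and 64-bit PNs."""
    rows = {}
    for gbps in (10, 100, 400):
        rows[gbps] = {
            "pn32_seconds": rekey_interval_seconds(gbps, frame_bytes, 32),
            "pn64_years": rekey_interval_seconds(gbps, frame_bytes, 64) / (365.25 * 86400),
        }
    return rows


if __name__ == "__main__":
    for gbps, r in rekey_table().items():
        print(f"{gbps:>4} Gbps, 64-byte frames: 32-bit PN lasts {r['pn32_seconds']:8.1f} s, "
              f"64-bit PN lasts {r['pn64_years']:.1e} years")
```

With minimum-size frames the 32-bit PN lasts roughly 40 seconds at 100 Gbps and 10 seconds at 400 Gbps, and even with 1518-byte frames it is under ten minutes at 100 Gbps; the 64-bit XPN space lasts thousands of years at the same rates, which is why the key rotation schedule no longer has to track link speed.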
For additional information about Direct Connect and MACsec, see the MACsec section of the AWS Direct Connect FAQs.
MACsec prerequisites for dedicated connections
Complete the following tasks before you configure MACsec on a dedicated connection.
- Create a CKN/CAK pair for the MACsec secret key. You can create the pair using an open standard tool. The pair must meet the requirements specified in Step 4: Configure your on-premises router.
- Make sure that you have a device on your end of the connection that supports MACsec.
- Secure Channel Identifier (SCI) must be turned on.
- Only 256-bit MACsec keys are supported, providing the latest advanced data protection.
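The following added example (written for this page; it is not AWS documentation code and not an AWS SDK) covers the first prerequisite above together with the key rotation section: it generates a CKN/CAK pair from the operating system's CSPRNG, checks that the keychain still has room before a new pair is associated, and assembles the associate-mac-sec-key call. Everything outside the page is an assumption: that both values are 64 lowercase hex characters (a 256-bit key), that a describe-connections entry lists stored pairs under "macSecKeys" with a "ckn" and a "state", and the connection ID, which is a constructed placeholder.

```python
# Added example (not from the AWS documentation or an AWS SDK): create a
# CKN/CAK pair for Direct Connect MACsec, check the keychain has room for it,
# and assemble the associate-mac-sec-key call. Assumptions: both values are
# 64 lowercase hex characters (256 bits); the keychain holds at most three
# pairs; describe-connections reports the stored pairs under "macSecKeys".
import re
import secrets

HEX_256_BIT = re.compile(r"[0-9a-f]{64}")
MAX_KEYCHAIN_PAIRS = 3


def generate_ckn_cak():
    """Return a (ckn, cak) tuple drawn from the OS CSPRNG, 32 bytes each."""
    return secrets.token_hex(32), secrets.token_hex(32)


def is_valid_key_value(value):
    """True when value is exactly 64 lowercase hex characters."""
    return isinstance(value, str) and HEX_256_BIT.fullmatch(value) is not None


def keychain_slots_free(connection):
    """Number of CKN/CAK pairs that can still be associated with the connection.

    `connection` is one element of the describe-connections "connections" list;
    its "macSecKeys" entries are the pairs already stored (assumed shape).
    """
    stored = [k for k in connection.get("macSecKeys", []) if k.get("state") != "disassociated"]
    return max(0, MAX_KEYCHAIN_PAIRS - len(stored))


def build_associate_command(connection, ckn, cak):
    """Return the AWS CLI argv that associates the pair with the connection.

    Raises ValueError instead of producing a call that would be rejected.
    """
    if not is_valid_key_value(ckn):
        raise ValueError("CKN must be 64 lowercase hex characters")
    if not is_valid_key_value(cak):
        raise ValueError("CAK must be 64 lowercase hex characters")
    if any(k.get("ckn") == ckn for k in connection.get("macSecKeys", [])):
        raise ValueError("CKN already associated with this connection")
    if keychain_slots_free(connection) == 0:
        raise ValueError("keychain full: disassociate an old pair before adding one")
    return ["aws", "directconnect", "associate-mac-sec-key",
            "--connection-id", connection["connectionId"],
            "--ckn", ckn, "--cak", cak]


# Constructed sample of a describe-connections entry with two pairs stored.
SAMPLE_CONNECTION = {
    "connectionId": "dxcon-EXAMPLE",
    "macSecCapable": True,
    "encryptionMode": "must_encrypt",
    "macSecKeys": [
        {"ckn": "a" * 64, "state": "associated"},
        {"ckn": "b" * 64, "state": "associated"},
    ],
}

if __name__ == "__main__":
    ckn, cak = generate_ckn_cak()
    argv = build_associate_command(SAMPLE_CONNECTION, ckn, cak)
    argv[argv.index("--cak") + 1] = "<redacted>"   # keep the CAK out of logs
    print(" ".join(argv))
```

The CAK is the secret half of the pair: it should never be echoed, logged, or left in shell history, so the script masks it before printing and the same value must be provisioned on the on-premises router out of band. The command also accepts a --secret-arn option that references an existing Secrets Manager secret, which avoids passing the CAK on the command line at all.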
Service-Linked roles
AWS Direct Connect uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to AWS Direct Connect. Service-linked roles are predefined by AWS Direct Connect and include all of the permissions that the service requires to call other AWS services on your behalf. A service-linked role makes setting up AWS Direct Connect easier because you don’t have to manually add the necessary permissions. AWS Direct Connect defines the permissions of its service-linked roles, and unless defined otherwise, only AWS Direct Connect can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. For more information, see Service-linked roles for Direct Connect.
MACsec pre-shared CKN/CAK key considerations
AWS Direct Connect uses AWS managed CMKs for the pre-shared keys that you associate with connections or LAGs. Secrets Manager stores each pre-shared CKN/CAK pair as a secret encrypted under the Secrets Manager root key. For more information, see AWS managed CMKs in the AWS Key Management Service Developer Guide.
The stored key is read-only by design, but you can schedule a seven- to thirty-day deletion using the AWS Secrets Manager console or API. When you schedule a deletion, the CKN cannot be read, and this might affect your network connectivity. We apply the following rules when this happens:
- If the connection is in a pending state, we disassociate the CKN from the connection.
- If the connection is in an available state, we notify the connection owner by email. If you do not take any action within 30 days, we disassociate the CKN from your connection.
When we disassociate the last CKN from your connection and the connection encryption mode is set to "must_encrypt", we set the mode to "should_encrypt" to prevent sudden packet loss.