

# Data protection for AWS Elemental MediaConnect
<a name="data-protection"></a>

You can protect your data using tools that are provided by AWS. AWS Elemental MediaConnect can decrypt your incoming video (flow source or router input) and encrypt your outgoing video (flow outputs, router outputs and entitlements). 

You have three options for encrypting content in transit:
+ **Static key encryption:** You can use this option to encrypt flow sources, flow outputs, router I/O and entitlements. You store your encryption key in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption key from Secrets Manager. 

  Advantages: You have full control over storage of the encryption key for your account. The key is stored in AWS Secrets Manager, where you can access it any time.

  Challenges: All parties (the owners of the flow or router input source, the flow, any flow or router outputs, and any entitlements) need the encryption key. If the content is shared using an entitlement, both the originator and the subscriber must store the encryption key in AWS Secrets Manager. If the encryption key changes, you must notify all parties of the new key.
+ **Secure Packager and Encoder Key Exchange (SPEKE):** You can use this option to encrypt content that is sent through an entitlement. You partner with a conditional access (CA) platform key provider who manages and provides encryption keys. Then you give Amazon API Gateway permission to act as a proxy between the CA platform key provider and your AWS account.

  Advantages: The content originator has full control over access to the encryption key. As the content originator, you partner with your CA platform key provider who manages the encryption key, but you don't handle the key itself and you don't share it with any other parties. Depending on the capabilities of your key provider, this option allows you to assign time limitations to an encryption key or revoke the key entirely. The subscriber doesn't need to set up encryption. This information is automatically provided through the entitlement.

  Challenges: You must work with a third party (the key provider).
+ **Secure Reliable Transport (SRT) password encryption:** You can use this option to encrypt flow sources, flow outputs and router I/O when using SRT protocols. SRT protocols are highly available, low-latency protocols that are suitable for long-distance applications. You store your encryption password in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption password from Secrets Manager.

  Advantages: Uses AES with key lengths of 128, 192 or 256 bits. You have full control over the storage of the encryption password. The password is stored in AWS Secrets Manager, where you can access it any time. 

  Challenges: Only usable with SRT protocols. 

**Note**  
Encryption is supported for entitlements, flow sources and outputs that use the Zixi or SRT protocols, and for router I/O that uses the SRT protocol.

**Topics**
+ [Static key encryption in AWS Elemental MediaConnect](encryption-static-key.md)
+ [SPEKE encryption in AWS Elemental MediaConnect](encryption-speke.md)
+ [SRT password encryption in AWS Elemental MediaConnect](encryption-srt-password.md)
+ [Internetwork traffic privacy](internetwork-traffic-privacy.md)

# Static key encryption in AWS Elemental MediaConnect
<a name="encryption-static-key"></a>

You can use static key encryption to protect your sources, outputs, entitlements and router I/O. You store your encryption key in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption key from Secrets Manager. 

**Topics**
+ [Key management for static key encryption](encryption-static-key-key-management.md)
+ [Setting up static key encryption using AWS Elemental MediaConnect](encryption-static-key-set-up.md)

# Key management for static key encryption
<a name="encryption-static-key-key-management"></a>

In AWS Elemental MediaConnect, you can use static key encryption to secure content in sources, outputs, entitlements and router I/O. To use this method, you store an encryption key as a *secret* in AWS Secrets Manager, and you give AWS Elemental MediaConnect permission to access the secret. Secrets Manager keeps your encryption key secure, allowing it to be accessed only by entities that you specify in an AWS Identity and Access Management (IAM) policy.

With static key encryption, all participants (the owner of the flow source, the flow, and any flow outputs, entitlements and router I/O) need the encryption key. If the content is shared using an entitlement, both AWS account owners must store the encryption key in AWS Secrets Manager.

For more information, see [Setting up static key encryption](encryption-static-key-set-up.md).

# Setting up static key encryption using AWS Elemental MediaConnect
<a name="encryption-static-key-set-up"></a>

Before you can create a flow or a router I/O with an encrypted source or an output, or an entitlement that uses static key encryption, you must perform the following steps: 

**[Step 1](#encryption-static-key-set-up-store-key)** – Store your encryption key as a secret in AWS Secrets Manager.

**[Step 2](#encryption-static-key-set-up-create-iam-policy)** – Create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored in AWS Secrets Manager.

**[Step 3](#encryption-static-key-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and make requests on behalf of your account.

**Note**  
MediaConnect supports encryption only for entitlements, flow sources and outputs that use the Zixi or SRT protocols, and for router I/O that uses the SRT protocol. The key that you store in Secrets Manager for the Zixi protocol is a static key in hexadecimal format. SRT uses a passkey for encryption.

## Step 1: Store your encryption key in AWS Secrets Manager
<a name="encryption-static-key-set-up-store-key"></a>

To use static key encryption to encrypt your AWS Elemental MediaConnect content, you must use AWS Secrets Manager to create a secret that stores the encryption key. You must create the secret, and the resource (source, output, entitlement or router I/O) that uses the secret in the same AWS account. You can’t share secrets across accounts.

**Note**  
 If you use MediaConnect to distribute video from one AWS Region to another, you must create two secrets (one secret in each Region). 

**To store an encryption key in Secrets Manager**

1. Obtain the encryption key from the entity that manages the source.

1. Sign in to the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. On the **Store a new secret** page, for **Select secret type**, choose **Other type of secrets**.

1. For **Key/value pairs**, choose **Plaintext**. 

1. Clear any text in the box and replace it with only the **value** of the encryption key. For hexadecimal keys, check the length of the key to ensure that it matches the length specified for the encryption type. For example, an AES-256 encryption key must have 64 digits, because each digit is 4 bits in size. 

1. For **Select the encryption key**, keep the default set to **DefaultEncryptionKey**.

1. Choose **Next**.

1. For **Secret name**, specify a name for your secret that will help you identify it later. For example, **2018-12-01\_baseball-game-source**.

1. Choose **Next**.

1. For **Configure automatic rotation** section, choose **Disable automatic rotation**. 

1. Choose **Next**, and then choose **Store**.

   The details page for your new secret appears, showing information such as the secret ARN.

1. Make a note of the secret ARN from Secrets Manager. You will need this information in the next procedure.

## Step 2: Create an IAM policy to allow AWS Elemental MediaConnect to access your secret
<a name="encryption-static-key-set-up-create-iam-policy"></a>

In [step 1](#encryption-static-key-set-up-store-key), you created a secret and stored it in AWS Secrets Manager. In this step, you create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored.

**To create an IAM policy that allows MediaConnect to access your secret**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Policies**.

1. Choose **Create policy**, and then choose the **JSON** tab.

1. Enter a policy that uses the following format:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "secretsmanager:GetResourcePolicy",
           "secretsmanager:GetSecretValue",
           "secretsmanager:DescribeSecret",
           "secretsmanager:ListSecretVersionIds"
         ],
         "Resource": [
           "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i"
         ]
       }
     ]
   }
   ```

   In the `Resource` section, each line represents the ARN of a different secret that you created. For more examples, see [Policy examples for accessing MediaConnect encryption keys in Secrets Manager](iam-policy-examples-asm-secrets.md).

1. Choose **Review policy**.

1. For **Name**, enter a name for your policy such as **SecretsManagerForMediaConnect**.

1. Choose **Create policy**.

## Step 3: Create an IAM role with a trusted relationship
<a name="encryption-static-key-set-up-create-iam-role"></a>

In [step 2](#encryption-static-key-set-up-create-iam-policy), you created an IAM policy that allows read access to the secret that you stored in AWS Secrets Manager. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. This allows MediaConnect to have read access to your secret.

**To create a role with a trusted relationship**

1. In the navigation pane of the IAM console, choose **Roles**.

1. On the **Role** page, choose **Create role**. 

1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default).

1. For **Choose the service that will use this role**, choose **EC2**. 

   You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2.

1. Choose **Next: Permissions**.

1. For **Attach permissions policies**, enter the name of the policy that you created in [step 2](#encryption-static-key-set-up-create-iam-policy), such as **SecretsManagerForMediaConnect**. 

1. For the policy that you created in step 2 (for example, **SecretsManagerForMediaConnect**), select the check box, and then choose **Next: Review**.

1. For **Role name**, enter a name. We highly recommend that you don't use the name `MediaConnectAccessRole` because it is reserved. Instead, use a name that includes `MediaConnect` and describes this role's purpose, such as **MediaConnect-ASM**.

1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows MediaConnect to view secrets stored in AWS Secrets Manager.**

1. Choose **Create role**.

1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created.

1. Choose **Trust relationships**, and then choose **Edit trust policy**.

1. In the **Edit trust policy** window, make the following changes to the JSON:
   + For **Service**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com`
   + For added security, define specific conditions for the trust policy. This will limit MediaConnect to only using resources in your account. You do this by using a global condition such as the **Account ID**, the **flow ARN**, or both. See the following example of the conditional trust policy. For more information about the security benefits of the global conditions, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md).
**Note**  
The following example uses both the **Account ID** and **flow ARN** conditions. Your policy will look different if you do not use both conditions. If you don't know the full ARN of the flow or if you are specifying multiple flows, use the `aws:SourceArn` global context condition key with wildcard characters (`*`) for the unknown portions of the ARN. For example, `arn:aws:mediaconnect:*:111122223333:*`.

   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "mediaconnect.amazonaws.com"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "111122223333"
                   },
                   "ArnLike": {
                       "aws:SourceArn": "arn:aws:mediaconnect:us-west-2:111122223333:flow:*:flow-name"
                   }
               }
           }
       ]
   }
   ```

1. Choose **Update Trust Policy**.

1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`.
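To see what the `aws:SourceAccount` and `aws:SourceArn` conditions in the trust policy above actually buy you, the following added example (not AWS or MediaConnect code) builds the trust policy for a given account and flow ARN pattern and evaluates which AssumeRole request contexts it admits, including the unconditioned form used in the SPEKE and SRT sections. The `arn_like` matcher is a simplified re-implementation of IAM's behaviour, and the account `444455556666` and flow IDs are constructed sample values.

```python
"""Evaluate the confused-deputy conditions in a MediaConnect trust policy.

Added example (not AWS or MediaConnect code). The ArnLike matcher is a
simplified re-implementation of IAM's matching, sufficient for flow ARNs.
"""
import fnmatch
from typing import Dict, Optional

# Constructed sample values. 111122223333 is the page's placeholder account;
# 444455556666 is a second, constructed account used for a cross-account request.
OWN_ACCOUNT = "111122223333"
OTHER_ACCOUNT = "444455556666"
OWN_FLOW = f"arn:aws:mediaconnect:us-west-2:{OWN_ACCOUNT}:flow:1-AbCd-EfGh:flow-name"
OTHER_FLOW = f"arn:aws:mediaconnect:us-west-2:{OTHER_ACCOUNT}:flow:1-WxYz-1234:flow-name"
OWN_FLOW_PATTERN = f"arn:aws:mediaconnect:us-west-2:{OWN_ACCOUNT}:flow:*:flow-name"
ANY_OWN_FLOW_PATTERN = f"arn:aws:mediaconnect:*:{OWN_ACCOUNT}:*"


def build_trust_policy(account_id: Optional[str], flow_arn_pattern: Optional[str]) -> dict:
    """Trust policy letting mediaconnect.amazonaws.com assume the role.

    With both arguments None this is the unconditioned policy from the SPEKE
    and SRT sections; with them set it is the conditioned static-key policy.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": "mediaconnect.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }
    condition: Dict[str, Dict[str, str]] = {}
    if account_id:
        condition["StringEquals"] = {"aws:SourceAccount": account_id}
    if flow_arn_pattern:
        condition["ArnLike"] = {"aws:SourceArn": flow_arn_pattern}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def arn_like(pattern: str, value: str) -> bool:
    """Simplified IAM ArnLike: the first five colon-separated fields are matched
    field by field (with * and ? wildcards); the trailing resource part is
    matched as one string so a final * can span the flow ID and flow name."""
    p = pattern.split(":", 5)
    v = value.split(":", 5)
    if len(p) != 6 or len(v) != 6:
        return False
    return all(fnmatch.fnmatchcase(val, pat) for pat, val in zip(p, v))


def assume_role_allowed(policy: dict, source_account: str, source_arn: str) -> bool:
    """Return True if a MediaConnect AssumeRole call carrying the given
    aws:SourceAccount / aws:SourceArn context satisfies the policy."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("Service") != "mediaconnect.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        expected = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if expected is not None and source_account != expected:
            continue
        pattern = cond.get("ArnLike", {}).get("aws:SourceArn")
        if pattern is not None and not arn_like(pattern, source_arn):
            continue
        return True
    return False


def main() -> None:
    unconditioned = build_trust_policy(None, None)
    conditioned = build_trust_policy(OWN_ACCOUNT, OWN_FLOW_PATTERN)
    wildcard = build_trust_policy(OWN_ACCOUNT, ANY_OWN_FLOW_PATTERN)
    cases = [
        ("no conditions, own flow", unconditioned, OWN_ACCOUNT, OWN_FLOW),
        ("no conditions, other account's flow", unconditioned, OTHER_ACCOUNT, OTHER_FLOW),
        ("account + flow ARN, own flow", conditioned, OWN_ACCOUNT, OWN_FLOW),
        ("account + flow ARN, other account's flow", conditioned, OTHER_ACCOUNT, OTHER_FLOW),
        ("account + wildcard ARN, own flow in another Region", wildcard, OWN_ACCOUNT,
         OWN_FLOW.replace("us-west-2", "eu-west-1")),
    ]
    for label, policy, account, arn in cases:
        verdict = "allowed" if assume_role_allowed(policy, account, arn) else "denied"
        print(f"{label:52s} -> {verdict}")


if __name__ == "__main__":
    main()
```

Without the conditions, any MediaConnect flow in any account that learns the role ARN satisfies the trust policy; with them, only flows from your account (and, with the ARN condition, only the named flow) do.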

# SPEKE encryption in AWS Elemental MediaConnect
<a name="encryption-speke"></a>

You can use Secure Packager and Encoder Key Exchange (SPEKE) with AWS Elemental MediaConnect to encrypt an [entitlement](entitlements.md). This gives you, as the content originator, full control of permissions for this content. This usage is a customization of the SPEKE cloud-based architecture described in the [SPEKE documentation](https://docs.aws.amazon.com/speke/latest/documentation/what-is.html#services-architecture). 

**Topics**
+ [Key management for SPEKE](encryption-speke-key-management.md)
+ [Setting up SPEKE encryption using AWS Elemental MediaConnect](encryption-speke-set-up.md)

# Key management for SPEKE
<a name="encryption-speke-key-management"></a>

With a SPEKE implementation, a conditional access (CA) system provides keys to AWS Elemental MediaConnect for content encryption and decryption. API Gateway acts as a proxy for the communication between the service and the CA platform key provider. Each AWS Elemental MediaConnect flow must reside in the same AWS Region as its API Gateway proxy.

The following illustration shows how AWS Elemental MediaConnect obtains the encryption or decryption key using SPEKE. In the originator's flow, the service obtains the encryption key and uses it to encrypt the content before sending it through the entitlement. In the subscriber's flow, the service obtains the decryption key when the content is received from the entitlement.

![\[The figure shows an AWS account with an AWS Elemental MediaConnect flow and an instance of API Gateway in the same AWS Region. An arrow shows that AWS Elemental MediaConnect sends a request for the encryption key. The request is sent to the CA platform key provider through API Gateway. A second arrow shows that the key provider returns the encryption key through API Gateway.\]](http://docs.aws.amazon.com/mediaconnect/latest/ug/images/speke-encryption.png)


These are the main services and components:
+ **AWS Elemental MediaConnect** – Provides and controls the encryption setup for the flow. AWS Elemental MediaConnect obtains the encryption keys from the CA platform key provider through Amazon API Gateway. Using the encryption keys, AWS Elemental MediaConnect encrypts the content (for the originator's flow) or decrypts the content (for the subscriber's flow). 
+ **API Gateway** – Manages customer-trusted roles and proxy communication between the encryptor and the key provider. API Gateway provides logging capabilities and lets customers control their relationships with the encryptor and with the CA platform. The API Gateway must reside in the same AWS Region as the encryptor.
+ **CA platform key provider** – Provides encryption and decryption keys to AWS Elemental MediaConnect through a SPEKE-compliant API.

For more information, see [Setting up SPEKE encryption](encryption-speke-set-up.md).

# Setting up SPEKE encryption using AWS Elemental MediaConnect
<a name="encryption-speke-set-up"></a>

Before you can grant an entitlement that uses SPEKE encryption, you must perform the following steps:

**[Step 1](#encryption-speke-set-up-on-board-key-provider)** – Get on board with a conditional access (CA) platform key provider who will manage your encryption key. During this process, you create an API in Amazon API Gateway that sends requests on behalf of AWS Elemental MediaConnect to the key provider.

**[Step 2](#encryption-speke-set-up-create-iam-policy)** – Create an IAM policy that allows the API that you created in step 1 to act as a proxy to make requests to the key provider.

**[Step 3](#encryption-speke-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and access the API Gateway endpoint on your behalf.

## Step 1: Get on board with a CA provider
<a name="encryption-speke-set-up-on-board-key-provider"></a>

To use SPEKE with AWS Elemental MediaConnect, you must have a CA platform key provider. The following AWS partners provide conditional access (CA) solutions for the MediaConnect customization of SPEKE:
+ [Verimatrix](https://aws.amazon.com/partners/find/partnerdetails/?n=Verimatrix&id=001E000000be2SEIAY)

If you are a content originator, contact your CA platform key provider for assistance with the onboarding process. With the help of your CA platform key provider, you manage who gets access to which content. 

During the onboarding process, make a note of the following:
+ **ARN of the `POST` method request** – The Amazon Resource Name (ARN) that AWS assigns to the request that you create in API Gateway.
+ **Constant initialization vector (optional)** – A 128-bit, 16-byte hex value represented by a 32-character string, to be used with the key for encrypting content.
+ **Device ID** – A unique identifier for each device that you configure with the key provider. Each device represents a different recipient for your content.
+ **Resource ID** – A unique identifier that you create for each piece of content that you configure with the key provider.
+ **URL** – The URL assigned by AWS for the API that you create in Amazon API Gateway.

You need these values later, when you configure the [entitlement](entitlements-grant.md) in MediaConnect. 

## Step 2: Create an IAM policy to allow API Gateway to act as your proxy
<a name="encryption-speke-set-up-create-iam-policy"></a>

In [step 1](#encryption-speke-set-up-on-board-key-provider), you worked with a CA platform key provider who manages your encryption key. In this step, you create an IAM policy that allows API Gateway to make requests on your behalf. API Gateway acts as a proxy for communication between your account and the key provider. 

**To create an IAM policy for an API Gateway proxy**

1. In the navigation pane of the IAM console, choose **Policies**.

1. Choose **Create policy**, and then choose the **JSON** tab.

1. Enter a policy that uses the following format:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "execute-api:Invoke"
         ],
         "Resource": [
           "arn:aws:execute-api:us-west-2:111122223333:1abcdefghi/*/POST/*"
         ]
       }
     ]
   }
   ```

   In the `Resource` section, replace the sample Amazon Resource Name (ARN) with the ARN of the `POST` method request that you created in API Gateway with the CA platform key provider.

1. Choose **Review policy**.

1. For **Name**, enter **APIGateway-Proxy-Access**.

1. Choose **Create policy**.

## Step 3: Create an IAM role with a trusted relationship
<a name="encryption-speke-set-up-create-iam-role"></a>

In [step 2](#encryption-speke-set-up-create-iam-policy), you created an **APIGateway-Proxy-Access** policy that allows API Gateway to act as a proxy and make requests on your behalf. In this step, you create an IAM role and attach the following permissions: 
+ The **APIGateway-Proxy-Access** policy allows Amazon API Gateway to act as a proxy on your behalf so that it can make requests between your account and the CA platform key provider. This is the policy that you created in step 2.
+ A **trust relationship** policy allows AWS Elemental MediaConnect to assume the role on your behalf. You will create this policy as part of the following procedure.

**To create an IAM role with a trusted relationship**

1. In the navigation pane of the IAM console, choose **Roles**.

1. On the **Role** page, choose **Create role**. 

1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default).

1. For **Choose the service that will use this role**, choose **EC2**. 

   You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2.

1. Choose **Next: Permissions**.

1. For **Filter policies**, choose **Customer managed**.

1. Select the check box next to **APIGateway-Proxy-Access**, and then choose **Next: Tags**.

1. Enter tag values (optional), and then choose **Next: Review**.

1. For **Role name**, enter a name such as **SpekeAccess**.

1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows AWS Elemental MediaConnect to talk to API Gateway on my behalf.**

1. Choose **Create role**.

1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created.

1. Choose **Trust relationships**, and then choose **Edit Trust Relationship**.

1. For **Policy Document**, change the policy to look like this: 

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "mediaconnect.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Choose **Update Trust Policy**.

1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/SpekeAccess`.

# SRT password encryption in AWS Elemental MediaConnect
<a name="encryption-srt-password"></a>

You can use the Secure Reliable Transport (SRT) password encryption option to encrypt sources, outputs and router I/O when using the SRT protocols. SRT protocols are highly available, low-latency protocols that are suitable for long-distance applications. You store your encryption password in AWS Secrets Manager, and then you give MediaConnect permission to obtain the encryption password from Secrets Manager.

**Topics**
+ [Password management for SRT password encryption](encryption-srt-password-password-management.md)
+ [Setting up SRT password encryption using AWS Elemental MediaConnect](encryption-srt-password-set-up.md)

# Password management for SRT password encryption
<a name="encryption-srt-password-password-management"></a>

In AWS Elemental MediaConnect, you can use SRT password encryption to secure content in sources, outputs and router I/O. To use this method, you store an SRT password as a *secret* in AWS Secrets Manager, and you give AWS Elemental MediaConnect permission to access the secret. Secrets Manager keeps your password secure, allowing it to be accessed only by entities that you specify in an AWS Identity and Access Management (IAM) policy.

With SRT password encryption, all participants (the owner of the source, the flow, the outputs and the router I/O) need the SRT password. 

For more information, see [Setting up SRT password encryption](encryption-srt-password-set-up.md). 

# Setting up SRT password encryption using AWS Elemental MediaConnect
<a name="encryption-srt-password-set-up"></a>

Before you can create a flow or a router I/O that uses SRT password encryption, you must perform the following steps: 

**[Step 1](encryption-static-key-set-up.md#encryption-static-key-set-up-store-key)** – Store your SRT password as a secret in AWS Secrets Manager.

**[Step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy)** – Create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored in AWS Secrets Manager.

**[Step 3](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-role)** – Create an IAM role and attach the policy that you created in step 2. Next, set up AWS Elemental MediaConnect as a trusted entity that is allowed to assume this role and make requests on behalf of your account.

## Step 1: Store your encryption password in AWS Secrets Manager
<a name="encryption-srt-password-set-up-password"></a>

To use SRT password encryption to encrypt your AWS Elemental MediaConnect content, you must use AWS Secrets Manager to create a secret that stores the password. You must create the secret, and the resource (source, output or router I/O) that uses the secret in the same AWS account. You can’t share secrets across accounts.

**Note**  
 If you distribute video from one AWS Region to another, you must create two secrets (one secret in each Region).

If you are creating a new SRT password to encrypt a flow or a router output, we recommend the following password policy:
+ Minimum password length of 10 characters and a maximum length of 80 characters
+ Minimum of three of the following mix of character types: uppercase, lowercase, numbers, and the symbols `! @ # $ % ^ & * ( ) _ + - = [ ] { } | '`
+ Not be identical to your AWS account name or email address
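The two secret formats this page describes (a hexadecimal static key whose length must match the AES key size, from the static key procedure, and an SRT password checked against the policy above) are easy to get wrong when pasting into Secrets Manager. The following added example (not AWS or MediaConnect code) validates a value before you store it; the algorithm names `aes128`, `aes192` and `aes256` are the values used in MediaConnect's encryption settings, and the sample key and passwords are constructed.

```python
"""Validate a secret value before storing it in Secrets Manager for MediaConnect.

Added example (not AWS or MediaConnect code). Checks a hexadecimal static key
against the AES key size and an SRT password against this page's policy.
"""
import re
from typing import List

# One hex digit encodes 4 bits, so a 256-bit key is 64 hex digits.
STATIC_KEY_HEX_DIGITS = {"aes128": 32, "aes192": 48, "aes256": 64}

# Symbols listed in this page's SRT password policy.
SRT_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")
SRT_MIN_LEN, SRT_MAX_LEN = 10, 80


def check_static_key(hex_key: str, algorithm: str) -> List[str]:
    """Return the problems found with a static key (an empty list means it is OK)."""
    if algorithm not in STATIC_KEY_HEX_DIGITS:
        return [f"unknown algorithm {algorithm!r}"]
    problems = []
    # The secret must hold only the value of the key, so flag stray whitespace.
    if hex_key != hex_key.strip():
        problems.append("key has leading or trailing whitespace")
    key = hex_key.strip()
    if not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("key contains non-hexadecimal characters")
    want = STATIC_KEY_HEX_DIGITS[algorithm]
    if len(key) != want:
        problems.append(f"{algorithm} needs {want} hex digits ({want * 4} bits), got {len(key)}")
    return problems


def check_srt_password(password: str, account_name: str = "", email: str = "") -> List[str]:
    """Return the problems found against the recommended SRT password policy."""
    problems = []
    if not SRT_MIN_LEN <= len(password) <= SRT_MAX_LEN:
        problems.append(f"length {len(password)} is outside {SRT_MIN_LEN}-{SRT_MAX_LEN}")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SRT_SYMBOLS for c in password),
    )
    if sum(classes) < 3:
        problems.append("fewer than three character types (uppercase, lowercase, number, symbol)")
    for label, value in (("AWS account name", account_name), ("email address", email)):
        if value and password == value:
            problems.append(f"password is identical to the {label}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; never reuse them for a real flow.
    good_key = "00112233445566778899aabbccddeeff" * 2   # 64 hex digits
    print("aes256 key:", check_static_key(good_key, "aes256") or "ok")
    print("aes256 key, only 128 bits:", check_static_key(good_key[:32], "aes256"))
    print("srt password:", check_srt_password("Baseball-2018!Feed", "media-ops") or "ok")
    print("srt password, too short:", check_srt_password("Ab1!", "media-ops"))
```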

**To store a password in Secrets Manager**

1. Sign in to the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. On the **Store a new secret** page, for **Select secret type**, choose **Other type of secrets**.

1. For **Key/value pairs**, choose **Plaintext**. 

1. Clear any text in the box and replace it with only the **value** of the SRT password.

1. For **Encryption key**, keep the default set to **aws/secretsmanager**.

1. Choose **Next**.

1. For **Secret name**, specify a name for your secret that will help you identify it later. For example, **2018-12-01\_baseball-game-source**.

1. Choose **Next**.

1. For the **Configure automatic rotation** section, leave **Automatic rotation** off. 

1. Choose **Next**, and then choose **Store**. On the next screen, select the name of the secret you created.

   The details page for your new secret appears, showing information such as the secret ARN.

1. Make a note of the secret ARN from Secrets Manager. You will need this information in the next procedure.

## Step 2: Create an IAM policy to allow AWS Elemental MediaConnect to access your secret
<a name="encryption-srt-password-set-up-create-iam-policy"></a>

In [step 1](encryption-static-key-set-up.md#encryption-static-key-set-up-store-key), you created a secret and stored it in AWS Secrets Manager. In this step, you create an IAM policy that allows AWS Elemental MediaConnect to read the secret that you stored.

**To create an IAM policy that allows MediaConnect to access your secret**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Policies**.

1. Choose **Create policy**, and then choose the **JSON** tab.

1. Enter a policy that uses the following format:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "secretsmanager:GetResourcePolicy",
           "secretsmanager:GetSecretValue",
           "secretsmanager:DescribeSecret",
           "secretsmanager:ListSecretVersionIds"
         ],
         "Resource": [
           "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i"
         ]
       }
     ]
   }
   ```

   In the `Resource` section, each line represents the ARN of a different secret that you created. Enter the secret ARN from the previous procedure. Choose **Next: Tags**.

1. Choose **Next: Review**.

1. For **Name**, enter a name for your policy such as **SecretsManagerForMediaConnect**.

1. Choose **Create policy**.

## Step 3: Create an IAM role with a trusted relationship
<a name="encryption-srt-password-set-up-create-iam-role"></a>

In [step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy), you created an IAM policy that allows read access to the secret that you stored in AWS Secrets Manager. In this step, you create an IAM role and assign the policy to that role. Then you define AWS Elemental MediaConnect as a trusted entity that can assume the role. This allows MediaConnect to have read access to your secret.

**To create a role with a trusted relationship**

1. In the navigation pane of the IAM console, choose **Roles**.

1. On the **Role** page, choose **Create role**. 

1. On the **Create role** page, for **Select type of trusted entity**, choose **AWS service** (the default).

1. For **Choose the service that will use this role**, choose **EC2**. 

   You choose EC2 because AWS Elemental MediaConnect is not currently included in this list. Choosing EC2 lets you create a role. In a later step, you change this role to include MediaConnect instead of EC2.

1. Choose **Next: Permissions**.

1. For **Attach permissions policies**, enter the name of the policy that you created in [step 2](encryption-static-key-set-up.md#encryption-static-key-set-up-create-iam-policy), such as **SecretsManagerForMediaConnect**. 

1. For **SecretsManagerForMediaConnect**, select the check box, and then choose **Next**.

1. For **Role name**, enter a name. We highly recommend that you don't use the name `MediaConnectAccessRole` because it is reserved. Instead, use a name that includes `MediaConnect` and describes this role's purpose, such as **MediaConnect-ASM**.

1. For **Role description**, replace the default text with a description that will help you remember the purpose of this role. For example, **Allows MediaConnect to view secrets stored in AWS Secrets Manager.**

1. Choose **Create role**.

1. In the confirmation message that appears across the top of your page, choose the name of the role that you just created.

1. Choose **Trust relationships**, and then choose **Edit trust policy**.

1. For **Edit trust policy**, change `ec2.amazonaws.com` to `mediaconnect.amazonaws.com`. 

   The policy document should now look like this: 

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "mediaconnect.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Choose **Update policy**.

1. On the **Summary** page, make a note of the value for **Role ARN**. It looks like this: `arn:aws:iam::111122223333:role/MediaConnectASM`.

# Internetwork traffic privacy
<a name="internetwork-traffic-privacy"></a>

To set up a private connection between your Amazon VPC and your corporate network, you can choose to set up either an IPsec VPN connection over the internet or a private physical connection using a Direct Connect connection. Direct Connect enables you to establish a private virtual interface from your on-premises network directly to your Amazon VPC, providing you with a private, high-bandwidth network connection between your network and your VPC. With multiple virtual interfaces, you can establish private connectivity to multiple VPCs while maintaining network isolation. For more information, see [What is AWS Site-to-Site VPN?](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) and [What is Direct Connect?](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html)

**To route traffic directly between MediaConnect and your corporate network via a virtual private cloud (VPC)**

1. Set up a private connection between your Amazon VPC and your corporate network. You can choose between an IPsec VPN connection over the internet or a private physical connection using a Direct Connect connection.

1. [Create a flow that uses a VPC *source*](flows-create-vpc-source.md). During this process, you add a VPC *interface* to your flow to establish the initial connection between your VPC and your flow. You also specify that same VPC interface as the source for the new flow.
**Note**  
If your flow already exists, you can update the flow to [add a VPC interface](vpc-interface-add.md) and then [add another source that uses that VPC interface](source-adding-vpc.md).