Enhancing your AWS Managed Microsoft AD network security configuration - AWS Directory Service

The AWS Security Group that is provisioned for the AWS Managed Microsoft AD directory is configured with the minimum inbound network ports required to support all known use cases for your AWS Managed Microsoft AD directory. For more information on the provisioned AWS Security Group, see What gets created with your AWS Managed Microsoft AD.

To further enhance the network security of your AWS Managed Microsoft AD directory, you can modify the AWS Security Group based on the following common scenarios.

AWS applications only support

All user accounts are provisioned only in your AWS Managed Microsoft AD to be used with supported AWS applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon QuickSight

  • AWS IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • AWS Client VPN

  • AWS Management Console

You can use the following AWS Security Group configuration to block all non-essential traffic to your AWS Managed Microsoft AD domain controllers.

Note
  • The following are not compatible with this AWS Security Group configuration:

    • Amazon EC2 instances

    • Amazon FSx

    • Amazon RDS for MySQL

    • Amazon RDS for Oracle

    • Amazon RDS for PostgreSQL

    • Amazon RDS for SQL Server

    • WorkSpaces

    • Active Directory trusts

    • Domain joined clients or servers

Inbound Rules

None.

Outbound Rules

None.

AWS applications only with trust support

All user accounts are provisioned in your AWS Managed Microsoft AD or trusted Active Directory to be used with supported AWS applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon QuickSight

  • AWS IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • AWS Client VPN

  • AWS Management Console

You can modify the provisioned AWS Security Group configuration to block all non-essential traffic to your AWS Managed Microsoft AD domain controllers.

Note
  • The following are not compatible with this AWS Security Group configuration:

    • Amazon EC2 instances

    • Amazon FSx

    • Amazon RDS for MySQL

    • Amazon RDS for Oracle

    • Amazon RDS for PostgreSQL

    • Amazon RDS for SQL Server

    • WorkSpaces

    • Domain joined clients or servers

  • This configuration requires you to ensure the “On-premises CIDR” network is secure: every host in that range can reach the ports below, so keep the range as narrow as the trust traffic allows rather than opening the whole corporate network.

  • TCP 445 is used for trust creation only and can be removed after the trust has been established.

  • TCP 636 is only required when LDAP over SSL is in use.

Inbound Rules

Protocol    Port range      Source             Type of traffic                  Active Directory usage
TCP & UDP   53              On-premises CIDR   DNS                              User and computer authentication, name resolution, trusts
TCP & UDP   88              On-premises CIDR   Kerberos                         User and computer authentication, forest level trusts
TCP & UDP   389             On-premises CIDR   LDAP                             Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP   464             On-premises CIDR   Kerberos change / set password   Replication, user and computer authentication, trusts
TCP         445             On-premises CIDR   SMB / CIFS                       Replication, user and computer authentication, group policy, trusts
TCP         135             On-premises CIDR   RPC, EPM                         Replication
TCP         636             On-premises CIDR   LDAP SSL                         Directory, replication, user and computer authentication, group policy, trusts
TCP         49152 - 65535   On-premises CIDR   RPC                              Replication, user and computer authentication, group policy, trusts
TCP         3268 - 3269     On-premises CIDR   LDAP GC & LDAP GC SSL            Directory, replication, user and computer authentication, group policy, trusts
UDP         123             On-premises CIDR   Windows Time                     Windows Time, trusts

Outbound Rules

Protocol   Port range   Destination        Type of traffic
All        All          On-premises CIDR   All traffic

AWS applications and native Active Directory workload support

User accounts are provisioned only in your AWS Managed Microsoft AD to be used with supported AWS applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon EC2 instances

  • Amazon FSx

  • Amazon QuickSight

  • Amazon RDS for MySQL

  • Amazon RDS for Oracle

  • Amazon RDS for PostgreSQL

  • Amazon RDS for SQL Server

  • AWS IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • WorkSpaces

  • AWS Client VPN

  • AWS Management Console

You can modify the provisioned AWS Security Group configuration to block all non-essential traffic to your AWS Managed Microsoft AD domain controllers.

Note
  • Active Directory trusts cannot be created or maintained between your AWS Managed Microsoft AD directory and an on-premises domain with this configuration.

  • This configuration requires you to ensure the “Client CIDR” network is secure: every host in that range can reach the ports below.

  • TCP 636 is only required when LDAP over SSL is in use.

  • If you want to use an Enterprise CA with this configuration, add an outbound rule for TCP 443 to the CA CIDR.

Inbound Rules

Protocol    Port range      Source             Type of traffic                  Active Directory usage
TCP & UDP   53              Client CIDR        DNS                              User and computer authentication, name resolution, trusts
TCP & UDP   88              Client CIDR        Kerberos                         User and computer authentication, forest level trusts
TCP & UDP   389             Client CIDR        LDAP                             Directory, replication, user and computer authentication, group policy, trusts
TCP         445             Client CIDR        SMB / CIFS                       Replication, user and computer authentication, group policy, trusts
TCP & UDP   464             Client CIDR        Kerberos change / set password   Replication, user and computer authentication, trusts
TCP         135             Client CIDR        RPC, EPM                         Replication
TCP         636             Client CIDR        LDAP SSL                         Directory, replication, user and computer authentication, group policy, trusts
TCP         49152 - 65535   Client CIDR        RPC                              Replication, user and computer authentication, group policy, trusts
TCP         3268 - 3269     Client CIDR        LDAP GC & LDAP GC SSL            Directory, replication, user and computer authentication, group policy, trusts
TCP         9389            Client CIDR        SOAP                             AD DS web services
UDP         123             Client CIDR        Windows Time                     Windows Time, trusts
UDP         138             Client CIDR        DFSN & NetLogon                  DFS, group policy

Outbound Rules

None.

AWS applications and native Active Directory workload support with trust support

All user accounts are provisioned in your AWS Managed Microsoft AD or trusted Active Directory to be used with supported AWS applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon EC2 instances

  • Amazon FSx

  • Amazon QuickSight

  • Amazon RDS for MySQL

  • Amazon RDS for Oracle

  • Amazon RDS for PostgreSQL

  • Amazon RDS for SQL Server

  • AWS IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • WorkSpaces

  • AWS Client VPN

  • AWS Management Console

You can modify the provisioned AWS Security Group configuration to block all non-essential traffic to your AWS Managed Microsoft AD domain controllers.

Note
  • This configuration requires you to ensure the “On-premises CIDR” and “Client CIDR” networks are secure: every host in those ranges can reach the ports below.

  • TCP 445 with the “On-premises CIDR” is used for trust creation only and can be removed after the trust has been established.

  • TCP 445 with the “Client CIDR” should be left open as it is required for Group Policy processing.

  • TCP 636 is only required when LDAP over SSL is in use.

  • If you want to use an Enterprise CA with this configuration, add an outbound rule for TCP 443 to the CA CIDR.

Inbound Rules

Protocol    Port range      Source             Type of traffic                  Active Directory usage
TCP & UDP   53              On-premises CIDR   DNS                              User and computer authentication, name resolution, trusts
TCP & UDP   88              On-premises CIDR   Kerberos                         User and computer authentication, forest level trusts
TCP & UDP   389             On-premises CIDR   LDAP                             Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP   464             On-premises CIDR   Kerberos change / set password   Replication, user and computer authentication, trusts
TCP         445             On-premises CIDR   SMB / CIFS                       Replication, user and computer authentication, group policy, trusts
TCP         135             On-premises CIDR   RPC, EPM                         Replication
TCP         636             On-premises CIDR   LDAP SSL                         Directory, replication, user and computer authentication, group policy, trusts
TCP         49152 - 65535   On-premises CIDR   RPC                              Replication, user and computer authentication, group policy, trusts
TCP         3268 - 3269     On-premises CIDR   LDAP GC & LDAP GC SSL            Directory, replication, user and computer authentication, group policy, trusts
UDP         123             On-premises CIDR   Windows Time                     Windows Time, trusts
TCP & UDP   53              Client CIDR        DNS                              User and computer authentication, name resolution, trusts
TCP & UDP   88              Client CIDR        Kerberos                         User and computer authentication, forest level trusts
TCP & UDP   389             Client CIDR        LDAP                             Directory, replication, user and computer authentication, group policy, trusts
TCP         445             Client CIDR        SMB / CIFS                       Replication, user and computer authentication, group policy, trusts
TCP & UDP   464             Client CIDR        Kerberos change / set password   Replication, user and computer authentication, trusts
TCP         135             Client CIDR        RPC, EPM                         Replication
TCP         636             Client CIDR        LDAP SSL                         Directory, replication, user and computer authentication, group policy, trusts
TCP         49152 - 65535   Client CIDR        RPC                              Replication, user and computer authentication, group policy, trusts
TCP         3268 - 3269     Client CIDR        LDAP GC & LDAP GC SSL            Directory, replication, user and computer authentication, group policy, trusts
TCP         9389            Client CIDR        SOAP                             AD DS web services
UDP         123             Client CIDR        Windows Time                     Windows Time, trusts
UDP         138             Client CIDR        DFSN & NetLogon                  DFS, group policy

Outbound Rules

Protocol   Port range   Destination        Type of traffic
All        All          On-premises CIDR   All traffic
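The four scenarios on this page differ only in which source CIDRs are admitted and whether the trust-only TCP 445 row and the LDAP SSL row are kept, so the rule tables are best kept as data and applied or audited from that one source. The script below is an added example and not AWS code: it encodes the "On-premises CIDR" and "Client CIDR" rows from the tables above, builds them in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress() accepts, and diffs a describe_security_groups()-style rule list against the expected set, flagging anything broader than the tables allow. Nothing in it calls AWS; the CIDRs, the sample group in sample_audit() and the severity labels are constructed for the example.

```python
"""Build and audit AWS Managed Microsoft AD security group ingress rules.

Added example, not AWS code. The rows of the tables on this page are data;
build_ingress() turns them into IpPermissions and audit_ingress() diffs an
existing group's IpPermissions against them. Every CIDR here is assumed.
"""
import ipaddress

# One tuple per table row: (protocols, from port, to port, type of traffic).
ON_PREM_RULES = [
    ("tcp,udp", 53, 53, "DNS"),
    ("tcp,udp", 88, 88, "Kerberos"),
    ("tcp,udp", 389, 389, "LDAP"),
    ("tcp,udp", 464, 464, "Kerberos change / set password"),
    ("tcp", 445, 445, "SMB / CIFS (trust creation only)"),
    ("tcp", 135, 135, "RPC, EPM"),
    ("tcp", 636, 636, "LDAP SSL"),
    ("tcp", 49152, 65535, "RPC dynamic range"),
    ("tcp", 3268, 3269, "LDAP GC & LDAP GC SSL"),
    ("udp", 123, 123, "Windows Time"),
]
# The Client CIDR table keeps SMB permanently (Group Policy) and adds two rows.
CLIENT_RULES = [r for r in ON_PREM_RULES if r[1] != 445] + [
    ("tcp", 445, 445, "SMB / CIFS (Group Policy)"),
    ("tcp", 9389, 9389, "SOAP / AD DS web services"),
    ("udp", 138, 138, "DFSN & NetLogon"),
]


def _checked_cidr(cidr):
    """Reject host bits in the prefix and a /0 that would admit the internet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError(f"{cidr} is not a bounded source network")
    return str(net)


def build_ingress(on_prem_cidr=None, client_cidr=None,
                  trust_established=False, ldaps=True):
    """IpPermissions for the scenario selected by which CIDRs are supplied:
    on-premises only, client only, both, or neither (no inbound rules at all).
    trust_established drops the on-premises TCP 445 row once the trust exists;
    ldaps=False drops TCP 636 when LDAP over SSL is not in use."""
    sources = []
    if on_prem_cidr:
        sources.append(("On-premises CIDR", _checked_cidr(on_prem_cidr), ON_PREM_RULES))
    if client_cidr:
        sources.append(("Client CIDR", _checked_cidr(client_cidr), CLIENT_RULES))
    perms = []
    for label, cidr, rules in sources:
        for protos, lo, hi, traffic in rules:
            if lo == 445 and label == "On-premises CIDR" and trust_established:
                continue
            if lo == 636 and not ldaps:
                continue
            for proto in protos.split(","):
                perms.append({"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
                              "IpRanges": [{"CidrIp": cidr,
                                            "Description": f"{label}: {traffic}"}]})
    return perms


def _flatten(perms):
    """Normalise IpPermissions to (proto, from, to, cidr); -1 means all ports."""
    return {(p["IpProtocol"], p.get("FromPort", -1), p.get("ToPort", -1), r["CidrIp"])
            for p in perms for r in p.get("IpRanges", [])}


def audit_ingress(actual, expected):
    """Diff a group's ingress against the expected set. Extra rules are the
    finding (HIGH when the source is 0.0.0.0/0 or the protocol is all); missing
    rules are reported so an over-tightened group is caught before workloads break."""
    have, want = _flatten(actual), _flatten(expected)
    findings = []
    for proto, lo, hi, cidr in sorted(have - want):
        sev = "HIGH" if cidr == "0.0.0.0/0" or proto == "-1" else "MEDIUM"
        ports = "all" if lo == -1 else f"{lo}-{hi}"
        findings.append((sev, f"unexpected ingress {proto} {ports} from {cidr}"))
    for proto, lo, hi, cidr in sorted(want - have):
        findings.append(("LOW", f"missing ingress {proto} {lo}-{hi} from {cidr}"))
    return findings


def sample_audit():
    """Constructed group: the client rules with AD DS web services forgotten,
    plus an all-traffic rule from anywhere and an RDP rule the tables never allow."""
    client = "172.16.0.0/12"  # assumed client subnet range
    expected = build_ingress(client_cidr=client)
    actual = [p for p in expected if p["FromPort"] != 9389]
    actual.append({"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]})
    actual.append({"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                   "IpRanges": [{"CidrIp": client}]})
    return audit_ingress(actual, expected)


if __name__ == "__main__":
    for severity, message in sample_audit():
        print(severity, message)
```

To apply a scenario, pass the output of build_ingress() as IpPermissions to authorize_security_group_ingress() after revoking the rules you are replacing; to audit, pass the IpPermissions list from describe_security_groups() as the actual side. The audit only knows the rows in the tables above, so anything else in the group is reported for review rather than removed automatically.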