Working with Amazon Managed Active Directory with RDS for SQL Server - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Amazon Managed Active Directory with RDS for SQL Server

You can use Amazon Managed Microsoft AD to authenticate users with Windows Authentication when they connect to your RDS for SQL Server DB instance. The DB instance works with Amazon Directory Service for Microsoft Active Directory, also called Amazon Managed Microsoft AD, to enable Windows Authentication. When users authenticate against a SQL Server DB instance that is joined to the domain, the authentication request is forwarded to the Amazon Managed Microsoft AD directory that you create with Amazon Directory Service (or, through a trust, to the on-premises domain that the directory trusts).

Region and version availability

Amazon RDS supports only Amazon Managed Microsoft AD for Windows Authentication; AD Connector is not supported. For version and Region availability, see Kerberos authentication with RDS for SQL Server.

Overview of setting up Windows authentication

Amazon RDS uses mixed mode authentication for Windows Authentication, meaning that both SQL Authentication and Windows Authentication are enabled on the instance. The master user (the name and password used to create your SQL Server DB instance) always uses SQL Authentication, even after the instance is joined to the domain. Because the master user is a privileged credential, restrict access to this account and use it only to provision the Windows logins through which everyday access is granted.

To get Windows Authentication using an on-premises or self-hosted Microsoft Active Directory, create a forest trust. The trust can be one-way or two-way. For more information on setting up forest trusts using Amazon Directory Service, see When to create a trust relationship in the Amazon Directory Service Administration Guide.

To set up Windows authentication for a SQL Server DB instance, do the following steps, explained in greater detail in Setting up Windows Authentication for SQL Server DB instances:

  1. Use Amazon Managed Microsoft AD, either from the Amazon Web Services Management Console or Amazon Directory Service API, to create an Amazon Managed Microsoft AD directory.

  2. If you use the Amazon CLI or Amazon RDS API to create your SQL Server DB instance, create an Amazon Identity and Access Management (IAM) role. This role uses the managed IAM policy AmazonRDSDirectoryServiceAccess and allows Amazon RDS to make calls to your directory. If you use the console to create your SQL Server DB instance, Amazon creates the IAM role for you.

    For the role to allow access, the Amazon Security Token Service (Amazon STS) endpoint must be activated in the Amazon Region for your Amazon account. Amazon STS endpoints are active by default in all Amazon Regions, and you can use them without any further actions. For more information, see Managing Amazon STS in an Amazon Web Services Region in the IAM User Guide.

  3. Create and configure users and groups in the Amazon Managed Microsoft AD directory using the Microsoft Active Directory tools. For more information about creating users and groups in your Active Directory, see Manage users and groups in Amazon Managed Microsoft AD in the Amazon Directory Service Administration Guide.

  4. If you plan to locate the directory and the DB instance in different VPCs, enable cross-VPC traffic.

  5. Use Amazon RDS to create a new SQL Server DB instance either from the console, Amazon CLI, or Amazon RDS API. In the create request, you provide the domain identifier ("d-*" identifier) that was generated when you created your directory and the name of the role you created. You can also modify an existing SQL Server DB instance to use Windows Authentication by setting the domain and IAM role parameters for the DB instance.

  6. Use the Amazon RDS master user credentials to connect to the SQL Server DB instance as you do for any other DB instance. Because the DB instance is joined to the Amazon Managed Microsoft AD domain, you can provision SQL Server logins and users from the Active Directory users and groups in the domain. (These are known as SQL Server "Windows" logins.) Database permissions are managed through standard SQL Server permissions granted to and revoked from these Windows logins.
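The following script is an added example, not part of this documentation page or of the RDS service, showing the CLI form of steps 2, 5 and 6 above in one place. It assumes the Amazon Managed Microsoft AD directory from step 1 already exists; the role name, instance identifier, directory id d-1234567890, endpoint host name and AD group CORP\sql-readers are placeholders, and the "d- plus ten hex digits" check on the directory id is an assumption about the id format. With DRY_RUN=1 (the default) every command is printed instead of executed, so the plan can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example, not from the RDS documentation: CLI form of steps 2, 5 and 6.
# Assumptions: the Managed Microsoft AD directory already exists (step 1); role name,
# instance id, directory id d-1234567890, host name and group CORP\sql-readers are
# placeholders; DRY_RUN=1 (default) prints each command instead of running it.
set -eu

PARTITION="${PARTITION:-aws}"            # use aws-cn for the China Regions
DRY_RUN="${DRY_RUN:-1}"                  # set DRY_RUN= (empty) to execute for real
MASTER_USER="${MASTER_USER:-admin}"
MASTER_PASSWORD="${MASTER_PASSWORD:-}"   # supply via the environment; never hard-code it

run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# RDS expects the "d-..." identifier generated for the directory.
# Assumed format: "d-" followed by ten hex digits; adjust if your ids differ.
validate_domain_id() {
  printf '%s\n' "$1" | grep -Eq '^d-[0-9a-f]{10}$'
}

# Trust policy for step 2: only the RDS service may assume the role.
rds_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"rds.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Step 2: create the role and attach the managed AmazonRDSDirectoryServiceAccess policy.
create_directory_role() {
  role="$1"
  run aws iam create-role --role-name "$role" \
    --assume-role-policy-document "$(rds_trust_policy)"
  run aws iam attach-role-policy --role-name "$role" \
    --policy-arn "arn:${PARTITION}:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"
}

# Step 5 (new instance): pass the directory id and the role name in the create request.
create_joined_instance() {
  id="$1"; domain="$2"; role="$3"
  validate_domain_id "$domain" || { echo "not a directory id: $domain" >&2; return 1; }
  run aws rds create-db-instance --db-instance-identifier "$id" \
    --engine sqlserver-se --license-model license-included \
    --db-instance-class db.m5.large --allocated-storage 100 \
    --master-username "$MASTER_USER" --master-user-password "$MASTER_PASSWORD" \
    --domain "$domain" --domain-iam-role-name "$role"
}

# Step 5 (existing instance): the same two parameters on modify-db-instance.
join_existing_instance() {
  id="$1"; domain="$2"; role="$3"
  validate_domain_id "$domain" || { echo "not a directory id: $domain" >&2; return 1; }
  run aws rds modify-db-instance --db-instance-identifier "$id" \
    --domain "$domain" --domain-iam-role-name "$role" --apply-immediately
}

# Check before provisioning logins: the domain membership status should read "joined".
show_domain_membership() {
  run aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].DomainMemberships[].{Domain:Domain,Status:Status,IAMRoleName:IAMRoleName}'
}

# Step 6: connect once as the SQL-authenticated master user, create a Windows login
# for an AD group, and grant least-privilege access through a standard database role.
provision_windows_login() {
  host="$1"; group="$2"; db="$3"
  run sqlcmd -S "${host},1433" -U "$MASTER_USER" -P "$MASTER_PASSWORD" -Q "
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'${group}')
      CREATE LOGIN [${group}] FROM WINDOWS;
    USE [${db}];
    CREATE USER [${group}] FOR LOGIN [${group}];
    ALTER ROLE db_datareader ADD MEMBER [${group}];"
}

main() {
  [ -n "$DRY_RUN" ] || [ -n "$MASTER_PASSWORD" ] || { echo "set MASTER_PASSWORD" >&2; exit 1; }
  create_directory_role rds-directory-service-role
  create_joined_instance sqlserver-winauth d-1234567890 rds-directory-service-role
  show_domain_membership sqlserver-winauth
  provision_windows_login sqlserver-winauth.example.rds.amazonaws.com 'CORP\sql-readers' appdb
}

main
```

Granting access to an AD group rather than to individual users keeps authorization in the directory: membership changes take effect at the next login without touching the database. The master password is read from the environment only when DRY_RUN is cleared, and the login is created with the smallest role that fits; widen it per database rather than granting server-level roles.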

Restoring a SQL Server DB instance and then adding it to a domain

You can restore a DB snapshot or do point-in-time recovery (PITR) for a SQL Server DB instance and then add it to a domain. Once the DB instance is restored, modify the instance using the process explained in Step 5: Create or modify a SQL Server DB instance to add the DB instance to a domain.