Using Kerberos authentication for Amazon RDS for Db2 - Amazon Relational Database Service

Using Kerberos authentication for Amazon RDS for Db2

You can use Kerberos authentication to authenticate users when they connect to your Amazon RDS for Db2 DB instance. Your DB instance works with Amazon Directory Service for Microsoft Active Directory (Amazon Managed Microsoft AD) to enable Kerberos authentication. When users authenticate with an RDS for Db2 DB instance joined to the trusting domain, authentication requests are forwarded to the directory that you create with Amazon Directory Service. For more information, see What is Amazon Directory Service? in the Amazon Directory Service Administration Guide.

First, create an Amazon Managed Microsoft AD directory to store user credentials. Then, add the domain and other information of your Amazon Managed Microsoft AD directory to your RDS for Db2 DB instance. When users authenticate with the RDS for Db2 DB instance, authentication requests are forwarded to the Amazon Managed Microsoft AD directory.

Keeping all of your credentials in the same directory can save you time and effort. With this approach, you have a centralized place for storing and managing credentials for multiple DB instances. Using a directory can also improve your overall security profile.

For information about Kerberos authentication, see the following topics.

Region and version availability

Feature availability and support varies across specific versions of each database engine, and across Amazon Web Services Regions. For more information about version and Region availability of RDS for Db2 with Kerberos authentication, see Supported Regions and DB engines for Kerberos authentication in Amazon RDS.

Note

Kerberos authentication isn't supported for DB instance classes that are deprecated for RDS for Db2 DB instances. For more information, see Amazon RDS for Db2 instance classes.

Overview of Kerberos authentication for RDS for Db2 DB instances

To set up Kerberos authentication for an RDS for Db2 DB instance, complete the following general steps, which are described in more detail later:

  1. Use Amazon Managed Microsoft AD to create an Amazon Managed Microsoft AD directory. You can use the Amazon Web Services Management Console, the Amazon Command Line Interface (Amazon CLI), or Amazon Directory Service to create the directory. For more information, see Create your Amazon Managed Microsoft AD directory in the Amazon Directory Service Administration Guide.

  2. Create an Amazon Identity and Access Management (IAM) role that uses the managed IAM policy AmazonRDSDirectoryServiceAccess. The IAM role allows Amazon RDS to make calls to your directory.

    For the IAM role to allow access, the Amazon Security Token Service (Amazon STS) endpoint must be activated in the correct Amazon Web Services Region for your Amazon Web Services account. Amazon STS endpoints are active by default in all Amazon Web Services Regions, and you can use them without any further actions. For more information, see Activating and deactivating Amazon STS in an Amazon Web Services Region in the IAM User Guide.

  3. Create or modify an RDS for Db2 DB instance by using the Amazon Web Services Management Console, the Amazon CLI, or the RDS API.

    You can locate the DB instance in the same Amazon Virtual Private Cloud (VPC) as the directory or in a different Amazon Web Services account or VPC. When you create or modify the RDS for Db2 DB instance, do the following tasks:

    • Provide the domain identifier (d-* identifier) that was generated when you created your directory.

    • Provide the name of the IAM role that you created.

    • Verify that the DB instance security group can receive inbound traffic from the directory security group.

  4. Configure your Db2 client, and verify that traffic can flow between the client host and Amazon Directory Service for the following ports:

    • TCP/UDP port 53 – DNS

    • TCP 88 – Kerberos authentication

    • TCP 389 – LDAP

    • TCP 464 – Kerberos authentication
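The following pre-flight script, added here as an example and not taken from the AWS documentation, checks from a client host that every port listed in step 4 is reachable on the directory's DNS servers: a TCP handshake for 53, 88, 389 and 464, and a real UDP DNS query for 53 (a port that only answers TCP would otherwise look healthy). The DNS addresses and domain name in the `__main__` block are placeholders to replace with your directory's values.

```python
import socket
import struct

# Ports listed in the RDS documentation for the client host -> directory path.
REQUIRED_PORTS = [(53, "tcp"), (53, "udp"), (88, "tcp"), (389, "tcp"), (464, "tcp")]

def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_dns_query(name, txn_id=0x1234):
    """Build a minimal RFC 1035 A-record query for name (recursion desired)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def check_udp_dns(host, name, port=53, timeout=3.0):
    """Return True if the server answers a UDP DNS query with our transaction ID."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (host, port))
            reply, _ = sock.recvfrom(512)
        except OSError:
            return False
    return len(reply) >= 12 and reply[:2] == query[:2]

def preflight(dns_servers, domain_name):
    """Return {(host, port, proto): reachable}; a False entry means a security
    group or route between the client host and the directory needs fixing."""
    results = {}
    for host in dns_servers:
        for port, proto in REQUIRED_PORTS:
            if proto == "tcp":
                results[(host, port, proto)] = check_tcp(host, port)
            else:
                results[(host, port, proto)] = check_udp_dns(host, domain_name, port)
    return results

if __name__ == "__main__":
    # Placeholder values: substitute your directory's DNS addresses and domain name.
    for (host, port, proto), ok in preflight(["10.0.0.10", "10.0.1.10"], "corp.example.com").items():
        print(f"{host}:{port}/{proto} {'reachable' if ok else 'BLOCKED'}")
```

Run it on the Db2 client host itself, because the security-group rules that matter are the ones between that host and the directory, not between the DB instance and the directory.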

Managing a DB instance in a domain

You can use the Amazon Web Services Management Console, the Amazon CLI, or the RDS API to manage your DB instance and its relationship with your Microsoft Active Directory. For example, you can associate an Active Directory to enable Kerberos authentication. You can also remove the association for an Active Directory to disable Kerberos authentication. You can also move a DB instance from being externally authenticated by one Microsoft Active Directory to being authenticated by another.

For example, by running the modify-db-instance CLI command, you can perform the following actions:

  • Re-attempt enabling Kerberos authentication for a failed membership by specifying the current membership's directory ID for the --domain option.

  • Disable Kerberos authentication on a DB instance by specifying none for the --domain option.

  • Move a DB instance from one domain to another by specifying the domain identifier of the new domain for the --domain option.

Understanding domain membership

After you create or modify your DB instance, it becomes a member of the domain. You can view the status of the domain membership in the console or by running the describe-db-instances command. The status of the DB instance can be one of the following:

  • kerberos-enabled – The DB instance has Kerberos authentication enabled.

  • enabling-kerberos – Amazon is in the process of enabling Kerberos authentication on this DB instance.

  • pending-enable-kerberos – Enabling Kerberos authentication is pending on this DB instance.

  • pending-maintenance-enable-kerberos – Amazon will attempt to enable Kerberos authentication on the DB instance during the next scheduled maintenance window.

  • pending-disable-kerberos – Disabling Kerberos authentication is pending on this DB instance.

  • pending-maintenance-disable-kerberos – Amazon will attempt to disable Kerberos authentication on the DB instance during the next scheduled maintenance window.

  • enable-kerberos-failed – A configuration problem prevented Amazon from enabling Kerberos authentication on the DB instance. Correct the configuration problem before re-issuing the command to modify the DB instance.

  • disabling-kerberos – Amazon is in the process of disabling Kerberos authentication on this DB instance.

A request to enable Kerberos authentication can fail because of a network connectivity issue or an incorrect IAM role. In some cases, the attempt to enable Kerberos authentication might fail when you create or modify a DB instance. If this happens, verify that you are using the correct IAM role, and then modify the DB instance to join the domain.
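As an added example (not from the AWS documentation), the following Python helper polls the DomainMemberships status of a DB instance through the AWS CLI until it reaches a terminal state, and on enable-kerberos-failed returns the modify-db-instance command that retries the join with the current membership's directory ID, as described above; the same builder produces the move (new d-* identifier) and disable (`none`) variants. The fetch function is injectable so the state handling can be exercised offline; the instance name, directory ID and role name used in any call are placeholders. The assumption that an empty DomainMemberships list means the instance is not joined to any domain is mine, not stated on this page.

```python
import json
import subprocess
import time

# Membership statuses from the RDS documentation, grouped by what to do next.
TERMINAL_OK = {"kerberos-enabled"}
TERMINAL_FAILED = {"enable-kerberos-failed"}
IN_PROGRESS = {"enabling-kerberos", "pending-enable-kerberos",
               "pending-maintenance-enable-kerberos", "disabling-kerberos",
               "pending-disable-kerberos", "pending-maintenance-disable-kerberos"}

def fetch_membership(db_instance_id):
    """Run the AWS CLI and return the instance's first DomainMemberships entry."""
    out = subprocess.run(["aws", "rds", "describe-db-instances", "--output", "json",
                          "--db-instance-identifier", db_instance_id],
                         check=True, capture_output=True, text=True).stdout
    memberships = json.loads(out)["DBInstances"][0].get("DomainMemberships", [])
    return memberships[0] if memberships else {}

def modify_command(db_instance_id, domain, role_name=None):
    """Build the modify-db-instance argv for retry, move (d-...) or disable ('none')."""
    argv = ["aws", "rds", "modify-db-instance", "--db-instance-identifier", db_instance_id,
            "--domain", domain]
    if domain != "none":
        if not domain.startswith("d-") or not role_name:
            raise ValueError("joining a domain needs a d-* directory ID and an IAM role name")
        argv += ["--domain-iam-role-name", role_name]
    return argv

def wait_for_membership(db_instance_id, fetch=fetch_membership, poll_seconds=30, max_polls=40):
    """Poll until a terminal status; return (status, argv_to_run_next_or_None)."""
    for _ in range(max_polls):
        membership = fetch(db_instance_id)
        if not membership:
            # Assumption: no membership entry means the instance is not joined to any domain.
            return "", None
        status = membership.get("Status", "")
        if status in TERMINAL_OK:
            return status, None
        if status in TERMINAL_FAILED:
            # Fix the IAM role or security group first, then re-run with the same directory ID.
            return status, modify_command(db_instance_id, membership["Domain"],
                                          membership.get("IAMRoleName"))
        if status not in IN_PROGRESS:
            raise RuntimeError(f"unexpected domain membership status: {status!r}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{db_instance_id} did not reach a terminal Kerberos status")
```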