Enhance your Amazon Managed Microsoft AD network security configuration - Amazon Directory Service

Enhance your Amazon Managed Microsoft AD network security configuration

The Amazon Security Group that is provisioned for the Amazon Managed Microsoft AD directory is configured with the minimum inbound network ports required to support all known use cases for your Amazon Managed Microsoft AD directory. For more information on the provisioned Amazon Security Group, see What gets created with your Amazon Managed Microsoft AD Active Directory.

To further enhance the network security of your Amazon Managed Microsoft AD directory, you can modify the Amazon Security Group based on the common scenarios listed below.

Amazon applications only support

All user accounts are provisioned only in your Amazon Managed Microsoft AD to be used with supported Amazon applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon QuickSight

  • Amazon IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • Amazon Client VPN

  • Amazon Web Services Management Console

You can use the following Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.

Note
  • The following are not compatible with this Amazon Security Group configuration:

    • Amazon EC2 instances

    • Amazon FSx

    • Amazon RDS for MySQL

    • Amazon RDS for Oracle

    • Amazon RDS for PostgreSQL

    • Amazon RDS for SQL Server

    • WorkSpaces

    • Active Directory trusts

    • Domain joined clients or servers

Inbound Rules

None.

Outbound Rules

None.

Amazon applications only with trust support

All user accounts are provisioned in your Amazon Managed Microsoft AD or trusted Active Directory to be used with supported Amazon applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon QuickSight

  • Amazon IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • Amazon WorkSpaces

  • Amazon Client VPN

  • Amazon Web Services Management Console

You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.

Note
  • The following are not compatible with this Amazon Security Group configuration:

    • Amazon EC2 instances

    • Amazon FSx

    • Amazon RDS for MySQL

    • Amazon RDS for Oracle

    • Amazon RDS for PostgreSQL

    • Amazon RDS for SQL Server

    • WorkSpaces

    • Active Directory trusts

    • Domain joined clients or servers

  • This configuration requires you to ensure the “On-premises CIDR” network is secure.

  • TCP 445 is used for trust creation only and can be removed after the trust has been established.

  • TCP 636 is only required when LDAP over SSL is in use.

Inbound Rules

Protocol  | Port range    | Source           | Type of traffic                | Active Directory usage
TCP & UDP | 53            | On-premises CIDR | DNS                            | User and computer authentication, name resolution, trusts
TCP & UDP | 88            | On-premises CIDR | Kerberos                       | User and computer authentication, forest level trusts
TCP & UDP | 389           | On-premises CIDR | LDAP                           | Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP | 464           | On-premises CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts
TCP       | 445           | On-premises CIDR | SMB / CIFS                     | Replication, user and computer authentication, group policy, trusts
TCP       | 135           | On-premises CIDR | Replication                    | RPC, EPM
TCP       | 636           | On-premises CIDR | LDAP SSL                       | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 49152 - 65535 | On-premises CIDR | RPC                            | Replication, user and computer authentication, group policy, trusts
TCP       | 3268 - 3269   | On-premises CIDR | LDAP GC & LDAP GC SSL          | Directory, replication, user and computer authentication, group policy, trusts
UDP       | 123           | On-premises CIDR | Windows Time                   | Windows Time, trusts

Outbound Rules

Protocol | Port range | Destination      | Type of traffic | Active Directory usage
All      | All        | On-premises CIDR | All traffic     |

Amazon applications and native Active Directory workload support

User accounts are provisioned only in your Amazon Managed Microsoft AD to be used with supported Amazon applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon EC2 instances

  • Amazon FSx

  • Amazon QuickSight

  • Amazon RDS for MySQL

  • Amazon RDS for Oracle

  • Amazon RDS for PostgreSQL

  • Amazon RDS for SQL Server

  • Amazon IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • WorkSpaces

  • Amazon Client VPN

  • Amazon Web Services Management Console

You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.

Note
  • Active Directory trusts cannot be created and maintained between your Amazon Managed Microsoft AD directory and on-premises domain.

  • This configuration requires you to ensure the “Client CIDR” network is secure.

  • TCP 636 is only required when LDAP over SSL is in use.

  • If you want to use an Enterprise CA with this configuration, you will need to create an outbound rule “TCP, 443, CA CIDR”.

Inbound Rules

Protocol  | Port range    | Source      | Type of traffic                | Active Directory usage
TCP & UDP | 53            | Client CIDR | DNS                            | User and computer authentication, name resolution, trusts
TCP & UDP | 88            | Client CIDR | Kerberos                       | User and computer authentication, forest level trusts
TCP & UDP | 389           | Client CIDR | LDAP                           | Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP | 445           | Client CIDR | SMB / CIFS                     | Replication, user and computer authentication, group policy, trusts
TCP & UDP | 464           | Client CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts
TCP       | 135           | Client CIDR | Replication                    | RPC, EPM
TCP       | 636           | Client CIDR | LDAP SSL                       | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 49152 - 65535 | Client CIDR | RPC                            | Replication, user and computer authentication, group policy, trusts
TCP       | 3268 - 3269   | Client CIDR | LDAP GC & LDAP GC SSL          | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 9389          | Client CIDR | SOAP                           | AD DS web services
UDP       | 123           | Client CIDR | Windows Time                   | Windows Time, trusts
UDP       | 138           | Client CIDR | DFSN & NetLogon                | DFS, group policy

Outbound Rules

None.

Amazon applications and native Active Directory workload support with trust support

All user accounts are provisioned in your Amazon Managed Microsoft AD or trusted Active Directory to be used with supported Amazon applications, such as the following:

  • Amazon Chime

  • Amazon Connect

  • Amazon EC2 instances

  • Amazon FSx

  • Amazon QuickSight

  • Amazon RDS for MySQL

  • Amazon RDS for Oracle

  • Amazon RDS for PostgreSQL

  • Amazon RDS for SQL Server

  • Amazon IAM Identity Center

  • Amazon WorkDocs

  • Amazon WorkMail

  • WorkSpaces

  • Amazon Client VPN

  • Amazon Web Services Management Console

You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.

Note
  • This configuration requires you to ensure the “On-premises CIDR” and “Client CIDR” networks are secure.

  • TCP 445 with the “On-premises CIDR” is used for trust creation only and can be removed after the trust has been established.

  • TCP 445 with the “Client CIDR” should be left open as it is required for Group Policy processing.

  • TCP 636 is only required when LDAP over SSL is in use.

  • If you want to use an Enterprise CA with this configuration, you will need to create an outbound rule “TCP, 443, CA CIDR”.

Inbound Rules

Protocol  | Port range    | Source           | Type of traffic                | Active Directory usage
TCP & UDP | 53            | On-premises CIDR | DNS                            | User and computer authentication, name resolution, trusts
TCP & UDP | 88            | On-premises CIDR | Kerberos                       | User and computer authentication, forest level trusts
TCP & UDP | 389           | On-premises CIDR | LDAP                           | Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP | 464           | On-premises CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts
TCP       | 445           | On-premises CIDR | SMB / CIFS                     | Replication, user and computer authentication, group policy, trusts
TCP       | 135           | On-premises CIDR | Replication                    | RPC, EPM
TCP       | 636           | On-premises CIDR | LDAP SSL                       | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 49152 - 65535 | On-premises CIDR | RPC                            | Replication, user and computer authentication, group policy, trusts
TCP       | 3268 - 3269   | On-premises CIDR | LDAP GC & LDAP GC SSL          | Directory, replication, user and computer authentication, group policy, trusts
UDP       | 123           | On-premises CIDR | Windows Time                   | Windows Time, trusts
TCP & UDP | 53            | Client CIDR      | DNS                            | User and computer authentication, name resolution, trusts
TCP & UDP | 88            | Client CIDR      | Kerberos                       | User and computer authentication, forest level trusts
TCP & UDP | 389           | Client CIDR      | LDAP                           | Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP | 445           | Client CIDR      | SMB / CIFS                     | Replication, user and computer authentication, group policy, trusts
TCP & UDP | 464           | Client CIDR      | Kerberos change / set password | Replication, user and computer authentication, trusts
TCP       | 135           | Client CIDR      | Replication                    | RPC, EPM
TCP       | 636           | Client CIDR      | LDAP SSL                       | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 49152 - 65535 | Client CIDR      | RPC                            | Replication, user and computer authentication, group policy, trusts
TCP       | 3268 - 3269   | Client CIDR      | LDAP GC & LDAP GC SSL          | Directory, replication, user and computer authentication, group policy, trusts
TCP       | 9389          | Client CIDR      | SOAP                           | AD DS web services
UDP       | 123           | Client CIDR      | Windows Time                   | Windows Time, trusts
UDP       | 138           | Client CIDR      | DFSN & NetLogon                | DFS, group policy

Outbound Rules

Protocol | Port range | Destination      | Type of traffic | Active Directory usage
All      | All        | On-premises CIDR | All traffic     |
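As an added example (not code from the AWS documentation), the following Python encodes the inbound table for this trust-plus-client scenario (which is a superset of the earlier scenarios' tables), applies the notes about TCP 445 after trust creation and TCP 636 without LDAPS, renders the set as the EC2 IpPermissions structure, and flags any rule on a security group that falls outside the allowed set. The two CIDRs and the sample drifted rule set are constructed placeholders.

```python
"""Minimal AD security group rule set from the inbound table above, plus a drift check.
Added example, not AWS documentation code. CIDRs and SAMPLE_CURRENT are constructed."""

ONPREM_CIDR = "10.0.0.0/16"   # placeholder for "On-premises CIDR"
CLIENT_CIDR = "10.1.0.0/16"   # placeholder for "Client CIDR"

# (protocol, from_port, to_port) rows that both sources share; "TCP & UDP" rows become two rules.
_COMMON = [
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 464, 464), ("udp", 464, 464),
    ("tcp", 445, 445), ("tcp", 135, 135), ("tcp", 636, 636),
    ("tcp", 49152, 65535), ("tcp", 3268, 3269), ("udp", 123, 123),
]
# The Client CIDR additionally needs UDP 445, SOAP on TCP 9389 and DFSN/NetLogon on UDP 138.
_CLIENT_EXTRA = [("udp", 445, 445), ("tcp", 9389, 9389), ("udp", 138, 138)]


def allowed_rules(trust_established=False, ldaps=True):
    """Allowed inbound set as (proto, from_port, to_port, cidr) tuples.
    TCP 445 from on-premises is only needed while the trust is being created, and
    TCP 636 only when LDAP over SSL is in use, so both can be dropped on request."""
    rules = set()
    for proto, lo, hi in _COMMON:
        if trust_established and (proto, lo) == ("tcp", 445):
            continue
        if not ldaps and (proto, lo) == ("tcp", 636):
            continue
        rules.add((proto, lo, hi, ONPREM_CIDR))
    for proto, lo, hi in _COMMON + _CLIENT_EXTRA:
        if not ldaps and (proto, lo) == ("tcp", 636):
            continue
        rules.add((proto, lo, hi, CLIENT_CIDR))   # client-side TCP 445 stays (Group Policy)
    return rules


def to_ip_permissions(rules):
    """Render rules as the IpPermissions list the EC2 API expects for ingress rules."""
    return [{"IpProtocol": p, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": c}]}
            for p, lo, hi, c in sorted(rules)]


def excess_rules(current, allowed):
    """Rules in `current` with no allowed rule of the same protocol and CIDR whose port
    range contains them. Anything returned widens exposure beyond the table."""
    def covered(r):
        return any(r[0] == a[0] and r[3] == a[3] and a[1] <= r[1] and r[2] <= a[2]
                   for a in allowed)
    return sorted(r for r in current if not covered(r))


# Constructed sample of a drifted group: the allowed set plus RDP from anywhere and SMB from a stray CIDR.
SAMPLE_CURRENT = allowed_rules() | {("tcp", 3389, 3389, "0.0.0.0/0"),
                                    ("tcp", 445, 445, "192.0.2.0/24")}
```

Feed the real group's rules (as (proto, from, to, cidr) tuples from describe-security-groups) into excess_rules to get the list of rules to revoke; call allowed_rules(trust_established=True) once the trust exists so that on-premises TCP 445 is flagged as well.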