Enhance your Amazon Managed Microsoft AD network security configuration
The Amazon Security Group that is provisioned for the Amazon Managed Microsoft AD directory is configured with the minimum inbound network ports required to support all known use cases for your Amazon Managed Microsoft AD directory. For more information on the provisioned Amazon Security Group, see What gets created.
To further enhance the network security of your Amazon Managed Microsoft AD directory you can modify the Amazon Security Group based on common scenarios listed below.
Amazon applications only support
All user accounts are provisioned only in your Amazon Managed Microsoft AD to be used with supported Amazon applications, such as the following:
Amazon Chime
Amazon Connect
Amazon QuickSight
Amazon IAM Identity Center
Amazon WorkDocs
Amazon WorkMail
Amazon Client VPN
Amazon Web Services Management Console
You can use the following Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.
Note
The following are not compatible with this Amazon Security Group configuration:
Amazon EC2 instances
Amazon FSx
Amazon RDS for MySQL
Amazon RDS for Oracle
Amazon RDS for PostgreSQL
Amazon RDS for SQL Server
WorkSpaces
Active Directory trusts
Domain joined clients or servers
Inbound Rules
None.
Outbound Rules
None.
Amazon applications only with trust support
All user accounts are provisioned in your Amazon Managed Microsoft AD or trusted Active Directory to be used with supported Amazon applications, such as the following:
Amazon Chime
Amazon Connect
Amazon QuickSight
Amazon IAM Identity Center
Amazon WorkDocs
Amazon WorkMail
Amazon Client VPN
Amazon Web Services Management Console
You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.
Note
The following are not compatible with this Amazon Security Group configuration:
Amazon EC2 instances
Amazon FSx
Amazon RDS for MySQL
Amazon RDS for Oracle
Amazon RDS for PostgreSQL
Amazon RDS for SQL Server
WorkSpaces
Domain joined clients or servers
This configuration requires you to ensure the “On-premises CIDR” network is secure: every host on that network can reach the domain controller ports listed below.
TCP 445 is used for trust creation only and can be removed after the trust has been established.
TCP 636 is only required when LDAP over SSL is in use.
Inbound Rules
Protocol | Port range | Source | Type of traffic | Active Directory usage |
---|---|---|---|---|
TCP & UDP | 53 | On-premises CIDR | DNS | User and computer authentication, name resolution, trusts |
TCP & UDP | 88 | On-premises CIDR | Kerberos | User and computer authentication, forest level trusts |
TCP & UDP | 389 | On-premises CIDR | LDAP | Directory, replication, user and computer authentication, group policy, trusts |
TCP & UDP | 464 | On-premises CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts |
TCP | 445 | On-premises CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts |
TCP | 135 | On-premises CIDR | RPC endpoint mapper (EPM) | Replication, trusts |
TCP | 636 | On-premises CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 49152 - 65535 | On-premises CIDR | RPC | Replication, user and computer authentication, group policy, trusts |
TCP | 3268 - 3269 | On-premises CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts |
UDP | 123 | On-premises CIDR | Windows Time | Windows Time, trusts |
Outbound Rules
Protocol | Port range | Destination | Type of traffic | Active Directory usage |
---|---|---|---|---|
All | All | On-premises CIDR | All traffic | Trusts |
Amazon applications and native Active Directory workload support
User accounts are provisioned only in your Amazon Managed Microsoft AD to be used with supported Amazon applications, such as the following:
Amazon Chime
Amazon Connect
Amazon EC2 instances
Amazon FSx
Amazon QuickSight
Amazon RDS for MySQL
Amazon RDS for Oracle
Amazon RDS for PostgreSQL
Amazon RDS for SQL Server
Amazon IAM Identity Center
Amazon WorkDocs
Amazon WorkMail
WorkSpaces
Amazon Client VPN
Amazon Web Services Management Console
You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.
Note
Active Directory trusts cannot be created and maintained between your Amazon Managed Microsoft AD directory and on-premises domain.
This configuration requires you to ensure the “Client CIDR” network is secure: every host on that network can reach the domain controller ports listed below.
TCP 636 is only required when LDAP over SSL is in use.
If you want to use an Enterprise CA with this configuration, you will need to add an outbound rule “TCP, 443, CA CIDR”.
Inbound Rules
Protocol | Port range | Source | Type of traffic | Active Directory usage |
---|---|---|---|---|
TCP & UDP | 53 | Client CIDR | DNS | User and computer authentication, name resolution, trusts |
TCP & UDP | 88 | Client CIDR | Kerberos | User and computer authentication, forest level trusts |
TCP & UDP | 389 | Client CIDR | LDAP | Directory, replication, user and computer authentication, group policy, trusts |
TCP & UDP | 445 | Client CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts |
TCP & UDP | 464 | Client CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts |
TCP | 135 | Client CIDR | RPC endpoint mapper (EPM) | Replication, trusts |
TCP | 636 | Client CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 49152 - 65535 | Client CIDR | RPC | Replication, user and computer authentication, group policy, trusts |
TCP | 3268 - 3269 | Client CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 9389 | Client CIDR | SOAP | AD DS web services |
UDP | 123 | Client CIDR | Windows Time | Windows Time, trusts |
UDP | 138 | Client CIDR | DFSN & NetLogon | DFS, group policy |
Outbound Rules
None.
Amazon applications and native Active Directory workload support with trust support
All user accounts are provisioned in your Amazon Managed Microsoft AD or trusted Active Directory to be used with supported Amazon applications, such as the following:
Amazon Chime
Amazon Connect
Amazon EC2 instances
Amazon FSx
Amazon QuickSight
Amazon RDS for MySQL
Amazon RDS for Oracle
Amazon RDS for PostgreSQL
Amazon RDS for SQL Server
Amazon IAM Identity Center
Amazon WorkDocs
Amazon WorkMail
WorkSpaces
Amazon Client VPN
Amazon Web Services Management Console
You can modify the provisioned Amazon Security Group configuration to block all non-essential traffic to your Amazon Managed Microsoft AD domain controllers.
Note
This configuration requires you to ensure the “On-premises CIDR” and “Client CIDR” networks are secure: every host on those networks can reach the domain controller ports listed below.
TCP 445 with the “On-premises CIDR” is used for trust creation only and can be removed after the trust has been established.
TCP 445 with the “Client CIDR” should be left open, as it is required for Group Policy processing.
TCP 636 is only required when LDAP over SSL is in use.
If you want to use an Enterprise CA with this configuration, you will need to add an outbound rule “TCP, 443, CA CIDR”.
Inbound Rules
Protocol | Port range | Source | Type of traffic | Active Directory usage |
---|---|---|---|---|
TCP & UDP | 53 | On-premises CIDR | DNS | User and computer authentication, name resolution, trusts |
TCP & UDP | 88 | On-premises CIDR | Kerberos | User and computer authentication, forest level trusts |
TCP & UDP | 389 | On-premises CIDR | LDAP | Directory, replication, user and computer authentication, group policy, trusts |
TCP & UDP | 464 | On-premises CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts |
TCP | 445 | On-premises CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts |
TCP | 135 | On-premises CIDR | RPC endpoint mapper (EPM) | Replication, trusts |
TCP | 636 | On-premises CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 49152 - 65535 | On-premises CIDR | RPC | Replication, user and computer authentication, group policy, trusts |
TCP | 3268 - 3269 | On-premises CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts |
UDP | 123 | On-premises CIDR | Windows Time | Windows Time, trusts |
TCP & UDP | 53 | Client CIDR | DNS | User and computer authentication, name resolution, trusts |
TCP & UDP | 88 | Client CIDR | Kerberos | User and computer authentication, forest level trusts |
TCP & UDP | 389 | Client CIDR | LDAP | Directory, replication, user and computer authentication, group policy, trusts |
TCP & UDP | 445 | Client CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts |
TCP & UDP | 464 | Client CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts |
TCP | 135 | Client CIDR | RPC endpoint mapper (EPM) | Replication, trusts |
TCP | 636 | Client CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 49152 - 65535 | Client CIDR | RPC | Replication, user and computer authentication, group policy, trusts |
TCP | 3268 - 3269 | Client CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts |
TCP | 9389 | Client CIDR | SOAP | AD DS web services |
UDP | 123 | Client CIDR | Windows Time | Windows Time, trusts |
UDP | 138 | Client CIDR | DFSN & NetLogon | DFS, group policy |
Outbound Rules
Protocol | Port range | Destination | Type of traffic | Active Directory usage |
---|---|---|---|---|
All | All | On-premises CIDR | All traffic | Trusts |
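The four scenarios above differ only in which source CIDRs are allowed to reach the domain controllers and whether any outbound traffic is permitted. The following Python is an added example, not part of the AWS documentation or of the service: it encodes the inbound tables for the “On-premises CIDR” (trust support) and “Client CIDR” (native Active Directory workload) sources as data, emits the IpPermissions structure that the EC2 security group APIs take, and audits a describe-security-groups result against the chosen scenario so that rules the scenario never asked for (an LDAP port open to 0.0.0.0/0, a leftover RDP rule, the default allow-all egress) stand out. The group ID, CIDRs and sample rules are constructed for illustration; the optional Enterprise CA egress rule (TCP 443 to the CA CIDR) is not modelled.

```python
"""Build and audit the security group rules for an Amazon Managed Microsoft AD
directory. Added example, not part of the AWS documentation or the service:
the rule tables mirror the scenarios on this page, and every CIDR, group ID
and sample rule is constructed for illustration."""
import ipaddress

# (protocols, from_port, to_port, description) permitted from the "On-premises CIDR"
TRUST_RULES = [
    (("tcp", "udp"), 53, 53, "DNS"),
    (("tcp", "udp"), 88, 88, "Kerberos"),
    (("tcp", "udp"), 389, 389, "LDAP"),
    (("tcp", "udp"), 464, 464, "Kerberos change/set password"),
    (("tcp",), 445, 445, "SMB/CIFS - trust creation only, remove once the trust exists"),
    (("tcp",), 135, 135, "RPC endpoint mapper"),
    (("tcp",), 636, 636, "LDAPS - only needed when LDAP over SSL is in use"),
    (("tcp",), 49152, 65535, "RPC dynamic ports"),
    (("tcp",), 3268, 3269, "LDAP GC / LDAP GC SSL"),
    (("udp",), 123, 123, "Windows Time"),
]
# Rules permitted from the "Client CIDR" (domain-joined EC2, FSx, RDS, WorkSpaces)
CLIENT_RULES = [
    (("tcp", "udp"), 53, 53, "DNS"),
    (("tcp", "udp"), 88, 88, "Kerberos"),
    (("tcp", "udp"), 389, 389, "LDAP"),
    (("tcp", "udp"), 445, 445, "SMB/CIFS - required for Group Policy processing"),
    (("tcp", "udp"), 464, 464, "Kerberos change/set password"),
    (("tcp",), 135, 135, "RPC endpoint mapper"),
    (("tcp",), 636, 636, "LDAPS - only needed when LDAP over SSL is in use"),
    (("tcp",), 49152, 65535, "RPC dynamic ports"),
    (("tcp",), 3268, 3269, "LDAP GC / LDAP GC SSL"),
    (("tcp",), 9389, 9389, "AD DS web services (SOAP)"),
    (("udp",), 123, 123, "Windows Time"),
    (("udp",), 138, 138, "DFSN and NetLogon"),
]

def ip_permissions(rules, cidr):
    """Expand a rule table into the IpPermissions list that the EC2
    authorize/revoke_security_group_ingress calls accept."""
    ipaddress.ip_network(cidr)  # fail fast on a malformed CIDR
    perms = []
    for protocols, from_port, to_port, description in rules:
        for proto in protocols:
            perms.append({"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
                          "IpRanges": [{"CidrIp": cidr, "Description": description}]})
    return perms

def expected_ingress(on_prem_cidr=None, client_cidr=None):
    """Inbound rules for a scenario: no CIDRs is "Amazon applications only" (nothing
    inbound); an on-premises CIDR adds trust support; a client CIDR adds workloads."""
    perms = []
    if on_prem_cidr:
        perms += ip_permissions(TRUST_RULES, on_prem_cidr)
    if client_cidr:
        perms += ip_permissions(CLIENT_RULES, client_cidr)
    return perms

def _flatten(perms):
    """Reduce IpPermissions to comparable (proto, from, to, cidr) tuples; the API
    reports 'all traffic' as IpProtocol "-1" with no port fields."""
    return {(p["IpProtocol"], p.get("FromPort", -1), p.get("ToPort", -1), r["CidrIp"])
            for p in perms for r in p.get("IpRanges", [])}

def audit_ingress(group, on_prem_cidr=None, client_cidr=None):
    """Return (unexpected, missing) inbound rules for one describe-security-groups
    entry; 'unexpected' is the finding: exposure the chosen scenario never asked for."""
    actual = _flatten(group.get("IpPermissions", []))
    expected = _flatten(expected_ingress(on_prem_cidr, client_cidr))
    return sorted(actual - expected), sorted(expected - actual)

def audit_egress(group, on_prem_cidr=None):
    """The scenarios allow either no outbound traffic or all traffic to the
    on-premises CIDR only; flag every other destination (the default 0.0.0.0/0
    egress rule is the usual one). The optional CA rule (TCP 443) is not modelled."""
    allowed = {on_prem_cidr} if on_prem_cidr else set()
    return sorted(t for t in _flatten(group.get("IpPermissionsEgress", [])) if t[3] not in allowed)

# Constructed sample: a directory security group for the client-workload scenario
# that someone "fixed" by opening LDAP to the world and adding RDP, and that
# still carries the default allow-all egress rule.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": ip_permissions(CLIENT_RULES, "10.0.0.0/16") + [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    unexpected, missing = audit_ingress(SAMPLE_GROUP, client_cidr="10.0.0.0/16")
    print("unexpected inbound:", unexpected)
    print("missing inbound:", missing)
    print("unexpected outbound:", audit_egress(SAMPLE_GROUP))
```

Against the sample group the audit reports the world-open LDAP rule, the RDP rule and the default egress rule, and nothing missing. To make the change for real, pass the output of expected_ingress() as IpPermissions to boto3's ec2.authorize_security_group_ingress and the flagged tuples to revoke_security_group_ingress; once a trust is established, revoke the TCP 445 entry for the on-premises CIDR as the notes above recommend, then run the audit again so the security group stays at the scenario's minimum.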