AWS res medium security documentation change
Summary
Added requirements for secret tagging to grant RES permissions, expanded SSSD configuration guidelines, updated manual sync procedures for newer releases, and added visual examples
Security assessment
The change explicitly adds security requirements for secret management (tagging secrets with res:EnvironmentName and res:ModuleName) to enforce proper access control. It also includes security-focused configuration warnings about immutable SSSD parameters like id_provider and LDAP settings.
Diff
diff --git a/res/latest/ug/active-directory-sync.md b/res/latest/ug/active-directory-sync.md index 9af2d8abe..d4dcda2a6 100644 --- a/res/latest/ug/active-directory-sync.md +++ b/res/latest/ug/active-directory-sync.md @@ -5 +5 @@ -Runtime ConfigurationHow to manually run the sync (release 2024.12 and later)SSO configuration +Runtime ConfigurationHow to manually start or stop the sync (release 2025.03 and later)How to manually run the sync (release 2024.12 and 2024.12.01)SSO configuration @@ -14,0 +15,11 @@ All the CFN parameters related to Active Directory (AD) are optional during inst +For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsSecretArn` or `DomainTLSCertificateSecretArn`), make sure to add the following tags to the secret for RES to get permissions to read the secret value: + + * key: `res:EnvironmentName`, value: ``<your RES environment name>`` + + * key: `res:ModuleName`, value: `directoryservice` + + + + +Any AD configuration updates in the web portal will be picked up automatically during the next scheduled AD sync (hourly). Users may need to re-configure SSO after changing the AD configuration (for example, if they switch to a different AD). + @@ -17 +28 @@ After the initial installation, administrators can view or edit the AD configura - + @@ -21 +32,5 @@ After the initial installation, administrators can view or edit the AD configura -Administrators can filter the users or groups to sync via the new **Users Filter** and **Groups Filter** options. The filters must follow the [LDAP filter syntax](https://ldap.com/ldap-filters/). An example filter is: +### Additional settings + +**Filters** + +Administrators can filter the users or groups to sync using the **Users Filter** and **Groups Filter** options. The filters must follow the [LDAP filter syntax](https://ldap.com/ldap-filters/). An example filter is: @@ -26 +41 @@ Administrators can filter the users or groups to sync via the new **Users Filter -For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsSecretArn` or `DomainTLSCertificateSecretArn`), make sure to add the following tags to the secret for RES to get permissions to read the secret value: +**Custom SSSD parameters** @@ -28 +43 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS - * key: `res:EnvironmentName`, value: ``<your RES environment name>`` +Administrators can provide a dictionary of key-value pairs containing SSSD parameters and values to write to the `[domain_type/DOMAIN_NAME]` section of the SSSD config file on cluster instances. RES applies the SSSD updates automatically– it restarts the SSSD service on cluster instances and triggers the AD sync process. For a full description of the SSSD configuration file, see the Linux man pages for `SSSD`. @@ -30 +45 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS - * key: `res:ModuleName`, value: `directoryservice` + @@ -31,0 +47 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS +The SSSD parameters and values must be compatible with the RES SSSD configuration as described here: @@ -32,0 +49 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS + * `id_provider` is set internally by RES and must not be modified. @@ -33,0 +51 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS + * AD related configs including `ldap_uri`, `ldap_search_base`, `ldap_default_bind_dn` and `ldap_default_authtok` are set based on the other provided AD configurations and must not be modified. @@ -35 +52,0 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS -Any AD configuration updates in the web portal will be picked up automatically during the next scheduled AD sync (hourly). Users may need to re-configure SSO after changing the AD configuration (for example, if they switch to a different AD). @@ -37 +54,21 @@ Any AD configuration updates in the web portal will be picked up automatically d -## How to manually run the sync (release 2024.12 and later) + + +The following example enables debug level for SSSD logs: + + + +## How to manually start or stop the sync (release 2025.03 and later) + +Navigate to the **Identity management** page, and choose the **Start AD Synchronization** button in the **Active Directory Domain** container to trigger an AD sync on demand. + + + +To stop an ongoing AD sync, select the **Stop AD Synchronization** button in the **Active Directory Domain** container. + + + +You can also check the AD sync status and the latest sync time in the **Active Directory Domain** container. + + + +## How to manually run the sync (release 2024.12 and 2024.12.01)