AWS Security ChangesHomeSearch

AWS directoryservice documentation change

Service: directoryservice · 2025-05-01 · Documentation medium

File: directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md

Summary

Updated security group description to clarify default network rules and added note about prefix list usage

Security assessment

Provides clearer documentation about network security configurations and best practices, enhancing security understanding but not fixing a specific vulnerability

Diff

diff --git a/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md b/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
index c1a90aaa8..f27db695d 100644
--- a//directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
+++ b//directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
@@ -21 +21,3 @@ AWS does not allow the installation of monitoring agents on AWS Managed Microsof
-  * Creates an [AWS Security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) `sg-1234567890abcdef0` that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic ENIs or instances attached to the created AWS Security group. The default inbound rules allows only traffic through ports that are required by Active Directory from your VPC CIDR for your AWS Managed Microsoft AD. These rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. You can change the AWS Security group rules. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see [AWS Managed Microsoft AD best practices](./ms_ad_best_practices.html) and [Enhancing your AWS Managed Microsoft AD network security configuration](./ms_ad_network_security.html).
+  * Creates an [AWS Security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) `sg-1234567890abcdef0` that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to all IPv4 addresses. The default inbound rules allows only traffic through ports that are required by Active Directory from the primary IPv4 CIDR block associated with the VPC hosting for your AWS Managed Microsoft AD. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore by default, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC. You can change the security group rules to allow additional traffic sources, for example from other peered VPCs or CIDRs reachable via VPN. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see [AWS Managed Microsoft AD best practices](./ms_ad_best_practices.html) and [Enhancing your AWS Managed Microsoft AD network security configuration](./ms_ad_network_security.html).
+
+You can use [prefix lists]() to manage your CIDR blocks within the security group rules. Prefix lists make it easier to manage and configure security groups and route tables. You can consolidate multiple CIDR blocks with the same port and protocols to scale your network traffic.