AWS directoryservice documentation change
Summary
Simplified setup instructions by replacing detailed PowerShell delegation steps with a link to external guide. Updated section headers and terminology for clarity.
Security assessment
The change removes detailed ACL configuration steps and PowerShell scripts related to service account permissions, which could impact security configurations. However, there's no explicit mention of addressing a vulnerability - it appears to be documentation reorganization. The replacement with a link to official guides suggests improved maintainability rather than patching a security flaw.
Diff
diff --git a/directoryservice/latest/admin-guide/ad_connector_pca_connector.md b/directoryservice/latest/admin-guide/ad_connector_pca_connector.md index 3812d5fed..71fa457c3 100644 --- a//directoryservice/latest/admin-guide/ad_connector_pca_connector.md +++ b//directoryservice/latest/admin-guide/ad_connector_pca_connector.md @@ -5 +5 @@ -PrerequisitesSetting up AWS Private CA Connector for ADViewing AWS Private CA Connector for ADConfirming AWS Private CA issued a certificate +PrerequisitesSetting up AWS Private CA Connector for ADView your AWS Private CA Connector for ADVerify certificate issuance to AD users @@ -7 +7 @@ PrerequisitesSetting up AWS Private CA Connector for ADViewing AWS Private CA Co -# Set up AWS Private CA Connector for AD for AD Connector +# Set up AWS Private CA Connector for AD @@ -9 +9 @@ PrerequisitesSetting up AWS Private CA Connector for ADViewing AWS Private CA Co -You can integrate your self-managed Active Directory (AD) with AWS Private Certificate Authority (CA) with AD Connector to issue and manage certificates for your AD domain joined users, groups and machines. AWS Private CA Connector for AD allows you to use a fully managed AWS Private CA drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers. +You can integrate your self-managed Active Directory with AWS Private Certificate Authority using AD Connector to issue and manage certificates for your AD domain-joined users, groups, and machines. AWS Private CA Connector for AD provides a fully managed AWS Private CA as a drop-in replacement for your self-managed enterprise CAs without requiring you to deploy, patch, or update local agents or proxy servers. @@ -11 +11 @@ You can integrate your self-managed Active Directory (AD) with AWS Private Certi -You can set up AWS Private CA integration with your directory through the Directory Service console, the AWS Private CA Connector for AD console, or by calling the [`CreateTemplate`](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API-CreateTemplate.html) API. To set up the Private CA integration through the AWS Private CA Connector for Active Directory console, see [AWS Private CA Connector for Active Directory](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad.html). See the following steps on how to set up this integration from the AWS Directory Service console. +You can set up this integration through the AWS Directory Service console, the AWS Private CA Connector for AD console, or by calling the [`CreateTemplate`](https://docs.aws.amazon.com/pca-connector-ad/latest/APIReference/API-CreateTemplate.html) API. To use the AWS Private CA Connector for Active Directory console, see [AWS Private CA Connector for Active Directory](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad.html). The following sections describe how to set up this integration from the AWS Directory Service console. @@ -15,66 +15 @@ You can set up AWS Private CA integration with your directory through the Direct -When you use AD Connector, you need to delegate additional permissions to the service account. Set the access-control list (ACL) on your service account to give yourself the ability to do the following. - - * Add and remove a Service Principal Name (SPN) to itself. - - * Create and update certification authorities in the following containers: - - #containers - CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration, - CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration, - CN=Public Key Services,CN=Services,CN=Configuration - - * Create and update a NTAuthCertificates Certification Authority object like the following example. If the NTAuthCertificates Certification Authority object exists, you must delegate permissions for it. If the object does not exist, you must delegate the ability to create child objects on the Public Key Services container. - - #objects - CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration - - - - -###### Note - -If you’re using AWS Managed Microsoft AD, the additional permissions will be delegated automatically when you authorize the AWS Private CA Connector for AD service with your directory. - -You can use the following PowerShell script to delegate the additional permissions and create the NTAuthCertificates certification authority object. Replace `myconnectoraccount` with the service account name. - - - $AccountName = 'myconnectoraccount' - # DO NOT modify anything below this comment. - # Getting Active Directory information. - Import-Module -Name 'ActiveDirectory' - $RootDSE = Get-ADRootDSE - # Getting AD Connector service account Information - $AccountProperties = Get-ADUser -Identity $AccountName - $AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value - [System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDse.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID - $AccountAclPath = $AccountProperties.DistinguishedName - # Getting ACL settings for AD Connector service account. - $AccountAcl = Get-ACL -Path "AD:\$AccountAclPath" - # Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself - $AccountAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGuid, 'None' - $AccountAcl.AddAccessRule($AccountAccessRule) - Set-ACL -AclObject $AccountAcl -Path "AD:\$AccountAclPath" - # Add ACLs allowing AD Connector service account the ability to create certification authorities - [System.GUID]$CertificationAuthorityGuid = (Get-ADObject -SearchBase $RootDse.SchemaNamingContext -Filter { lDAPDisplayName -eq 'certificationAuthority' } -Properties 'schemaIDGUID').schemaIDGUID - $CAAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty,CreateChild,DeleteChild', 'Allow', $CertificationAuthorityGuid, 'All' - $PKSDN = "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" - $PKSACL = Get-ACL -Path "AD:\$PKSDN" - $PKSACL.AddAccessRule($CAAccessRule) - Set-ACL -AclObject $PKSACL -Path "AD:\$PKSDN" - $AIADN = "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" - $AIAACL = Get-ACL -Path "AD:\$AIADN" - $AIAACL.AddAccessRule($CAAccessRule) - Set-ACL -AclObject $AIAACL -Path "AD:\$AIADN" - $CertificationAuthoritiesDN = "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" - $CertificationAuthoritiesACL = Get-ACL -Path "AD:\$CertificationAuthoritiesDN" - $CertificationAuthoritiesACL.AddAccessRule($CAAccessRule) - Set-ACL -AclObject $CertificationAuthoritiesACL -Path "AD:\$CertificationAuthoritiesDN" - $NTAuthCertificatesDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" - If (-Not (Test-Path -Path "AD:\$NTAuthCertificatesDN")) { - New-ADObject -Name 'NTAuthCertificates' -Type 'certificationAuthority' -OtherAttributes @{certificateRevocationList=[byte[]]'00';authorityRevocationList=[byte[]]'00';cACertificate=[byte[]]'00'} -Path "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" - } - $NTAuthCertificatesACL = Get-ACL -Path "AD:\$NTAuthCertificatesDN" - $NullGuid = [System.GUID]'00000000-0000-0000-0000-000000000000' - $NTAuthAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty', 'Allow', $NullGuid, 'None' - $NTAuthCertificatesACL.AddAccessRule($NTAuthAccessRule) - Set-ACL -AclObject $NTAuthCertificatesACL -Path "AD:\$NTAuthCertificatesDN" +For setup instructions, see [Set up Connector for AD](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-ad-getting-started-prerequisites.html) in the AWS Private CA Connector for AD User Guide. @@ -97 +32 @@ You can use the following PowerShell script to delegate the additional permissio -## Viewing AWS Private CA Connector for AD +## View your AWS Private CA Connector for AD @@ -120 +55 @@ For more information, see [View connector details](https://docs.aws.amazon.com/p -## Confirming AWS Private CA issued a certificate +## Verify certificate issuance to AD users @@ -122 +57 @@ For more information, see [View connector details](https://docs.aws.amazon.com/p -You can complete the following steps to confirm that AWS Private CA is issuing certificates to your self-managed Active Directory. +Complete the following steps to confirm that AWS Private CA is issuing certificates to your self-managed Active Directory: @@ -124 +59 @@ You can complete the following steps to confirm that AWS Private CA is issuing c - * Restart your on-premise domain controllers. + * Restart your on-premises domain controllers.