AWS Security ChangesHomeSearch

AWS res high security documentation change

Service: res · 2025-07-19 · Security-related high

File: res/latest/ug/prerequisites.md

Summary

Multiple changes including renaming 'custom domain' to 'public domain', removing Microsoft AD service account setup instructions, modifying LDAPS secret requirements, updating VPC proxy configurations, and adding S3 bucket owner validation.

Security assessment

The removal of the 'Set up a Service Account for Microsoft Active Directory' section deletes critical security guidance for configuring AD permissions, increasing misconfiguration risks (high severity). The addition of 'expectedBucketOwner' validation for S3 dependencies enhances security by preventing bucket hijacking (adds security documentation). The LDAPS secret change reduces stored credentials but lacks context on compensating controls. The shortened no_proxy list may expose internal traffic if misconfigured (medium severity).

Diff

diff --git a/res/latest/ug/prerequisites.md b/res/latest/ug/prerequisites.md
similarity index 69%
rename from /root/aws-docs-changes/docs/2025-07-18_11-39-58/res/latest/ug/prerequisites.md
rename to /root/aws-docs-changes/docs/2025-07-19_00-00-04/res/archive/release-minus-4/ug/prerequisites.md
index 2f6ac7bb0..19239b132 100644
--- a//res/latest/ug/prerequisites.md
+++ b//res/archive/release-minus-4/ug/prerequisites.md
@@ -1 +1 @@
-[](/pdfs/res/latest/ug/res-ug.pdf#prerequisites "Open PDF")
+[](/pdfs/res/archive/release-minus-4/ug/res-ug.pdf#prerequisites "Open PDF")
@@ -5 +5 @@
-Create an AWS account with an administrative userCreate an Amazon EC2 SSH key pairIncrease service quotasCreate a custom domain (optional)Create domain (GovCloud only)Provide external resourcesConfigure LDAPS in your environment (optional)Service Account for Microsoft Active DirectoryConfigure a private VPC (optional)
+Create an AWS account with an administrative userCreate an Amazon EC2 SSH key pairIncrease service quotasCreate a public domain (optional)Create domain (GovCloud only)Provide external resourcesConfigure LDAPS in your environment (optional)Configure a private VPC (optional)
@@ -17 +17 @@ Create an AWS account with an administrative userCreate an Amazon EC2 SSH key pa
-  * Create a custom domain (optional)
+  * Create a public domain (optional)
@@ -25,2 +24,0 @@ Create an AWS account with an administrative userCreate an Amazon EC2 SSH key pa
-  * Set up a Service Account for Microsoft Active Directory
-
@@ -57 +55 @@ We recommend [increasing the service quotas](https://docs.aws.amazon.com/service
-    * Increase the Elastic IP address quota per NAT gateway from five to eight.
+    * Increase the Elastic IP address quota per NAT gateway from five to eight
@@ -59 +57 @@ We recommend [increasing the service quotas](https://docs.aws.amazon.com/service
-    * Increase the NAT gateways per Availability Zone from five to ten.
+    * Increase the NAT gateways per Availability Zone from five to ten
@@ -70,3 +68 @@ Your AWS account has default quotas, formerly referred to as limits, for each AW
-## Create a custom domain (optional)
-
-We recommend using a custom domain for the product in order to have a user-friendly URL. You may provide a custom domain and _optionally_ provide a certificate for it. 
+## Create a public domain (optional)
@@ -74,3 +70 @@ We recommend using a custom domain for the product in order to have a user-frien
-There is a process in the External Resources stack to create a certificate for a custom domain which you provide. You can skip the steps here if you have a domain and want to use the certificate generation capabilities of the External Resources stack.
-
-Or, follow these steps to register a domain using Amazon Route 53 and import a certificate for the domain using AWS Certificate Manager.
+We recommend using a custom domain for the product in order to have a user-friendly URL. You will need to register a domain using Amazon Route 53 or another provider and import a certificate for the domain using AWS Certificate Manager. If you already have a public domain and certificate, you may skip this step. 
@@ -103 +97 @@ Or, follow these steps to register a domain using Amazon Route 53 and import a c
-If you are deploying in an AWS GovCloud Region and you are using a custom domain for Research and Engineering Studio, you will need to complete these prerequisite steps.
+If you are deploying in the AWS GovCloud (US-West) Region, you will need to complete these prerequisite steps.
@@ -140 +134 @@ The directory service authenticates users to the RES environment.
-  * **A secret that contains the Active Directory service account username and password formatted as a key-value pair (username, password)**
+  * **A secret that contains the service account password**
@@ -147,4 +140,0 @@ Research and Engineering Studio accesses [secrets](./secrets-management.html) th
-###### Warning
-
-You must provide a valid email address for all Active Directory (AD) users whom you want to sync.
-
@@ -155 +145 @@ If you are deploying a demo environment and do not have these external resources
-For demo deployments in the an AWS GovCloud Region, you will need to complete the prerequisite steps in Create domain (GovCloud only).
+For demo deployments in the AWS GovCloud (US-West) Region, you will need to complete the prerequisite steps in Create domain (GovCloud only).
@@ -175 +165 @@ If you plan to use LDAPS communication in your environment, you must complete th
-    6. Select **Base-64 encoded X.509 (.CER)** and choose **Next**.
+    6. Choose **Base-64 encoded X.509 (.CER)** and choose **Next**.
@@ -188,30 +177,0 @@ When creating your Secret in the Secrets Manager, choose **Other type of secrets
-## Set up a Service Account for Microsoft Active Directory
-
-If you choose Microsoft Active Directory (AD) as the identity source for RES, you have a Service Account in your AD that allows for programmatic access. You must pass a secret with the Service Account's credentials as part of your RES installation. The secret must have the format shown here.
-
-![Example username and password format](/images/res/latest/ug/images/res-secret-value-example.png)
-
-Also note that the `username` field doesn't support NT-style logon names of the format `DOMAIN\username`.
-
-The Service Account is responsible for the following functions:
-
-  * Sync users from the AD: RES must sync users from the AD to allow them to log in to the web portal. The syncing process uses the service account to query the AD using LDAP(s) to determine which users and groups are available.
-
-  * Join the AD domain: this is an optional operation for Linux virtual desktops and infrastructure hosts where the instance joins the AD domain. In RES, this is controlled with the `DisableADJoin` parameter. This parameter is set to False by default, which means that Linux virtual desktops will attempt to join the AD domain in the default configuration.
-
-  * Connect to the AD: Linux virtual desktops and infrastructure hosts will connect to the AD domain if they do not join it (`DisableADJoin` = True). For this functionality to work, the Service Account also needs read access for users and groups in the `UsersOU` and `GroupsOU`.
-
-
-
-
-The service account requires the following permissions:
-
-  * To sync users and connect to AD → Read access for users and groups in the `UsersOU` and `GroupsOU`.
-
-  * To join the AD domain → create `Computer` objects in the `ComputersOU`.
-
-
-
-
-The script at [ https://github.com/aws-samples/aws-hpc-recipes/blob/main/recipes/res/res_demo_env/assets/service_account.ps1](https://github.com/aws-samples/aws-hpc-recipes/blob/main/recipes/res/res_demo_env/assets/service_account.ps1) provides an example of how to grant proper Service Account permissions. You can modify it based on your own AD.
-
@@ -237 +197 @@ Deploying Research and Engineering Studio in an isolated VPC offers enhanced sec
-  1. Download [ dependencies](https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/res-installation-scripts.tar.gz). To deploy in an isolated VPC, the RES infrastructure requires the availability of dependencies without having public internet access.
+  1. Download [ dependencies](https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/latest/res-infra-dependencies.tar.gz). To deploy in an isolated VPC, the RES infrastructure requires the availability of dependencies without having public internet access.
@@ -249 +209 @@ Deploying Research and Engineering Studio in an isolated VPC offers enhanced sec
-       * For **Use case** under **Service or use case** , choose **EC2** and choose **Next**. 
+       * For **Use case** under **Service or use case** , select **EC2** and choose **Next**. 
@@ -276,2 +236,2 @@ Image operating system (OS) | Linux
-Compatible OS Versions | Amazon Linux 2, Amazon Linux 2023, RHEL8, RHEL 9, or Windows 10 and 11  
-Component name | Enter a name such as: `<research-and-engineering-studio-infrastructure>`  
+Compatible OS Versions | Amazon Linux 2  
+Component name | Choose a name such as: `<research-and-engineering-studio-infrastructure>`  
@@ -307,0 +268,3 @@ If you are setting up `http_proxy` and `https_proxy` environment variables, the
+              - AWSAccountID:
+                  type: string
+                  description: RES Environment AWS Account ID
@@ -320 +283,2 @@ If you are setting up `http_proxy` and `https_proxy` environment variables, the
-                          destination: '/root/bootstrap/res-installation-scripts/res-installation-scripts.tar.gz'
+                          destination: '/root/bootstrap/res_dependencies/res_dependencies.tar.gz'
+                          expectedBucketOwner: '{{ AWSAccountID }}'
@@ -327,3 +291,3 @@ If you are setting up `http_proxy` and `https_proxy` environment variables, the
-                            - 'cd /root/bootstrap/res-installation-scripts'
-                            - 'tar -xf res-installation-scripts.tar.gz'
-                            - 'cd scripts/infrastructure-host'
+                            - 'cd /root/bootstrap/res_dependencies'
+                            - 'tar -xf res_dependencies.tar.gz'
+                            - 'cd all_dependencies'
@@ -341 +305 @@ If you are setting up `http_proxy` and `https_proxy` environment variables, the
-                              no_proxy=127.0.0.1,169.254.169.254,169.254.170.2,localhost,{{ AWSRegion }}.res,{{ AWSRegion }}.vpce.amazonaws.com,{{ AWSRegion }}.elb.amazonaws.com,s3.{{ AWSRegion }}.amazonaws.com,s3.dualstack.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.api.aws,ec2messages.{{ AWSRegion }}.amazonaws.com,ssm.{{ AWSRegion }}.amazonaws.com,ssmmessages.{{ AWSRegion }}.amazonaws.com,kms.{{ AWSRegion }}.amazonaws.com,secretsmanager.{{ AWSRegion }}.amazonaws.com,sqs.{{ AWSRegion }}.amazonaws.com,elasticloadbalancing.{{ AWSRegion }}.amazonaws.com,sns.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.api.aws,elasticfilesystem.{{ AWSRegion }}.amazonaws.com,fsx.{{ AWSRegion }}.amazonaws.com,dynamodb.{{ AWSRegion }}.amazonaws.com,api.ecr.{{ AWSRegion }}.amazonaws.com,.dkr.ecr.{{ AWSRegion }}.amazonaws.com,kinesis.{{ AWSRegion }}.amazonaws.com,.data-kinesis.{{ AWSRegion }}.amazonaws.com,.control-kinesis.{{ AWSRegion }}.amazonaws.com,events.{{ AWSRegion }}.amazonaws.com,cloudformation.{{ AWSRegion }}.amazonaws.com,sts.{{ AWSRegion }}.amazonaws.com,application-autoscaling.{{ AWSRegion }}.amazonaws.com,monitoring.{{ AWSRegion }}.amazonaws.com,ecs.{{ AWSRegion }}.amazonaws.com,.execute-api.{{ AWSRegion }}.amazonaws.com
+                              no_proxy=127.0.0.1,169.254.169.254,169.254.170.2,localhost,{{ AWSRegion }}.res,{{ AWSRegion }}.vpce.amazonaws.com,{{ AWSRegion }}.elb.amazonaws.com,s3.{{ AWSRegion }}.amazonaws.com,s3.dualstack.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.amazonaws.com,ec2.{{ AWSRegion }}.api.aws,ec2messages.{{ AWSRegion }}.amazonaws.com,ssm.{{ AWSRegion }}.amazonaws.com,ssmmessages.{{ AWSRegion }}.amazonaws.com,kms.{{ AWSRegion }}.amazonaws.com,secretsmanager.{{ AWSRegion }}.amazonaws.com,sqs.{{ AWSRegion }}.amazonaws.com,elasticloadbalancing.{{ AWSRegion }}.amazonaws.com,sns.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.amazonaws.com,logs.{{ AWSRegion }}.api.aws,elasticfilesystem.{{ AWSRegion }}.amazonaws.com,fsx.{{ AWSRegion }}.amazonaws.com,dynamodb.{{ AWSRegion }}.amazonaws.com,api.ecr.{{ AWSRegion }}.amazonaws.com,.dkr.ecr.{{ AWSRegion }}.amazonaws.com,kinesis.{{ AWSRegion }}.amazonaws.com,.data-kinesis.{{ AWSRegion }}.amazonaws.com,.control-kinesis.{{ AWSRegion }}.amazonaws.com,events.{{ AWSRegion }}.amazonaws.com,cloudformation.{{ AWSRegion }}.amazonaws.com,sts.{{ AWSRegion }}.amazonaws.com,application-autoscaling.{{ AWSRegion }}.amazonaws.com,monitoring.{{ AWSRegion }}.amazonaws.com
@@ -356 +322 @@ Section | Parameter | User entry
-| **OS** | Amazon Linux or Red Hat Enterprise Linux (RHEL)  
+| **OS** | Amazon Linux  
@@ -358 +324 @@ Section | Parameter | User entry
-| **Image name** | Amazon Linux 2 x86, Amazon Linux 2023 x86, Red Hat Enterprise Linux 8 x86, or Red Hat Enterprise Linux 9 x86  
+| **Image name** | Amazon Linux 2 x86  
@@ -360,2 +326,2 @@ Section | Parameter | User entry
-**Instance configuration** | **–** | Keep everything in the default settings, and make sure **Remove SSM agent after pipeline execution** is not selected.  
-**Working directory** | **Working directory path** | /root/bootstrap/res-installation-scripts  
+**Instance configuration** | **–** | Keep everything in the default settings, and make sure Remove SSM agent after pipeline execution is not selected.  
+**Working directory** |  **Working directory path** |  /root/bootstrap/res_dependencies  
@@ -365 +331 @@ Section | Parameter | User entry
-       * Owned by you: Amazon EC2 component created previously. Put your current AWS Region in the field.   
+       * Owned by you: Amazon EC2 component created previously. Put your AWS account ID and current AWS Region in the fields.   
@@ -422 +388 @@ Section | Parameter | User entry
-    2. Choose **Actions** , and select **Run pipeline**.
+    2. Choose **Actions** , and choose **Run pipeline**.
@@ -458,2 +424 @@ Amazon FSx | com.amazonaws.`region`.fsx
-[AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html) | com.amazonaws.`region`.lambda  
-[Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html) |  com.amazonaws.`region`.s3 (Requires a gateway endpoint that is created by default in RES.) Additional Amazon S3 interface endpoints are required for cross-mounting buckets in an isolated environment. See [ Accessing Amazon Simple Storage Service interface endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#accessing-s3-interface-endpoints).  
+[Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html) | com.amazonaws.`region`.s3 (Requires a gateway endpoint that is created by default in RES.)  
@@ -461 +425,0 @@ Amazon FSx | com.amazonaws.`region`.fsx
-[ Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) | com.amazonaws.`region`.ecs  
@@ -531,6 +494,0 @@ ClientIP | You can choose your VPC CIDR to allow access for all VPC IP addresses
-HttpProxy | Example: `http://10.1.2.3:123`  
-HttpsProxy | Example: `http://10.1.2.3:123`  
-NoProxy | Example:
-    
-    
-    127.0.0.1,169.254.169.254,169.254.170.2,localhost,us-east-1.res,us-east-1.vpce.amazonaws.com,us-east-1.elb.amazonaws.com,s3.us-east-1.amazonaws.com,s3.dualstack.us-east-1.amazonaws.com,ec2.us-east-1.amazonaws.com,ec2.us-east-1.api.aws,ec2messages.us-east-1.amazonaws.com,ssm.us-east-1.amazonaws.com,ssmmessages.us-east-1.amazonaws.com,kms.us-east-1.amazonaws.com,secretsmanager.us-east-1.amazonaws.com,sqs.us-east-1.amazonaws.com,elasticloadbalancing.us-east-1.amazonaws.com,sns.us-east-1.amazonaws.com,logs.us-east-1.amazonaws.com,logs.us-east-1.api.aws,elasticfilesystem.us-east-1.amazonaws.com,fsx.us-east-1.amazonaws.com,dynamodb.us-east-1.amazonaws.com,api.ecr.us-east-1.amazonaws.com,.dkr.ecr.us-east-1.amazonaws.com,kinesis.us-east-1.amazonaws.com,.data-kinesis.us-east-1.amazonaws.com,.control-kinesis.us-east-1.amazonaws.com,events.us-east-1.amazonaws.com,cloudformation.us-east-1.amazonaws.com,sts.us-east-1.amazonaws.com,application-autoscaling.us-east-1.amazonaws.com,monitoring.us-east-1.amazonaws.com,ecs.us-east-1.amazonaws.com,.execute-api.us-east-1.amazonaws.com