AWS AmazonRDS medium security documentation change
Summary
Updated documentation for self-managed AD integration with SQL Server, including Kerberos support, terminology changes ('Limitations' to 'Considerations'), and restructured setup instructions
Security assessment
Added Kerberos authentication support (previously only NTLM was supported) which provides stronger security through mutual authentication. This addresses NTLM's known security weaknesses. The change explicitly states 'Kerberos protocols' in the overview and removes previous limitations about Kerberos unsupport.
Diff
diff --git a/AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.md b/AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.md index 3bc80d2f3..e3ae4b2d1 100644 --- a//AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.md +++ b//AmazonRDS/latest/UserGuide/USER_SQLServer_SelfManagedActiveDirectory.md @@ -5 +5 @@ -Region and version availabilityLimitationsOverview of setting up Self Managed Active DirectoryUnderstanding self-managed Active Directory Domain membershipRestoring DB instance and adding it to a self-managed Active Directory domain +Region and version availabilityConsiderationsUnderstanding self-managed Active Directory Domain membershipRestoring DB instance and adding it to a self-managed Active Directory domain @@ -7 +7 @@ Region and version availabilityLimitationsOverview of setting up Self Managed Ac -# Working with Self Managed Active Directory with an Amazon RDS for SQL Server DB instance +# Working with self-managed Active Directory with an Amazon RDS for SQL Server DB instance @@ -9 +9 @@ Region and version availabilityLimitationsOverview of setting up Self Managed Ac -You can join your RDS for SQL Server DB instances directly to your self-managed Active Directory (AD) domain, regardless of where your AD is hosted: in corporate data centers, on AWS EC2, or with other cloud providers. With self-managed AD, you use NTLM authentication to directly control authentication of users and services on your RDS for SQL Server DB instances without using intermediary domains and forest trusts. When users authenticate with an RDS for SQL Server DB instance joined to your self-managed AD domain, authentication requests are forwarded to a self-managed AD domain that you specify. +Amazon RDS for SQL Server seamlessly integrates with your self-managed Active Directory (AD) domain, regardless of where your AD is hosted - whether in your data center, on Amazon EC2, or with other cloud providers. This integration enables direct user authentication through NTLM or Kerberos protocols, eliminating the need for complex intermediary domains or forest trusts. When you connect to your RDS SQL Server DB instance, authentication requests are securely forwarded to your designated AD domain, maintaining your existing identity management structure while leveraging Amazon RDS's managed database capabilities. @@ -17 +17 @@ You can join your RDS for SQL Server DB instances directly to your self-managed - * Limitations + * Considerations @@ -19 +19 @@ You can join your RDS for SQL Server DB instances directly to your self-managed - * Overview of setting up Self Managed Active Directory + * [Setting up self-managed Active Directory](./USER_SQLServer_SelfManagedActiveDirectory.SettingUp.html) @@ -21 +21 @@ You can join your RDS for SQL Server DB instances directly to your self-managed - * [Setting up Self Managed Active Directory](./USER_SQLServer_SelfManagedActiveDirectory.SettingUp.html) + * [Joining your DB instance to self-managed Active Directory](./USER_SQLServer_SelfManagedActiveDirectory.Joining.html) @@ -36 +36 @@ You can join your RDS for SQL Server DB instances directly to your self-managed -Amazon RDS supports Self Managed AD for SQL Server using NTLM in all AWS Regions. +Amazon RDS supports self-managed AD for SQL Server using NTLM and Kerberos in all commercial AWS Regions and AWS GovCloud (US) Regions. @@ -38 +38 @@ Amazon RDS supports Self Managed AD for SQL Server using NTLM in all AWS Regions -## Limitations +## Considerations @@ -40 +40 @@ Amazon RDS supports Self Managed AD for SQL Server using NTLM in all AWS Regions -The following limitations apply for Self Managed AD for SQL Server. +When adding an RDS for SQL Server DB instance to a self-managed AD, keep the consider the following: @@ -42 +42 @@ The following limitations apply for Self Managed AD for SQL Server. - * NTLM is the only supported authentication type. Kerberos authentication is not supported. If you need to use kerberos authentication, you can use AWS Managed AD instead of self-managed AD. + * Your DB instances sync with AWS's NTP service and not the AD domain's time server. For database connections between linked SQL Server instances within your AD domain, you can only SQL authentication and not Windows authentication. @@ -44,33 +44 @@ The following limitations apply for Self Managed AD for SQL Server. - * The Microsoft Distributed Transaction Coordinator (MSDTC) service isn't supported, as it requires Kerberos authentication. - - * Your RDS for SQL Server DB instances do not use the Network Time Protocol (NTP) server of your self-managed AD domain. They use an AWS NTP service instead. - - * SQL Server linked servers must use SQL authentication to connect to other RDS for SQL Server DB instances joined to your self-managed AD domain. - - * Microsoft Group Policy Object (GPO) settings from your self-managed AD domain are not applied to RDS for SQL Server DB instances. - - - - -## Overview of setting up Self Managed Active Directory - -To set up self-managed AD for an RDS for SQL Server DB instance, take the following steps, explained in greater detail in [Setting up Self Managed Active Directory](./USER_SQLServer_SelfManagedActiveDirectory.SettingUp.html): - -In your AD domain: - - * Create an Organizational Unit (OU). - - * Create an AD domain user. - - * Delegate control to the AD domain user. - - - - -From the AWS Management Console or API: - - * Create a AWS KMS key. - - * Create a secret using AWS Secrets Manager. - - * Create or modify an RDS for SQL Server DB instance and join it to your self-managed AD domain. + * Group Policy Object settings from your self-managed AD domain are not be propagated to your RDS for SQL Server instances. @@ -83 +51 @@ From the AWS Management Console or API: -After you create or modify your DB instance, the instance becomes a member of the self-managed AD domain. The AWS console indicates the status of the self-managed Active Directory domain membership for the DB instance. The status of the DB instance can be one of the following: +After you create or modify your DB instance while specifying AD details, the instance becomes a member of the self-managed AD domain. The AWS console indicates the status of the self-managed Active Directory domain membership for the DB instance. The status of the DB instance can be one of the following: @@ -103,0 +72,2 @@ After you create or modify your DB instance, the instance becomes a member of th +###### Important + @@ -108 +78 @@ A request to become a member of a self-managed AD domain can fail because of a n -You can restore a DB snapshot or do point-in-time recovery (PITR) for a SQL Server DB instance and then add it to a self-managed Active Directory domain. Once the DB instance is restored, modify the instance using the process explained in [Step 6: Create or modify a SQL Server DB instance](./USER_SQLServer_SelfManagedActiveDirectory.SettingUp.html#USER_SQLServer_SelfManagedActiveDirectory.SettingUp.CreateModify) to add the DB instance to a self-managed AD domain. +You can restore a DB snapshot or do point-in-time recovery (PITR) for a SQL Server DB instance and then add it to a self-managed Active Directory domain. Once the DB instance is restored, modify the instance using the process explained in [Step 1: Create or modify a SQL Server DB instance](./USER_SQLServer_SelfManagedActiveDirectory.Joining.html#USER_SQLServer_SelfManagedActiveDirectory.SettingUp.CreateModify) to add the DB instance to a self-managed AD domain.