AWS Security ChangesHomeSearch

AWS directoryservice documentation change

Service: directoryservice · 2025-11-22 · Documentation low

File: directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.md

Summary

Updated references to AWS Directory Service management team and process descriptions

Security assessment

Clarifies that Directory Service (rather than AWS Directory Service) manages temporary accounts and password rotations. No security implications changed - existing security processes remain intact.

Diff

diff --git a/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.md b/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.md
index ab9d27432..38efbe0d1 100644
--- a//directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.md
+++ b//directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.md
@@ -60 +60 @@ AWS has exclusive control of the Domain Administrator and Enterprise Administrat
-AWS automatically rotates the built-in Administrator password to a random password every 90 days. Anytime the built in Administrator password is requested for human use an AWS ticket is created and logged with the AWS Directory Service team. Account credentials are encrypted and handled over secure channels. Also the Administrator account credentials can only be requested by the AWS Directory Service management team.
+AWS automatically rotates the built-in Administrator password to a random password every 90 days. Anytime the built in Administrator password is requested for human use an AWS ticket is created and logged with the Directory Service team. Account credentials are encrypted and handled over secure channels. Also the Administrator account credentials can only be requested by the Directory Service management team.
@@ -70 +70 @@ Security Event IDs 4624, 4672 and 4648 are all logged when someone logs onto a D
-You might occasionally see users created and deleted within the AWS Reserved OU. AWS is responsible for the management and security of all objects in this OU and any other OU or container where we have not delegated permissions for you to access and manage. You may see creations and deletions in that OU. This is because AWS Directory Service uses automation to rotate the Domain Administrator password on a regular basis. When the password is rotated, a backup is created in the event that the rotation fails. Once the rotation is successful, the backup account is automatically deleted. Also in the rare event that interactive access is needed on the DCs for troubleshooting purposes, a temporary user account is created for an AWS Directory Service engineer to use. Once an engineer has completed their work, the temporary user account will be deleted. Note that every time interactive credentials are requested for a directory, the AWS Directory Service management team is notified.
+You might occasionally see users created and deleted within the AWS Reserved OU. AWS is responsible for the management and security of all objects in this OU and any other OU or container where we have not delegated permissions for you to access and manage. You may see creations and deletions in that OU. This is because Directory Service uses automation to rotate the Domain Administrator password on a regular basis. When the password is rotated, a backup is created in the event that the rotation fails. Once the rotation is successful, the backup account is automatically deleted. Also in the rare event that interactive access is needed on the DCs for troubleshooting purposes, a temporary user account is created for an Directory Service engineer to use. Once an engineer has completed their work, the temporary user account will be deleted. Note that every time interactive credentials are requested for a directory, the Directory Service management team is notified.