AWS license-manager documentation change
Summary
Added detailed security group requirements including TCP port 9389 for ADWS, clarified shared directory support, and updated terminology
Security assessment
Adds explicit firewall configuration guidance (TCP 9389) and security group requirements for Active Directory integration. While not fixing a specific vulnerability, it documents security-critical network configurations to prevent service disruption or insecure setups.
Diff
diff --git a/license-manager/latest/userguide/user-based-subscriptions.md b/license-manager/latest/userguide/user-based-subscriptions.md index ecd937ddf..33b4534ce 100644 --- a//license-manager/latest/userguide/user-based-subscriptions.md +++ b//license-manager/latest/userguide/user-based-subscriptions.md @@ -212 +212 @@ To create user-based subscriptions, your user or role must have the following pe - * **AWS Directory Service** – Administer Active Directories. + * **Directory Service** – Administer Active Directories. @@ -327 +327 @@ AWS managed Active Directories have the following restrictions. - * Directories that are shared with you aren't supported. + * Directories that are shared with you are only supported if the directory is onboarded in the primary account first, then you can onboard it in a shared account. @@ -391 +391,9 @@ License Manager associates this security group to the VPC endpoints it creates o -Ensure that the security group that you use for your AD domain controllers allows outbound traffic to each domain controller's network interface IPv4 address. +Ensure that the security group that you use for your AD domain controllers allows outbound traffic to each domain controller's network interface IPv4 address. In addition, the domain controller security group should allow communication on all Active Directory related ports including TCP 9389. Port 9389 is required for Active Directory Web Services (ADWS), which is used by the Active Directory PowerShell module and other management tools to communicate with domain controllers. + +###### Security group requirements for "Register your Active Directory" step + +During onboarding your Active Directory to License Manager, we create a network interface in your supplied subnets which gets tagged with the default security group of the VPC. Please make sure that this security group is allowed access to your Active Directory domain controllers. This can be replaced with a group of your choice after onboarding is complete but will still require network access to the domain controllers. + +###### Security group requirements for "Configure RDS license server" step + +During license server configuration, License Manager creates two network interfaces in the subnets you provide. These network interfaces are automatically tagged with a newly created security group that includes all required port configurations. Ensure that your Active Directory domain controller security groups allow bidirectional traffic from the subnet CIDRs on all Active Directory related ports, including TCP port 9389. Port 9389 is required for Active Directory Web Services (ADWS), which is used by the Active Directory PowerShell module and other management tools to communicate with domain controllers. @@ -591 +599 @@ RDS SAL Product | Supported | Supported -You can install additional software on your instances that aren't available as user-based subscriptions. Additional software installations aren't tracked by License Manager. These installations must be performed using the administrative account for your Active Directory. If you use an AWS Managed Microsoft AD, the administrative account (Admin) is created by default in your directory. For more information, see [Admin account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html) in the _AWS Directory Service Administration Guide_. +You can install additional software on your instances that aren't available as user-based subscriptions. Additional software installations aren't tracked by License Manager. These installations must be performed using the administrative account for your Active Directory. If you use an AWS Managed Microsoft AD, the administrative account (Admin) is created by default in your directory. For more information, see [Admin account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_admin_account.html) in the _Directory Service Administration Guide_. @@ -612 +620 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Delete seller issued licenses +Delete a host resource group