AWS res documentation change
Summary
Updated documentation for Active Directory sync features including new manual start/stop functionality (2025.03), secret tagging requirements, SSSD configuration guidance, and updated screenshots
Security assessment
The changes add security documentation about proper secret tagging requirements (res:EnvironmentName and res:ModuleName tags) for RES to access secrets, and includes warnings about not modifying critical SSSD parameters like id_provider, ldap_uri, ldap_search_base, ldap_default_bind_dn, and ldap_default_authtok which could impact authentication security. However, there's no evidence this addresses a specific security vulnerability or incident.
Diff
diff --git a/res/archive/release-minus-4/ug/active-directory-sync.md b/res/archive/release-minus-4/ug/active-directory-sync.md index 1d92e8396..64b068ba5 100644 --- a//res/archive/release-minus-4/ug/active-directory-sync.md +++ b//res/archive/release-minus-4/ug/active-directory-sync.md @@ -5 +5 @@ -Runtime ConfigurationHow to manually run the sync (release 2024.12 and later)SSO configuration +Runtime ConfigurationHow to manually start or stop the sync (release 2025.03 and later)How to manually run the sync (release 2024.12 and 2024.12.01)SSO configuration @@ -14,0 +15,11 @@ All the CFN parameters related to Active Directory (AD) are optional during inst +For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsSecretArn` or `DomainTLSCertificateSecretArn`), make sure to add the following tags to the secret for RES to get permissions to read the secret value: + + * key: `res:EnvironmentName`, value: ``<your RES environment name>`` + + * key: `res:ModuleName`, value: `directoryservice` + + + + +Any AD configuration updates in the web portal will be picked up automatically during the next scheduled AD sync (hourly). Users may need to re-configure SSO after changing the AD configuration (for example, if they switch to a different AD). + @@ -17 +28 @@ After the initial installation, administrators can view or edit the AD configura - + @@ -21 +32,5 @@ After the initial installation, administrators can view or edit the AD configura -Administrators can filter the users or groups to sync via the new **Users Filter** and **Groups Filter** options. The filters must follow the [LDAP filter syntax](https://ldap.com/ldap-filters/). An example filter is: +### Additional settings + +**Filters** + +Administrators can filter the users or groups to sync using the **Users Filter** and **Groups Filter** options. The filters must follow the [LDAP filter syntax](https://ldap.com/ldap-filters/). An example filter is: @@ -26 +41 @@ Administrators can filter the users or groups to sync via the new **Users Filter -For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsSecretArn` or `DomainTLSCertificateSecretArn`), make sure to add the following tags to the secret for RES to get permissions to read the secret value: +**Custom SSSD parameters** @@ -28 +43 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS - * key: `res:EnvironmentName`, value: ``<your RES environment name>`` +Administrators can provide a dictionary of key-value pairs containing SSSD parameters and values to write to the `[domain_type/DOMAIN_NAME]` section of the SSSD config file on cluster instances. RES applies the SSSD updates automatically– it restarts the SSSD service on cluster instances and triggers the AD sync process. For a full description of the SSSD configuration file, see the Linux man pages for `SSSD`. @@ -30 +45 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS - * key: `res:ModuleName`, value: `directoryservice` + @@ -31,0 +47 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS +The SSSD parameters and values must be compatible with the RES SSSD configuration as described here: @@ -32,0 +49 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS + * `id_provider` is set internally by RES and must not be modified. @@ -33,0 +51 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS + * AD related configs including `ldap_uri`, `ldap_search_base`, `ldap_default_bind_dn` and `ldap_default_authtok` are set based on the other provided AD configurations and must not be modified. @@ -35 +52,0 @@ For any secret ARN provided at runtime (for example, `ServiceAccountCredentialsS -Any AD configuration updates in the web portal will be picked up automatically during the next scheduled AD sync (hourly). Users may need to re-configure SSO after changing the AD configuration (for example, if they switch to a different AD). @@ -37 +54,21 @@ Any AD configuration updates in the web portal will be picked up automatically d -## How to manually run the sync (release 2024.12 and later) + + +The following example enables debug level for SSSD logs: + + + +## How to manually start or stop the sync (release 2025.03 and later) + +Navigate to the **Identity management** page, and choose the **Start AD Synchronization** button in the **Active Directory Domain** container to trigger an AD sync on demand. + + + +To stop an ongoing AD sync, select the **Stop AD Synchronization** button in the **Active Directory Domain** container. + + + +You can also check the AD sync status and the latest sync time in the **Active Directory Domain** container. + + + +## How to manually run the sync (release 2024.12 and 2024.12.01)