AWS Security ChangesHomeSearch

AWS directoryservice documentation change

Service: directoryservice · 2026-06-19 · Documentation low

File: directoryservice/latest/admin-guide/ms_ad_best_practices.md

Summary

Added IPv6 CIDR support references throughout security group documentation

Security assessment

The changes add IPv6 CIDR support to existing security group descriptions but don't address any specific vulnerability. They enhance documentation of existing security controls by including IPv6 coverage.

Diff

diff --git a/directoryservice/latest/admin-guide/ms_ad_best_practices.md b/directoryservice/latest/admin-guide/ms_ad_best_practices.md
index 58677b65c..70662ea33 100644
--- a//directoryservice/latest/admin-guide/ms_ad_best_practices.md
+++ b//directoryservice/latest/admin-guide/ms_ad_best_practices.md
@@ -68 +68 @@ Learn about the various limits for your specific directory type. The available s
-AWS creates a [security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule) and attaches it to your directory's domain controller [elastic network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html). This security group blocks unnecessary traffic to the domain controller and allows traffic that is necessary for Active Directory communications. AWS configures the security group to open only the ports that are required for Active Directory communications. In the default configuration, the security group accepts traffic to these ports from AWS Managed Microsoft AD VPC IPv4 CIDR address. AWS attaches the security group to your domain controller interfaces that are accessible from within your peered or resized [VPCs](https://aws.amazon.com/vpc/). These interfaces are inaccessible from the internet even if you modify routing tables, change the network connections to your VPC, and configure the [NAT Gateway service](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html). As such, only instances and computers that have a network path into the VPC can access the directory. This simplifies setup by eliminating the requirement for you to configure specific address ranges. Instead, you configure routes and security groups into the VPC that permit traffic only from trusted instances and computers.
+AWS creates a [security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule) and attaches it to your directory's domain controller [elastic network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html). This security group blocks unnecessary traffic to the domain controller and allows traffic that is necessary for Active Directory communications. AWS configures the security group to open only the ports that are required for Active Directory communications. In the default configuration, the security group accepts traffic to these ports from AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR address. AWS attaches the security group to your domain controller interfaces that are accessible from within your peered or resized [VPCs](https://aws.amazon.com/vpc/). These interfaces are inaccessible from the internet even if you modify routing tables, change the network connections to your VPC, and configure the [NAT Gateway service](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html). As such, only instances and computers that have a network path into the VPC can access the directory. This simplifies setup by eliminating the requirement for you to configure specific address ranges. Instead, you configure routes and security groups into the VPC that permit traffic only from trusted instances and computers.
@@ -72 +72 @@ AWS creates a [security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGui
-If you want to increase the security of your directory security groups, you can modify them to accept traffic from a more restrictive list of IP addresses. For example, you could change the accepted addresses from your VPC IPv4 CIDR range to a CIDR range that is specific to a single subnet or computer. Similarly, you might choose to restrict the destination addresses to which your domain controllers can communicate. Make such changes only if you fully understand how security group filtering works. For more information, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the _Amazon EC2 User Guide_. Improper changes can result in loss of communications to intended computers and instances. AWS recommends that you do not attempt to open additional ports to the domain controller as this decreases the security of your directory. Please carefully review the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/). 
+If you want to increase the security of your directory security groups, you can modify them to accept traffic from a more restrictive list of IP addresses. For example, you could change the accepted addresses from your VPC IPv4 CIDR or IPv6 CIDR range to a CIDR range that is specific to a single subnet or computer. Similarly, you might choose to restrict the destination addresses to which your domain controllers can communicate. Make such changes only if you fully understand how security group filtering works. For more information, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the _Amazon EC2 User Guide_. Improper changes can result in loss of communications to intended computers and instances. AWS recommends that you do not attempt to open additional ports to the domain controller as this decreases the security of your directory. Please carefully review the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/). 
@@ -76 +76 @@ If you want to increase the security of your directory security groups, you can
-It is technically possible for you to associate the security groups, which your directory uses, with other EC2 instances that you create. However, AWS recommends against this practice. AWS may have reasons to modify the security group without notice to address functional or security needs of the managed directory. Such changes affect any instances with which you associate the directory security group. Furthermore, associating the directory security group with your EC2 instances creates a potential security risk for your EC2 instances. The directory security group accepts traffic on required Active Directory ports from AWS Managed Microsoft AD VPC IPv4 CIDR address. If you associate this Security Group with an EC2 instance that has a public IP address attached to the internet, then any computer on the internet can communicate with your EC2 instance on the opened ports.
+It is technically possible for you to associate the security groups, which your directory uses, with other EC2 instances that you create. However, AWS recommends against this practice. AWS may have reasons to modify the security group without notice to address functional or security needs of the managed directory. Such changes affect any instances with which you associate the directory security group. Furthermore, associating the directory security group with your EC2 instances creates a potential security risk for your EC2 instances. The directory security group accepts traffic on required Active Directory ports from AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR address. If you associate this Security Group with an EC2 instance that has a public IP address attached to the internet, then any computer on the internet can communicate with your EC2 instance on the opened ports.