AWS Security ChangesHomeSearch

AWS directoryservice documentation change

Service: directoryservice · 2026-06-19 · Documentation low

File: directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md

Summary

Added IPv6 support to AWS Managed Microsoft AD security group rules. Updated documentation to reflect that security groups now allow IPv6 CIDR blocks for inbound traffic and ::/0 for outbound traffic.

Security assessment

The changes expand security group rules to include IPv6 traffic, enhancing network security documentation by specifying IPv6 CIDR blocks as allowed sources. This improves security posture documentation but doesn't address a specific vulnerability. The update maintains existing security principles (no Elastic IPs, restricted inbound traffic) while adding IPv6 coverage.

Diff

diff --git a/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md b/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
index 8f5661dfb..d2fadb7bc 100644
--- a//directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
+++ b//directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.md
@@ -23 +23 @@ AWS does not allow the installation of monitoring agents on AWS Managed Microsof
-  * Creates an [AWS Security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) `sg-1234567890abcdef0` that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to all IPv4 addresses. The default inbound rules allows only traffic through ports that are required by Active Directory from the primary IPv4 CIDR block associated with the VPC hosting for your AWS Managed Microsoft AD. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore by default, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC. You can change the security group rules to allow additional traffic sources, for example from other peered VPCs or CIDRs reachable via VPN. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see [AWS Managed Microsoft AD best practices](./ms_ad_best_practices.html) and [Enhancing your AWS Managed Microsoft AD network security configuration](./ms_ad_network_security.html).
+  * Creates an [AWS Security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) `sg-1234567890abcdef0` that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to all IPv4 and/or IPv6 addresses. The default inbound rules allows only traffic through ports that are required by Active Directory from the primary IPv4 CIDR block, or IPv6 CIDR block associated with the VPC hosting for your AWS Managed Microsoft AD. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore by default, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC. You can change the security group rules to allow additional traffic sources, for example from other peered VPCs or CIDRs reachable via VPN. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see [AWS Managed Microsoft AD best practices](./ms_ad_best_practices.html) and [Enhancing your AWS Managed Microsoft AD network security configuration](./ms_ad_network_security.html).
@@ -37,12 +37,12 @@ Protocol | Port range | Source | Type of traffic | Active Directory usage
-ICMP | N/A | AWS Managed Microsoft AD VPC IPv4 CIDR | Ping | LDAP Keep Alive, DFS  
-TCP & UDP | 53 | AWS Managed Microsoft AD VPC IPv4 CIDR | DNS | User and computer authentication, name resolution, trusts   
-TCP & UDP | 88 | AWS Managed Microsoft AD VPC IPv4 CIDR | Kerberos | User and computer authentication, forest level trusts  
-TCP & UDP | 389 | AWS Managed Microsoft AD VPC IPv4 CIDR | LDAP | Directory, replication, user and computer authentication group policy, trusts  
-TCP & UDP | 445 | AWS Managed Microsoft AD VPC IPv4 CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts  
-TCP & UDP | 464 | AWS Managed Microsoft AD VPC IPv4 CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts  
-TCP | 135 | AWS Managed Microsoft AD VPC IPv4 CIDR | Replication | RPC, EPM  
-TCP | 636 | AWS Managed Microsoft AD VPC IPv4 CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts  
-TCP | 1024 - 65535 | AWS Managed Microsoft AD VPC IPv4 CIDR | RPC | Replication, user and computer authentication, group policy, trusts  
-TCP | 3268 - 3269 | AWS Managed Microsoft AD VPC IPv4 CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts  
-UDP | 123 | AWS Managed Microsoft AD VPC IPv4 CIDR | Windows Time | Windows Time, trusts  
-UDP | 138 | AWS Managed Microsoft AD VPC IPv4 CIDR | DFSN & NetLogon | DFS, group policy  
+ICMP | N/A | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | Ping | LDAP Keep Alive, DFS  
+TCP & UDP | 53 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | DNS | User and computer authentication, name resolution, trusts   
+TCP & UDP | 88 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | Kerberos | User and computer authentication, forest level trusts  
+TCP & UDP | 389 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | LDAP | Directory, replication, user and computer authentication group policy, trusts  
+TCP & UDP | 445 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | SMB / CIFS | Replication, user and computer authentication, group policy, trusts  
+TCP & UDP | 464 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | Kerberos change / set password | Replication, user and computer authentication, trusts  
+TCP | 135 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | Replication | RPC, EPM  
+TCP | 636 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts  
+TCP | 1024 - 65535 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | RPC | Replication, user and computer authentication, group policy, trusts  
+TCP | 3268 - 3269 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts  
+UDP | 123 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | Windows Time | Windows Time, trusts  
+UDP | 138 | AWS Managed Microsoft AD VPC IPv4 CIDR, or IPv6 CIDR | DFSN & NetLogon | DFS, group policy  
@@ -55 +55 @@ Protocol | Port range | Destination | Type of traffic | Active Directory usage
-All | All | 0.0.0.0/0 | All Traffic |   
+All | All | 0.0.0.0/0 or ::/0 | All Traffic |