Using Kerberos authentication for Amazon RDS for Db2

You can use Kerberos authentication to authenticate users when they connect to your Amazon RDS for Db2 DB instance. Your DB instance works with AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) to enable Kerberos authentication. When users authenticate with an RDS for Db2 DB instance joined to the trusting domain, authentication requests are forwarded to the directory that you create with AWS Directory Service. For more information, see What is AWS Directory Service? in the AWS Directory Service Administration Guide.

First, create an AWS Managed Microsoft AD directory to store user credentials. Then, add the domain and other information of your AWS Managed Microsoft AD directory to your RDS for Db2 DB instance. When users authenticate with the RDS for Db2 DB instance, authentication requests are forwarded to the AWS Managed Microsoft AD directory.

Keeping all of your credentials in the same directory can save you time and effort. With this approach, you have a centralized place for storing and managing credentials for multiple DB instances. Using a directory can also improve your overall security profile.

For information about Kerberos authentication, see the following topics.

Topics

• Setting up Kerberos authentication for Amazon RDS for Db2 DB instances

• Connecting to Amazon RDS for Db2 with Kerberos authentication

Region and version availability

Feature availability and support varies across specific versions of each database engine, and across AWS Regions. For more information about version and Region availability of RDS for Db2 with Kerberos authentication, see Supported Regions and DB engines for Kerberos authentication in Amazon RDS.

Note

Kerberos authentication isn't supported for DB instance classes that are deprecated for RDS for Db2 DB instances. For more information, see Amazon RDS for Db2 instance classes.

Overview of Kerberos authentication for RDS for Db2 DB instances

To set up Kerberos authentication for an RDS for Db2 DB instance, complete the following general steps, which are described in more detail later:

1. Use AWS Managed Microsoft AD to create an AWS Managed Microsoft AD directory. You can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or AWS Directory Service to create the directory. For more information, see Create your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.

2. Create an AWS Identity and Access Management (IAM) role that uses the managed IAM policy AmazonRDSDirectoryServiceAccess. The IAM role allows Amazon RDS to make calls to your directory.

   For the IAM role to allow access, the AWS Security Token Service (AWS STS) endpoint must be activated in the correct AWS Region for your AWS account. AWS STS endpoints are active by default in all AWS Regions, and you can use them without any further actions. For more information, see Activating and deactivating AWS STS in an AWS Region in the IAM User Guide.

3. Create or modify an RDS for Db2 DB instance by using the AWS Management Console, the AWS CLI, or the RDS API with one of the following methods:

   • Create a new RDS for Db2 DB instance using the console, the create-db-instance command, or the CreateDBInstance API operation. For instructions, see Creating an Amazon RDS DB instance.

   • Modify an existing RDS for Db2 DB instance using the console, the modify-db-instance command, or the ModifyDBInstance API operation. For instructions, see Modifying an Amazon RDS DB instance.

   • Restore an RDS for Db2 DB instance from a DB snapshot using the console, the restore-db-instance-from-db-snapshot command, or the RestoreDBInstanceFromDBSnapshot API operation. For instructions, see Restoring to a DB instance.

   • Restore an RDS for Db2 DB instance to a point-in-time using the console, the restore-db-instance-to-point-in-time command, or the RestoreDBInstanceToPointInTime API operation. For instructions, see Restoring a DB instance to a specified time for Amazon RDS.

   You can locate the DB instance in the same Amazon Virtual Private Cloud (VPC) as the directory or in a different AWS account or VPC. When you create or modify the RDS for Db2 DB instance, do the following tasks:

   • Provide the domain identifier (d-* identifier) that was generated when you created your directory.

   • Provide the name of the IAM role that you created.

   • Verify that the DB instance security group can receive inbound traffic from the directory security group.

4. Configure your Db2 client, and verify that traffic can flow between the client host and AWS Directory Service for the following ports:

   • TCP/UDP port 53 – DNS

   • TCP 88 – Kerberos authentication

   • TCP 389 – LDAP

   • TCP 464 – Kerberos authentication

Managing a DB instance in a domain

You can use the AWS Management Console, the AWS CLI, or the RDS API to manage your DB instance and its relationship with your Microsoft Active Directory. For example, you can associate an Active Directory to enable Kerberos authentication. You can also remove the association for an Active Directory to disable Kerberos authentication. You can also move a DB instance to be externally authenticated by one Microsoft Active Directory to another.

For example, running the modify-db-instance CLI command, you can perform the following actions:

• Re-attempt enabling Kerberos authentication for a failed membership by specifying the current membership's directory ID for the --domain option.

• Disable Kerberos authentication on a DB instance by specifying none for the --domain option.

• Move a DB instance from one domain to another by specifying the domain identifier of the new domain for the --domain option.

Understanding domain membership

After you create or modify your DB instance, it becomes a member of the domain. You can view the status of the domain membership in the console or by running the describe-db-instances command. The status of the DB instance can be one of the following:

• kerberos-enabled – The DB instance has Kerberos authentication enabled.

• enabling-kerberos – AWS is in the process of enabling Kerberos authentication on this DB instance.

• pending-enable-kerberos – Enabling Kerberos authentication is pending on this DB instance.

• pending-maintenance-enable-kerberos – AWS will attempt to enable Kerberos authentication on the DB instance during the next scheduled maintenance window.

• pending-disable-kerberos – Disabling Kerberos authentication is pending on this DB instance.

• pending-maintenance-disable-kerberos – AWS will attempt to disable Kerberos authentication on the DB instance during the next scheduled maintenance window.

• enable-kerberos-failed – A configuration problem prevented AWS from enabling Kerberos authentication on the DB instance. Correct the configuration problem before re-issuing the command to modify the DB instance.

• disabling-kerberos – AWS is in the process of disabling Kerberos authentication on this DB instance.

A request to enable Kerberos authentication can fail because of a network connectivity issue or an incorrect IAM role. In some cases, the attempt to enable Kerberos authentication might fail when you create or modify a DB instance. If this happens, verify that you are using the correct IAM role, and then modify the DB instance to join the domain.