Amazon Relational Database Service
User Guide

Using Kerberos Authentication with Amazon RDS for Oracle

You can use Kerberos authentication to authenticate users when they connect to your Amazon RDS DB instance running Oracle. In this case, your DB instance works with AWS Directory Service for Microsoft Active Directory, also called AWS Managed Microsoft AD, to enable Kerberos authentication. When users authenticate with an Oracle DB instance joined to the trusting domain, authentication requests are forwarded to the directory that you create with AWS Directory Service.

Keeping all of your credentials in the same directory can save you time and effort. You have a centralized place for storing and managing credentials for multiple database instances. Using a directory can also improve your overall security profile: database users no longer have a password stored in each DB instance, and password policy, account lockout and revocation are enforced in one place, in the directory.

Amazon RDS supports Kerberos authentication for Oracle DB instances in the following AWS Regions:

  • US East (Ohio)

  • US East (N. Virginia)

  • US West (Oregon)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • EU (Frankfurt)

  • EU (Ireland)

  • EU (London)

Note

Kerberos authentication isn't supported for DB instance classes that are deprecated for Oracle DB instances. For more information, see DB Instance Class Support for Oracle.

To set up Kerberos authentication for an Oracle DB instance, complete the following general steps, described in more detail later:

  1. Use AWS Directory Service to create an AWS Managed Microsoft AD directory. You can use the AWS Management Console, the AWS CLI, or the AWS Directory Service API to create the directory.

  2. Create an AWS Identity and Access Management (IAM) role that uses the managed IAM policy AmazonRDSDirectoryServiceAccess. The role allows Amazon RDS to make calls to your directory.

    For the role to allow access, the AWS Security Token Service (AWS STS) endpoint must be activated in the correct AWS Region for your AWS account. AWS STS endpoints are active by default in all AWS Regions, and you can use them without any further actions. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.

  3. Create and configure users in the AWS Managed Microsoft AD directory using the Microsoft Active Directory tools. For more information about creating users in your Microsoft Active Directory, see Manage Users and Groups in AWS Managed Microsoft AD in the AWS Directory Service Administration Guide.

  4. Create or modify an Oracle DB instance from the console, the AWS CLI, or the RDS API.

    When you create or modify the DB instance, provide the domain identifier (the d-* identifier) that was generated when you created your directory and the name of the role you created. You can locate the DB instance in the same Amazon Virtual Private Cloud (VPC) as the directory or in a different VPC.

  5. Use the Amazon RDS master user credentials to connect to the Oracle DB instance. Create an Oracle user that is identified externally, named after the user's Kerberos principal (for example, "KRBUSER@CORP.EXAMPLE.COM"). Externally identified users have no database password; they log in to the Oracle DB instance with a Kerberos ticket obtained from the directory.
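The following shell script is added here as an example; it is not code from the AWS documentation. It strings together step 2 (the IAM role), step 4 (joining the DB instance to the directory) and step 5 (the externally identified Oracle user, plus a login check) using the AWS CLI, kinit and SQL*Plus. It assumes the directory from step 1 already exists, and the role name, d-* identifier, DB instance identifier, master-user connect string, TNS alias and user principal are placeholders to replace. The trust policy principal rds.amazonaws.com and the upper-cased, quoted form of the Oracle user name follow AWS's published examples. With DRY_RUN=1 (the default) the script only prints what it would run.

```shell
#!/bin/sh
# Added example: ties together step 2 (IAM role), step 4 (join the instance to the
# directory) and step 5 (externally identified Oracle user). Not AWS-provided code.
# Assumes the AWS Managed Microsoft AD directory from step 1 already exists and that
# the AWS CLI, kinit and sqlplus are on PATH. All identifiers below are placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-rds-directoryservice-kerberos-access-role}"
DIRECTORY_ID="${DIRECTORY_ID:-d-0123456789}"       # d-* identifier from step 1 (placeholder)
DB_ID="${DB_ID:-oracle-kerberos-test}"             # DB instance identifier (placeholder)
MASTER_CONN="${MASTER_CONN:-admin@ORCL}"           # master user connect string (placeholder)
TNS_ALIAS="${TNS_ALIAS:-ORCL}"                     # tnsnames.ora alias for the instance
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands, 0 = execute them

# Print a command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Trust policy for step 2: only the RDS service principal may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "rds.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Step 2: create the role and attach the AWS managed policy that lets RDS call Directory Service.
create_role() {
  run aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
}

# Step 4: join an existing instance to the directory. create-db-instance takes the
# same --domain and --domain-iam-role-name options when you create a new instance.
join_domain() {
  run aws rds modify-db-instance --db-instance-identifier "$DB_ID" \
    --domain "$DIRECTORY_ID" --domain-iam-role-name "$ROLE_NAME" --apply-immediately
}

# Step 5: SQL that creates the externally identified user. The Oracle user name is the
# Kerberos principal (user@REALM), quoted and upper-cased as in AWS's example.
# $1 = AD user name, $2 = AD domain name (the Kerberos realm).
external_user_sql() {
  princ=$(printf '%s@%s' "$1" "$2" | tr '[:lower:]' '[:upper:]')
  printf 'CREATE USER "%s" IDENTIFIED EXTERNALLY;\nGRANT CREATE SESSION TO "%s";\n' "$princ" "$princ"
}

# Step 5: run that SQL as the master user (sqlplus prompts for the master password).
create_external_user() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'sqlplus -S %s <<SQL\n%s\nSQL\n' "$MASTER_CONN" "$(external_user_sql "$1" "$2")"
  else
    external_user_sql "$1" "$2" | sqlplus -S "$MASTER_CONN"
  fi
}

# Check: get a ticket for the AD user (realm upper-cased) and log in with no database
# password. The client's sqlnet.ora needs SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5);
# a Kerberos session reports AUTHENTICATION_METHOD = KERBEROS.
verify_login() {
  run kinit "$1@$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
  printf "SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM dual;\n" \
    | run sqlplus -S "/@$TNS_ALIAS"
}

if [ "${1:-}" = "run" ]; then
  create_role
  join_domain
  create_external_user krbuser corp.example.com
  verify_login krbuser corp.example.com
fi
```

Run it as `DRY_RUN=1 sh kerberos-setup.sh run` first to review the exact commands and SQL, then with DRY_RUN=0 once the placeholders are filled in. The role's trust policy deliberately names only rds.amazonaws.com; it does not need, and should not be given, any broader principal.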

To use Kerberos authentication with an on-premises or self-hosted Microsoft Active Directory, create a two-way forest trust between that directory and your AWS Managed Microsoft AD directory. For more information on setting up forest trusts using AWS Directory Service, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.