Configure directory security settings
You can configure fine-grained directory settings for your AWS Managed Microsoft AD to meet your compliance and security requirements without any increase in operational workload. In directory settings, you can update secure channel configuration for protocols and ciphers used in your directory. For example, you have the flexibility to disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. AWS Managed Microsoft AD then deploys the configuration to all domain controllers in your directory and maintains this configuration as you scale out or deploy additional AWS Regions. For all available settings, see List of directory security settings.
Edit directory security settings
You can configure and edit settings for any of your directories.
To edit directory settings
Sign in to the AWS Management Console and open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/. On the Directories page, choose your directory ID.
Under Networking & security, find Directory settings, and then choose Edit settings.
In Edit settings, change the Value for the settings that you want to edit. When you edit a setting, its status changes from Default to Ready to Update. If you have edited the setting previously, its status changes from Updated to Ready to Update. Then, choose Review.
In Review and update settings, see Directory settings and make sure that the new values are all correct. If you want to make any other changes to your settings, choose Edit settings. When you’re satisfied with your changes and ready to implement the new values, choose Update settings. Then, you’re taken back to the directory ID page.
Note: Under Directory settings, you can view the Status of your updated settings. While settings are implemented, the Status displays Updating. You cannot edit other settings while a setting displays Updating under Status. The Status displays Updated if the setting successfully updates with your edit. The Status displays Failed if the setting fails to update with your edit.
Failed directory security settings
If an error occurs during a settings update, the Status displays as Failed. In a failed status, the settings do not update to the new values, and the original values remain implemented. You can retry updating these settings or revert them to their previous values.
To resolve failed updated settings
Under Directory settings, choose Resolve failed settings. Then, do one of the following:
To revert your settings back to their original value before the failure state, choose Revert failed settings. Then, choose Revert in the pop-up modal.
To retry updating your directory settings, choose Retry failed settings. If you want to make additional changes to your directory settings before retrying the failed updates, choose Continue editing. On Review and retry failed updates, choose Update settings.
List of directory security settings
The following list shows the type, setting name, API name, potential values, and setting description for all available directory security settings.
Type | Setting name | API name | Potential values | Setting description
---|---|---|---|---
Secure Channel: Ciphers | AES 128/128 | AES_128_128 | Enable, Disable | Enable or disable the AES 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | DES 56/56 | DES_56_56 | Enable, Disable | Enable or disable the DES 56/56 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC2 40/128 | RC2_40_128 | Enable, Disable | Enable or disable the RC2 40/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC2 56/128 | RC2_56_128 | Enable, Disable | Enable or disable the RC2 56/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC2 128/128 | RC2_128_128 | Enable, Disable | Enable or disable the RC2 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC4 40/128 | RC4_40_128 | Enable, Disable | Enable or disable the RC4 40/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC4 56/128 | RC4_56_128 | Enable, Disable | Enable or disable the RC4 56/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC4 64/128 | RC4_64_128 | Enable, Disable | Enable or disable the RC4 64/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | RC4 128/128 | RC4_128_128 | Enable, Disable | Enable or disable the RC4 128/128 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Ciphers | Triple DES 168/168 | 3DES_168_168 | Enable, Disable | Enable or disable the Triple DES 168/168 encryption cipher for secure channel communications between domain controllers in your directory.
Secure Channel: Protocols | PCT 1.0 | PCT_1_0 | Enable, Disable | Enable or disable the PCT 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocols | SSL 2.0 | SSL_2_0 | Enable, Disable | Enable or disable the SSL 2.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocols | SSL 3.0 | SSL_3_0 | Enable, Disable | Enable or disable the SSL 3.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocols | TLS 1.0 | TLS_1_0 | Enable, Disable | Enable or disable the TLS 1.0 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
Secure Channel: Protocols | TLS 1.1 | TLS_1_1 | Enable, Disable | Enable or disable the TLS 1.1 protocol for secure channel communications (Server and Client) on the domain controllers in your directory.
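The console procedure above (edit, review, update, then resolve any Failed settings) maps onto two Directory Service API calls, UpdateSettings and DescribeSettings, which take the API names from this table. The following is an added example written for this page, not AWS's own code: it builds an UpdateSettings request that disables every legacy cipher and protocol listed while leaving AES 128/128 enabled, refuses to submit while an earlier update is still rolling out (the console's Updating state), and mirrors the "Revert failed settings" action by re-requesting the still-applied value for each Failed entry. The DescribeSettings response shape used here (SettingEntries with Name, AppliedValue, RequestedValue, RequestStatus, and the status values Requested, InProgress, Completed, Failed, Default) is an assumption about the boto3 `ds` client; the FakeDsClient and the directory ID d-1234567890 are constructed so the code runs offline.

```python
"""Secure-channel hardening for AWS Managed Microsoft AD through the
Directory Service API (boto3 ``ds`` client: update_settings / describe_settings).

Added example for this page; not AWS documentation code. It assumes the API
names from the settings table and the DescribeSettings response shape
(SettingEntries with Name, AppliedValue, RequestedValue, RequestStatus).
"""

# API names taken from the page's settings table.
LEGACY_CIPHERS = [
    "DES_56_56",
    "RC2_40_128", "RC2_56_128", "RC2_128_128",
    "RC4_40_128", "RC4_56_128", "RC4_64_128", "RC4_128_128",
    "3DES_168_168",
]
LEGACY_PROTOCOLS = ["PCT_1_0", "SSL_2_0", "SSL_3_0", "TLS_1_0", "TLS_1_1"]
KNOWN_SETTINGS = frozenset(["AES_128_128", *LEGACY_CIPHERS, *LEGACY_PROTOCOLS])

# RequestStatus values meaning a change is still rolling out to the domain
# controllers (assumed from the DescribeSettings API; the console shows "Updating").
IN_PROGRESS = frozenset({"Requested", "InProgress"})


def build_disable_request(directory_id, names=None):
    """Build kwargs for ds.update_settings() that set each named setting to Disable.

    Defaults to every legacy cipher and protocol in the table; AES 128/128 is
    deliberately left alone so the secure channel keeps a modern cipher.
    """
    names = list(names) if names is not None else LEGACY_CIPHERS + LEGACY_PROTOCOLS
    unknown = sorted(set(names) - KNOWN_SETTINGS)
    if unknown:
        raise ValueError(f"not a directory security setting: {unknown}")
    return {
        "DirectoryId": directory_id,
        "Settings": [{"Name": n, "Value": "Disable"} for n in names],
    }


def summarize(describe_response):
    """Group SettingEntries by RequestStatus -> {status: [sorted names]}."""
    out = {}
    for e in describe_response.get("SettingEntries", []):
        out.setdefault(e.get("RequestStatus", "Default"), []).append(e["Name"])
    return {k: sorted(v) for k, v in out.items()}


def build_revert_request(directory_id, describe_response):
    """Mirror the console's "Revert failed settings": for every entry whose
    RequestStatus is Failed, request the value that is still applied."""
    settings = [
        {"Name": e["Name"], "Value": e["AppliedValue"]}
        for e in describe_response.get("SettingEntries", [])
        if e.get("RequestStatus") == "Failed"
    ]
    return {"DirectoryId": directory_id, "Settings": settings}


def harden(client, directory_id):
    """Disable legacy ciphers/protocols unless an update is still in progress,
    then return the status summary. `client` is any object exposing the boto3
    ds methods, so a fake can be injected for offline runs."""
    before = summarize(client.describe_settings(DirectoryId=directory_id))
    if any(status in IN_PROGRESS for status in before):
        raise RuntimeError("a settings update is still in progress; retry later")
    client.update_settings(**build_disable_request(directory_id))
    return summarize(client.describe_settings(DirectoryId=directory_id))


class FakeDsClient:
    """Constructed in-memory stand-in for boto3.client('ds'). It refuses to
    change TLS_1_1 so the Failed path can be exercised offline."""

    def __init__(self, fail_on=("TLS_1_1",)):
        self.fail_on = set(fail_on)
        self.entries = {
            n: {"Name": n, "AppliedValue": "Enable",
                "RequestedValue": "Enable", "RequestStatus": "Default"}
            for n in KNOWN_SETTINGS
        }

    def describe_settings(self, DirectoryId):
        return {"DirectoryId": DirectoryId,
                "SettingEntries": [dict(e) for e in self.entries.values()]}

    def update_settings(self, DirectoryId, Settings):
        for s in Settings:
            e = self.entries[s["Name"]]
            e["RequestedValue"] = s["Value"]
            if s["Name"] in self.fail_on and s["Value"] != e["AppliedValue"]:
                e["RequestStatus"] = "Failed"      # original value stays applied
            else:
                e["AppliedValue"] = s["Value"]
                e["RequestStatus"] = "Completed"
        return {"DirectoryId": DirectoryId}


if __name__ == "__main__":
    # Against a real directory: client = boto3.client("ds") and your directory ID.
    fake = FakeDsClient()
    print(harden(fake, "d-1234567890"))  # constructed directory ID
    print(build_revert_request("d-1234567890", fake.describe_settings("d-1234567890")))
```

The in-progress guard matters because, as the note above states, no other setting can be edited while one is Updating; checking DescribeSettings first turns that console restriction into a clean error instead of a failed API call. For the retry path the original UpdateSettings request is simply resubmitted; only the revert path needs the AppliedValue from DescribeSettings.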