Active Directory Domain Services on AWS
Active Directory DS Quick Start

Security

AWS provides a set of building blocks, including the Amazon EC2 and Amazon VPC services, that you can use to provision infrastructure for your applications. In this model, some security capabilities such as physical security are the responsibility of AWS and are highlighted in the AWS security whitepaper. Other capabilities, such as controlling access to applications, are the responsibility of the application developer and the tools provided in the Microsoft platform.

If you have followed the automated deployment options in this guide, the necessary security groups are configured for you by the provided AWS CloudFormation templates and are listed here for your reference.

| Security group | Associated with | Inbound source | Port(s) |
|---|---|---|---|
| DomainControllerSG | DC1, DC2 | VPCCIDR | TCP5985, TCP53, UDP53, TCP80, TCP3389 |
| DomainControllerSG | DC1, DC2 | DomainControllerSG | All traffic (IpProtocol -1, FromPort -1, ToPort -1) |
| DomainControllerSG | DC1, DC2 | DomainMemberSG | UDP123, TCP135, UDP138, UDP137, TCP139, TCP445, UDP445, TCP464, UDP464, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636, TCP3268, TCP3269, TCP88, UDP88, UDP67, UDP2535, TCP9389, TCP5722, UDP5355, ICMP (all types, -1) |
| DomainMemberSG | RDGW1, RDGW2 | ADServer1PrivateIp, ADServer2PrivateIp | UDP88, TCP88, TCP445, UDP445, TCP49152-65535, UDP49152-65535, TCP389, UDP389, TCP636 |
| RDGWSecurityGroup | RDGW1, RDGW2 | RDGWCIDR | TCP3389 |

Important

RDP should never be opened up to the entire internet, not even temporarily or for testing purposes. For more information, see this Amazon security bulletin. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application. For more about securing Remote Desktop Gateway, see the Securing the Microsoft Platform on Amazon Web Services whitepaper.
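The following audit script is an added example, not part of the Quick Start or its CloudFormation templates. It walks security group rules in the shape returned by the EC2 DescribeSecurityGroups API (`IpPermissions` entries with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`) and reports any group where TCP 3389 is reachable from 0.0.0.0/0 or ::/0, which is exactly the condition the note above warns against. It also treats an `IpProtocol -1` rule as covering every port, matching the DomainControllerSG self-rule in the table. The sample groups, IDs and CIDRs are constructed placeholders; the third group is a deliberately widened copy of RDGWSecurityGroup so the check has something to find.

```python
"""Flag security groups that expose RDP (TCP 3389) to the whole internet.

Sample data below is constructed to resemble the `SecurityGroups` list that
EC2 DescribeSecurityGroups returns; group IDs and CIDRs are placeholders.
"""
from __future__ import annotations

RDP_PORT = 3389
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry allows TCP `port`.

    IpProtocol "-1" means all protocols and all ports (the API then omits
    FromPort/ToPort), as on the DomainControllerSG self-reference rule.
    """
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def world_sources(perm: dict) -> list[str]:
    """Return the CIDR sources of a rule that cover the entire IPv4/IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_open_rdp(groups: list[dict]) -> list[tuple[str, str]]:
    """Return (GroupName, offending CIDR) pairs where RDP is open to anywhere.

    Rules whose only source is another security group (UserIdGroupPairs) are
    never reported: they are scoped to instances in that group, not the internet.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, RDP_PORT):
                continue
            for cidr in world_sources(perm):
                findings.append((sg["GroupName"], cidr))
    return findings


# Constructed sample: two groups shaped like the Quick Start's, plus one
# misconfigured RDGW group whose 3389 rule was widened to 0.0.0.0/0.
SAMPLE_GROUPS = [
    {
        "GroupName": "DomainControllerSG",
        "GroupId": "sg-0000000000000001",  # placeholder ID
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # VPCCIDR placeholder
            {"IpProtocol": "-1",  # all traffic from members of the same group
             "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001"}]},
        ],
    },
    {
        "GroupName": "RDGWSecurityGroup",
        "GroupId": "sg-0000000000000002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # RDGWCIDR placeholder
        ],
    },
    {
        "GroupName": "RDGWSecurityGroup-misconfigured",
        "GroupId": "sg-0000000000000003",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the condition to catch
        ],
    },
]


if __name__ == "__main__":
    for name, cidr in find_open_rdp(SAMPLE_GROUPS):
        print(f"FINDING: {name} allows TCP {RDP_PORT} from {cidr}")
```

To run this against a live account instead of the constructed sample, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `find_open_rdp`; the same `IpPermissions` structure is returned there. The check deliberately ignores `UserIdGroupPairs` sources, because rules like DomainMemberSG allowing traffic from the domain controllers' group are the intended least-privilege design, not an exposure.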