Yup,
This always flags up this one. This is because AWS creates these security groups automatically with Managed AD. If creating this via Terraform, you cannot manage the security groups either.
Technically you may get away with replacing 0.0.0.0/0 with your VPC CIDR range/subnets that need access. Your local IP will not work here (if local IP is your remote computer).
Here's why you could ignore them:
Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to ENIs or instances attached to the created AWS Security Group. The default inbound rules allow only traffic through ports that are required by Active Directory from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers.
You can add these to the Config rule here as authorised ports: https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html
No udp ['138', '464', '389', '53', '123', '88'] port is authorized to be open, according to the authorizedTcpPorts parameter No tcp ['464', '389', '88', '3268-3269', '636', '53'] port is authorized to be open, according to authorizedTcpPorts v [truncated]
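To see how the Config rule above decides what to flag, here is an added example (not AWS's code and not part of the original answer) that models the rule's evaluation against a constructed security group carrying the ports from the quoted annotation. The comma-separated parameter format and the rule scoping to 0.0.0.0/0 and ::/0 sources are assumptions taken from the rule's documentation.

```python
"""Offline model of how vpc-sg-open-only-to-authorized-ports evaluates a security
group. Added example, not AWS code; the sample security group is constructed."""
from dataclasses import dataclass

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}  # assumption: only these sources are evaluated

@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str

def parse_authorized(ports: str) -> list[tuple[int, int]]:
    """Parse a parameter value such as "443,1020-1025" into (low, high) ranges."""
    ranges = []
    for item in filter(None, (p.strip() for p in ports.split(","))):
        low, _, high = item.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def is_covered(low: int, high: int, authorized: list[tuple[int, int]]) -> bool:
    """A rule's port span is authorised only if one authorised range contains all of it."""
    return any(a <= low and high <= b for a, b in authorized)

def evaluate(rules, authorized_tcp: str, authorized_udp: str) -> list[str]:
    """Return offending 'proto port[-port]' spans; an empty list means COMPLIANT."""
    allowed = {"tcp": parse_authorized(authorized_tcp), "udp": parse_authorized(authorized_udp)}
    findings = []
    for r in rules:
        if r.cidr not in OPEN_TO_WORLD or r.protocol not in allowed:
            continue  # VPC-scoped sources and other protocols are out of scope
        if not is_covered(r.from_port, r.to_port, allowed[r.protocol]):
            span = str(r.from_port) if r.from_port == r.to_port else f"{r.from_port}-{r.to_port}"
            findings.append(f"{r.protocol} {span}")
    return findings

# Constructed stand-in for the Managed AD group: the ports from the annotation,
# open to 0.0.0.0/0, plus two extra rules to show what the check does and does not catch.
MANAGED_AD_TCP = "53,88,389,464,636,3268-3269"
MANAGED_AD_UDP = "53,88,123,138,389,464"
SAMPLE_SG = (
    [IngressRule("tcp", lo, hi, "0.0.0.0/0") for lo, hi in parse_authorized(MANAGED_AD_TCP)]
    + [IngressRule("udp", lo, hi, "0.0.0.0/0") for lo, hi in parse_authorized(MANAGED_AD_UDP)]
    + [IngressRule("tcp", 3389, 3389, "0.0.0.0/0"),   # still flagged after AD ports are authorised
       IngressRule("tcp", 445, 445, "10.0.0.0/16")]   # VPC CIDR source: not evaluated at all
)

if __name__ == "__main__":
    print("empty parameters   :", evaluate(SAMPLE_SG, "", ""))
    print("AD ports authorised:", evaluate(SAMPLE_SG, MANAGED_AD_TCP, MANAGED_AD_UDP))
```

Running it shows every AD port flagged with empty parameters, and only tcp 3389 once the AD ports are listed; the 10.0.0.0/16 rule never appears, which is the effect of the VPC-CIDR alternative mentioned in the answer.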
Thanks, this is useful input for both, much appreciated. I'll continue to wait for an official response through our TAM. I'll update here once additional info is given by AWS.