How to restrict database users for RDS Postgres using AWS Managed AD trusted with customer on-prem AD

RDS Postgres can be configured to connect to an AWS Managed Active Directory for user authentication. The AWS Managed Active Directory can then be connected to an on-premises AD through a forest trust.

This will allow you to authenticate users from either directory.

The following two links explains how to set this up. https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-rds-for-postgresql-supports-user-authentication-with-kerberos-and-microsoft-active-directory/ https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/scenario-2.html

This step is the bulk of the work: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-setting-up.html

The way RDS Postgres manages users is that a local Postgres database user will still need to be created to match the AD account for every user that needs access. I don't believe its possible to do this for an AD group and have all users in the group just work

Therefore, just because the RDS instance is using kerberos to AD, it doesn't automatically give users access.

You will need to run PSQL commands like these: CREATE USER "username@CORP.EXAMPLE.COM" WITH LOGIN; GRANT rds_ad TO "username@CORP.EXAMPLE.COM";

Note that the capitalization of the domain is essential. It must be in CAPITALS. The username is also case sensitive and must match the username in AD (windows ignores the case so you might not be aware of any capitalization in user names)