By using AWS re:Post, you agree to the Terms of Use

How to restrict database users for RDS Postgres using AWS Managed AD trusted with customer on-prem AD


A customer would like to restrict db access to their RDS Postgres instances to only specific AD users. Postgres authentication flow is Postgres RDS -> Managed AD -> on-prem AD. Is there a way using either AD domain groups or other method to grant only specific users to RDS instances?

1 Answer
Accepted Answer

RDS Postgres can be configured to connect to an AWS Managed Active Directory for user authentication. The AWS Managed Active Directory can then be connected to an on-premises AD through a forest trust.

This will allow you to authenticate users from either directory.

The following two links explains how to set this up.

This step is the bulk of the work:

The way RDS Postgres manages users is that a local Postgres database user will still need to be created to match the AD account for every user that needs access. I don't believe its possible to do this for an AD group and have all users in the group just work

Therefore, just because the RDS instance is using kerberos to AD, it doesn't automatically give users access.

You will need to run PSQL commands like these: CREATE USER "username@CORP.EXAMPLE.COM" WITH LOGIN; GRANT rds_ad TO "username@CORP.EXAMPLE.COM";

Note that the capitalization of the domain is essential. It must be in CAPITALS. The username is also case sensitive and must match the username in AD (windows ignores the case so you might not be aware of any capitalization in user names)

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions