Amazon RDS for Db2 makes it easy to set up, operate, and scale Db2 deployments in the cloud and automate database administration tasks.
Enterprise customers can enable single sign-on (SSO) and centralized Kerberos authentication of database users using Microsoft Active Directory (AD).
This post demonstrates extending your existing AD infrastructure and Kerberos authentication to Amazon RDS for Db2.
Amazon RDS supports Kerberos authentication for several database engines in the AWS Regions where the feature is available, which lets database authentication be managed centrally rather than per instance.
The solution uses AWS Managed Microsoft AD and establishes a forest-level outgoing trust from that directory to the on-premises AD, so that on-premises principals can authenticate to resources that are joined to the managed directory.
The solution architecture includes deploying an Amazon RDS for Db2 instance, creating local permissions in the RDS for Db2 database for the Admin user and, optionally, creating local permissions for the DBADMIN group so that access can be managed through AD group membership.
Users can then log in to the RDS for Db2 instance with Kerberos-based SSO, and the on-premises AD becomes the central place to manage authentication (who can obtain a ticket) and, through group membership mapped to local Db2 permissions, authorization for RDS DB instances.
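The local-permission step described above, as an added example in Db2 SQL (this is not code from the post or its GitHub repo): it assumes an RDS for Db2 database named RDSDB, an AD user named ADMIN and an AD group named DBADMIN, and that the statements run as the RDS master user, which is assumed here to hold the authority the grants require. Kerberos only proves who the caller is; nothing in AD gives that principal rights inside Db2 until grants like these exist.

```sql
-- Added example, not code from the post or its GitHub repo.
-- Assumed names: database RDSDB, AD user ADMIN, AD group DBADMIN.
-- Assumed to run as the RDS master user with the authority needed for these grants.

-- Db2 folds unquoted authorization IDs to upper case, and the ID presented after
-- Kerberos authentication is compared to the grantee after folding, so grant to
-- ADMIN / DBADMIN even if the AD objects are spelled "admin" / "dbadmin".

-- 1. Per-user permissions for the AD account that will administer the database.
--    DBADM defaults to WITH DATAACCESS WITH ACCESSCTRL; state the choice
--    explicitly so the least-privilege decision is visible in the script.
GRANT CONNECT ON DATABASE TO USER ADMIN;
GRANT DBADM WITH DATAACCESS WITH ACCESSCTRL ON DATABASE TO USER ADMIN;

-- 2. Optional: group-level permissions, so that adding someone to the on-premises
--    DBADMIN group (carried across the trust) is all that is needed to give them
--    administrative access, and removing them revokes it without touching Db2.
--    Keep ACCESSCTRL off the group: the ability to grant to others stays with the
--    named admin account, not with every group member.
GRANT CONNECT, CREATETAB, BINDADD ON DATABASE TO GROUP DBADMIN;
GRANT DBADM WITH DATAACCESS WITHOUT ACCESSCTRL ON DATABASE TO GROUP DBADMIN;

-- 3. Checks. After connecting with a Kerberos ticket (no password prompted),
--    the session authorization ID should be the AD principal:
VALUES (SYSTEM_USER, SESSION_USER);

--    The catalog should show exactly the grants made above and nothing broader:
SELECT GRANTEE, GRANTEETYPE, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH,
       DBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE IN ('ADMIN', 'DBADMIN');

--    Db2 grants CONNECT, CREATETAB, BINDADD and IMPLICIT_SCHEMA to PUBLIC when a
--    database is created; review what PUBLIC holds before relying on AD groups
--    as the access boundary, since any authenticated principal inherits it.
SELECT GRANTEE, CONNECTAUTH, CREATETABAUTH, BINDADDAUTH, IMPLSCHEMAAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'PUBLIC';
```

One Db2-specific caveat when relying on the group grant: Db2 does not consider privileges held indirectly through groups when it checks static SQL in packages, views, triggers and similar objects, so a member of DBADMIN who needs to create such objects may still require a direct grant on the underlying tables.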
The solution can be extended for other Amazon RDS database engines that support Kerberos including PostgreSQL, MySQL, Oracle, and SQL Server.
This solution was tested using Terraform, and the code is available in the accompanying GitHub repo.
To conclude, this post has demonstrated how to extend your existing Microsoft AD infrastructure to Amazon RDS for Db2 and enable Kerberos authentication, allowing users to log in to RDS for Db2 instances using existing SSO capabilities.