When creating a trust between AWS Directory Service and an AD forest that I manage, I got an error message saying:

Access denied to create the trust. Either the trust password is incorrect or the remote domain's security settings do not allow a trust to be configured.

The AWS console didn't give me any further information, and after exhausting my options I called AWS support.
To their credit, they got the issue fixed right away, though they admitted that this was missing from their documentation.

They had me edit the default domain controllers policy and add the following setting:

Named pipes that can be accessed anonymously. netlogon, samr, lsarpc
After this I was able to rerun the trust wizard on the AWS console and get a trust set up.