14. Security in the Cloud

Identity Providers and Federation

Encryption Primer

AWS Key Management Service

AWS Certificate Manager

AWS Security Hub

AWS Web Application Firewall (WAF)

AWS Shield and Shield Advanced

Explore

AWS Directory Service

AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources. AWS Directory Service provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

Which to choose?

You can choose directory services with the features and scalability that best meets your needs. Use the following table to help you determine which AWS Directory Service directory option works best for your organization.

Directory service options

Directory service options

What do you need to do?

Recommended AWS Directory Service options

I need Active Directory or LDAP for my applications in the cloud

Use AWS Directory Service for Microsoft Active Directory (Standard Edition or Enterprise Edition) if you need an actual Microsoft Active Directory in the AWS Cloud that supports Active Directory–aware workloads, or AWS applications and services such as Amazon WorkSpaces and Amazon QuickSight, or you need LDAP support for Linux applications.

Use AD Connector if you only need to allow your on-premises users to log in to AWS applications and services with their Active Directory credentials. You can also use AD Connector to join Amazon EC2 instances to your existing Active Directory domain.

Use Simple AD if you need a low-scale, low-cost directory with basic Active Directory compatibility that supports Samba 4–compatible applications, or you need LDAP compatibility for LDAP-aware applications.

I develop SaaS applications

Use Amazon Cognito if you develop high-scale SaaS applications and need a scalable directory to manage and authenticate your subscribers and that works with social media identities.

There are no rows in this table

⁠

AWS Managed Microsoft AD

AWS Directory Service lets you run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory, also referred to as AWS Managed Microsoft AD, is powered by Windows Server 2019. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (Amazon VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.

With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory, providing users and groups with access to resources in either domain, using AWS IAM Identity Center.

AWS Directory Service makes it easy to set up and run directories in the AWS Cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it for a variety of tasks:

Manage users and groups

Provide single sign-on to applications and services

Create and apply group policy

Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads

You can use AWS Managed Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications

Securely connect to Amazon EC2 Linux and Windows instances

AWS Managed Microsoft AD is available in two editions: Standard and Enterprise.

Standard Edition: AWS Managed Microsoft AD (Standard Edition) is optimized to be a primary directory for small and midsize businesses with up to 5,000 employees. It provides you enough storage capacity to support up to 30,000* directory objects, such as users, groups, and computers.

Enterprise Edition: AWS Managed Microsoft AD (Enterprise Edition) is designed to support enterprise organizations with up to 500,000* directory objects.

AWS Directory Service for Microsoft Active Directory is a feature-rich managed Microsoft Active Directory hosted on the AWS cloud. AWS Managed Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.

⁠

AD Connector

AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large.

A small AD Connector is designed for smaller organizations and is intended to handle a low number of operations per second.

A large AD Connector is designed for larger organizations and is intended to handle a moderate to high number of operations per second.

You can spread application loads across multiple AD Connectors to scale to your performance needs. There are no enforced user or connection limits.

AD Connector does not support Active Directory transitive trusts. AD Connectors and your on-premises Active Directory domains have a 1-to-1 relationship. That is, for each on-premises domain, including child domains in an Active Directory forest that you want to authenticate against, you must create a unique AD Connector.

Note

AD Connector cannot be shared with other AWS accounts. If this is a requirement, consider using AWS Managed Microsoft AD to

Share your directory⁠

. AD Connector is also not multi-VPC aware, which means that AWS applications like

WorkSpaces⁠

are required to be provisioned into the same VPC as your AD Connector.

Once set up, AD Connector offers the following benefits:

Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as WorkSpaces, Amazon WorkDocs, or Amazon WorkMail.

You can manage AWS resources like Amazon EC2 instances or Amazon S3 buckets through IAM role-based access to the AWS Management Console.

You can consistently enforce existing security policies (such as password expiration, password history, and account lockouts) whether users or IT administrators are accessing resources in your on-premises infrastructure or in the AWS Cloud.

You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications.

AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.

⁠

Simple AD

Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.

Small - Supports up to 500 users (approximately 2,000 objects including users, groups, and computers).

Large - Supports up to 5,000 users (approximately 20,000 objects including users, groups, and computers).

Simple AD provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO). However, note that Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications.

Simple AD offers many advantages:

Simple AD makes it easier to

manage amazon EC2 instances running Linux and Windows⁠

and deploy Windows applications in the AWS Cloud.

Many of the applications and tools that you use today that require Microsoft Active Directory support can be used with Simple AD.

User accounts in Simple AD allow access to AWS applications such as WorkSpaces, Amazon WorkDocs, or Amazon WorkMail.

You can manage AWS resources through IAM role–based access to the AWS Management Console.

Daily automated snapshots enable point-in-time recovery.

Simple AD does not support any of the following:

Amazon AppStream 2.0

Amazon Chime

Amazon RDS for SQL Server

Amazon RDS for Oracle

AWS IAM Identity Center

Trust relationships with other domains

Active Directory Administrative Center

PowerShell

Active Directory recycle bin

Group managed service accounts

Schema extensions for POSIX and Microsoft applications

Simple AD is a low-scale, low-cost directory with basic Active Directory compatibility. It supports 5,000 or fewer users, Samba 4–compatible applications, and LDAP compatibility for LDAP-aware applications.

⁠

What is AWS Directory Service? - AWS Directory Service AWS Directory Service is a directory as a service that provides the capabilities of an enterprise directory with the accessibility and security of the AWS cloud. docs.aws.amazon.com⁠

⁠

Which to choose?

Directory service options

AWS Managed Microsoft AD

AD Connector

Simple AD

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.