Directory Service

Priority Tier 4

AWS Directory Services are critical for managing secure, scalable identity in the cloud, essential for integrating on-premises Active Directory, enabling single sign-on (SSO), and supporting Windows-based applications. They provide flexibility and security for user authentication and resource permissions in cloud or hybrid workloads.

Introduction to AWS Directory Services

AWS Directory Services provide managed directory capabilities to integrate with on-premises Active Directory, enable single sign-on (SSO), and support Windows-based applications in the cloud.

The AWS Solutions Architect Associate exam requires knowledge of federating directory services with IAM roles, and AWS Directory Services are listed as “must-know” services.

What is Active Directory (AD)?

Active Directory is Microsoft's directory service for managing identity and access in Windows domain networks.

AD is Microsoft’s directory service for managing users, computers, groups, and permissions across an enterprise network.
AD provides a centralized hierarchical database for Microsoft systems. It authenticates and authorizes users and computers in a Windows domain network. It supports protocols like LDAP, Kerberos, and DNS, acting as the backbone of enterprise identity systems. It provides login credentials, group policies, and access controls.
Technical Specs: Supports protocols: LDAP, Kerberos, DNS
SSO allows a user to log in once with a single user ID and password to access multiple applications within the same domain, navigating seamlessly without re-authentication.
AD objects are organized in trees; a group of trees is called a directory forest.

Why Active Directory is Necessary (Use Case)

Active Directory provides centralized management for user authentication and resource access, solving scalability challenges in enterprise environments.

Without AD, managing login credentials for multiple devices (e.g., laptops) requires individual configuration for each. This becomes unmanageable in organizations with frequent employee onboarding/offboarding or a large number of devices.
AD enables centralized management of users, groups, and permissions through domain controllers.
Each organization runs its own domain controller, and organizations can also define geographical domains (e.g., an India domain and an APAC domain).
Admins centrally manage resources (users, groups, permissions) connected to a domain controller.
Authentication flow:
1. The user logs in by entering credentials on a device.
2. The device sends an authentication request to Active Directory.
3. AD validates the credentials.
4. Upon successful authentication, AD issues an authentication token.
5. The user presents this token to access the requested services.
6. The token establishes a continuous session between the user and the service.

Why Directory Services in AWS?

As applications migrate to the cloud, AWS Directory Services provide consistent and secure authentication for cloud and hybrid environments.

As applications move to the cloud, users and applications still require secure and consistent authentication.
AWS Directory Services are used for:
  • Managing access to EC2 Windows instances.
  • Integrating with Amazon RDS for SQL Server.
  • Enabling Amazon WorkSpaces or QuickSight with enterprise login credentials.
  • Extending on-premises AD to the cloud for hybrid environments.
  • Enabling SSO between multiple applications.
  • Supporting cloud-native applications with LDAP or Kerberos integration.
An on-premises LDAP server can be replaced with AWS Directory Service, which supports LDAP authentication and integration with on-premises Active Directory.

AWS Directory Service Offerings

AWS offers several Directory Service options tailored for different use cases and budget requirements.

AWS provides fully managed, proxy, and simple directory services.

AWS Managed Microsoft AD

A fully managed Microsoft Active Directory hosted across multiple Availability Zones (AZs) for high availability.
Management: AWS handles patching, replication, high availability, and monitoring. Customers manage users, groups, and policies.
Editions: Standard (1 GB storage, up to 30,000 objects); Enterprise (17 GB storage, up to 500,000 objects).
Cost estimate: ~$86/month (about $0.12/hour) after the 30-day free trial.
Use Cases:
  • Enterprise-grade AD functionality in AWS.
  • Supporting Group Policies.
  • LDAP and Kerberos authentication.
  • Trust relationships with on-premises AD (one-way or two-way).
  • Seamless domain join for EC2 Windows instances.
  • User authentication for AWS services (RDS SQL Server, WorkSpaces, QuickSight).

AD Connector

A lightweight proxy that allows AWS services to authenticate against your on-premises Active Directory.
Functionality: Does not store directory data within AWS. Securely proxies authentication requests to on-premises AD via VPN or Direct Connect.
Requirements: Network connectivity (VPN or Direct Connect) between the on-premises data center and AWS.
Use Cases:
  • When you already have a functional on-premises AD.
  • Avoiding directory duplication.
  • AWS services (like WorkSpaces) authenticating using enterprise credentials.

Simple AD

A cost-effective Samba-based directory service for small-scale environments.
Editions: Small: up to 2,000 objects (including 500 users, groups, computers). Large: up to 20,000 objects (including 5,000 users, groups, computers).
Cost estimate: ~$36/month (lower than Managed Microsoft AD) after the 30-day free trial.
Use Cases:
  • Development or testing workloads.
  • Small businesses where cost is a primary concern and full AD features are not required.
  • User and group management.
  • Computer/EC2 domain join.
  • Basic Group Policies.
  • Kerberos-based authentication.

Directory Service Decision Matrix

A quick guide to choosing the appropriate AWS Directory Service offering based on specific needs.

Different AWS Directory Services cater to varying requirements, from full-featured Active Directory to cost-effective basic directories or on-premises integration.

Option / Primary Use Case (Ideal For)
AWS Managed Microsoft AD: For full control and trust relationships; enterprise-grade AD functionality in AWS.
AD Connector: If you have an existing on-premises AD and want minimal setup while avoiding directory duplication; for AWS services authenticating using enterprise credentials.
Simple AD: When cost is more important than advanced features; for development or testing workloads, or small businesses where full AD features are not required.

On-Premises AD Integration and Trust Relationships

AWS Directory Services support hybrid identity environments through secure trust relationships with on-premises Active Directory.

Integrating on-premises AD with AWS Managed Microsoft AD is achieved via Site-to-Site VPN or Direct Connect.
Technical Specs: Connectivity: Site-to-Site VPN or Direct Connect
Trust Relationship: A secure connection between two AD domains allowing users in one to access resources in the other.
One-way Trust: AWS trusts on-premises AD; enterprise users access AWS using enterprise credentials.
Technical Specs: Access (Domain A trusts Domain B): Users from Domain B can access resources in Domain A. Users from Domain A cannot access resources in Domain B.
Two-way Trust: Full hybrid access; users from AWS can access on-premises resources, and vice versa.
Technical Specs: Access: Users from both domains can access resources in each other’s domain.
Forest Trust: Used for multiple organizations (sister organizations) to share resources between their separate domains.
Trust relationships enable SSO, central policy enforcement, and seamless access across hybrid and on-premises environments.
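A small Python model of the trust directions described above, added here as an illustration and not part of the original notes; the domain names aws.example.com and corp.example.com are constructed. Beyond the notes, it adds a least-privilege check that reports trust directions no required access path justifies.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """A trust is directional: the trusting domain accepts identities
    from the trusted domain. A two-way trust is simply both directions."""
    trusting: str   # domain whose resources become reachable
    trusted: str    # domain whose users are accepted


def two_way(domain_a: str, domain_b: str) -> list[Trust]:
    """A two-way trust is two one-way trusts in opposite directions."""
    return [Trust(trusting=domain_a, trusted=domain_b),
            Trust(trusting=domain_b, trusted=domain_a)]


def can_access(user_domain: str, resource_domain: str, trusts: set[Trust]) -> bool:
    """Users always reach their own domain. Across domains, the RESOURCE
    domain must trust the USER's domain; no transitive hops are modelled."""
    if user_domain == resource_domain:
        return True
    return Trust(trusting=resource_domain, trusted=user_domain) in trusts


def unneeded_trust_directions(trusts: set[Trust],
                              required: set[tuple[str, str]]) -> list[Trust]:
    """Least-privilege check: return trust directions that no required
    (user_domain, resource_domain) access path justifies."""
    needed = {Trust(trusting=res, trusted=usr) for usr, res in required if usr != res}
    return sorted(trusts - needed, key=lambda t: (t.trusting, t.trusted))


# Constructed example domains (not from the notes).
AWS = "aws.example.com"      # AWS Managed Microsoft AD
ONPREM = "corp.example.com"  # on-premises AD

# One-way trust: AWS trusts on-premises AD (the hybrid pattern in the notes).
ONE_WAY = {Trust(trusting=AWS, trusted=ONPREM)}
# Two-way trust: full hybrid access in both directions.
TWO_WAY = set(two_way(AWS, ONPREM))

if __name__ == "__main__":
    print("on-prem user -> AWS resource (one-way):", can_access(ONPREM, AWS, ONE_WAY))
    print("AWS user -> on-prem resource (one-way):", can_access(AWS, ONPREM, ONE_WAY))
    # Only on-prem users need AWS resources; the reverse direction is surplus.
    print("surplus directions:", unneeded_trust_directions(TWO_WAY, {(ONPREM, AWS)}))
```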

AWS Management Console Demonstration (Conceptual)

A conceptual walkthrough of setting up AWS Directory Services in the AWS Management Console, including configuration details and cost considerations.

Navigate to “Directory Services” in the AWS Management Console.
The console offers “AWS Managed Microsoft AD,” “Simple AD,” and “AD Connector” as setup options.
Configuration involves setting the Directory DNS name, NetBIOS name, Admin password, VPC, and Subnets (for high availability).
Technical Specs: Configuration: Directory DNS name, NetBIOS name, Admin password, VPC, Subnets (for high availability).
If you create a directory while following the demo, remember to delete it afterwards to avoid charges once the 30-day free trial ends.

Glossary

Active Directory (AD)
Microsoft’s directory service for managing users, computers, groups, and permissions across an enterprise network.
Single Sign-On (SSO)
Allows a user to log in once with a single user ID and password to access multiple applications within the same domain, navigating seamlessly without re-authentication.
LDAP
A protocol supported by Active Directory for directory services.
Kerberos
A protocol supported by Active Directory for authentication.
DNS
A protocol supported by Active Directory, essential for name resolution.
Domain Controller
A server that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain.
Directory Forest
A group of Active Directory trees.
Trust Relationship
A secure connection between two AD domains allowing users in one to access resources in the other.
One-way Trust
A trust where one domain allows users from another domain to access its resources, but not vice-versa.
Two-way Trust
A trust where users from both domains can access resources in each other’s domain.
Forest Trust
A trust relationship for multiple organizations to share resources between their separate domains.

Content Sources

Introduction to AWS Directory Services
Simple Storage Service (S3)
AWS S3 Storage Classes: A Comprehensi...
RSARCH_EN-US_SG_M07_TRANSITIONDATACEN...
Extracted: 2026-01-26 13:50:37.940898; Model: gemini-2.5-flash