Here’s twtech’s deep dive into AWS Directory Service.
Scope:
- Overview,
- Directory Types,
- Architecture Components,
- Authentication Flow Example (Hybrid),
- Integration with AWS Services,
- Integration with Azure AD / Identity Center,
- High Availability & Maintenance,
- Best Practices.
Overview
- AWS Directory Service lets twtech run and integrate Microsoft Active Directory (AD) in AWS environments.
- AWS Directory Service supports both Microsoft-managed and AWS-managed directories.
- AWS Directory Service enables centralized authentication and authorization across AWS services, EC2 instances, and SaaS apps.
Directory Types
1. AWS Managed Microsoft AD
- Fully managed Microsoft Active Directory (AD DS) built on Windows Server.
- Deployed across multiple Availability Zones (Multi-AZ) for high availability.
- Supports:
- Group Policy Objects (GPOs)
- Trust relationships with on-prem AD
- Kerberos/NTLM authentication
- LDAP and DNS integration
Use Case: Ideal for hybrid environments that extend on-premises AD into AWS.
2. AD Connector
- A proxy service that connects AWS to your on-premises AD without data replication.
- Authentications and lookups are forwarded securely to your existing AD.
- No user data stored in AWS.
Use Case: Best for organizations that want AWS SSO or EC2 domain join without migrating AD.
3. Simple AD
- Lightweight standalone directory based on Samba 4 (SMB protocol).
- Provides core AD-compatible features like user management and domain joining.
- Lower cost, but lacks advanced AD features (no trusts or schema extensions).
Use Case: Small businesses or dev/test environments.
Architecture Components
1. Directory Controllers
- Managed instances of Windows Server AD DS in private subnets.
- Deployed redundantly across two Availability Zones.
2. DNS Integration
- Each directory includes a DNS service.
- Automatically registers EC2 instances and directory endpoints.
3. Networking
- Deployed into your Amazon VPC.
- Requires two private subnets in different AZs for fault tolerance.
4. Trust Relationships
- Establish forest or domain trusts between AWS Managed Microsoft AD and on-prem AD.
- Enables single sign-on (SSO) and cross-directory authentication.

Authentication Flow Example (Hybrid)
- User logs in from an EC2 instance or AWS service.
- The request is routed via AWS Directory Service.
- If using AD Connector, the request goes to on-prem AD.
- If using AWS Managed AD, authentication happens directly in the managed directory.
- Kerberos tickets or NTLM credentials are issued.
- AWS resources (EC2, RDS, WorkSpaces, etc.) use those credentials for access.
Integration with AWS Services
| AWS Service | Integration Purpose |
| --- | --- |
| Amazon WorkSpaces | User login via AD credentials |
| Amazon RDS for SQL Server | Windows Authentication |
| Amazon FSx for Windows File Server | File shares joined to the domain |
| AWS IAM Identity Center (SSO) | Federates with on-prem AD or AWS Managed AD |
| EC2 Instances (Windows/Linux) | Domain-joined for GPOs and centralized auth |
Integration with Azure AD / Identity Center
- AWS Managed AD can sync users via Azure AD Connect.
- Azure AD or Okta can federate with AWS IAM Identity Center.
- SSO Flow Example:
  1. User signs into Azure AD.
  2. Azure AD issues a SAML assertion to AWS IAM Identity Center.
  3. IAM Identity Center grants roles in AWS accounts based on directory membership.
High Availability & Maintenance
- Managed by AWS: patching, backups, replication, failover.
- Automated snapshot backups stored in Amazon S3.
- Can restore to a new directory in case of corruption.
Best Practices
- Use AWS Managed Microsoft AD for hybrid or enterprise workloads.
- Use AD Connector when you want to avoid duplicating your directory.
- Always deploy in two private subnets across different AZs.
- Configure CloudWatch Logs for directory event auditing.
- Use AWS Backup for directory-level disaster recovery.
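As an added example (not from the original post, and not an AWS API), here is a hypothetical pre-flight check that enforces the subnet requirements above before a directory is created: exactly two subnets, in the same VPC, in two different Availability Zones, and both private (no route to an internet gateway). The input mirrors the shape of the EC2 DescribeSubnets and DescribeRouteTables responses, and the sample data at the bottom is constructed.

```python
# Hypothetical pre-flight check (not an AWS API) for the VPC placement of an AWS Managed
# Microsoft AD or AD Connector; input mirrors EC2 DescribeSubnets/DescribeRouteTables output.

def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table for the subnet, else the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), None)

def is_private(subnet_id, route_tables):
    """Private means no route in the subnet's table targets an internet gateway."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    return not any(r.get("GatewayId", "").startswith("igw-") for r in rt.get("Routes", []))

def check_directory_placement(subnet_ids, subnets, route_tables):
    """Return a list of findings; empty means the placement meets the requirements."""
    findings = []
    chosen = [s for s in subnets if s["SubnetId"] in subnet_ids]
    if len(set(subnet_ids)) != 2 or len(chosen) != 2:
        return ["exactly two existing subnets are required"]
    if len({s["VpcId"] for s in chosen}) != 1:
        findings.append("both subnets must belong to the same VPC")
    if len({s["AvailabilityZone"] for s in chosen}) != 2:
        findings.append("subnets must be in two different Availability Zones")
    for s in chosen:
        if not is_private(s["SubnetId"], route_tables):
            findings.append(f"{s['SubnetId']} routes to an internet gateway; use a private subnet")
    return findings

# Constructed sample data: three private subnets plus one public subnet (subnet-dddd).
SUBNETS = [
    {"SubnetId": "subnet-aaaa", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-bbbb", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-cccc", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-dddd", "VpcId": "vpc-0001", "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-dddd"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]

if __name__ == "__main__":
    print(check_directory_placement(["subnet-aaaa", "subnet-dddd"], SUBNETS, ROUTE_TABLES))
```

In a real account the two lists would come from `describe-subnets` and `describe-route-tables`; the check flags the public subnet and the same-AZ pair, and returns no findings for the valid pair.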