Sunday, October 12, 2025

Integrating AWS IAM Identity Center (IC) with Microsoft Active Directory (AD) | Overview.

Scope:

  • Intro,
  • Choosing the Connection Method,
  • Changing the Identity Source,
  • Synchronize Users and Groups,
  • Assigning Access,
  • Integration Deep Dive,
  • Two main integration models, Description & Use Cases,
  • Architecture & Components,
  • Step-by-Step Setup,
  • Scenario 1: Using AWS Managed Microsoft AD,
  • Sample domain,
  • Scenario 2: Using On-Prem AD with AD Connector,
  • User-Login-Flow,
  • Security Considerations Table,
  • Hybrid Sample for On-Prem AD + AWS Managed AD + IAM Identity Center,
  • Best Practices.

 Intro:

  • Integrating AWS IAM Identity Center (IC) with Microsoft Active Directory (AD) allows users to sign in to the AWS access portal using their existing AD credentials.

 twtech Chooses the Connection Method
  • twtech must first have a directory set up in AWS Directory Service within its AWS Organizations management account.
    • AWS Managed Microsoft AD: best if twtech wants a managed AD in the cloud or needs to support multiple domains/forests through trust relationships.
    • AD Connector: a gateway that forwards directory requests to twtech's on-premises AD without caching any data.
      • AD Connector is best for single-domain setups where twtech wants to keep all data on-premises.
 Changing the Identity Source
Once twtech directory is ready in AWS Directory Service:
    1. Open the IAM Identity Center console.
    2. twtech ensures it is in the same AWS Region where its directory is located.
    3. Navigate to Settings and choose the Identity source tab.
    4. Select Actions > Change identity source.
    5. Choose Active Directory and select your specific directory from the list.
    6. Review the changes, type ACCEPT, and confirm.
 Synchronize Users and Groups
After connecting, twtech must specify which AD identities should be visible in AWS:
    • Manual/Configurable Sync: Use the Manage sync option in the Identity source settings to add specific users or groups to the sync scope.
    • Automatic Provisioning: IAM Identity Center uses the connection to periodically pull user and group information. 
    • Note that passwords are never synchronized; authentication remains a pass-through to AD.
 Assigning Access
Synchronized users have no permissions in AWS until you assign them: access is granted by assigning permission sets to synchronized users or groups for each AWS account.

Integration Deep Dive

  • AWS IAM Identity Center (IC) integrates with Microsoft Active Directory (AD) to allow users to sign in using their AD credentials, then gain access to AWS accounts and applications via Single Sign-On (SSO).

Two main integration models, Description & Use Cases:

  • AWS Managed Microsoft AD (Direct Integration)
    • Description: IAM Identity Center connects directly to a managed AD instance in AWS Directory Service.
    • Use Case: For enterprises that host or extend AD to AWS.
  • AD Connector (Proxy Integration)
    • Description: IAM Identity Center connects to on-premises AD through an AD Connector (acts as a proxy, no replication).
    • Use Case: For organizations that want to use on-prem AD credentials without storing them in AWS.

 Architecture & Components

1.     IAM Identity Center (SSO Service)

    •    Central identity service for AWS accounts and apps.
    •    Manages permission sets, assignments, and federation.

2.     AWS Directory Service

    Provides AD integration options:

    •   AWS Managed Microsoft AD – fully managed AD.
    •   AD Connector – proxy to on-prem AD.
    •   Simple AD – lightweight directory (less common now).

3.     Microsoft Active Directory

    •    User accounts, groups, and OU structure.
    •    On-prem or hosted in AWS.
    •    Handles Kerberos / LDAP authentication.

4.     AWS IAM / STS

    •    IAM Identity Center maps permission sets to IAM roles in each account.
    •    STS issues temporary credentials after SSO login.

5.     Optional Integrations

    •    Azure AD, Okta, or others as external IdPs (federated with AD).
    •    AWS IAM Identity Center applications for SaaS and custom apps.


Step-by-Step Setup

Scenario 1: Using AWS Managed Microsoft AD

Step 1: Deploy AWS Managed Microsoft AD

1.     Go to AWS Directory Service → Set up directory.

2.     Choose AWS Managed Microsoft AD.

3.     Select:

    •   Directory size (Standard/Enterprise)
    •   VPC + Subnets (2 AZs minimum)

4.     AWS provisions domain controllers.

Sample domain: twtechapp.com

Step 2: Configure Trusts (if hybrid with on-prem AD)

If using on-prem AD:

    •  Establish a two-way forest trust between on-prem AD and AWS Managed AD.
    •  Configure DNS forwarding so both forests resolve each other’s domains.

Step 3: Enable IAM Identity Center

1.     Go to IAM Identity Center → Settings → Identity Source.
2.     Choose Active Directory.
3.     Select your AWS Managed Microsoft AD directory.

NB:

IAM Identity Center automatically detects and connects to the directory.

Step 4: Assign Users and Groups

1.     Go to IAM Identity Center → Users and Groups.
2.     Choose groups from AD (e.g., AWS-Admins, Developers).
3.     Assign permission sets to groups for each AWS account.

NB:

 Behind the scenes:

  • Each permission set maps to an IAM Role in the target account via AWS CloudFormation StackSets.

Step 5: Test Login

1. Go to the AWS access portal URL provided by IAM Identity Center.
2. Log in using your AD credentials (Kerberos / LDAP).
3. Choose an AWS account; temporary credentials are issued via STS.

Scenario 2: Using On-Prem AD with AD Connector

Step 1: Deploy AD Connector

1. Go to AWS Directory Service → Set up directory → AD Connector.

2. Enter:

    •   On-prem AD DNS names
    •   Service account credentials (with read permissions)
    •   VPC/Subnet info (must have a network path to on-prem AD)

NB:

    •  AD Connector doesn’t replicate data.
    •  AD Connector acts as a proxy for authentication.

Step 2: Verify Network Connectivity (Ensure):

    •  VPC can reach on-prem AD via VPN or Direct Connect.
    •  Required ports are open:
      • TCP/UDP 389 (LDAP)
      • TCP/UDP 88 (Kerberos)
      • TCP 445 (SMB)
      • TCP 3268/3269 (Global Catalog)
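Before pointing IAM Identity Center at the AD Connector, a pre-flight check of the TCP ports above saves a confusing failed sync later. The following Python script is an added example, not from the original post; the domain controller names are placeholders, and UDP 88/389 are not probed because a UDP connect cannot confirm reachability.

```python
# Added example (not from the original post): pre-flight check of the AD
# Connector TCP prerequisites listed above, against each on-prem domain
# controller. DC names are placeholders. UDP 88/389 are not probed because a
# UDP connect cannot confirm reachability.
import socket

# TCP ports the post lists for AD Connector, with what each is used for.
REQUIRED_TCP_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    445: "SMB",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
}


def check_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unresolvable name
        return False


def check_domain_controllers(hosts, ports=REQUIRED_TCP_PORTS, timeout=3.0):
    """Map each host to the required ports that did NOT answer.
    An empty list means every required TCP port on that host is reachable."""
    return {host: [p for p in ports if not check_port(host, p, timeout)]
            for host in hosts}


def report(results, ports=REQUIRED_TCP_PORTS):
    """Render the check results as one line per domain controller."""
    lines = []
    for host, missing in results.items():
        if not missing:
            lines.append(f"{host}: all required TCP ports reachable")
        else:
            blocked = ", ".join(f"{p} ({ports[p]})" for p in missing)
            lines.append(f"{host}: BLOCKED {blocked}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholders: use the on-prem AD DNS names entered in the AD Connector setup.
    dcs = ["dc1.onprem.example", "dc2.onprem.example"]
    print(report(check_domain_controllers(dcs, timeout=2.0)))
```

Run it from an instance in the AD Connector's VPC/subnets, since that is the network path the connector itself will use.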

Step 3: Configure IAM Identity Center to Use AD Connector

Same steps as before:

    • In IAM Identity Center → Identity Source → select Active Directory.
    • twtech chooses the AD Connector directory.

NB:

  • IAM Identity Center will read users/groups via the connector.

Step 4: Assign Access

    • Assign AD groups or users to AWS accounts and apps using permission sets.

Step 5: User Login Flow (Authentication Flow with AD Connector):

 # User-Login-Flow

 Security Considerations Table:

  • Authentication
    • Mechanism: Kerberos / LDAP
    • Notes: Managed by AD or AD Connector
  • Authorization
    • Mechanism: Permission Sets → IAM Roles
    • Notes: Managed by IAM Identity Center
  • Federation
    • Mechanism: SAML 2.0 internally
    • Notes: Between Identity Center & AWS accounts
  • Credentials
    • Mechanism: Temporary via STS
    • Notes: Short-lived, least privilege
  • Encryption
    • Mechanism: TLS for network, KMS for secrets
    • Notes: Default for all AWS Directory Service communications

 Hybrid Sample for On-Prem AD + AWS Managed AD + IAM Identity Center

1.     On-prem AD (users, groups)
2.     AWS Managed AD (trusted domain)
3.     IAM Identity Center connected to AWS Managed AD
4.     Trust allows users from on-prem to SSO into AWS

 Hybrid Sample Flow:

User (On-Prem) → Kerberos → On-Prem DC → Trust → AWS Managed AD
   ↓
IAM Identity Center (Federation)
   ↓
STS → Temporary IAM Role → AWS Account Access

 Best Practices

    •  Use two-way forest trusts rather than one-way trusts if hybrid AD is used.
    •  Keep AD DNS and time sync healthy (Kerberos depends on it).
    •  Use AD groups for AWS permission assignments — not individuals.
    •  Enforce MFA via Conditional Access or AD policies.
    •  Monitor via AWS CloudTrail and Directory Service Logs.
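To act on the group-assignment and monitoring practices above, here is an added Python example (not part of the original post) that reviews CloudTrail records from IAM Identity Center: it flags account assignments made to individual users instead of AD groups, and source IPs with repeated failed sign-ins. The records are constructed; the Identity Center eventName values and requestParameters keys are assumptions to confirm against your own trail before relying on them.

```python
# Added example (not from the original post): review CloudTrail records from
# IAM Identity Center for two of the best practices above. SAMPLE_EVENTS is
# constructed; eventName values and requestParameters keys are assumptions
# to confirm against a real trail.
import json
from collections import Counter

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"eventTime": "2025-10-12T09:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "sourceIPAddress": "10.0.1.5",
     "requestParameters": {"principalType": "GROUP", "principalId": "g-aws-admins",
                           "targetId": "111111111111"}},
    {"eventTime": "2025-10-12T09:05:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "sourceIPAddress": "10.0.1.5",
     "requestParameters": {"principalType": "USER", "principalId": "u-42",
                           "targetId": "222222222222"}},
] + [  # five failed sign-ins from one address, 5 seconds apart
    {"eventTime": f"2025-10-12T10:00:{s:02d}Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied"}
    for s in range(0, 25, 5)
]


def direct_user_assignments(events):
    """(principalId, targetId) of assignments made to a USER rather than a
    group; these bypass the group-based model the post recommends."""
    return [
        (e["requestParameters"]["principalId"], e["requestParameters"]["targetId"])
        for e in events
        if e.get("eventSource") == "sso.amazonaws.com"
        and e.get("eventName") == "CreateAccountAssignment"
        and e.get("requestParameters", {}).get("principalType") == "USER"
    ]


def failed_signin_sources(events, threshold=3):
    """Source IPs with at least `threshold` Authenticate events carrying an
    errorCode (a failed sign-in attempt at the access portal)."""
    counts = Counter(e["sourceIPAddress"] for e in events
                     if e.get("eventName") == "Authenticate" and "errorCode" in e)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    findings = {"direct_user_assignments": direct_user_assignments(SAMPLE_EVENTS),
                "failed_signin_sources": failed_signin_sources(SAMPLE_EVENTS)}
    print(json.dumps(findings, indent=2))
```

In practice, feed it the records from a CloudTrail lookup or an Athena query over the trail bucket, and alert when either list is non-empty.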


