Active Directory Integration - Extending Your On-Premises Identity Infrastructure to the Cloud with AWS Directory Service

Learn how to integrate Active Directory with the cloud using AWS Directory Service. This article covers how to choose between AWS Managed Microsoft AD, AD Connector, and Simple AD, and how to integrate with WorkSpaces, RDS, and FSx.

Challenges of Integrating Active Directory with the Cloud

Many organizations run Microsoft Active Directory (AD) on-premises, where it serves as the backbone of IT infrastructure for user authentication, Group Policy, and file server access control. When migrating to the cloud, a key challenge is how to handle applications that depend on AD, such as Windows-based business applications, SQL Server, and file servers. AWS Directory Service offers three directory types to enable AD cloud integration for different use cases. AWS Managed Microsoft AD provides a fully managed Microsoft AD in the cloud and can establish trust relationships with on-premises AD. AD Connector acts as a proxy to on-premises AD without storing any data in the cloud. Simple AD is a lightweight Samba 4-based directory that provides basic LDAP functionality only.

Choosing Between the Three Directory Types

Choose AWS Managed Microsoft AD when you need a standalone AD in the cloud or when trust relationships with on-premises AD are required. It fully supports Group Policy, LDAP, Kerberos, and NTLM authentication, so AD-dependent applications run as-is. It comes in Standard Edition (up to 30,000 objects) and Enterprise Edition (up to 500,000 objects). Domain controllers are deployed redundantly across multiple Availability Zones, and AWS manages patching and snapshots.

Choose AD Connector when you want to keep using your existing on-premises AD. It acts as a proxy that forwards authentication requests from AWS services (WorkSpaces, IAM Identity Center, and others) to on-premises AD. Because it stores no user data in the cloud, it is suitable when data sovereignty requirements apply. It comes in Small (up to 500 users, $0.05/hour) and Large (up to 5,000 users, $0.15/hour) sizes.

Simple AD is for small-scale environments that need only basic AD features (user management, group management, LDAP authentication). It does not support Group Policy or trust relationships, but it is the lowest-cost option (Small: $0.05/hour).

Integration with AWS Services

The primary value of Directory Service lies in its native integration with AWS services that require AD authentication. Amazon WorkSpaces (virtual desktops) lets users log in with AD accounts and controls desktop environments with Group Policy. Amazon FSx for Windows File Server uses AD access control lists (ACLs) for file-level permission management. RDS for SQL Server supports Windows authentication (Kerberos), so users can log in to SQL Server with AD accounts. Amazon Connect (contact center) can manage agents as AD users. Integration with IAM Identity Center enables single sign-on to the AWS Management Console and CLI with AD accounts. You can also join Windows EC2 instances to the domain: with the Systems Manager automatic domain join feature, instances join the AD domain at launch.
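The automatic domain join mentioned above is driven by a Systems Manager association that runs the AWS-JoinDirectoryServiceDomain document on matching instances. The following PowerShell script is an added example, not code from the article or from AWS; it calls the AWS CLI from PowerShell, and the directory ID, domain name, OU, and tag values are placeholders. It reads the directory's DNS addresses instead of hard-coding them, scopes new computer objects to a dedicated OU, and finishes with the checks you would run inside a joined instance.

```powershell
# Added example (not from the article): automatic domain join of Windows EC2
# instances with the Systems Manager document AWS-JoinDirectoryServiceDomain,
# driven from PowerShell through the AWS CLI. All IDs, names, IPs and tag
# values below are placeholders for this example.

$DirectoryId   = 'd-0000000000'                          # placeholder Managed Microsoft AD ID
$DirectoryName = 'corp.example.com'                      # placeholder directory DNS name
$TargetOU      = 'OU=Servers,DC=corp,DC=example,DC=com'  # placeholder OU for computer objects

# 1. Read the directory's DNS addresses from the service instead of hard-coding them.
$DnsIps = (aws ds describe-directories --directory-ids $DirectoryId `
            --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text) -split '\s+'

# 2. Write the document parameters as JSON (each value is a list of strings,
#    which is the shape the SSM document expects).
$params = @{
    directoryId    = @($DirectoryId)
    directoryName  = @($DirectoryName)
    dnsIpAddresses = @($DnsIps)
    directoryOU    = @($TargetOU)
}
$params | ConvertTo-Json -Compress | Set-Content -Path .\join-params.json -Encoding ascii

# 3. Create a State Manager association: every instance carrying the tag
#    DomainJoin=corp, now or at a later launch, is joined to the domain.
#    The instance profile needs the managed policies AmazonSSMManagedInstanceCore
#    and AmazonSSMDirectoryServiceAccess for the document to succeed.
aws ssm create-association `
    --name AWS-JoinDirectoryServiceDomain `
    --association-name "domain-join-$DirectoryName" `
    --targets 'Key=tag:DomainJoin,Values=corp' `
    --parameters file://join-params.json

# 4. Verify from inside a joined instance (run these locally on the instance):
#    the reported domain should be corp.example.com and the machine account's
#    secure channel to a domain controller should test healthy.
(Get-CimInstance Win32_ComputerSystem).Domain
Test-ComputerSecureChannel -Verbose
```

Targeting by tag rather than by instance ID is what makes the join survive instance replacement: a rebuilt instance with the same tag is joined again by the same association, and scoping computer objects to one OU keeps Group Policy and delegation for cloud hosts separate from the rest of the directory.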

Trust Relationships with On-Premises AD

By establishing a forest trust between Managed Microsoft AD and on-premises AD, users on either side can access resources on the other. Building a trust relationship requires a VPN connection or Direct Connect between on-premises and the AWS VPC. You can choose a one-way trust (access from one side only) or a two-way trust (mutual access). From a security perspective, it is recommended to establish trust only in the minimum necessary direction. Once the trust is established, on-premises AD users can log in to WorkSpaces on AWS or access FSx file shares.

You also need to configure DNS conditional forwarders so that name resolution works correctly for each domain. Managed Microsoft AD provides domain controller IP addresses, which you register as a conditional forwarder in your on-premises DNS; on the AWS side, you supply the on-premises DNS server addresses when you create the trust, and Managed Microsoft AD uses them as the conditional forwarder for the on-premises domain.
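The following PowerShell script is an added example that is not part of the article: it carries the trust setup above through end to end, for the one-way case in which on-premises users need access to AWS resources but Managed AD users get no access on-premises. Domain names, the directory ID, and the DNS addresses are placeholders. The on-premises half uses the DnsServer and ActiveDirectory modules on a domain controller plus the .NET Forest class; the AWS half uses the AWS CLI's ds commands. Selective authentication is enabled on the AWS side as an additional least-privilege control.

```powershell
# Added example (not from the article): forest trust between AWS Managed
# Microsoft AD and an on-premises forest, created in the minimum necessary
# direction, with the DNS conditional forwarders configured on both sides.
# Names, IDs and IPs are placeholders for this example.

$DirectoryId  = 'd-0000000000'                  # placeholder Managed Microsoft AD ID
$AwsDomain    = 'aws.example.com'               # placeholder Managed AD DNS name
$OnPremDomain = 'corp.example.com'              # placeholder on-premises forest name
$OnPremDns    = @('10.10.0.5', '10.10.0.6')     # placeholder on-premises DNS servers

# The trust password must be identical on both sides; prompt for it rather
# than storing it in the script or in shell history.
$TrustPassword = Read-Host -Prompt 'Trust password (same value on both sides)'

# --- On-premises side (run on a DC / DNS server with the DnsServer and ActiveDirectory modules) ---

# 1. Conditional forwarder: resolve the Managed AD domain through its domain
#    controller addresses, which describe-directories reports as DnsIpAddrs.
$AwsDns = (aws ds describe-directories --directory-ids $DirectoryId `
            --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text) -split '\s+'
Add-DnsServerConditionalForwarderZone -Name $AwsDomain -MasterServers $AwsDns -ReplicationScope 'Forest'
# The DC locator record must resolve before the trust is worth creating.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AwsDomain" -Type SRV

# 2. Create the on-premises half of the trust as INBOUND: the on-premises
#    forest is the trusted side, so its users can be authenticated by the
#    Managed AD forest, while Managed AD users are not trusted on-premises.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $AwsDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
    $TrustPassword)

# --- AWS side ---

# 3. The matching half from Managed AD's point of view is "One-Way: Outgoing"
#    (Managed AD trusts the on-premises forest). The on-premises DNS servers
#    become Managed AD's conditional forwarder for corp.example.com.
#    With selective authentication enabled, trusted users reach only the AWS
#    resources on which they are explicitly granted "Allowed to Authenticate".
$TrustId = aws ds create-trust `
    --directory-id $DirectoryId `
    --remote-domain-name $OnPremDomain `
    --trust-password $TrustPassword `
    --trust-direction 'One-Way: Outgoing' `
    --trust-type Forest `
    --selective-auth Enabled `
    --conditional-forwarder-ip-addrs $OnPremDns `
    --query TrustId --output text

# 4. Verify from both sides: AWS validates the trust it holds, and the
#    on-premises DC should now show an Inbound, forest-transitive trust.
aws ds verify-trust --directory-id $DirectoryId --trust-id $TrustId
Get-ADTrust -Filter { Name -eq $AwsDomain } | Select-Object Name, Direction, ForestTransitive
```

The two halves must agree: an Inbound trust on the on-premises side pairs with One-Way: Outgoing on the Managed AD side, and the verify-trust call fails until the conditional forwarders on both sides resolve the other forest. If Managed AD users later need on-premises resources, the trust can be widened to two-way at that point rather than being created two-way from the start.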

Directory Service Pricing

AWS Managed Microsoft AD Standard Edition costs approximately $0.146 per hour (about $105/month), and Enterprise costs approximately $0.292 per hour (about $210/month). AD Connector costs about $36/month for Small and about $72/month for Large. Simple AD costs about $36/month for Small and about $72/month for Large. There are no additional charges for integration with WorkSpaces or RDS.

Summary - Guidelines for Using Directory Service

AWS Directory Service provides three directory types for integrating Active Directory with the cloud. Choose Managed Microsoft AD when you need full AD functionality, AD Connector when you want to keep using your on-premises AD, and Simple AD when you only need basic LDAP. Its primary value is native integration with AWS services that require AD authentication, such as WorkSpaces, FSx, and RDS for SQL Server. When migrating on-premises AD-dependent applications to the cloud, Directory Service significantly reduces migration complexity.