Security

Building Managed Active Directory with AWS Directory Service - Identity Management for Hybrid Environments

Set up AWS Managed Microsoft AD and design trust relationships with on-premises AD. This article covers hybrid identity management through integration with WorkSpaces, RDS, and FSx.

約 3 分で読めます

Overview of Directory Service

Directory Service is a service that provides managed Active Directory on AWS. It offers three options: AWS Managed Microsoft AD, AD Connector, and Simple AD. Managed Microsoft AD provides a fully managed AD with domain controllers deployed across two or more AZs for multi-AZ availability, and it can establish trust relationships with on-premises AD.

Hybrid Integration

By establishing a forest trust between on-premises AD and Managed Microsoft AD, on-premises users can access AWS resources with single sign-on. You connect on-premises to the VPC via VPN or Direct Connect and configure DNS conditional forwarders. AD Connector is a proxy to on-premises AD that does not replicate AD data on AWS. It is used as a directory for WorkSpaces and AWS SSO, forwarding authentication requests to on-premises AD.

Integration with WorkSpaces and RDS

Managed Microsoft AD integrates directly with many AWS services, including WorkSpaces, RDS for SQL Server, FSx for Windows File Server, and QuickSight. It uses AD for WorkSpaces user authentication and centrally manages desktop settings with Group Policy. With RDS for SQL Server Windows authentication, AD users can seamlessly log in to SQL Server. AD Connector functions as a proxy to on-premises AD, delegating authentication without replicating the directory on AWS. Simple AD is a lightweight Samba-based directory suitable for small-scale and development environments. To deepen your understanding of Directory Service, specialized books on Amazon can also be useful.

Directory Service Pricing

Managed Microsoft AD Standard Edition costs approximately $146/month (2 domain controllers), and Enterprise Edition costs approximately $438/month. Additional domain controllers cost approximately $73/month each (Standard). AD Connector comes in Small (approximately $73/month) and Large (approximately $219/month). Simple AD comes in Small (approximately $73/month) and Large (approximately $219/month). Choose the minimum edition for your use case, and add domain controllers based on your availability requirements.

Summary

Directory Service is a service that enables identity management for hybrid environments through managed Active Directory. It integrates directly with WorkSpaces, RDS for SQL Server, and FSx for Windows File Server, and provides seamless authentication through forest trust with on-premises AD. Proxy connectivity to on-premises AD is also available via AD Connector.

Related Services

AWS Directory ServiceA service that provides managed Active Directory on AWSAmazon FSxFully managed file systems for Windows File Server, Lustre, NetApp ONTAP, and OpenZFSAmazon WorkSpacesA managed service providing cloud-based virtual desktops (VDI)

Related Articles

Multi-Account Management with AWS Organizations - OU Design and Governance with SCPsEstablish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.Building Cloud Desktops with Amazon WorkSpaces - DaaS Design and Cost OptimizationOptimize costs based on usage patterns with AlwaysOn and AutoStop pricing models. Strengthen security with Active Directory integration, MFA, and IP access controls.Active Directory Integration - Extending Your On-Premises Identity Infrastructure to the Cloud with AWS Directory ServiceLearn how to integrate Active Directory with the cloud using AWS Directory Service. This article covers how to choose between AWS Managed Microsoft AD, AD Connector, and Simple AD, and how to integrate with WorkSpaces, RDS, and FSx.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Active Directory Integration - Extending Your On-Premises Identity Infrastructure to the Cloud with AWS Directory ServiceLearn how to integrate Active Directory with the cloud using AWS Directory Service. This article covers how to choose between AWS Managed Microsoft AD, AD Connector, and Simple AD, and how to integrate with WorkSpaces, RDS, and FSx.Amazon WorkSpacesA cloud DaaS (Desktop as a Service) that provides fully managed Windows or Linux virtual desktops accessible securely from any deviceBuilding Cloud Desktops with Amazon WorkSpaces - DaaS Design and Cost OptimizationOptimize costs based on usage patterns with AlwaysOn and AutoStop pricing models. Strengthen security with Active Directory integration, MFA, and IP access controls.