AWS Directory Service
A service providing managed Active Directory and directory integration on AWS, enabling Windows workload authentication infrastructure in the cloud
Overview
AWS Directory Service provides multiple directory options centered on AWS Managed Microsoft AD, which offers a fully managed Microsoft Active Directory (AD), along with Simple AD and AD Connector. It enables Group Policy, Kerberos authentication, and LDAP queries required for Windows-based workloads in the cloud, and by establishing trust relationships with on-premises AD, seamlessly extends existing authentication infrastructure.
Three Directory Options and Selection Criteria
Directory Service offers three options depending on use case. AWS Managed Microsoft AD is a fully managed service where actual Microsoft Active Directory runs as domain controllers spanning two or more Availability Zones. It provides full AD functionality including Group Policy, trust relationships, and schema extensions, making it ideal for integration with AWS services requiring AD authentication such as RDS for SQL Server and Amazon WorkSpaces. Simple AD is a lightweight Samba 4-based directory for small environments needing only basic LDAP authentication and user management. AD Connector is not a directory itself but functions as a proxy to your existing on-premises AD. It forwards authentication requests from AWS services to on-premises AD via VPN or Direct Connect, eliminating the need to replicate user information to the cloud. As selection criteria: choose Managed Microsoft AD when full AD functionality is needed, AD Connector when leveraging existing AD, and Simple AD when only low-cost basic authentication is required.
Managed Microsoft AD Trust Relationships and Hybrid Authentication Design
In enterprise environments, a hybrid configuration establishing trust relationships between an on-premises AD forest and AWS Managed Microsoft AD is common. Setting up a Forest Trust enables on-premises users to access AWS resources with single sign-on, and conversely allows AWS service accounts to reference on-premises resources. Trust relationship communication occurs via Direct Connect or Site-to-Site VPN, requiring security group rules to permit ports needed for Kerberos ticket exchange (TCP/UDP 88, 389, 636, etc.). Related books on Active Directory (Amazon) cover forest trust design patterns and troubleshooting in detail. Managed Microsoft AD also supports multi-Region replication, automatically replicating the primary Region's directory to other Regions to reduce authentication latency for globally distributed workloads. Unlike Azure AD (Microsoft Entra ID), Managed Microsoft AD operates on the same protocol stack as on-premises AD, allowing existing AD management tools and scripts to be used as-is, lowering migration barriers.
AWS Service Integration and Operational Considerations
Managed Microsoft AD integrates with numerous AWS services. Amazon WorkSpaces uses AD for desktop authentication, RDS for SQL Server performs database connections with Windows authentication, and Amazon FSx for Windows File Server manages file share permissions using AD access control lists (ACLs). Windows EC2 instances can join the domain, enabling Group Policy application and domain user logon. SSM (Systems Manager) seamless domain join automatically joins instances to the domain at launch. On the operations side, domain controller OS patching and snapshots are managed automatically by AWS, significantly reducing infrastructure operations burden. However, OU (Organizational Unit) design, Group Policy creation, and user/group management remain the customer's responsibility. Directory size comes in two editions - Standard (up to 30,000 objects) and Enterprise (up to 500,000 objects) - selected based on the combined total of users and computer objects.