
AWS Directory Service

Microsoft Active Directory (AD)

Overview

  • Microsoft Active Directory (AD) is available on Windows Server with Active Directory Domain Services (AD DS) enabled.
  • Functions as a centralized database for directory objects such as:
    • User Accounts
    • Computers
    • Printers
    • File Shares
    • Security Groups

Key Features

  • Centralized security management:
    • Create, modify, and delete user accounts
    • Assign permissions and enforce policies
  • Supports authentication, authorization, and directory lookups for network resources.

Structure

  • Objects are grouped into domains; within a domain, organizational units (OUs) subdivide objects for delegated administration and Group Policy.
  • Domains that share a contiguous DNS namespace form a tree; one or more trees form a forest, which is the security boundary.
  • Domain Controllers hold the directory database and handle authentication (Kerberos/NTLM) and access control; trusts between domains or forests let principals from one authenticate to resources in another.

AWS Directory Service – Options

AWS Managed Microsoft AD

  • Fully managed Microsoft Active Directory (real Windows Server AD DS domain controllers) running in your VPC; AWS patches, replicates and snapshots the DCs.
  • Supports MFA through a RADIUS server.
  • Users and groups are created and managed directly in AWS; you administer a delegated OU with an admin account rather than holding Domain/Enterprise Admin.
  • Can establish one-way or two-way trust relationships (forest or external) with on-premises AD.

AD Connector

  • Directory gateway (proxy) to an existing on-premises AD; requires VPN or Direct Connect connectivity to the on-prem domain controllers.
  • Forwards authentication and directory requests to the self-managed AD using a service account you supply (use a dedicated least-privilege account, not a Domain Admin).
  • Supports MFA through a RADIUS server.
  • No directory data is stored or cached in AWS.

Simple AD

  • Samba 4-based, Active Directory-compatible directory hosted in AWS; not a Microsoft AD.
  • Suitable for small environments with basic needs (user accounts, group policy, domain join).
  • Does not support MFA.
  • No trust relationships with on-prem AD and no schema extensions.

AWS Directory Service – Feature Comparison

Service                    Description                          MFA               Trust with on-prem AD
AWS Managed Microsoft AD   Fully functional AWS-hosted AD       Yes (via RADIUS)  Yes
AD Connector               Proxy to on-prem AD                  Yes (via RADIUS)  N/A (no directory in AWS to trust)
Simple AD                  Lightweight standalone AD (Samba)    No                No

IAM Identity Center – Active Directory Integration

Integration Options

1. AWS Managed Microsoft AD

  • Directly integrates with IAM Identity Center.
  • Works out-of-the-box for AWS workloads.
  • Simplifies identity and access management entirely within AWS.

2. Self-Managed Active Directory (On-Premises)

  • Two integration approaches:
    • Two-Way Trust
      • Create a trust between self-managed AD and AWS Managed Microsoft AD.
      • IAM Identity Center connects via AWS Managed AD.
    • AD Connector
      • Acts as a proxy to redirect authentication requests to the on-prem AD.
      • No AD data stored in AWS.

This setup enables IAM Identity Center to leverage existing Active Directory environments for centralized user management, authentication, and SSO into AWS accounts and applications.
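The two integration paths above, as an added AWS CLI example that is not part of the original notes: path 1 creates a two-way forest trust from an existing AWS Managed Microsoft AD to the on-prem forest and waits for AWS to verify it; path 2 creates an AD Connector; a third function enables RADIUS-backed MFA on either. All directory IDs, VPC/subnet IDs, IP addresses, domain names and the service account name are placeholders, and secrets are read from environment variables. Pointing IAM Identity Center at the resulting directory as its identity source is a separate step not shown here.

```shell
#!/bin/sh
# Added example, not part of the original notes. Wires a self-managed AD to AWS
# via (1) an AWS Managed Microsoft AD plus a two-way forest trust, or (2) an
# AD Connector, then enables RADIUS-backed MFA, which Managed AD and AD Connector
# support and Simple AD does not. IDs, IPs and names below are placeholders.
# Secrets come from the environment (DS_ADMIN_PASSWORD, TRUST_PASSWORD,
# CONNECTOR_PASSWORD, RADIUS_SHARED_SECRET), never from literals in the script.
# DRY_RUN=1 prints each aws command instead of executing it; the printed commands
# contain the secrets, so do not paste that output into tickets or chat.

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

wait_for_state() {
  # $1 label, $2 wanted state, rest: command that prints the current state.
  # Polls every 30 s; returns 1 on a terminal failure state. Under DRY_RUN the
  # command is printed once and the wait is skipped.
  label=$1; want=$2; shift 2
  if [ -n "${DRY_RUN:-}" ]; then run "$@"; return 0; fi
  while :; do
    cur=$(run "$@")
    case "$cur" in
      "$want") return 0 ;;
      Failed|VerifyFailed|Inoperable|RestoreFailed) echo "$label: $cur" >&2; return 1 ;;
      *) sleep 30 ;;
    esac
  done
}

create_managed_ad() {
  # $1 FQDN, $2 NetBIOS name, $3 VPC id, $4 two subnet ids in different AZs, comma-separated.
  # Prints the new directory id; it must reach Stage=Active before a trust can be created.
  run aws ds create-microsoft-ad --name "$1" --short-name "$2" --edition Standard \
    --password "$DS_ADMIN_PASSWORD" --vpc-settings "VpcId=$3,SubnetIds=$4" \
    --query DirectoryId --output text
}

wait_for_directory_active() {
  wait_for_state directory Active aws ds describe-directories --directory-ids "$1" \
    --query 'DirectoryDescriptions[0].Stage' --output text
}

create_trust() {
  # $1 Managed AD directory id, $2 on-prem forest FQDN, rest: on-prem DNS IPs used as the
  # conditional forwarder. Selective authentication limits on-prem principals to AWS-side
  # resources on which they were explicitly granted "Allowed to Authenticate".
  dir_id=$1; remote=$2; shift 2
  run aws ds create-trust --directory-id "$dir_id" --remote-domain-name "$remote" \
    --trust-password "$TRUST_PASSWORD" --trust-direction Two-Way --trust-type Forest \
    --selective-auth Enabled --conditional-forwarder-ip-addrs "$@"
}

trust_path() {
  # Path 1, with the Managed AD already Active: create the trust and wait for verification.
  # The on-prem side must create the matching trust with the same trust password and add a
  # conditional forwarder for the Managed AD domain pointing at its DnsIpAddrs, and the
  # Managed AD security group must admit the on-prem DCs; otherwise the state ends in VerifyFailed.
  dir_id=$1; remote=$2; shift 2
  create_trust "$dir_id" "$remote" "$@"
  wait_for_state trust Verified aws ds describe-trusts --directory-id "$dir_id" \
    --query "Trusts[?RemoteDomainName=='$remote'].TrustState | [0]" --output text
}

create_ad_connector() {
  # Path 2: $1 on-prem domain FQDN, $2 VPC id, $3 subnet ids, $4 on-prem DNS IPs (both
  # comma-separated), $5 service account. Use a dedicated least-privilege account for the
  # connector rather than a Domain Admin; its password comes from CONNECTOR_PASSWORD.
  run aws ds connect-directory --name "$1" --size Small --password "$CONNECTOR_PASSWORD" \
    --connect-settings "VpcId=$2,SubnetIds=$3,CustomerDnsIps=$4,CustomerUserName=$5" \
    --query DirectoryId --output text
}

enable_radius_mfa() {
  # $1 directory id (Managed AD or AD Connector), $2 RADIUS server IPs, comma-separated.
  # AuthenticationProtocol must match what the RADIUS/MFA server expects.
  run aws ds enable-radius --directory-id "$1" --radius-settings \
    "RadiusServers=$2,RadiusPort=1812,RadiusTimeout=5,RadiusRetries=3,SharedSecret=$RADIUS_SHARED_SECRET,AuthenticationProtocol=PAP,UseSameUsername=true"
}

# Example invocation with placeholders; set DRY_RUN=1 to review the commands first:
#   dir=$(create_managed_ad aws.example.com AWS vpc-0123456789abcdef0 subnet-aaaa,subnet-bbbb)
#   wait_for_directory_active "$dir"
#   trust_path "$dir" corp.example.com 10.0.0.2 10.0.0.3
#   enable_radius_mfa "$dir" 10.0.0.5
# or, for the proxy path:
#   con=$(create_ad_connector corp.example.com vpc-0123456789abcdef0 subnet-aaaa,subnet-bbbb 10.0.0.2,10.0.0.3 svc-adconnector)
```

Run it with DRY_RUN=1 first and diff the printed commands against the change ticket before executing for real; the trust is created on both sides independently, so a trust that stays in VerifyFailed almost always means the on-prem side is missing the matching trust, the conditional forwarder, or the firewall rules rather than a problem on the AWS side.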