adam121 - Fotolia
For decades, enterprises have maintained central repositories for users and groups. This model has been popular because it allows administrators to centrally manage users and groups. Administrators assign resource permissions to entire teams using group memberships. Platforms like Microsoft's Active Directory and Open LDAP are commonly used to provide this functionality. With AWS Directory Service, admins can spin up a cloud directory service instead of implementing and maintaining one on premises.
Much like other AWS products, admins can easily provision a new cloud directory service. Doing so manually typically requires IT teams to build servers, install software and deploy servers in multiple locations to make the directory service resistant to failures. With the AWS Directory Service, admins create a directory and then multiple server instances are deployed across two availability zones. AWS also takes care of maintenance for patching servers and doing backups through snapshots.
Cloud directory service options
When it comes to provisioning a new cloud directory service on AWS, admins can choose from a Microsoft-based Active Directory implementation, a Samba-based implementation called Simple AD or a directory service proxy called AD Connector.
Microsoft AD is a managed set of Windows servers running Active Directory Domain Services. After an admin creates the directory, he uses the same tools as we would on premises to manage the Active Directory environment. Admins can create users and groups, set up group policies and join existing Elastic Compute Cloud (EC2) instances to the directory.
Simple AD is a Samba 4 Active Directory-compatible server implementation. Admins can still manage users and groups, set up group policies and join servers to the domain. But Simple AD isn't capable of performing other Microsoft-specific functions, such as supporting trust relationships with other domains and forests. Using a Microsoft-based AD implementation is idea for hybrid cloud scenarios because admins can set up a cross-forest trust to connect it to the on-premises AD environment.
The AD Connector is a proxy that allows services in the AWS cloud to talk to on-premises Active Directory domain controllers. Think of the AD Connector as an adapter to an existing AD implementation that could be used when an admin wants to domain-join EC2 instances to the existing domain on premises, but doesn't want to build domain controllers for an existing environment in the cloud. The AD Connector can also tie other resources into on-premises AD, including Amazon WorkSpaces and Amazon WorkDocs.
With each directory service option, admins can enable AWS console federation and single sign-on to allow end users from the directory to sign in to the AWS Management Console. Admins can map AWS Identity and Access Management (IAM) roles to existing directory service users or groups so they can access AWS resources through the web-based console. This helps delegate control of AWS resources to admins signed in to the corporate directory -- without having to use an IAM user account.
Seamlessly joining managed domains
The AWS Directory Service supports seamless domain-join for Windows Server instances in addition to supporting domain-joined machines through the typical manual process. Admins can easily create new EC2 instances without having to configure or bootstrap the servers so that they can join them to the domain.
Admins assign an IAM role to the instance that allows access to the Simple Systems Manager API, and then define the managed directory for the instance. This can be done in the web-based console, Command Line Interface or SDKs. Admins also can manually join Linux instances to managed AD and Simple AD environments.
AWS Active Directory competes with Azure offering
Comparing Simple AD and Active Directory
The security implications of using AWS Directory Service
Dig Deeper on AWS security
Related Q&A from Mike Pfeiffer
We use Amazon CloudWatch to track cloud performance and create notifications for service metrics. How can we automate events to respond to the ... Continue Reading
Runbooks help admins automate certain processes within the Azure cloud. But what capabilities do I gain if I kick-off Azure runbooks through a ... Continue Reading
We choose Amazon RDS for its multitude of database engines and want to build a highly available system. What options does Amazon RDS have for ... Continue Reading