Table of contents

1. Introduction
2. AWS Managed Microsoft AD
   2.1. Active Directory schema
      2.1.1. Schema elements
      2.1.2. Attributes
      2.1.3. Classes
      2.1.4. Object identifier (OID)
      2.1.5. Schema linked attributes
   2.2. Patching and Maintenance of AWS Directory Service
      2.2.1. Ensuring availability
      2.2.2. Understanding the patching schedule
   2.3. Group Managed Service Accounts
   2.4. Kerberos Constrained Delegation
3. AWS Directory Service Features
   3.1. Actual Microsoft Active Directory
   3.2. High availability
   3.3. AWS-managed infrastructure
   3.4. Multi-region replication
   3.5. HIPAA and PCI Eligible
   3.6. Trust support
   3.7. Group-based policies
   3.8. Single sign-on (SSO)
4. Frequently Asked Questions
   4.1. What is the primary benefit of AWS directory services?
   4.2. Does AWS have LDAP?
   4.3. What is AWS SSO?
5. Conclusion
Last Updated: Mar 27, 2024

AWS Directory Service

Author Sanjana Yadav

Introduction

The AWS Directory Service is an Amazon Web Services product that allows an IT administrator to operate Microsoft Active Directory (AD) in the public cloud, facilitating user and group data setup and providing end-users access to AWS cloud services.

AWS Directory Service offers several options for integrating Microsoft Active Directory (AD) with other AWS services. Administrators use directories to control access to information and resources. They hold information about users, groups, and devices. Customers that wish to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware apps in the cloud can leverage AWS Directory Service's many directory options. Developers that require a directory to handle users, groups, devices, and access have the same options.

Let us now understand this AWS directory service in depth.

AWS Managed Microsoft AD

AWS Directory Service allows you to run and administer Microsoft Active Directory (AD) in the cloud. AWS Directory Service for Microsoft Active Directory, often known as AWS Managed Microsoft AD, is powered by Windows Server 2012 R2.

When you choose and activate this directory type, a highly available pair of domain controllers connected to your virtual private cloud (VPC) is created. The domain controllers are placed in different Availability Zones in the Region of your choice. Host monitoring and recovery, data replication, snapshots, and software upgrades are configured and managed automatically.

Using AWS Managed Microsoft AD, you can run directory-aware workloads on the AWS Cloud, such as Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also establish a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory, granting users and groups access to resources in either domain using single sign-on (SSO).

AWS Directory Service makes it simple to create and manage directories in the AWS Cloud and connect your AWS resources to an existing on-premises Microsoft Active Directory. Once your directory has been built, you may use it for a variety of purposes, including:

  • Administer users and groups.
  • Allow users to access applications and services with a single sign-on.
  • Create and implement group policies.
  • Simplify the deployment and administration of Linux and Microsoft Windows workloads in the cloud.
  • AWS Managed Microsoft AD may be used to implement multi-factor authentication by connecting with your current RADIUS-based MFA infrastructure to offer an extra layer of protection when users access AWS applications.
  • Connect to Amazon EC2 Linux and Windows instances securely.


Let us now look at some of the key concepts of the AWS Managed Microsoft AD.

Active Directory schema

A schema is the definition of characteristics and classes in a distributed directory, which is analogous to fields and tables in a database. Schemas are a collection of rules that govern the kind and structure of data that may be added to or stored in a database. One class that is saved in the database is the User class. The user's first name, last name, phone number, and so on are examples of User class characteristics.

Schema elements

The essential pieces used to build object definitions in the schema are attributes, classes, and objects. The following section contains information regarding schema elements that you should be aware of before beginning the process of extending your AWS Managed Microsoft AD schema.

Attributes

Each schema attribute, equivalent to a database field, has various properties that determine the attribute's features. For example, the property LDAPDisplayName is used by LDAP clients to read and write the attribute. All attributes and classes must use the same LDAPDisplayName property. See Characteristics of Attributes for a comprehensive collection of attribute characteristics on the MSDN website. See Defining a New Attribute on the MSDN website for further information on how to create a new attribute.

Classes

Classes are similar to tables in a database in that they must have multiple attributes declared. The class category, for example, is defined by the objectClassCategory. See Characteristics of Object Classes for a comprehensive list of class characteristics. See Defining a New Class for further information on building a new class.

Object identifier (OID)

Each class and attribute must have an OID that is unique across all your objects. To ensure uniqueness, software vendors must establish their own OID. When many applications use the same attribute for different purposes, uniqueness prevents conflicts. A root OID can be obtained from an ISO Name Registration Authority to guarantee uniqueness. You can also obtain a base OID from Microsoft. See Object Identifiers on the MSDN website for further information on OIDs and how to acquire them.

Schema linked attributes

Some attributes are connected via forward and back links between two classes. Groups are the best example. When you look at a group, you can see who its members are; when you look at a user, you can see which groups they belong to. When you add a user to a group, Active Directory creates a forward link on the group pointing to the user, and the user is then linked back to the group via the corresponding back link. When defining a linked attribute, a unique link ID must be generated. See Linked Attributes on the MSDN website for further information.
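Before extending the schema of an AWS Managed Microsoft AD directory, a practitioner would want to confirm that the OID and LDAPDisplayName of a proposed attribute do not collide with anything already in the schema, and that a linked attribute's link ID pairs correctly with its partner. The following PowerShell function is an added example (not code from the article or from AWS) that runs those pre-flight checks against the live schema partition from a domain-joined management instance with the ActiveDirectory RSAT module; the attribute name, OID and link ID values in the usage call are constructed placeholders.

```powershell
# Added example: pre-flight checks for a proposed attributeSchema object.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-ProposedSchemaAttribute {
    param(
        [Parameter(Mandatory)][string]$LdapDisplayName,
        [Parameter(Mandatory)][string]$Oid,          # attributeID of the new attribute
        [int]$LinkId = 0                              # 0 = not a linked attribute
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $problems = @()

    # 1. The OID must not already be used by an attribute (attributeID) or a class (governsID).
    $oidHit = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(|(attributeID=$Oid)(governsID=$Oid))" `
                           -Properties lDAPDisplayName
    if ($oidHit) { $problems += "OID $Oid already used by '$($oidHit.lDAPDisplayName)'" }

    # 2. LDAPDisplayName is what LDAP clients use to address the attribute; it must not clash.
    $nameHit = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    if ($nameHit) { $problems += "lDAPDisplayName '$LdapDisplayName' already exists" }

    # 3. Linked attributes come in pairs: the forward link has an even linkID and the
    #    back link is forward linkID + 1. Both halves must be free, and the forward half
    #    must be even.
    if ($LinkId -ne 0) {
        if ($LinkId % 2 -ne 0) { $problems += "forward linkID $LinkId must be even" }
        foreach ($id in @($LinkId, ($LinkId + 1))) {
            $linkHit = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(linkID=$id)" -Properties lDAPDisplayName
            if ($linkHit) { $problems += "linkID $id already used by '$($linkHit.lDAPDisplayName)'" }
        }
    }

    [pscustomobject]@{ Attribute = $LdapDisplayName; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed placeholder values; replace with an OID from your own registered base OID.
Test-ProposedSchemaAttribute -LdapDisplayName 'example-ProjectMember' `
                             -Oid '1.2.840.113556.1.8000.2554.99999.1' -LinkId 20000
```

A result with `Ok = $false` lists every collision, so the LDIF can be corrected before it is applied through the directory's schema extension workflow.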

Patching and Maintenance of AWS Directory Service

AWS Directory Service for Microsoft Active Directory, often known as AWS DS for AWS Managed Microsoft AD, is a managed service of Microsoft Active Directory Domain Services (AD DS). The system's domain controllers (DCs) run Microsoft Windows Server 2012 R2, and AWS adds software to the DCs for service management reasons. AWS patches DCs to offer new capabilities and maintain Microsoft Windows Server software up to date. Your directory is still accessible during the patching procedure.

Ensuring availability

Each directory comprises two DCs, each of which is installed in a distinct Availability Zone. You have the option of adding DCs to improve availability even more. AWS repairs your DCs sequentially, and the DC that AWS is currently patching is inaccessible throughout this period. If one or more of your DCs is momentarily unavailable, AWS delays patching until your directory has at least two working DCs. This allows you to use the other running DCs throughout the patch process, which normally takes 30 to 45 minutes per DC but can vary. 

To guarantee that your applications can reach an operational DC whenever one or more DCs are unavailable for any reason, including patching, you should use the Windows DC locator service rather than static DC addresses.
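As an added illustration of that advice (example code, not from the article or AWS), the PowerShell function below asks the DC locator for a currently writable domain controller instead of pinning a host name, and re-discovers if the chosen DC stops answering while a patch is in progress. The domain name and the query it performs are assumptions.

```powershell
# Added example: resolve a live DC through the locator rather than a static address.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Invoke-WithLocatedDC {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][scriptblock]$Action,   # receives the DC host name as $args[0]
        [int]$MaxAttempts = 3
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # -ForceDiscover bypasses the cached DC so a DC that went down for patching
        # is not returned again; -Writable and -Service ADWS match what the action needs.
        $dc = Get-ADDomainController -DomainName $Domain -Discover -ForceDiscover `
                                     -Writable -Service ADWS
        $host = [string]$dc.HostName
        try {
            return & $Action $host
        } catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
            Write-Warning "DC $host unavailable (attempt $attempt), re-running locator"
            Start-Sleep -Seconds 5
        }
    }
    throw "No reachable writable DC found for $Domain after $MaxAttempts attempts"
}

# Constructed usage: the same query that would break if 'dc1' were hard-coded.
Invoke-WithLocatedDC -Domain 'corp.example.com' -Action {
    param($dcHost)
    Get-ADUser -Server $dcHost -Filter 'Enabled -eq $true' | Select-Object -First 5
}
```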

Understanding the patching schedule

AWS uses Microsoft updates to keep the Microsoft Windows Server software on your DCs up to date. As Microsoft releases monthly Windows Server rollup patches, AWS takes every effort to test and deliver the rollup to all client DCs within three calendar weeks. Furthermore, AWS evaluates updates released by Microsoft outside of the monthly rollup based on their relevance to DCs and urgency. AWS takes every effort to test and apply security fixes that Microsoft deems as Critical or Important and that are applicable to DCs within five days.

Group Managed Service Accounts

With Windows Server 2012, Microsoft introduced a new approach for administrators to manage service accounts, known as group Managed Service Accounts (gMSAs). With gMSAs, service administrators no longer have to manually handle password synchronization across service instances. Instead, an administrator can simply create a gMSA in Active Directory and then configure many service instances to use that single gMSA.

To enable users in AWS Managed Microsoft AD to establish gMSAs, add their accounts to the AWS Delegated Managed Service Account Administrators security group. The Admin account is a member of this group by default. Group Managed Service Accounts Overview on the Microsoft TechNet website contains more information about gMSAs.

Kerberos Constrained Delegation

Windows Server has a feature called Kerberos constrained delegation. This feature allows service administrators to set and enforce application trust boundaries by restricting the scope in which application services can act on behalf of a user. This is important for configuring which front-end service accounts may delegate to specific back-end services.

Kerberos restricted delegation also limits your gMSA from connecting to any and all services on behalf of your Active Directory users, preventing unscrupulous developers from abusing the system.

Consider the case of user smith, who connects to an HR application. You want SQL Server to apply the database permissions configured for smith. However, by default SQL Server opens the database connection using the service account's credentials, so the permissions of the hr-app-service account are applied rather than smith's configured rights. You must enable the HR payroll application to connect to the SQL Server database using smith's credentials. To do so, activate Kerberos constrained delegation on your AWS Managed Microsoft AD directory for the hr-app-service service account. When smith signs in, Active Directory issues a Kerberos ticket, which Windows uses when smith attempts to access other network services.

Kerberos delegation allows the hr-app-service account to reuse smith's Kerberos ticket when accessing the database, so that smith's permissions are applied when the database connection is opened.

To grant users in AWS Managed Microsoft AD permission to configure Kerberos constrained delegation, add their accounts to the AWS Delegated Kerberos Delegation Administrators security group. The Admin account is automatically a member of this group. Read the Kerberos Constrained Delegation Overview on the Microsoft TechNet website for additional information on Kerberos constrained delegation.
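The gMSA section and the hr-app-service scenario above fit together into one configuration: a gMSA for the HR application that is constrained to delegate only to the SQL Server's service principal, followed by an audit that shows which accounts in the directory can delegate at all. The PowerShell below is an added example (not the article's or AWS's own code) written for a domain-joined management instance with RSAT; the domain, host names, SPN and group names other than the two AWS delegated groups named in the article are constructed placeholders.

```powershell
# Added example: gMSA + Kerberos constrained delegation for the hr-app-service scenario,
# plus a delegation audit. Assumes RSAT ActiveDirectory module and that the caller is in
# both AWS delegated groups named below.
Import-Module ActiveDirectory

function Test-DelegatedAdmin {
    # AWS Managed Microsoft AD requires membership in these groups for gMSA and KCD changes.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
    foreach ($g in 'AWS Delegated Managed Service Account Administrators',
                   'AWS Delegated Kerberos Delegation Administrators') {
        if (-not (Get-ADGroupMember -Identity $g -Recursive | Where-Object SamAccountName -eq $me)) {
            throw "$me is not a member of '$g'"
        }
    }
}

function New-ConstrainedHrServiceAccount {
    param(
        [string]$Name       = 'hr-app-service',                       # constructed
        [string]$Domain     = 'corp.example.com',                     # constructed
        [string]$HostsGroup = 'HR-App-Servers',                       # constructed: hosts allowed to fetch the password
        [string]$TargetSpn  = 'MSSQLSvc/sql01.corp.example.com:1433'  # constructed: the only back-end allowed
    )
    Test-DelegatedAdmin
    # One gMSA shared by every HR app instance; AD rotates its password, not the admins.
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$Domain" `
                         -PrincipalsAllowedToRetrieveManagedPassword $HostsGroup
    # Constrained delegation: list exactly the SPN the front end may act toward on behalf
    # of users. Kerberos-only (no protocol transition), so TrustedToAuthForDelegation stays off.
    Set-ADServiceAccount -Identity $Name -Add @{ 'msDS-AllowedToDelegateTo' = @($TargetSpn) }
    Set-ADAccountControl -Identity $Name -TrustedToAuthForDelegation $false -TrustedForDelegation $false
    Get-ADServiceAccount -Identity $Name -Properties 'msDS-AllowedToDelegateTo'
}

function Get-DelegationAudit {
    # Accounts allowed to delegate to anything (unconstrained, UAC bit 0x80000) are the
    # risky set; constrained ones are listed with their permitted targets for review.
    $unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
                                  -Properties sAMAccountName | Select-Object -ExpandProperty sAMAccountName
    $constrained   = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                                  -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
                     ForEach-Object { [pscustomobject]@{ Account = $_.sAMAccountName
                                                         Targets = @($_.'msDS-AllowedToDelegateTo') } }
    [pscustomobject]@{ Unconstrained = @($unconstrained); Constrained = $constrained }
}
```

Run `Get-DelegationAudit` periodically; any account that appears under `Unconstrained`, or a constrained entry whose target list has grown beyond the back-end services it was set up for, is worth a ticket.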

AWS Directory Service Features

AWS Directory Service for Microsoft Active Directory, commonly known as AWS Managed Microsoft Active Directory (AD), allows you to use managed Active Directory (AD) in AWS for your directory-aware applications and AWS resources. AWS Managed Microsoft AD is based on a real Microsoft Active Directory and does not require you to synchronize or duplicate data from your current Active Directory to the cloud. You can use regular AD administration tools and use built-in AD capabilities like Group Policy and single sign-on. With AWS Managed Microsoft AD, you can quickly add Amazon EC2 and Amazon RDS for SQL Server instances to your domain and leverage AWS End User Computing services like Amazon WorkSpaces with AD users and groups.

Some features of the AWS Directory Service are discussed below:

Actual Microsoft Active Directory

AWS Managed Microsoft AD refers to the actual Microsoft Active Directory (AD) running on AWS-managed infrastructure. This allows you to manage your users and devices in AWS Managed Microsoft AD using familiar tools like Active Directory Administrative Center and Active Directory Users and Computers.

High availability

AWS Managed Microsoft AD is implemented in high availability and across several Availability Zones since directories are mission-critical infrastructure. You can also scale up your AWS Managed Microsoft AD directory by installing more domain controllers to boost your managed directory's robustness for even better availability.

AWS-managed infrastructure

AWS Managed Microsoft Active Directory operates on AWS-managed infrastructure, with monitoring that finds and replaces failed domain controllers automatically. Furthermore, data replication and automated daily snapshots are set up for you. There is no software to install, and AWS handles all patching and software upgrades.

Multi-region replication

You may install and utilize a single AWS Managed Microsoft AD directory across several AWS Regions with multi-region replication. This enables worldwide deployment and management of Microsoft Windows and Linux workloads to be easier and more cost-effective. You achieve increased robustness with automatic multi-region replication, while your apps use a local directory for best performance.

HIPAA and PCI Eligible

AWS Managed Microsoft AD may be used to design and execute AD–aware cloud services that must comply with the US Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS). As you run your own HIPAA risk management programs or PCI DSS compliance certification, AWS Managed Microsoft AD decreases the effort needed to create compliant AD infrastructure for your cloud apps.

Trust support

Using AD trust relationships, you can simply combine AWS Managed Microsoft AD with your existing AD. You may use trusts to manage which AD users can access your AWS services by using your current Active Directory.

Group-based policies

You can manage users and devices in AWS Managed Microsoft AD using native Active Directory Group Policy objects (GPOs). Existing tools, such as the Group Policy Management Console (GPMC), may be used to build GPOs.

Single sign-on (SSO)

The same Kerberos-based authentication is used by AWS Managed Microsoft AD as it is by your existing on-premises AD. By connecting your AWS resources with AWS Managed Microsoft AD, your AD users will be able to sign in to AWS apps and services with a single set of credentials via SSO.

Frequently Asked Questions

What is the primary benefit of AWS directory services?

The main advantage of using AWS Directory Service is that organizations can now extend AD identities and management capabilities to AWS resources. Without the AWS Directory Service, AD and AWS would be isolated from one another and would have to be managed separately.

Does AWS have LDAP?

Yes. In both client and server roles, AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), commonly known as LDAPS. When acting as a server, AWS Managed Microsoft AD supports LDAPS on port 636 (SSL) and port 389 (TLS).

What is AWS SSO?

AWS Single Sign-On (AWS SSO) is a cloud solution that gives your users access to AWS resources such as Amazon EC2 instances across various AWS accounts.

Conclusion

In this article, we have extensively discussed the AWS Directory Service. Starting with the AWS Managed Microsoft AD to the features of the AWS Directory Service, we covered the complete AWS Directory Service.

We hope that this blog has helped you enhance your knowledge of Amazon Web Services, and if you would like to learn more about them, check out our article Your Ultimate Job Interview Preparation Guide for Amazon Web Services (AWS)

Refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and Algorithms, Competitive Programming, JavaScript, System Design, and many more! If you want to test your competency in coding, you may check out the mock test series and participate in the contests hosted on Coding Ninjas Studio! But if you have just started your learning process and are looking for questions asked by tech giants like Amazon, Microsoft, Uber, etc., you must look at the problems, interview experiences, and interview bundle for placement preparations.

Nevertheless, you may consider our paid courses to give your career an edge over others!

Do upvote our blogs if you find them helpful and engaging!

Happy Learning!
