AWS Directory Service
Administration Guide (Version 1.0)

Enable Access to the AWS Management Console with AD Credentials

AWS Directory Service allows you to grant members of your directory access to the AWS Management Console. By default, your directory members do not have access to any AWS resources. You assign IAM roles to your directory members to give them access to the various AWS services and resources. The IAM role defines the services, resources, and level of access that your directory members have.

Before you can grant console access to your directory members, your directory must have an access URL. For more information about how to view directory details and get your access URL, see View Directory Information. For more information about how to create an access URL, see Creating an Access URL.

For more information about how to create and assign IAM roles to your directory members, see Grant Users and Groups Access to AWS Resources.


Enable AWS Management Console Access

By default, console access is not enabled for any directory. To enable console access for your directory users and groups, perform the following steps:

To enable console access

  1. In the AWS Directory Service console navigation pane, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, select the Application management tab.

  4. In the AWS apps & services section, choose AWS Management Console.

  5. On the Directories page, choose your directory ID.

  6. On the Directory details page, select the AWS apps & services tab.

  7. In the AWS apps & services section, choose AWS Management Console.

  8. In the Enable AWS Management Console dialog box, choose Enable Access. Console access is now enabled for your directory.

    Before users can sign in to the console with your access URL, you must continue with the next steps to add your users to the role. For general information about assigning users to IAM roles, see Creating a New Role or Assigning Users or Groups to an Existing Role. After the IAM roles have been assigned, users can then access the console using your access URL. For example, if your directory access URL is example-corp.awsapps.com, the URL to access the console is https://example-corp.awsapps.com/console/.

  9. On the AWS Management Console page, choose click here to create new IAM roles. If you already have an existing IAM role that has a trust relationship defined in the policy document, skip to the next step.

  10. Under Add Users and Groups to Roles, choose the link for the existing IAM role that you want to assign users to.

  11. On the Role Detail page, choose Add.

  12. In the Add Users and Groups to Role page, next to Select Forest, choose either the AWS Managed Microsoft AD forest (this forest) or the on-premises forest (trusted forest), whichever contains the accounts that need access to the AWS Management Console. For more information about how to set up a trusted forest, see Tutorial: Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain.

  13. Next to Search for, choose either User or Group, and then type the name of the user or group. In the list of possible matches, choose the user or group that you want to add.

  14. Choose Add to finish assigning the users and groups to the role.
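Step 9 above lets you reuse an existing IAM role only if its trust policy already trusts AWS Directory Service. The following added check (not part of this guide or of any AWS tooling) parses the JSON that `aws iam get-role` returns under Role.AssumeRolePolicyDocument and reports whether the role can be assumed by the Directory Service principal; it assumes that principal is ds.amazonaws.com and also flags a wildcard principal, which would let any account assume the role.

```python
import json

# Constructed sample trust policy for a console-access role (assumed
# service principal: ds.amazonaws.com). Not taken from the guide.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ds.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

DS_SERVICE_PRINCIPAL = "ds.amazonaws.com"  # assumption, see lead-in


def _as_list(value):
    """IAM accepts a string or a list for Principal/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy_json):
    """Return a list of findings for a role's trust policy document.

    Empty list means: an Allow statement grants sts:AssumeRole to the
    Directory Service principal, no Deny revokes it, and no statement
    uses a wildcard principal.
    """
    policy = json.loads(policy_json)
    findings, ds_allowed = [], False
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        assume = actions & {"sts:assumerole", "sts:*", "*"}
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("wildcard principal can assume this role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if DS_SERVICE_PRINCIPAL in services and assume:
            if stmt.get("Effect") == "Deny":
                findings.append("Deny statement blocks ds.amazonaws.com")
            else:
                ds_allowed = True
    if not ds_allowed:
        findings.append("no Allow statement trusts ds.amazonaws.com for sts:AssumeRole")
    return findings
```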

Note

Access for users in nested groups within your directory is not supported. Members of the parent group have console access, but members of child groups do not.
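Because only direct members of an assigned group receive console access, an administrator who assigns a group that contains other groups can end up with users who appear to have access in AD but cannot sign in. The following added audit helper (an example written for this page, not AWS code) compares the direct membership the console honours with the transitive membership AD would normally resolve, using a constructed group map; it also guards against membership cycles.

```python
# Constructed sample directory: group name -> members, where each member is
# either "user:<name>" or "group:<name>". Not taken from the guide.
SAMPLE_GROUPS = {
    "AWS-Console-Admins": ["user:alice", "group:Finance-Leads"],
    "Finance-Leads": ["user:bob", "group:Finance-Analysts"],
    "Finance-Analysts": ["user:carol", "user:dave"],
}


def direct_users(groups, group_name):
    """Users who actually get console access when group_name is assigned
    to an IAM role: only direct user members count."""
    return {m[len("user:"):] for m in groups.get(group_name, [])
            if m.startswith("user:")}


def transitive_users(groups, group_name, _seen=None):
    """Users an administrator would expect to have access, following nested
    group membership the way AD token evaluation does."""
    seen = _seen if _seen is not None else set()
    if group_name in seen:        # membership cycle: stop here
        return set()
    seen.add(group_name)
    users = set()
    for member in groups.get(group_name, []):
        if member.startswith("user:"):
            users.add(member[len("user:"):])
        elif member.startswith("group:"):
            users |= transitive_users(groups, member[len("group:"):], seen)
    return users


def nested_access_gap(groups, assigned_group):
    """Users reachable only through nesting, i.e. expected to have console
    access but silently excluded. Sorted for stable reporting."""
    return sorted(transitive_users(groups, assigned_group)
                  - direct_users(groups, assigned_group))
```

Feed it the real group map (for example exported with an LDAP query) and any non-empty result is a list of users who must be added directly to the assigned group or to the role.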

Disable AWS Management Console Access

To disable console access for your directory users and groups, perform the following steps:

To disable console access

  1. In the AWS Directory Service console navigation pane, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, select the Application management tab.

  4. Under the AWS apps & services section, choose AWS Management Console.

  5. If any IAM roles have been assigned to users or groups in the directory, the Disable Access button in the Manage access to AWS Resources dialog box is unavailable. In this case, you must choose Continue and remove all IAM role assignments for the directory before proceeding, including assignments for users or groups in your directory that have been deleted, which will show as Deleted User or Deleted Group.

    After all IAM role assignments have been removed, repeat the steps above. When the Manage access to AWS Resources dialog box is displayed, choose Disable Access.

Set Login Session Length

By default, users have 1 hour to use their session after successfully signing in to the console before they are logged out. After that, users must sign in again to start the next 1-hour session. You can use the following procedure to change the session length to up to 12 hours per session.

To set login session length

  1. In the AWS Directory Service console navigation pane, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, select the Application management tab.

  4. Under the AWS apps & services section, choose AWS Management Console.

  5. In the Manage Access to AWS Resource dialog box, choose Continue.

  6. In the Assign users and groups to IAM roles page, under Set login session length, edit the numbered value, and then choose Save.