- AWS Directory Service for Microsoft Active Directory
-
Also known as AWS Managed Microsoft AD, AWS Directory Service for Microsoft Active Directory is powered by an actual
Microsoft Windows Server Active Directory (AD), managed by AWS in the
AWS Cloud. It enables you to migrate a broad range of Active Directory–aware applications to the AWS Cloud. AWS Managed Microsoft AD works
with Microsoft SharePoint, Microsoft SQL Server Always On Availability
Groups, and many .NET applications. It also supports AWS managed
applications and services including Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon Relational Database Service for Microsoft SQL
Server (Amazon RDS for SQL Server, Amazon RDS for Oracle, and Amazon RDS for
PostgreSQL).
AWS Managed Microsoft AD is approved for applications in the
AWS Cloud that are subject to U.S. Health Insurance Portability and Accountability Act
(HIPAA) or Payment
Card Industry Data Security Standard (PCI DSS) compliance when
you enable compliance for
your directory.
All compatible applications work with user credentials that you store in
AWS Managed Microsoft AD, or you can connect
to your existing AD infrastructure with a trust and use
credentials from an Active Directory running on-premises or on EC2 Windows.
If you join EC2
instances to your AWS Managed Microsoft AD, your users can access Windows
workloads in the AWS Cloud with the same Windows single sign-on (SSO)
experience as when they access workloads in your on-premises network.
AWS Managed Microsoft AD also supports federated use cases using Active Directory
credentials. Alone, AWS Managed Microsoft AD enables you to sign in to the AWS Management Console. With AWS IAM Identity Center, you can
also obtain short-term credentials for use with the AWS SDK and CLI, and
use preconfigured SAML integrations to sign in to many cloud applications.
By adding Microsoft Entra Connect (formerly known as Azure Active Directory Connect), and optionally Active Directory Federation
Service (AD FS), you can sign in to Microsoft Office 365 and other cloud
applications with credentials stored in AWS Managed Microsoft AD.
The service includes key features that enable you to extend your
schema, manage password policies, and enable secure LDAP
communications through Secure Socket Layer (SSL)/Transport Layer
Security (TLS). You can also enable multi-factor authentication (MFA) for AWS Managed Microsoft AD to
provide an additional layer of security when users access AWS applications
from the Internet. Because Active Directory is an LDAP directory, you can
also use AWS Managed Microsoft AD for Linux Secure Shell (SSH) authentication and for
other LDAP-enabled applications.
AWS provides monitoring, daily snapshots, and recovery as part of the
service—you add
users and groups to AWS Managed Microsoft AD, and administer Group Policy
using familiar Active Directory tools running on a Windows computer joined
to the AWS Managed Microsoft AD domain. You can also scale the directory by deploying
additional domain controllers and help improve application
performance by distributing requests across a larger number of domain
controllers.
AWS Managed Microsoft AD is available in two editions: Standard and Enterprise.
-
Standard Edition: AWS Managed Microsoft AD
(Standard Edition) is optimized to be a primary directory for small
and midsize businesses with up to 5,000 employees. It provides you
enough storage capacity to support up to 30,000* directory objects,
such as users, groups, and computers.
-
Enterprise Edition: AWS Managed Microsoft AD
(Enterprise Edition) is designed to support enterprise organizations
with up to 500,000* directory objects.
* Upper limits are approximations. Your directory may support more or less
directory objects depending on the size of your objects and the behavior and
performance needs of your applications.
When to
use
AWS Managed Microsoft AD is your best choice if you need actual Active Directory
features to support AWS applications or Windows workloads, including
Amazon Relational Database Service for Microsoft SQL Server. It's also best if you want a standalone
Active Directory in the AWS Cloud that supports Office 365 or you need an LDAP directory
to support your Linux applications. For more information, see AWS Managed Microsoft AD.
- AD Connector
-
AD Connector is a proxy service that provides an easy way to connect
compatible AWS applications, such as Amazon WorkSpaces, Amazon QuickSight, and Amazon EC2 for Windows Server
instances, to your existing on-premises Microsoft Active Directory. With
AD Connector , you can simply add one service account to your Active Directory.
AD Connector also eliminates the need of directory synchronization or the
cost and complexity of hosting a federation infrastructure.
When you add users to AWS applications such as Amazon QuickSight, AD Connector
reads your existing Active Directory to create lists of users and groups to
select from. When users log in to the AWS applications, AD Connector
forwards sign-in requests to your on-premises Active Directory domain
controllers for authentication. AD Connector works with many AWS
applications and services including Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon WorkMail. You can also join your
EC2 Windows instances to your on-premises Active Directory
domain through AD Connector using seamless
domain join. AD Connector also allows your users to access the
AWS Management Console and manage AWS resources by logging in with their existing
Active Directory credentials. AD Connector is not compatible with RDS SQL
Server.
You can also use AD Connector to enable multi-factor
authentication (MFA) for your AWS application users by
connecting it to your existing RADIUS-based MFA infrastructure. This
provides an additional layer of security when users access AWS
applications.
With AD Connector, you continue to manage your Active Directory as you
do now. For example, you add new users and groups and update passwords using
standard Active Directory administration tools in your on-premises Active Directory . This helps you consistently enforce your security policies, such
as password expiration, password history, and account lockouts, whether
users are accessing resources on premises or in the AWS Cloud.
When to
use
AD Connector is your best choice when you want to use your existing
on-premises directory with compatible AWS services. For more information,
see AD Connector.
- Simple AD
-
Simple AD is a Microsoft Active Directory–compatible directory from AWS Directory Service that
is powered by Samba 4. Simple AD supports basic Active Directory features
such as user accounts, group memberships, joining a Linux domain or Windows
based EC2 instances, Kerberos-based SSO, and group policies. AWS provides
monitoring, daily snap-shots, and recovery as part of the service.
Simple AD is a standalone directory in the cloud, where you create and
manage user identities and manage access to applications. You can use many
familiar Active Directory–aware applications and tools that require
basic Active Directory features. Simple AD is compatible with the
following AWS applications: Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, and Amazon WorkMail. You can also sign
in to the AWS Management Console with Simple AD user accounts and to manage AWS
resources.
Simple AD does not support multi-factor authentication (MFA), trust
relationships, DNS dynamic update, schema extensions, communication over
LDAPS, PowerShell AD cmdlets, or FSMO role transfer. Simple AD is not
compatible with RDS SQL Server. Customers who require the features of an
actual Microsoft Active Directory, or who envision using their directory
with RDS SQL Server should use AWS Managed Microsoft AD instead. Please verify your
required applications are fully compatible with Samba 4 before using
Simple AD. For more information, see https://www.samba.org.
When to
use
You can use Simple AD as a standalone directory in the cloud to support
Windows workloads that need basic Active Directory features, compatible AWS
applications, or to support Linux workloads that need LDAP service. For more
information, see Simple AD.
- Amazon Cognito
-
Amazon Cognito is a user directory that adds sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools.
When to
use
You can also use Amazon Cognito when you need to create custom registration fields
and store that metadata in your user directory. This fully managed service
scales to support hundreds of millions of users. For more information, see
Amazon Cognito user pools in the Amazon Cognito Developer Guide.