AWS Directory Service - AWS GovCloud (US)

AWS Directory Service

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to your domain, and use AWS Enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

How AWS Directory Service Differs for AWS GovCloud (US)

The following list details the differences for using this service in AWS GovCloud (US) Regions compared to other AWS Regions:

  • Only AWS Managed Microsoft AD and AD Connector directory types are supported by AWS Directory Service.

  • The following directory types are not supported:

    • Simple AD

    • Amazon Cloud Directory

  • The following AWS apps and services are not currently supported by AWS Directory Service:

    • RDS for SQL Server

    • Amazon WorkDocs

    • Amazon WorkMail

    • Amazon QuickSight

    • Amazon Chime

    • Amazon Connect

    • AWS Management Console

    • AWS Single Sign-On

  • Only signature version 4 signing is supported.

  • You can use the AWS Command Line Interface (AWS CLI) to interact with AWS Directory Service and other AWS services through the command line. For more information, see AWS CLI documentation.


    If you are using the Amazon Linux AMI, the AWS CLI is already installed and configured.

  • To connect to AWS Directory Service by using the command line or APIs, use the following endpoints:





Documentation for AWS Directory Service

AWS Directory Service documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • AWS Directory Service passwords are protected as ITAR-regulated data.

  • All data stored and processed in AWS Directory Service directories can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

AWS Directory Service metadata is not permitted to contain ITAR-regulated data. This metadata includes all configuration data that you enter when creating and maintaining your AWS Directory Service directory except passwords.

Do not enter ITAR-regulated data in the following console fields:

  • Directory aliases

  • Directory description

  • Directory DNS name

  • NetBIOS name

  • Manual snapshot name

  • Resource tags

  • Description of schema extensions