Connector for AD Prerequisites - AWS Private Certificate Authority

Connector for AD Prerequisites

The following are required for Connector for AD.

To create a Connector for AD, you need to set up an AWS Private Certificate Authority (CA) and directory. You then need to share the private CA and directory with the Connector for AD service. You also need to correctly set security groups and IAM policies to create a connector.

AWS Private CA

Set up a AWS Private CA for issuing certificates to your directory objects. For more information, see Private CA administration.

The AWS Private CA must be in the Active state to create a Connector for AD. The private CA's subject name must include a common name. Connector creation will fail if you try to create a connector using a private CA without a common name.

Active Directory

In addition to an AWS Private CA, you need an Active Directory in a virtual private cloud (VPC). Connector for AD supports the following directory types offered by AWS Directory Service:

  • AWS Managed Microsoft Active Directory: With AWS Directory Service you can run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory also referred to as AWS Managed Microsoft AD, is powered by Windows Server 2019. With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft Sharepoint and custom .Net and SQL Server-based applications.

  • Active Directory Connector: AD Connector is a directory gateway that can redirect directory requests to your on-premises Microsoft Active Directory, without caching any information in the cloud. AD Connector supports connecting to a domain hosted on Amazon EC2


Enrolling domain controllers is not supported when using the Connector for AD with AWS Managed Microsoft AD.

Service Account

When using the Directory Service AD Connector, you need to delegate additional permissions to the service account. Set access-control list (ACL) on the service account to allow the ability:

  • Add and remove a Service Principal Name (SPN) to itself

  • Create and update certification authorities in the following containers:

    #containers CN=Public Key Services,CN=Services,CN=Configuration CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration
  • Create and update a NTAuthCertificates Certification Authority (CA) object. Note: if the NTAuthCertificates CA object exists then you must delegate permissions for it. If the object does not exist then you must delegate the ability to create child objects on the Public Key Services container.

    #objects CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration

If you are using AWS Managed Microsoft AD then the additional permissions will be delegated automatically when you authorize the Connector for AD service with your directory. You can skip this prerequisite step.

You can use this PowerShell script to delegate the additional permissions. It will create the NTAuthCertifiates certification authority object. Replace "myconnectoraccount" with the service account name.

$AccountName = 'myconnectoraccount' # DO NOT modify anything below this comment. # Getting Active Directory information. Import-Module -Name 'ActiveDirectory' $RootDSE = Get-ADRootDSE # Getting AD Connector service account Information $AccountProperties = Get-ADUser -Identity $AccountName $AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value [System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDse.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID $AccountAclPath = $AccountProperties.DistinguishedName # Getting ACL settings for AD Connector service account. $AccountAcl = Get-ACL -Path "AD:\$AccountAclPath" # Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself $AccountAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGuid, 'None' $AccountAcl.AddAccessRule($AccountAccessRule) Set-ACL -AclObject $AccountAcl -Path "AD:\$AccountAclPath" # Add ACLs allowing AD Connector service account the ability to create certification authorities [System.GUID]$CertificationAuthorityGuid = (Get-ADObject -SearchBase $RootDse.SchemaNamingContext -Filter { lDAPDisplayName -eq 'certificationAuthority' } -Properties 'schemaIDGUID').schemaIDGUID $CAAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty,CreateChild,DeleteChild', 'Allow', $CertificationAuthorityGuid, 'None' $PKSDN = "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" $PKSACL = Get-ACL -Path "AD:\$PKSDN" $PKSACL.AddAccessRule($CAAccessRule) Set-ACL -AclObject $PKSACL -Path "AD:\$PKSDN" $AIADN = "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" $AIAACL = Get-ACL -Path "AD:\$AIADN" $AIAACL.AddAccessRule($CAAccessRule) Set-ACL -AclObject $AIAACL -Path "AD:\$AIADN" $CertificationAuthoritiesDN = "CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" $CertificationAuthoritiesACL = Get-ACL -Path "AD:\$CertificationAuthoritiesDN" $CertificationAuthoritiesACL.AddAccessRule($CAAccessRule) Set-ACL -AclObject $CertificationAuthoritiesACL -Path "AD:\$CertificationAuthoritiesDN" $NTAuthCertificatesDN = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" If (-Not (Test-Path -Path "AD:\$NTAuthCertificatesDN")) { New-ADObject -Name 'NTAuthCertificates' -Type 'certificationAuthority' -OtherAttributes @{certificateRevocationList=[byte[]]'00';authorityRevocationList=[byte[]]'00';cACertificate=[byte[]]'00'} -Path "CN=Public Key Services,CN=Services,CN=Configuration,$($RootDSE.rootDomainNamingContext)" } $NTAuthCertificatesACL = Get-ACL -Path "AD:\$NTAuthCertificatesDN" $NullGuid = [System.GUID]'00000000-0000-0000-0000-000000000000' $NTAuthAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'ReadProperty,WriteProperty', 'Allow', $NullGuid, 'None' $NTAuthCertificatesACL.AddAccessRule($NTAuthAccessRule) Set-ACL -AclObject $NTAuthCertificatesACL -Path "AD:\$NTAuthCertificatesDN"

IAM Policy

To create a connector for AD, you need an IAM policy that allows you to create connector resources, share your private CA with the Connector for AD service, and authorize the Connector for AD service with your directory.

This is an example a user managed policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "pca-connector-ad:*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:ListCertificateAuthorities", "acm-pca:ListTags", "acm-pca:PutPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": "acm-pca:IssueCertificate", "Resource": "*", "Condition": { "StringLike": { "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/BlankEndEntityCertificate_ApiPassthrough/V*" }, "ForAnyValue:StringEquals": { "aws:CalledVia": "" } } }, { "Effect": "Allow", "Action": [ "ds:AuthorizeApplication", "ds:DescribeDirectories", "ds:ListTagsForResource", "ds:UnauthorizeApplication", "ds:UpdateAuthorizedApplication" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:DeleteVpcEndpoints" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeTags", "ec2:DeleteTags", "ec2:CreateTags" ], "Resource": "arn:*:ec2:*:*:vpc-endpoint/*" } ] }

Connector for AD requires additional AWS RAM permissions, for both console and command line use.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ram:CreateResourceShare", "Resource": "*", "Condition": { "StringEqualsIfExists": { "ram:Principal": "", "ram:RequestedResourceType": "acm-pca:CertificateAuthority" } } }, { "Effect": "Allow", "Action": [ "ram:GetResourcePolicies", "ram:GetResourceShareAssociations", "ram:GetResourceShares", "ram:ListPrincipals", "ram:ListResources", "ram:ListResourceSharePermissions", "ram:ListResourceTypes" ], "Resource": "*" } ] }

Share AWS Private CA with Connector for AD

You will need to share your AWS Private CA with the connectors service by using AWS Resource Access Manager service principal sharing.

When you create a connector in the AWS console, the resource share is automatically created for you.

When you create a resource share using the AWS CLI, you will use the AWS RAM create-resource-share command.

The following command creates a resource share:

$ aws ram create-resource-share \ --region us-east-1 \ --name MyPcaConnectorAdResourceShare \ --permission-arns arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority \ --resource-arns arn:aws:acm-pca:region:account:certificate-authority/CA_ID \ --principals \ --sources account

The service principal that calls CreateConnector has certificate issuance permissions on the PCA. To prevent service principals that use Connector for AD from having general access to your AWS Private CA resources, restrict their permissions using CalledVia.

Authorize Connector for AD with your directory

You authorize the Connector for AD service with your directory so the connector can communicate with your directory. To authorize the Connector for AD service, you create a directory registration. For more information on creating a directory registration, see Managing directory registrations

Security groups

Communication between your VPC and the Connector for AD connector is through AWS PrivateLink, which requires a security group(s) with inbound rules that open port 443 TCP and UDP on your VPC. You will be asked for this security group when you create a connector. You can specify the source as custom and select your VPC's CIDR block. You can choose to restrict this further (i.e. IP, CIDR, and security group ID).