Directory services options in AWS
AWS provides a comprehensive set of services and tools for deploying Microsoft Windows workloads on its reliable and secure cloud infrastructure. AWS Active Directory Connector (AD Connector) and AWS Managed Microsoft AD are fully managed services that allow you to connect AWS applications to an existing Active Directory or host a new Active Directory in the cloud. Together, with the ability to deploy self-managed Active Directory in Amazon EC2 instances, these services cover all cloud and hybrid scenarios for enterprise identity services.
AD Connector
AD Connector can be used in the following scenarios:
- Sign in to AWS applications, such as Amazon Chime, Amazon WorkDocs, Amazon WorkMail, or Amazon WorkSpaces using corporate credentials. (See the list of compatible applications on the AWS Documentation site.)
- Enable access to the AWS Management Console with AD credentials. For large enterprises, AWS recommends using AWS Single Sign-On.
- Enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure.
- Join Windows EC2 instances to your on-premises Active Directory.
Note: Amazon RDS for SQL Server and Amazon FSx for Windows File Server are not compatible with AD Connector. Amazon RDS for SQL Server is compatible with AWS Managed Microsoft AD only. Amazon FSx for Windows File Server can be deployed with AWS Managed Microsoft AD or self-managed Active Directory.
AWS Managed Microsoft Active Directory
AWS Directory Service lets you run Microsoft Active Directory as a managed service. By default, each AWS Managed Microsoft AD has a minimum of two domain controllers, each deployed in a separate Availability Zone (AZ) for resiliency and fault tolerance. All domain controllers are exclusively yours, with nothing shared with any other AWS customer. AWS provides operational management to monitor, update, back up, and recover domain controller instances. You administer users, groups, computers, and group policies using standard Active Directory tools from a Windows computer joined to the AWS Managed Microsoft AD domain.
AWS Managed Microsoft AD preserves the Windows single sign-on (SSO) experience for users who access AD DS integrated applications in a hybrid IT environment. With AD DS trust support, your users can sign in once on-premises and access Windows workloads running on-premises and in the cloud. You can optionally expand the scale of the directory by adding domain controllers, thereby enabling you to distribute requests to meet your performance requirements. You can also share the directory with any account and VPC. Multi-Region replication can be used to automatically replicate your AWS Managed Microsoft AD directory data across multiple Regions so you can improve performance for users and applications in dispersed geographic locations. AWS Managed Microsoft AD uses native AD replication to replicate your directory's data securely to the new Region. Multi-Region replication is only supported for the Enterprise Edition of AWS Managed Microsoft AD.
AWS Managed Microsoft AD enables you to forward all domain controllers' Windows Security event logs to Amazon CloudWatch, giving you the ability to monitor your use of the directory and any administrative intervention performed in the course of AWS operating the service. It is also approved for applications in the AWS Cloud that are subject to compliance by the U.S. Health Insurance Portability and Accountability Act.
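The forwarded Security event log is only useful if something reads it. The following is an added example, not code from AWS or this document: it runs simple detection logic over constructed sample events to flag additions to privileged groups (which, per the Note on delegated groups, customers cannot perform in AWS Managed Microsoft AD) and to tally administrative activity per subject account so that AWS's own operational intervention can be separated from your delegated admins. The one-line-per-event layout is an assumption made for the example; events exported to CloudWatch are multi-line text and would need to be joined first.

```python
import re
from collections import Counter

# Constructed sample events, flattened to one line each (assumed layout, not the
# service's own export format). Labels follow the standard Windows event text.
SAMPLE_EVENTS = [
    "EventID: 4624 An account was successfully logged on. "
    "Account Name: alice Account Domain: CORP",
    "EventID: 4720 A user account was created. Subject: Account Name: svc-deploy "
    "Account Domain: CORP New Account: Account Name: svc-backup Account Domain: CORP",
    "EventID: 4728 A member was added to a security-enabled global group. "
    "Subject: Account Name: svc-deploy Account Domain: CORP "
    "Member: Account Name: CN=svc-backup,OU=Users,DC=corp,DC=example "
    "Group: Group Name: Domain Admins Group Domain: CORP",
    "EventID: 4732 A member was added to a security-enabled local group. "
    "Subject: Account Name: helpdesk1 Account Domain: CORP "
    "Member: Account Name: CN=bob,OU=Users,DC=corp,DC=example "
    "Group: Group Name: Remote Desktop Users Group Domain: CORP",
    "EventID: 4756 A member was added to a security-enabled universal group. "
    "Subject: Account Name: helpdesk1 Account Domain: CORP "
    "Member: Account Name: CN=carol,OU=Users,DC=corp,DC=example "
    "Group: Group Name: Enterprise Admins Group Domain: CORP",
]

GROUP_ADD_EVENTS = {"4728", "4732", "4756"}      # member added to a security group
ADMIN_EVENTS = GROUP_ADD_EVENTS | {"4720"}        # plus user account created
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

def parse_event(line):
    """Extract event id, subject (first Account Name), member (second) and group."""
    m = re.search(r"EventID:\s*(\d+)", line)
    if not m:
        return None
    names = re.findall(r"Account Name:\s*(\S+)", line)
    group = re.search(r"Group Name:\s*(.+?)\s+Group Domain", line)
    return {"id": m.group(1),
            "subject": names[0] if names else None,
            "member": names[1] if len(names) > 1 else None,
            "group": group.group(1) if group else None}

def find_privileged_group_changes(lines):
    """Return parsed events that add a member to a privileged AD group."""
    events = (parse_event(l) for l in lines)
    return [e for e in events
            if e and e["id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS]

def admin_activity_by_subject(lines):
    """Count administrative events per subject account (ignores logons etc.)."""
    events = (parse_event(l) for l in lines)
    return Counter(e["subject"] for e in events if e and e["id"] in ADMIN_EVENTS)
```

In practice the same functions would be fed by a CloudWatch Logs query over the forwarded log group, and any privileged-group change whose subject is not an AWS operational account is a finding to investigate.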
AWS Managed Microsoft AD enables you to extend your schema and perform LDAP write operations. These features, combined with advanced security features, such as Kerberos Constrained Delegation and Group Managed Service Account, provide the greatest degree of compatibility for Active Directory aware applications, like Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and many .NET applications. Because Active Directory is an LDAP directory, you can also use AWS Managed Microsoft AD for Linux Secure Shell (SSH) authentication and other LDAP-enabled applications. The full list of supported AWS applications is available on the AWS Documentation site.
AWS Managed Microsoft AD runs actual Windows Server 2012 R2 Active Directory Domain Services and operates at the 2012 R2 functional level. AWS Managed Microsoft AD is available in two editions: Standard and Enterprise. These editions have different storage capacity; Enterprise Edition also has multi-region features.
All new AWS Directory Service for Microsoft AD (AWS Managed Microsoft AD) directories run on Windows Server 2019. For current customers with existing directories, you can simply update with just a few clicks or programmatically via API. With this feature, you can initiate updates for existing directories when it’s most convenient, avoiding peak business hours, for example. Additionally, starting in March 2023, AWS will begin automatically updating any AWS Managed Microsoft AD directories to Windows Server 2019.
Edition | Storage capacity | Approximate number of objects that can be stored* | Approximate number of users in domain* |
---|---|---|---|
Standard | 1 GB | ~30,000 | Up to ~5,000 users |
Enterprise | 17 GB | ~500,000 | Over 5,000 users |
* The number of objects varies based on type of objects, schema extensions, number of attributes, and data stored in attributes.
Note
AWS Domain Administrators have full administrative access to all domains hosted on AWS. See your agreement with AWS and the AWS Data Privacy FAQ for more information about how AWS handles content that you store on AWS systems, including directory information. You do not have Domain or Enterprise Admin permissions and rely on delegated groups for administration.
AWS Managed Microsoft AD can be used for the following scenarios: managing access to the AWS Management Console and cloud services, joining EC2 Windows instances to Active Directory, deploying Amazon RDS databases with Windows authentication, using FSx for Windows File Server, and signing in to productivity tools like Amazon Chime and Amazon WorkSpaces. For more information on this solution, see Design considerations for AWS Managed Microsoft Active Directory in this document.
Active Directory on EC2
If you prefer to extend your Active Directory to AWS and manage it yourself for flexibility or other reasons, you have the option of running Active Directory on EC2. For more information, see Design considerations for running Active Directory on EC2 instances in this document.
Comparison of Active Directory Services on AWS
The following table compares the features and functions of the various Directory Service options available on AWS. Many features are not directly applicable to AWS AD Connector, because it acts only as a proxy to the existing Active Directory domain.
Function | AWS AD Connector | AWS Managed Microsoft AD | Active Directory on EC2 |
---|---|---|---|
Managed service | yes | yes | no |
Multi-Region deployment | n/a | yes, Enterprise Edition | yes |
Share directory with multiple accounts | no | yes | no |
Supported by AWS applications (Amazon Chime, Amazon WorkSpaces, AWS Single Sign-On, etc.) | yes | yes | yes (through federation or AD Connector) |
Supported by RDS (SQL Server, Oracle, MySQL, PostgreSQL, and MariaDB) | n/a | yes | no |
Supported by FSx for Windows File Server | n/a | yes | yes |
Creating users and groups | yes | yes | yes |
Joining computers to the domain | yes | yes | yes |
Create trusts with existing Active Directory domains and forests | n/a | yes | yes |
Seamless domain join for Windows and Linux EC2 instances | yes | yes | yes, with AWS AD Connector |
Schema extensions | n/a | yes | yes |
Add domain controllers | n/a | yes | yes |
Group Managed Service Accounts | n/a | yes | Depends on the Windows Server version |
Kerberos constrained delegation | n/a | yes | yes |
Support Microsoft Enterprise CA | n/a | yes | yes |
Multi-Factor Authentication | yes, through RADIUS | yes, through RADIUS | yes, with AD Connector |
Group policy | n/a | yes | yes |
Active Directory Recycle bin | n/a | yes | yes |
PowerShell support | n/a | yes | yes |