Directory Services
Overview
We use user groups, roles, administrators, and administrators to manage access to resources and data stored in AWS. Directories help store information about these user groups, administration roles, devices, users, etc. AWS provides various options of Directory Services to choose from. Some of the options provided by AWS Directory Services are Directory Service for Microsoft Active Directory, AD Connector, Simple AD, and Amazon Cognito. All these directory services are built using Microsoft Active Directory.
What is AWS Directory Service?
AWS Directory Service is a managed service that provides a variety of ways to use Microsoft Active Directory (AD) with other AWS services. This directory type is a highly available pair of domain controllers connected to the virtual private cloud when we choose and deploy it (VPC).
Directories hold information about users, groups, and devices. Administrators use directories to control who has access to what information and resources.
What is Microsoft Active Directory?
Microsoft Azure Directory is a database that stores user accounts, security groups, file shares, etc. Any windows server having AD domain services supports Microsoft Active Directory.
Let's try to understand the working of Microsoft Active Directory using an example.
We have a server containing Domain Controller. This server or operating system contains the authorization details for user John. Now using the John credentials, you can log in to any operating system connected to the Domain Controller. So basically, the Active Directory helps us manage authorizations across a group of devices from a single machine directory.
Features of AWS Directory Service
Here are some of the features of AWS Directory Service. Let's have a look at them.
- AWS Directory Service safely moves the directory-aware applications to AWS, which shortens and improves market time. Operations, availability, maintenance, and on-premises workload management are made simpler by AWS Directory Service.
- Employing preexisting credentials to access AWS services offers frictionless user experiences.
- Through advanced active directory (AD) monitoring, logging, and networking, we can strengthen our security posture and resilience.
How does AWS Directory Service Work?
Using the diagram below, let's understand the working of AWS Directory Services for Microsoft Azure Directory.
- By using the AWS Management Console or API, we can create a Microsoft Azure Directory managed by AWS.
- After this, we can deploy new apps or use existing Active Directory-aware workloads.
- On deploying new or existing apps, the next step is to activate the AWS Ecosystem by integrating various AWS services like EC2, IAM, RDS, etc.
- To ensure data security, authorization groups and user access policy needs to be created. These users and groups help in managing access to the AD-aware AWS resources.
- After setting up the entire thing, the application instance can be connected to the Active Directory with new or existing credentials.
Create a Directory Service
Let's see how to create a directory service. In this demo, we will create an AWS Managed Microsoft AD directory. Follow these steps:
- Login to the AWS console. Search Directory Service in the search bar and click on it.
- We are on the AWS Directory Service console. Click on Set up directory to create a new AWS directory.
- On the next screen, we must choose the directory type from the options. Here, in this case, we will choose AWS Managed Microsoft AD and click on Next.
- Choose the standard edition for the directory.
- Scroll down and provide a directory DNS name. Set the Admin password and click on Next.
- On the next configuration page, we have to choose VPC and subnets for this directory. Click on Next.
- Review the configuration and click on Create directory.
- It will start creating the directory. It will take 20 to 40 minutes to create it. After creating, it will show Available as the status. Click on the directory ID to learn about the details of this directory.
- It will show all the details of this AWS directory.
- Scroll down. We'll see its auto-creates set-up network policies for traffic entering and leaving your domain controllers.
We created the AWS Managed Microsoft AD directory successfully.
AWS Directory Service Options
Under Directory Service, we are given a list of options to choose from. Let's discuss each one of them.
AWS Directory Service for Microsoft Active Directory
- It is also known as AWS Managed Microsoft AD, which is Microsoft Active Directory managed by AWS.
- AWS Managed Microsoft AD helps us to execute the following tasks:
- It helps create and apply users, groups, and group policies.
- Synchronize signing in for applications
- Makes the process of deploying and managing windows and cloud-Linux-based applications easier.
- It is available in two different editions:
- Standard Edition
- This is designed for small businesses of approximately 5000 employees.
- Under this edition, we can create approx 3000 directory objects. Directory objects include users, groups, group policies, etc.
- Enterprise Edition
- This is designed for large businesses and multinational companies.
- It can create approx 500000 directory objects and more depending on need.
- Standard Edition
AD Connector
- It is a proxy service that helps in connecting AWS applications to your on-premises Microsoft Active Directory.
- The AWS services which can be connected under this include AWS EC2 instance, Workspaces, QuickSight, Workdocs, Chimes, Connect, etc.
- It offers many additional services like Multi-Factor Authentication, which provides extra security to the data stored over AWS services.
- It works like an Active Directory. You can add users or groups to the directory and use the authorization credentials for accessing data across multiple devices.
- This is a great help if you have an existing Active directory and want to use the same for your other AWS services. All you need to do in this case is use the AD connector and connect your on-premises AD to your cloud-hosted AWS resources.
- You can learn more about AD Connector here.
Simple AD
- It is a Microsoft AD service that supports all the basic features of AD services like user authorization, group permissions, group policies, etc.
- Simple AD can be used in integration with other AWS services like Workspaces, WorkMail, WorkDocs, etc., to drive more significant results.
- However, there are some limitations to its use. Simple AD does not support multi-factor authentication, role transfer, etc. In addition, it is also not compatible with RDS SQL Server.
- Simple AD service is supported by Samba4, you can learn more about this here.
Amazon Cognito
Amazon Cognito uses Amazon Cognito User Pools, which helps create a user directory, which helps in giving authorization access to any web or mobile applications.
- It is highly scalable and can be used to store millions of users' credentials.
- Using Amazon Cognito helps in creating customized user registration fields.
- You can use it to signup for an application. The credentials get stored, and the same credentials can be used to authorize login actions.
How to Decide Which Directory Service to Choose?
For Cloud Applications
Based on the cloud application you are hosting on the cloud and your respective needs, the following directory services are recommended.
- AWS Directory Service for Microsoft Active Directory: This is helpful if you want your application in the cloud and your application is capable of running on windows server or Linux based cloud servers.
- AD Connector: If you have an existing Directory service, and you simply want to connect your AWS resources (EC2 instances) to the on-premises AD then AD Connector is the right choice for you.
- Simple AD: If you are looking for a cost-effective option or scope of scaling your directory services is look, then Simple AD is the right choice for you.
For Developing SaaS Applications
If you are developing SaaS Applications, then the main need for you is to deal with scalability. In this case, we can use Amazon Cognito, which helps to scale active directories easily. It eases the task of authentication using social media identities.
Comparison of Active Directory Services on AWS
Let's contrast the features and capabilities of AWS's different Active Directory Services choices. Since AWS AD Connector merely serves as a proxy to the existing Active Directory domain, many functions are not immediately applicable.
- Managed Service
- AWS AD Connector and AWS Managed Microsoft AD supports managed services.
- Active Directory on EC2 doesn't support managed services.
- Multi-Region Deployment
- It is not applicable in the case of AWS AD Connector.
- Multi-Region deployment is supported by AWS Managed Microsoft AD in the Enterprise Edition.
- Active Directory on EC2 also supports Multi-Region deployment.
- Share Directory With Multiple Accounts
- AWS AD Connector and Active Directory on EC2 can't share the directory with multiple accounts.
- AWS Managed Microsoft AD can share the directory with multiple accounts.
- Supported by AWS Applications
- All the AWS AD Connector, AWS Managed Microsoft AD, and Active Directory on EC2 supported by AWS applications.
- Supported by RDS
- It is not applicable in AWS AD Connector.
- AWS Managed Microsoft AD supported by RDS.
- RDS does not support active Directory on EC2.
- Supported by FSx for Windows File Server
- AWS Managed Microsoft AD and Active Directory on EC2 supported by FSx for Windows File Server.
- It is not applicable in AWS AD Connector.
- Schema Extensions
- It is not applicable in AWS AD Connector.
- AWS Managed Microsoft AD and Active Directory on EC2-supported schema extensions.
Some more functions are not applicable in AWS AD Connector, but these functions are supported by AWS Managed Microsoft AD and Active Directory on EC2. They are:
- Create trusts with existing Active Directory domains and forests
- Add domain controllers
- Kerberos constrained delegation
- Support Microsoft Enterprise CA
- Group policy
- Active Directory Recycle bin
- PowerShell support
Conclusion
- AWS Directory Service is a managed service that provides a variety of ways to use Microsoft Active Directory (AD) with other AWS services.
- Features of AWS Directory service include AWS-managed infrastructure, Multi-region replication, frictionless user experiences, and strengthening our security posture and resilience.
- AWS Directory Service options are:
- Microsoft Active Directory
- AD Connector
- Simple AD
- Amazon Cognito
- We can choose the directory service for cloud applications and developing SaaS applications.
- Many functions are not immediately applicable to AWS AD Connector.