Directory Service

AWS Directory Service allows organizations to use Microsoft Active Directory (AD) or AD-compatible services to manage authentication and authorization for AWS resources. It supports integration with on-premises AD, enabling seamless identity management across AWS and existing enterprise environments.

AWS provides three main directory service options, each suited for different use cases:

  • AWS Managed Microsoft AD – A fully managed, scalable Microsoft Active Directory in AWS.

  • AD Connector – A proxy that connects AWS to an existing on-premises Active Directory for authentication.

  • Simple AD – A lightweight, AD-compatible directory based on Samba (not recommended for production).


AWS Managed Microsoft AD

AWS Managed Microsoft AD is a fully managed Active Directory (AD) hosted within AWS. It supports native AD features, including Group Policy, Kerberos authentication, and LDAP.

Key Features

  • Fully Managed – AWS handles patching, backups, and availability.

  • Supports Group Policy & Kerberos – Functions like a traditional on-prem AD.

  • Highly Available – Runs across multiple AWS Availability Zones (AZs).

  • Works with AWS Applications – Supports Amazon FSx for Windows, Amazon RDS for SQL Server, and AWS IAM Identity Center.

Use Cases

  • Organizations that want a standalone, cloud-based AD.

  • Businesses migrating Windows-based workloads to AWS.

  • Companies needing Active Directory-dependent applications (e.g., FSx for Windows, SQL Server).

Best Practice

Deploy AWS Managed Microsoft AD across multiple AZs for high availability and reliability.


AD Connector

AD Connector is a directory proxy that enables AWS resources to authenticate against an existing on-premises Active Directory without syncing user accounts to AWS.

Key Features

  • Acts as a bridge between AWS and on-prem AD (no need to migrate users).

  • Users authenticate with their existing AD credentials.

  • Allows AWS applications (e.g., Amazon WorkSpaces, AWS IAM Identity Center) to use on-prem AD authentication.

  • Supports MFA via on-prem AD.

Use Cases

  • Businesses that already have an Active Directory and want AWS authentication without migrating users.

  • Organizations that need to extend on-prem AD authentication to AWS services.

  • Companies that require AWS IAM Identity Center to use on-prem AD.

Best Practice

Deploy two AD Connectors in different AWS Availability Zones for high availability.


Simple AD

Simple AD is an AWS-hosted, lightweight directory service based on Samba (an open-source implementation of Active Directory).

Key Features

  • Provides basic AD features, including user authentication and group management.

  • LDAP-compatible – Can integrate with applications that use LDAP.

  • Cheaper than AWS Managed Microsoft AD.

Limitations

  • Does NOT support full Active Directory functionality (e.g., Group Policy, Kerberos).

  • Not recommended for production – Limited scalability and feature set.

  • Cannot be used for AWS IAM Identity Center integration.

Use Cases

  • Small-scale workloads that require basic directory services.

  • Non-production environments needing simple LDAP authentication.

Best Practice

Use AWS Managed Microsoft AD or AD Connector instead of Simple AD for enterprise workloads.


Directory Services Comparison Chart

| Feature                          | AWS Managed Microsoft AD              | AD Connector                          | Simple AD                                |
|----------------------------------|---------------------------------------|---------------------------------------|------------------------------------------|
| Deployment                       | Fully managed AD in AWS               | Proxy to on-prem AD                   | Lightweight LDAP directory               |
| Authentication                   | Supports Kerberos, Group Policy, LDAP | Uses on-prem AD for authentication    | Basic LDAP authentication                |
| User Sync Required?              | No (users exist in AWS AD)            | No (uses on-prem AD)                  | Yes (users must be created in Simple AD) |
| AWS IAM Identity Center Support? | Yes                                   | Yes                                   | No                                       |
| Best For                         | Organizations needing cloud-based AD  | Companies extending on-prem AD to AWS | Small-scale, non-production environments |
| MFA Support                      | Yes (via AD policies)                 | Yes (via on-prem AD)                  | No                                       |
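The comparison above and the per-service best practices (multiple AZs, no Simple AD for production or IAM Identity Center, MFA) can be checked mechanically against the directories in an account. The following is an added example, not AWS's own code or part of these notes: it audits the JSON shape returned by `aws ds describe-directories` (the `DirectoryDescriptions` list with `Type`, `Stage`, `VpcSettings`/`ConnectSettings` and the top-level `RadiusStatus` field, which is how Directory Service reports RADIUS-based MFA). The sample response, directory names and IDs embedded below are constructed for this example; point it at a real `describe-directories` output file to audit an account.

```python
"""Audit Directory Service directories against the best practices in these notes.

Added example, not AWS documentation code. Input is a dict shaped like the
response of `aws ds describe-directories` / boto3 `describe_directories()`.
"""
import json
import sys

# Values of the "Type" field in a DirectoryDescription.
MANAGED_AD = "MicrosoftAD"
AD_CONNECTOR = "ADConnector"
SIMPLE_AD = "SimpleAD"

# Constructed sample response (placeholder IDs/names, not from a real account).
SAMPLE_RESPONSE = {
    "DirectoryDescriptions": [
        {   # Managed AD across two AZs with RADIUS MFA configured: compliant.
            "DirectoryId": "d-EXAMPLE00001", "Name": "corp.example.com",
            "Type": MANAGED_AD, "Edition": "Standard", "Stage": "Active",
            "VpcSettings": {"VpcId": "vpc-EXAMPLE",
                            "SubnetIds": ["subnet-a", "subnet-b"],
                            "AvailabilityZones": ["us-east-1a", "us-east-1b"]},
            "RadiusStatus": "Completed",
        },
        {   # AD Connector in a single AZ and without RADIUS MFA.
            "DirectoryId": "d-EXAMPLE00002", "Name": "onprem.example.com",
            "Type": AD_CONNECTOR, "Stage": "Active",
            "ConnectSettings": {"VpcId": "vpc-EXAMPLE",
                                "SubnetIds": ["subnet-a"],
                                "AvailabilityZones": ["us-east-1a"],
                                "ConnectIps": ["10.0.0.10"]},
        },
        {   # Simple AD: fine for a lab, flagged for production/Identity Center use.
            "DirectoryId": "d-EXAMPLE00003", "Name": "lab.example.com",
            "Type": SIMPLE_AD, "Stage": "Active",
            "VpcSettings": {"VpcId": "vpc-EXAMPLE",
                            "SubnetIds": ["subnet-a", "subnet-b"],
                            "AvailabilityZones": ["us-east-1a", "us-east-1b"]},
        },
    ]
}


def availability_zones(directory):
    """AD Connector reports its placement in ConnectSettings; Managed AD and
    Simple AD report it in VpcSettings."""
    settings = directory.get("ConnectSettings") or directory.get("VpcSettings") or {}
    return set(settings.get("AvailabilityZones", []))


def audit_directory(directory):
    """Return a list of finding strings for one DirectoryDescription."""
    findings = []
    did = directory.get("DirectoryId", "<unknown>")
    dtype = directory.get("Type")

    # Best practice from the notes: run across at least two AZs.
    azs = availability_zones(directory)
    if len(azs) < 2:
        findings.append(f"{did}: deployed in {len(azs)} Availability Zone(s); "
                        "deploy across at least two AZs for high availability")

    # Simple AD: not for production, and no IAM Identity Center support.
    if dtype == SIMPLE_AD:
        findings.append(f"{did}: Simple AD is not recommended for production and "
                        "cannot be used with AWS IAM Identity Center")

    # Managed AD and AD Connector support MFA; Directory Service exposes it as
    # RADIUS, and RadiusStatus is "Completed" once it is configured.
    if dtype in (MANAGED_AD, AD_CONNECTOR) and directory.get("RadiusStatus") != "Completed":
        findings.append(f"{did}: MFA (RADIUS) is not configured")

    # Anything other than Active means authentication may be degraded.
    if directory.get("Stage") != "Active":
        findings.append(f"{did}: directory stage is {directory.get('Stage')!r}, not Active")

    return findings


def audit_directories(response):
    """Audit every directory in a describe-directories response."""
    findings = []
    for directory in response.get("DirectoryDescriptions", []):
        findings.extend(audit_directory(directory))
    return findings


if __name__ == "__main__":
    # Usage: python audit_ds.py [describe-directories.json]; no file -> sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RESPONSE
    for line in audit_directories(data) or ["no findings"]:
        print(line)
```

On the constructed sample the Managed AD directory produces no findings, the AD Connector produces two (single AZ, no MFA) and the Simple AD directory one. The checks map directly to the comparison chart rows: placement to the "Best Practice" lines, the Simple AD finding to the "AWS IAM Identity Center Support?" row, and `RadiusStatus` to the "MFA Support" row.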


Integrating AWS Directory Service with IAM Identity Center

  1. IAM Identity Center integrates with AWS Managed Microsoft AD, or with an on-prem AD through AD Connector.

  2. User authentication is handled by AWS Managed AD or on-prem AD (via AD Connector).

  3. IAM Identity Center maps AD groups to AWS Permission Sets, allowing users to access AWS accounts.

Best Practice: Use AWS Managed Microsoft AD if you need a full cloud-based AD. Use AD Connector if you have an existing on-prem AD.


Exam Tips for Directory Services

  • AWS Managed Microsoft AD is a fully managed Active Directory in AWS.

  • AD Connector acts as a proxy to on-prem AD, enabling AWS authentication without migrating users.

  • Simple AD is a lightweight LDAP directory but is NOT recommended for production.

  • AWS IAM Identity Center integrates with AWS Managed Microsoft AD and AD Connector.

  • Deploy AD Connector in multiple AZs for high availability.

  • AWS Managed Microsoft AD supports Kerberos, LDAP, and Group Policy.
