# Directory Service

AWS Directory Service allows organizations to use Microsoft Active Directory (AD) or AD-compatible services to manage authentication and authorization for AWS resources. It supports integration with on-premises AD, enabling seamless identity management across AWS and existing enterprise environments.

AWS provides **three main directory service options**, each suited for different use cases:

* **AWS Managed Microsoft AD** – A fully managed, scalable Microsoft Active Directory in AWS.
* **AD Connector** – A proxy that connects AWS to an existing on-premises Active Directory for authentication.
* **Simple AD** – A lightweight, AD-compatible directory based on Samba (not recommended for production).

***

## **AWS Managed Microsoft AD**

AWS Managed Microsoft AD is a **fully managed** Active Directory (AD) hosted within AWS. It supports **native AD features**, including **Group Policy, Kerberos authentication, and LDAP**.

### **Key Features**

* **Fully Managed** – AWS handles patching, backups, and availability.
* **Supports Group Policy & Kerberos** – Functions like a traditional on-prem AD.
* **Highly Available** – Runs across multiple **AWS Availability Zones (AZs)**.
* **Works with AWS Applications** – Supports **Amazon FSx for Windows, Amazon RDS for SQL Server, and AWS IAM Identity Center**.

### **Use Cases**

* Organizations that want **a standalone, cloud-based AD**.
* Businesses migrating **Windows-based workloads** to AWS.
* Companies needing **Active Directory-dependent applications** (e.g., FSx for Windows, SQL Server).

### **Best Practice**

Deploy AWS Managed Microsoft AD **across multiple AZs** for high availability and reliability.

***

## **AD Connector**

AD Connector is **a directory proxy** that enables AWS resources to authenticate **against an existing on-premises Active Directory** without syncing user accounts to AWS.

### **Key Features**

* Acts as a bridge between AWS and on-prem AD (no need to migrate users).
* Users authenticate with their existing AD credentials.
* Allows AWS applications (e.g., Amazon WorkSpaces, AWS IAM Identity Center) to use on-prem AD authentication.
* Supports MFA via on-prem AD.

### **Use Cases**

* Businesses that already have an Active Directory and want AWS authentication without migrating users.
* Organizations that need to extend on-prem AD authentication to AWS services.
* Companies that require AWS IAM Identity Center to use on-prem AD.

### **Best Practice**

Deploy **two AD Connectors** in **different AWS Availability Zones** for **high availability**.
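The multi-AZ guidance for AWS Managed Microsoft AD and for AD Connector comes down to the same requirement: the two subnets you hand to the Directory Service API must sit in different Availability Zones. The following Python is an added example, not code from this page or from AWS, that checks this locally before any call is made, builds the request shapes for `create_microsoft_ad` (Managed Microsoft AD) and `connect_directory` (AD Connector), and reads the directory password from Secrets Manager instead of source code. Every VPC, subnet, domain name, secret name and service-account name in it is a placeholder; the AWS clients are parameters so the logic can be exercised offline with fakes.

```python
"""Multi-AZ preflight and request builders for AWS Directory Service.

Added example, not code from the page or from AWS. Service clients are passed
in as parameters so the logic can be exercised offline with fakes; for a live
run, construct them with boto3 as shown under __main__.
"""


def preflight_multi_az(ec2, vpc_id, subnet_ids):
    """Check that the two subnets belong to vpc_id and sit in different AZs.

    Directory Service places one domain controller (Managed Microsoft AD) or
    one connector network interface (AD Connector) in each subnet, so two
    subnets in the same AZ give no zone-level redundancy.
    Returns the sorted list of distinct AZ names, or raises ValueError.
    """
    if len(subnet_ids) != 2 or len(set(subnet_ids)) != 2:
        raise ValueError("exactly two distinct subnet IDs are required")
    found = {s["SubnetId"]: s for s in ec2.describe_subnets(SubnetIds=subnet_ids)["Subnets"]}
    missing = sorted(set(subnet_ids) - set(found))
    if missing:
        raise ValueError(f"unknown subnets: {missing}")
    wrong_vpc = [sid for sid in subnet_ids if found[sid]["VpcId"] != vpc_id]
    if wrong_vpc:
        raise ValueError(f"subnets not in {vpc_id}: {wrong_vpc}")
    azs = sorted({found[sid]["AvailabilityZone"] for sid in subnet_ids})
    if len(azs) < 2:
        raise ValueError(f"both subnets are in {azs[0]}; pick subnets in two Availability Zones")
    return azs


def microsoft_ad_request(name, password, vpc_id, subnet_ids, edition="Standard"):
    """Keyword arguments for ds.create_microsoft_ad (AWS Managed Microsoft AD)."""
    if edition not in ("Standard", "Enterprise"):
        raise ValueError("edition must be Standard or Enterprise")
    return {
        "Name": name,          # fully qualified domain name, e.g. corp.example.com (placeholder)
        "Password": password,  # directory Admin password; never hard-code it
        "Edition": edition,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
    }


def ad_connector_request(name, password, vpc_id, subnet_ids, dns_ips, service_account, size="Small"):
    """Keyword arguments for ds.connect_directory (AD Connector to on-prem AD)."""
    if size not in ("Small", "Large"):
        raise ValueError("size must be Small or Large")
    if not dns_ips:
        raise ValueError("at least one on-premises DNS server IP is required")
    return {
        "Name": name,          # on-prem domain the connector fronts
        "Password": password,  # password of the on-prem service account
        "Size": size,
        "ConnectSettings": {
            "VpcId": vpc_id,
            "SubnetIds": list(subnet_ids),
            "CustomerDnsIps": list(dns_ips),       # on-prem DNS servers reachable from the VPC
            "CustomerUserName": service_account,   # least-privilege AD account for the connector
        },
    }


def deploy(ds, ec2, request):
    """Run the preflight, then create the directory. Returns the new DirectoryId."""
    if "ConnectSettings" in request:
        settings = request["ConnectSettings"]
        call = ds.connect_directory
    else:
        settings = request["VpcSettings"]
        call = ds.create_microsoft_ad
    preflight_multi_az(ec2, settings["VpcId"], settings["SubnetIds"])
    return call(**request)["DirectoryId"]


if __name__ == "__main__":
    # Live run; every ID and name here is a placeholder for your own environment.
    import boto3

    password = boto3.client("secretsmanager").get_secret_value(
        SecretId="corp-ad-admin-password"
    )["SecretString"]
    req = microsoft_ad_request(
        "corp.example.com", password, "vpc-0123456789abcdef0", ["subnet-0aaa", "subnet-0bbb"]
    )
    print("created", deploy(boto3.client("ds"), boto3.client("ec2"), req))
```

The service itself rejects two subnets in one AZ, so the preflight does not add a control AWS lacks; what it adds is a clear failure before the API call and a single place to hold the deployment rules (VPC membership, subnet count, AZ spread). For AD Connector, `CustomerUserName` should be a dedicated on-prem account with only the rights the connector needs, not a domain admin.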

***

## **Simple AD (Not Recommended for Production)**

Simple AD is an **AWS-hosted, lightweight directory service** based on **Samba** (an open-source, Active Directory-compatible server).

### **Key Features**

* Provides basic AD features, including user authentication and group management.
* LDAP-compatible – Can integrate with applications that use LDAP.
* Cheaper than AWS Managed Microsoft AD.

### **Limitations**

* Does NOT support full Active Directory functionality (e.g., Group Policy, Kerberos).
* Not recommended for production – Limited scalability and feature set.
* Cannot be used for AWS IAM Identity Center integration.

### **Use Cases**

* Small-scale workloads that require basic directory services.
* Non-production environments needing simple LDAP authentication.

### **Best Practice**

Use **AWS Managed Microsoft AD** or **AD Connector** instead of Simple AD for enterprise workloads.

***

## **Directory Services Comparison Chart**

| **Feature**                          | **AWS Managed Microsoft AD**          | **AD Connector**                      | **Simple AD**                            |
| ------------------------------------ | ------------------------------------- | ------------------------------------- | ---------------------------------------- |
| **Deployment**                       | Fully managed AD in AWS               | Proxy to on-prem AD                   | Lightweight LDAP directory               |
| **Authentication**                   | Supports Kerberos, Group Policy, LDAP | Uses on-prem AD for authentication    | Basic LDAP authentication                |
| **User Sync Required?**              | No (users exist in AWS AD)            | No (uses on-prem AD)                  | Yes (users must be created in Simple AD) |
| **AWS IAM Identity Center Support?** | Yes                                   | Yes                                   | No                                       |
| **Best For**                         | Organizations needing cloud-based AD  | Companies extending on-prem AD to AWS | Small-scale, non-production environments |
| **MFA Support**                      | Yes (via AD policies)                 | Yes (via on-prem AD)                  | No                                       |

***

## **Integrating AWS Directory Service with IAM Identity Center**

1. IAM Identity Center integrates with AWS Managed Microsoft AD (or with on-prem AD through AD Connector) as its identity source.
2. User authentication is handled by AWS Managed AD or on-prem AD (via AD Connector).
3. IAM Identity Center maps AD groups to AWS Permission Sets, allowing users to access AWS accounts.
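The group-to-permission-set mapping in step 3 is what turns an AD group membership into AWS account access. The Python below is an added example, not code from this page or from AWS, showing that step with the Identity Center APIs: it resolves each AD group by display name in the Identity Center identity store, creates a GROUP account assignment for the permission set, and polls the asynchronous request to its final status. The group names, permission set ARN, instance ARN and account ID are placeholders; the clients are parameters so the flow can be exercised offline with fakes, and `__main__` shows a live run with boto3.

```python
"""Map Active Directory groups to AWS accounts through IAM Identity Center.

Added example, not code from the page or from AWS. With AWS Managed Microsoft AD
or AD Connector as the Identity Center identity source, AD groups are visible in
the Identity Center identity store; this resolves each group by display name and
assigns a permission set to it on a target account.
"""
import time


def find_group_id(identitystore, identity_store_id, display_name):
    """Resolve an AD group's identity-store GroupId; raise if it is missing or ambiguous."""
    resp = identitystore.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}],
    )
    groups = resp.get("Groups", [])
    if len(groups) != 1:
        raise LookupError(f"expected exactly one group named {display_name!r}, found {len(groups)}")
    return groups[0]["GroupId"]


def assign_group(sso_admin, instance_arn, permission_set_arn, account_id, group_id):
    """Grant the permission set to a GROUP principal on one account; returns the request id."""
    resp = sso_admin.create_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType="GROUP",  # groups, not users: membership stays governed in AD
        PrincipalId=group_id,
    )
    return resp["AccountAssignmentCreationStatus"]["RequestId"]


def wait_for_assignment(sso_admin, instance_arn, request_id, timeout=120, interval=2):
    """Poll the asynchronous assignment until it leaves IN_PROGRESS; returns the final status."""
    deadline = time.monotonic() + timeout
    while True:
        status = sso_admin.describe_account_assignment_creation_status(
            InstanceArn=instance_arn, AccountAssignmentCreationRequestId=request_id
        )["AccountAssignmentCreationStatus"]
        if status["Status"] != "IN_PROGRESS":
            return status["Status"]
        if time.monotonic() > deadline:
            raise TimeoutError(f"assignment {request_id} still in progress after {timeout}s")
        time.sleep(interval)


def map_ad_groups(identitystore, sso_admin, instance_arn, identity_store_id, mapping):
    """mapping: iterable of (AD group display name, permission set ARN, account id).

    Returns {(group, account): final status}. Every group is resolved before any
    assignment is created, so a mistyped group name fails the whole run up front.
    """
    resolved = [(g, ps, acct, find_group_id(identitystore, identity_store_id, g))
                for g, ps, acct in mapping]
    results = {}
    for group, ps_arn, account_id, group_id in resolved:
        request_id = assign_group(sso_admin, instance_arn, ps_arn, account_id, group_id)
        results[(group, account_id)] = wait_for_assignment(sso_admin, instance_arn, request_id)
    return results


if __name__ == "__main__":
    # Live run; group names, permission set ARN and account id are placeholders.
    import boto3

    sso_admin = boto3.client("sso-admin")
    instance = sso_admin.list_instances()["Instances"][0]
    print(map_ad_groups(
        boto3.client("identitystore"), sso_admin,
        instance["InstanceArn"], instance["IdentityStoreId"],
        [("corp-cloud-admins", "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE", "111111111111")],
    ))
```

Assigning groups rather than individual users keeps access governance in the directory: removing someone from the AD group revokes their AWS access on the next sync, so access reviews and offboarding have one source of truth. The lookup insists on exactly one match so that a duplicate or missing display name fails loudly instead of granting a permission set to the wrong group.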

**Best Practice:** Use AWS Managed Microsoft AD if you need a full cloud-based AD. Use AD Connector if you have an existing on-prem AD.

***

## **Exam Tips for Directory Services**

* AWS Managed Microsoft AD is a fully managed Active Directory in AWS.
* AD Connector acts as a proxy to on-prem AD, enabling AWS authentication without migrating users.
* Simple AD is a lightweight LDAP directory but is NOT recommended for production.
* AWS IAM Identity Center integrates with AWS Managed Microsoft AD and AD Connector.
* Deploy AD Connector in multiple AZs for high availability.
* AWS Managed Microsoft AD supports Kerberos, LDAP, and Group Policy.
