Directory Service
AWS Directory Service allows organizations to use Microsoft Active Directory (AD) or AD-compatible services to manage authentication and authorization for AWS resources. It supports integration with on-premises AD, enabling seamless identity management across AWS and existing enterprise environments.
AWS provides three main directory service options, each suited for different use cases:
AWS Managed Microsoft AD – A fully managed, scalable Microsoft Active Directory in AWS.
AD Connector – A proxy that connects AWS to an existing on-premises Active Directory for authentication.
Simple AD – A lightweight, AD-compatible directory based on Samba (not recommended for production).
AWS Managed Microsoft AD
AWS Managed Microsoft AD is a fully managed Active Directory (AD) hosted within AWS. It supports native AD features, including Group Policy, Kerberos authentication, and LDAP.
Key Features
Fully Managed – AWS handles patching, backups, and availability.
Supports Group Policy & Kerberos – Functions like a traditional on-prem AD.
Highly Available – Runs across multiple AWS Availability Zones (AZs).
Works with AWS Applications – Supports Amazon FSx for Windows, Amazon RDS for SQL Server, and AWS IAM Identity Center.
Use Cases
Organizations that want a standalone, cloud-based AD.
Businesses migrating Windows-based workloads to AWS.
Companies needing Active Directory-dependent applications (e.g., FSx for Windows, SQL Server).
Best Practice
Deploy AWS Managed Microsoft AD across multiple AZs for high availability and reliability.
AD Connector
AD Connector is a directory proxy that enables AWS resources to authenticate against an existing on-premises Active Directory without syncing user accounts to AWS.
Key Features
Acts as a bridge between AWS and on-prem AD (no need to migrate users).
Users authenticate with their existing AD credentials.
Allows AWS applications (e.g., Amazon WorkSpaces, AWS IAM Identity Center) to use on-prem AD authentication.
Supports MFA via on-prem AD.
Use Cases
Businesses that already have an Active Directory and want AWS authentication without migrating users.
Organizations that need to extend on-prem AD authentication to AWS services.
Companies that require AWS IAM Identity Center to use on-prem AD.
Best Practice
Deploy two AD Connectors in different AWS Availability Zones for high availability.
Simple AD (Not Recommended for Production)
Simple AD is an AWS-hosted, lightweight directory service based on Samba (an open-source, Active Directory-compatible directory server).
Key Features
Provides basic AD features, including user authentication and group management.
LDAP-compatible – Can integrate with applications that use LDAP.
Cheaper than AWS Managed Microsoft AD.
Limitations
Does NOT support full Active Directory functionality (e.g., Group Policy, Kerberos).
Not recommended for production – Limited scalability and feature set.
Cannot be used for AWS IAM Identity Center integration.
Use Cases
Small-scale workloads that require basic directory services.
Non-production environments needing simple LDAP authentication.
Best Practice
Use AWS Managed Microsoft AD or AD Connector instead of Simple AD for enterprise workloads.
Directory Services Comparison Chart
Feature                          | AWS Managed Microsoft AD              | AD Connector                          | Simple AD
Deployment                       | Fully managed AD in AWS               | Proxy to on-prem AD                   | Lightweight LDAP directory
Authentication                   | Supports Kerberos, Group Policy, LDAP | Uses on-prem AD for authentication    | Basic LDAP authentication
User Sync Required?              | No (users exist in AWS AD)            | No (uses on-prem AD)                  | Yes (users must be created in Simple AD)
AWS IAM Identity Center Support? | Yes                                   | Yes                                   | No
Best For                         | Organizations needing cloud-based AD  | Companies extending on-prem AD to AWS | Small-scale, non-production environments
MFA Support                      | Yes (via AD policies)                 | Yes (via on-prem AD)                  | No
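The best practices above (Managed AD and AD Connector placed across Availability Zones, Simple AD kept out of production) can be checked against the output of the Directory Service `describe_directories` API. The script below is an added example, not AWS code or part of these notes; the `DirectoryDescriptions`, `Type`, `VpcSettings` and `ConnectSettings` fields are real response fields, while the sample response and the `audit_*` function names are constructed for this illustration.

```python
from typing import Dict, List

# Values of the `Type` field in a describe_directories response (real API values).
SIMPLE_AD = "SimpleAD"
AD_CONNECTOR = "ADConnector"
MANAGED_AD = "MicrosoftAD"


def directory_azs(d: Dict) -> List[str]:
    """Availability Zones a directory is placed in.

    AD Connector reports placement under ConnectSettings; Managed AD and
    Simple AD report it under VpcSettings.
    """
    key = "ConnectSettings" if d.get("Type") == AD_CONNECTOR else "VpcSettings"
    return list(d.get(key, {}).get("AvailabilityZones", []))


def audit_directory(d: Dict, production: bool = True) -> List[str]:
    """Return findings for one directory; an empty list means it passes."""
    name = d.get("Name", d.get("DirectoryId", "<unknown>"))
    if d.get("Type") == SIMPLE_AD:
        # Simple AD lacks full AD features and is not meant for production.
        return [f"{name}: Simple AD in a production account"] if production else []
    azs = sorted(set(directory_azs(d)))
    if len(azs) < 2:
        return [f"{name}: {d.get('Type')} spans only {azs}; needs two AZs"]
    return []


def audit_directories(response: Dict, production: bool = True) -> List[str]:
    """Audit every directory in a describe_directories response."""
    findings: List[str] = []
    for d in response.get("DirectoryDescriptions", []):
        findings.extend(audit_directory(d, production))
    return findings


# Constructed sample in the shape of boto3's describe_directories output.
SAMPLE_RESPONSE = {
    "DirectoryDescriptions": [
        {"DirectoryId": "d-0000000001", "Name": "corp.example.com", "Type": MANAGED_AD,
         "VpcSettings": {"VpcId": "vpc-0000", "SubnetIds": ["subnet-a", "subnet-b"],
                         "AvailabilityZones": ["us-east-1a", "us-east-1b"]}},
        {"DirectoryId": "d-0000000002", "Name": "onprem.example.com", "Type": AD_CONNECTOR,
         "ConnectSettings": {"VpcId": "vpc-0000", "SubnetIds": ["subnet-a"],
                             "AvailabilityZones": ["us-east-1a"]}},
        {"DirectoryId": "d-0000000003", "Name": "lab.example.com", "Type": SIMPLE_AD,
         "VpcSettings": {"VpcId": "vpc-0000", "SubnetIds": ["subnet-a", "subnet-b"],
                         "AvailabilityZones": ["us-east-1a", "us-east-1b"]}},
    ]
}

if __name__ == "__main__":
    # Against a live account: response = boto3.client("ds").describe_directories()
    for finding in audit_directories(SAMPLE_RESPONSE):
        print(finding)
```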
Integrating AWS Directory Service with IAM Identity Center
IAM Identity Center integrates with AWS Managed Microsoft AD, and with an on-premises AD through AD Connector.
User authentication is handled by AWS Managed AD or on-prem AD (via AD Connector).
IAM Identity Center maps AD groups to AWS Permission Sets, allowing users to access AWS accounts.
Best Practice: Use AWS Managed Microsoft AD if you need a full cloud-based AD. Use AD Connector if you have an existing on-prem AD.
Exam Tips for Directory Services
AWS Managed Microsoft AD is a fully managed Active Directory in AWS.
AD Connector acts as a proxy to on-prem AD, enabling AWS authentication without migrating users.
Simple AD is a lightweight LDAP directory but is NOT recommended for production.
AWS IAM Identity Center integrates with AWS Managed Microsoft AD and AD Connector.
Deploy AD Connector in multiple AZs for high availability.
AWS Managed Microsoft AD supports Kerberos, LDAP, and Group Policy.