# Directory Service

AWS Directory Service allows organizations to use Microsoft Active Directory (AD) or AD-compatible services to manage authentication and authorization for AWS resources. It supports integration with on-premises AD, enabling seamless identity management across AWS and existing enterprise environments.

AWS provides **three main directory service options**, each suited for different use cases:

* **AWS Managed Microsoft AD** – A fully managed, scalable Microsoft Active Directory in AWS.
* **AD Connector** – A proxy that connects AWS to an existing on-premises Active Directory for authentication.
* **Simple AD** – A lightweight, AD-compatible directory based on Samba (not recommended for production).

***

## **AWS Managed Microsoft AD**

AWS Managed Microsoft AD is a **fully managed** Active Directory (AD) hosted within AWS. It supports **native AD features**, including **Group Policy, Kerberos authentication, and LDAP**.

### **Key Features**

* **Fully Managed** – AWS handles patching, backups, and availability.
* **Supports Group Policy & Kerberos** – Functions like a traditional on-prem AD.
* **Highly Available** – Runs across multiple **AWS Availability Zones (AZs)**.
* **Works with AWS Applications** – Supports **Amazon FSx for Windows, Amazon RDS for SQL Server, and AWS IAM Identity Center**.

### **Use Cases**

* Organizations that want **a standalone, cloud-based AD**.
* Businesses migrating **Windows-based workloads** to AWS.
* Companies needing **Active Directory-dependent applications** (e.g., FSx for Windows, SQL Server).

### **Best Practice**

Deploy AWS Managed Microsoft AD **across multiple AZs** for high availability and reliability.

***

## **AD Connector**

AD Connector is **a directory proxy** that enables AWS resources to authenticate **against an existing on-premises Active Directory** without syncing user accounts to AWS.

### **Key Features**

* Acts as a bridge between AWS and on-prem AD (no need to migrate users).
* Users authenticate with their existing AD credentials.
* Allows AWS applications (e.g., Amazon WorkSpaces, AWS IAM Identity Center) to use on-prem AD authentication.
* Supports MFA via on-prem AD.

### **Use Cases**

* Businesses that already have an Active Directory and want AWS authentication without migrating users.
* Organizations that need to extend on-prem AD authentication to AWS services.
* Companies that require AWS IAM Identity Center to use on-prem AD.

### **Best Practice**

Deploy **two AD Connectors** in **different AWS Availability Zones** for **high availability**.
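As an added example (not from this page or from AWS), a small Python pre-flight check that enforces the two-AZ deployment practice stated here and in the AWS Managed Microsoft AD section before boto3's `ds.create_microsoft_ad()` or `ds.connect_directory()` is ever called; the `SAMPLE_SUBNETS` data, VPC and subnet IDs, and the environment variable names are constructed assumptions.

```python
import os
# Constructed sample of the fields ec2 describe-subnets returns (not real IDs).
SAMPLE_SUBNETS = {
    "subnet-0a1": {"VpcId": "vpc-0abc", "AvailabilityZone": "us-east-1a"},
    "subnet-0b2": {"VpcId": "vpc-0abc", "AvailabilityZone": "us-east-1b"},
    "subnet-0c3": {"VpcId": "vpc-0abc", "AvailabilityZone": "us-east-1a"},
    "subnet-0d4": {"VpcId": "vpc-0def", "AvailabilityZone": "us-east-1c"},
}

def validate_subnets(subnet_ids, subnets):
    """Return (vpc_id, subnet_ids) when the pair meets the two-AZ HA rule.

    Exactly two subnets in one VPC and two distinct AZs; otherwise the
    directory has no cross-AZ redundancy. Raises ValueError before any API call.
    """
    if len(subnet_ids) != 2:
        raise ValueError("exactly two subnets are required")
    vpcs = {subnets[s]["VpcId"] for s in subnet_ids}
    if len(vpcs) != 1:
        raise ValueError("both subnets must be in the same VPC")
    azs = {subnets[s]["AvailabilityZone"] for s in subnet_ids}
    if len(azs) != 2:
        raise ValueError("subnets must be in two different Availability Zones")
    return vpcs.pop(), list(subnet_ids)

def managed_ad_params(name, subnet_ids, subnets):
    """Build kwargs for boto3 ds.create_microsoft_ad(); the admin password
    comes from the environment (assumed variable name), never from source."""
    vpc_id, ids = validate_subnets(subnet_ids, subnets)
    return {
        "Name": name,
        "Password": os.environ.get("DS_ADMIN_PASSWORD", "<set-in-env>"),
        "Edition": "Standard",
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": ids},
    }

def ad_connector_params(name, subnet_ids, dns_ips, service_account, subnets):
    """Build kwargs for boto3 ds.connect_directory(); dns_ips are the
    on-prem domain controllers the proxy forwards authentication to."""
    vpc_id, ids = validate_subnets(subnet_ids, subnets)
    if not dns_ips:
        raise ValueError("AD Connector needs at least one on-prem DNS IP")
    return {
        "Name": name,
        "Password": os.environ.get("DS_SERVICE_ACCOUNT_PASSWORD", "<set-in-env>"),
        "Size": "Small",
        "ConnectSettings": {"VpcId": vpc_id, "SubnetIds": ids,
                            "CustomerDnsIps": list(dns_ips),
                            "CustomerUserName": service_account},
    }
```

The returned dictionaries can be passed unchanged as keyword arguments to the corresponding boto3 call once the subnet data comes from a real `describe_subnets` response.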

***

## **Simple AD (Not Recommended for Production)**

Simple AD is an **AWS-hosted, lightweight directory service** based on **Samba**, an open-source, AD-compatible directory implementation.

### **Key Features**

* Provides basic AD features, including user authentication and group management.
* LDAP-compatible – Can integrate with applications that use LDAP.
* Cheaper than AWS Managed Microsoft AD.

### **Limitations**

* Does NOT support full Active Directory functionality (e.g., Group Policy, Kerberos).
* Not recommended for production – Limited scalability and feature set.
* Cannot be used for AWS IAM Identity Center integration.

### **Use Cases**

* Small-scale workloads that require basic directory services.
* Non-production environments needing simple LDAP authentication.

### **Best Practice**

Use **AWS Managed Microsoft AD** or **AD Connector** instead of Simple AD for enterprise workloads.

***

## **Directory Services Comparison Chart**

| **Feature**                          | **AWS Managed Microsoft AD**          | **AD Connector**                      | **Simple AD**                            |
| ------------------------------------ | ------------------------------------- | ------------------------------------- | ---------------------------------------- |
| **Deployment**                       | Fully managed AD in AWS               | Proxy to on-prem AD                   | Lightweight LDAP directory               |
| **Authentication**                   | Supports Kerberos, Group Policy, LDAP | Uses on-prem AD for authentication    | Basic LDAP authentication                |
| **User Sync Required?**              | No (users exist in AWS AD)            | No (uses on-prem AD)                  | Yes (users must be created in Simple AD) |
| **AWS IAM Identity Center Support?** | Yes                                   | Yes                                   | No                                       |
| **Best For**                         | Organizations needing cloud-based AD  | Companies extending on-prem AD to AWS | Small-scale, non-production environments |
| **MFA Support**                      | Yes (via AD policies)                 | Yes (via on-prem AD)                  | No                                       |

***

## **Integrating AWS Directory Service with IAM Identity Center**

1. IAM Identity Center is connected to AWS Managed Microsoft AD, or to an on-prem AD through AD Connector.
2. User authentication is handled by AWS Managed Microsoft AD or, via AD Connector, by the on-prem AD.
3. IAM Identity Center maps AD groups to AWS Permission Sets, so members of those groups receive the corresponding access to AWS accounts.

**Best Practice:** Use AWS Managed Microsoft AD if you need a full cloud-based AD. Use AD Connector if you have an existing on-prem AD.

***

## **Exam Tips for Directory Services**

* AWS Managed Microsoft AD is a fully managed Active Directory in AWS.
* AD Connector acts as a proxy to on-prem AD, enabling AWS authentication without migrating users.
* Simple AD is a lightweight LDAP directory but is NOT recommended for production.
* AWS IAM Identity Center integrates with AWS Managed Microsoft AD and AD Connector.
* Deploy AD Connector in multiple AZs for high availability.
* AWS Managed Microsoft AD supports Kerberos, LDAP, and Group Policy.
