AWS Directory Service for MS AD (Enterprise Edition)
- Managed MS AD hosted on AWS
- Can set up trust relationships with existing AD domains to extend those directories to AWS services
- Best choice if you have > 5,000 users & need trust between AWS-hosted and on-premises directories

Simple AD
- MS AD compatible directory powered by Samba 4
- Least expensive & best choice if < 5,000 users & don't need advanced features
- User accounts in Simple AD
  - Can also access AWS apps (WorkSpaces, WorkDocs, WorkMail)
  - Can use IAM roles to access the AWS console
- Provides daily automated snapshots to enable point-in-time recovery
Supports:
- User accounts, group memberships
- Domain-joining EC2, group policies
- Kerberos-based SSO
Does NOT support:
- Trust between Simple AD & other AD domains
- DNS dynamic update
- Communication over LDAP
- PowerShell AD cmdlets
- MFA

AD Connector
- Proxy service for connecting on-premises AD to AWS without requiring federation infrastructure
- Forwards sign-in requests to your AD DCs for auth & provides the ability for apps to query the directory for data
- You continue to manage your AD as usual
- Best when you want to use your existing on-premises directory with AWS services
- Best if you need to ALLOW on-premises users to log in to AWS with their AD credentials
- Enables consistent enforcement of existing security policies whether users are accessing resources on-premises or on AWS
- Users can
  - Use existing corporate credentials to log in to AWS apps (WorkSpaces, etc.)
  - Access the AWS console (if they have the proper permissions)
- Can be used to enable MFA by integrating it with RADIUS-based MFA infrastructure