AD Federation

Directory Service

General Info
  • Managed Microsoft AD
    • Can join to existing AD with trust relationships
    • Or replace an on-prem AD, with on-premises systems reaching it over Direct Connect or VPN
  • Can assign IAM roles to AD users for AWS access
  • Works with EC2 (manage instances via group policies), RDS SQL Server, WorkSpaces, AWS SSO


Solution Description
AWS Directory Service for MS AD (Enterprise Edition)
  • Managed MS AD hosted on AWS
  • Can set up trust relationships with existing AD domains to extend those directories to AWS services
  • Best choice if you have > 5,000 users & need trust between AWS-hosted and on-premises directories
Simple AD
  • MS AD compatible directory powered by Samba 4
  • Least expensive & best choice if < 5,000 users & don't need advanced features
  • User accounts in Simple AD
    • Can also access AWS apps (workspaces, workdocs, workmail)
    • Can use IAM roles to access AWS console
  • Provides daily automated snapshots to enable point-in-time recovery
  • Supports
    • user accounts, group memberships
    • domain-joining EC2, group policies
    • Kerberos-based SSO
  • Does NOT support
    • trust between Simple AD & other AD domains
    • DNS dynamic update
    • communication over LDAP
    • PowerShell AD cmdlets
AD Connector
  • Proxy service for connecting on-premises AD to AWS without requiring federation infrastructure
    • Forwards sign-in requests to your AD DCs for authentication & lets applications query the directory for data
    • You continue to manage your AD as usual
    • Best when you want to use your existing on-premises directory with AWS services
    • Best if you need to ALLOW on-premises users to login to AWS with their AD credentials
  • Enables consistent enforcement of existing security policies whether users are accessing resources on-premises or on AWS
  • Users can
    • Use existing corporate credentials to login to AWS apps (workspaces, etc.)
    • Access the AWS console (if proper permissions)
  • Can be used to enable MFA by integrating it with RADIUS-based MFA infrastructure


AWS Single Sign-On (SSO)

General Info

Use Cases
  • Manage multi-account access with Organizations
  • SSO to other applications via SAML
  • Control access by mapping users/groups (from the attached directory) to permission sets & accounts
  • This data is held in SSO, not the directory
  • Directories
    • Native directory: Create users & groups within SSO (default)
    • AWS Directory Service: Managed AD & AD Connector (not simple AD)
    • Only a single directory can be connected
  • Permission sets
    • Collections of policies implemented as Roles in member accounts
    • Limit of 20 per account
    • Reference 10 AWS managed policies, or use an inline policy
  • Features
    • Free
    • Sign-ins logged to CloudTrail
    • No API: for CLI access, the SSO user portal gives you temporary credentials for the Roles you have access to
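The notes above say sign-ins are logged to CloudTrail. As an added example (not from the original notes or from AWS), here is a small detection pass over CloudTrail records for an account where everyone is expected to arrive through directory-backed SAML federation (the ADFS flow also covered on this page). It flags AssumeRoleWithSAML calls whose SAML provider is not on an approved list, and console logins by IAM users or root, which bypass the directory entirely. The records, account ids, ARNs and the APPROVED_PROVIDERS set are constructed for the example.

```python
"""Added example: review CloudTrail records for sign-ins that bypass federation.
Not code from the original notes or from AWS; the records and ARNs are constructed."""
import json

# Assumption for the example: the only SAML providers that should ever appear.
APPROVED_PROVIDERS = {"arn:aws:iam::111111111111:saml-provider/ADFS"}

# Constructed CloudTrail records, one JSON object per line (the shape you get after
# flattening a trail file's "Records" array). Field names follow CloudTrail's schema.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventID": "ev-1", "eventTime": "2024-05-01T08:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "SAMLUser", "userName": "jdoe@corp.example"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ADFS-ReadOnly",
                           "principalArn": "arn:aws:iam::111111111111:saml-provider/ADFS"}},
    {"eventID": "ev-2", "eventTime": "2024-05-01T08:05:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "SAMLUser", "userName": "jdoe@corp.example"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ADFS-Admin",
                           "principalArn": "arn:aws:iam::111111111111:saml-provider/OldTestIdP"}},
    {"eventID": "ev-3", "eventTime": "2024-05-01T09:10:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-admin"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-4", "eventTime": "2024-05-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ADFS-ReadOnly/jdoe@corp.example"},
     "responseElements": {"ConsoleLogin": "Success"}},
])


def parse_cloudtrail_lines(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_record(rec):
    """Return a list of finding strings for one record (empty if nothing is wrong)."""
    findings = []
    ident = rec.get("userIdentity", {})
    if rec.get("eventName") == "AssumeRoleWithSAML":
        # principalArn is the SAML provider the assertion was issued for.
        provider = rec.get("requestParameters", {}).get("principalArn")
        if provider not in APPROVED_PROVIDERS:
            findings.append(f"AssumeRoleWithSAML via unapproved SAML provider {provider} "
                            f"for {ident.get('userName')}")
    elif rec.get("eventName") == "ConsoleLogin":
        if ident.get("type") == "IAMUser":
            # A password-based IAM user login never touched the corporate directory.
            mfa = rec.get("additionalEventData", {}).get("MFAUsed", "unknown")
            findings.append(f"IAM user {ident.get('userName')} signed in to the console "
                            f"directly (MFAUsed={mfa}), bypassing federation")
        elif ident.get("type") == "Root":
            findings.append("root account console login")
    return findings


def review_trail(text):
    """Run review_record over every record and return (eventID, finding) pairs."""
    return [(rec["eventID"], f)
            for rec in parse_cloudtrail_lines(text)
            for f in review_record(rec)]


if __name__ == "__main__":
    for event_id, finding in review_trail(SAMPLE_LOG):
        print(f"{event_id}: {finding}")
```

The federated sign-in (ev-1 followed by the AssumedRole ConsoleLogin in ev-4) produces no finding; the unapproved provider and the direct IAM-user login do. In a real account the APPROVED_PROVIDERS set would be built from the SAML providers actually registered in IAM.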

Active Directory Federation with AWS

  • AWS allows federated sign-in to AWS using AD credentials
  • Provides SSO for users
  • ADFS acts as an identity broker between AWS and AD
  • AD users can assume roles in AWS based on group membership in AD
  • 2-way trusts
    • in AWS, ADFS is trusted as the ID provider
    • in ADFS, configure Relying Party Trust with AWS as the Relying Party
  • Functioning
    • A corporate user opens the corporate ADFS sign-in portal and provides their AD credentials
    • ADFS authenticates the user against AD
    • AD returns the user's information, including group membership
    • ADFS sends a SAML token to the user's browser which sends the token to the AWS sign-in endpoint
    • The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
    • User is authenticated and allowed to access the AWS management console
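The last three steps of that flow, as an added example that is not part of the original notes or AWS's own code: the SAML response that ADFS posts to the browser is decoded, its audience and validity window are checked, the AWS role/provider pairs are pulled out of the `https://aws.amazon.com/SAML/Attributes/Role` attribute, and one of them is handed to STS `AssumeRoleWithSAML`. The SAML document below is a constructed, unsigned sample (a real one is signed by ADFS and verified by AWS), the account ids and ARNs are made up, and the STS client is passed in by the caller so the exchange can be exercised offline.

```python
"""Added example: the SAMLResponse -> AssumeRoleWithSAML step of ADFS federation.
Not code from the original notes or from AWS; the assertion and ARNs are constructed."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Audience and attribute names AWS expects in the assertion.
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned sample response; values are for illustration only.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{AWS_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_ATTR}">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ADFS-ReadOnly,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/ADFS,arn:aws:iam::222222222222:role/ADFS-Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{SESSION_NAME_ATTR}">
        <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_saml_response(saml_b64, now=None):
    """Decode a SAMLResponse and return (roles, session_name), where roles is a list of
    (role_arn, provider_arn) pairs. Rejects assertions outside their validity window or
    not issued for the AWS sign-in audience."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_b64))
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"assertion not issued for {AWS_AUDIENCE}")
    roles, session_name = [], None
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        if attr.get("Name") == ROLE_ATTR:
            for value in values:
                a, b = (p.strip() for p in value.split(","))
                # AWS accepts either order; normalise to (role, provider).
                roles.append((a, b) if ":role/" in a else (b, a))
        elif attr.get("Name") == SESSION_NAME_ATTR:
            session_name = values[0]
    return roles, session_name


def assume_role_from_saml(saml_b64, sts_client, role_arn, duration=3600):
    """Call STS AssumeRoleWithSAML for one of the roles offered in the assertion.
    sts_client is any object exposing boto3's assume_role_with_saml(**kwargs)."""
    roles, _ = parse_saml_response(saml_b64)
    provider_arn = dict(roles).get(role_arn)
    if provider_arn is None:
        raise PermissionError(f"{role_arn} is not offered in the assertion")
    resp = sts_client.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_b64, DurationSeconds=duration)
    return resp["Credentials"]


if __name__ == "__main__":
    roles, name = parse_saml_response(SAMPLE_RESPONSE_B64)
    print(f"{name} may assume:")
    for role_arn, provider_arn in roles:
        print(f"  {role_arn}  (via {provider_arn})")
    # With real AWS access: assume_role_from_saml(b64, boto3.client("sts"), roles[0][0])
```

The audience check mirrors the `SAML:aud` condition normally placed in the role's trust policy, and the role list is exactly what the AWS sign-in page shows when the assertion offers more than one role. AssumeRoleWithSAML itself needs no AWS credentials, only the signed assertion, which is why the browser can perform it directly.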

Cloud Directory

  • Generic directory service - not Active Directory
  • Could be used for user/device management
  • Encrypted at rest and in transit