Day 34: Aws Directory service
3 min readDec 2, 2023
ππ’π«ππππ¨π«π² πππ«π―π’πππ¬:
πAWS Managed Microsoft AD > Create your own AD in AWS, manage users locally, supports MFA. Establish βtrustβ connections with your on- premises AD
πAD Connector > Directory Gateway (proxy) to redirect to on- premises AD, supports MFA.Users are managed on the on-premises AD
πSimple AD > AD-compatible managed directory on AWS. Cannot be joined with on-premises AD
ππ¨π§ππ«π¨π₯ ππ¨π°ππ«:
πEasy way to set up and govern a secure and compliant multi-account AWS environment based on best practices, uses AWS Organizations to create accounts
πPreventive Guardrail β using SCP
πDetective Guardrail β using AWS Config (e.g., identify untagged resources)
Directory Services:
AWS Managed Microsoft AD:
Overview:
- AWS Managed Microsoft AD is a fully managed, highly available Microsoft Active Directory service.
- It allows you to create your own Active Directory in AWS, manage users locally, and supports multi-factor authentication (MFA).
- Establishes βtrustβ connections with your on-premises Active Directory, enabling seamless integration.
Key Features:
- User Management: Allows you to manage users locally in AWS.
- MFA Support: Provides multi-factor authentication for enhanced security.
- Trust Connections: Establishes trust connections with your on-premises AD, enabling users to access resources seamlessly across both environments.
AD Connector:
Overview:
- AD Connector is a service that serves as a directory gateway (proxy) to redirect authentication requests to your on-premises Active Directory.
- It supports MFA, and users are managed on the on-premises AD.
- It facilitates the integration of on-premises AD with AWS services without the need to replicate user information to the AWS Cloud.
Key Features:
- Proxy Service: Acts as a proxy to redirect authentication requests to the on-premises AD.
- MFA Support: Supports multi-factor authentication for added security.
- On-Premises User Management: Users are managed on the on-premises AD, avoiding the need for additional user management in AWS.
Simple AD:
- Overview:
- Simple AD is an AD-compatible managed directory service on AWS.
- It is a lightweight and cost-effective solution but comes with some limitations, such as the inability to join with on-premises AD.
- It is suitable for scenarios where a full-fledged Microsoft AD is not required.
Key Features:
- AD Compatibility: Provides an AD-compatible managed directory on AWS.
- Limitations: Cannot be joined with an on-premises AD, making it suitable for standalone use cases.
- Cost-Effective: Offers a more cost-effective solution compared to a fully managed Microsoft AD.
Control Tower:
Overview:
- AWS Control Tower is a service that simplifies the setup and governance of a secure and compliant multi-account AWS environment.
- It leverages AWS Organizations to create and manage accounts, applying best practices for security and compliance.
Guardrails:
- Control Tower uses the concept of guardrails to enforce policies and best practices across the AWS environment.
- Preventive Guardrails: These guardrails use Service Control Policies (SCPs) to prevent non-compliance. For example, preventing the creation of insecure S3 buckets.
- Detective Guardrails: These guardrails use AWS Config to detect non-compliance after resource creation. For example, identifying untagged resources.
Key Features:
- Account Creation and Management: Simplifies the creation and management of AWS accounts using AWS Organizations.
- Preventive and Detective Measures: Uses preventive guardrails to avoid policy violations and detective guardrails to identify and rectify non-compliance.
- Centralized Governance: Provides a centralized approach to managing and governing a multi-account AWS environment.
AWS Config:
Overview:
- AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
- It helps with compliance monitoring, identifying resource changes, and tracking resource relationships.
Use Cases:
- Detective Guardrails: AWS Config can be used to implement detective guardrails in AWS Control Tower, identifying non-compliance issues such as untagged resources.
- Configuration Auditing: Allows you to audit and assess the configuration of resources over time.
- Resource Relationship Mapping: Helps in understanding relationships between AWS resources.
