AWS Directory Service

Last updated on November 30, 2025

AWS Directory Service Cheat Sheet

For Microsoft Active Directory

  • AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) or other directory structures with AWS services. It allows your directory-aware workloads (like EC2 instances, RDS for SQL Server, and WorkSpaces) to use managed Active Directory in the AWS Cloud.

Concepts

  • Managed Infrastructure: AWS creates two Domain Controllers (DCs) in two different subnets (AZs) within your VPC.

    • Note: You do not have root/admin access to the underlying EC2 instances of these DCs. You cannot RDP, SSH, or Telnet into them.

  • Delegated Administration: You are provided with a dedicated administrative account (named Admin) that has delegated permissions over a specific Organizational Unit (OU). You do not get “Enterprise Admin” or “Domain Admin” privileges for the entire forest.

  • Management Methods:

    • Modern Method (New): Use Directory Service Data to manage users and groups directly via the AWS Console or API without launching an EC2 instance.

    • Traditional Method: Launch a “Management EC2 Instance,” join it to the domain, and install RSAT (Remote Server Administration Tools) to use Active Directory Users and Computers (ADUC) or Group Policy Management.

Active Directory Schema

  • A schema is the definition of attributes and classes that are part of a distributed directory and is similar to fields and tables in a database. Schemas include a set of rules which determine the type and format of data that can be added or included in the database.

  • Attributes, classes, and objects are the basic elements used to build object definitions in the schema.

    • Each schema attribute, which is similar to a field in a database, has several properties that define the characteristics of the attribute.

    • The classes are analogous to tables in a database and also have several properties to be defined.

    • Each class and attribute must have an Object ID (OID) that is unique across all of your objects. Software vendors must obtain their own Object ID to ensure uniqueness.

    • Some attributes are linked between two classes with forward and back links, such as groups: a group lists its members, while a member lists the groups it belongs to.

Features

  • High Availability & Replication:

    • Multi-AZ: Deployed across two AZs by default.

    • Multi-Region (Enterprise Only): You can replicate your directory to multiple AWS Regions. This provides local performance for global applications and automated failover.

  • Trust Relationships: Supports One-Way and Two-Way forest trusts.

    • Use Case: Allow on-premises users to log in to the AWS Console or AWS applications using their existing corporate credentials.

  • Seamless Domain Join:

    • New EC2 instances (Windows and Linux) can join the domain automatically at launch.

    • Requirement: The EC2 instance must have an IAM Role with the AmazonSSMDirectoryServiceAccess policy.

  • Schema Extensions: You can extend the AD schema by uploading an LDIF (LDAP Data Interchange Format) file, allowing support for applications with custom attribute requirements.

  • Directory Service Data (New): A programmatic API that allows you to manage directory objects (users, groups) at scale without relying on Windows-native tools.
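Because a schema addition cannot be removed from Active Directory once it is applied, it pays to validate the LDIF before uploading it. The following is an added example, not code from this cheat sheet or from AWS: it parses an unfolded LDIF (no continuation lines), enforces the Object ID rules from the Active Directory Schema section (every attributeSchema/classSchema entry carries an OID under your own registered arc, which is a placeholder here, and no OID is reused), and checks that the file ends with the schemaUpdateNow step that reloads the schema cache.

```python
# Added example, not AWS code: pre-upload checks for an AD schema-extension LDIF.
# parse_ldif() returns one dict per entry, lower-cased attribute name -> list of values.
ORG_OID_PREFIX = "1.2.840.113556.1.8000.9999"  # PLACEHOLDER arc, not a real registered OID

def parse_ldif(text):
    entries = []
    for block in text.strip().split("\n\n"):       # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or line.strip() == "-":   # comment / modify separator
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def validate_schema_ldif(text, oid_prefix=ORG_OID_PREFIX):
    """Return findings; an empty list means the LDIF passed every check."""
    entries, findings, seen = parse_ldif(text), [], {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if not classes & {"attributeschema", "classschema"}:
            continue                                # not a schema object (e.g. the commit step)
        dn = e["dn"][0]
        oid_attr = "attributeid" if "attributeschema" in classes else "governsid"
        oid = e.get(oid_attr, [""])[0]
        if not oid.startswith(oid_prefix + "."):
            findings.append(f"{dn}: {oid_attr} {oid!r} is missing or outside your arc {oid_prefix}")
        elif oid in seen:
            findings.append(f"{dn}: OID {oid} already used by {seen[oid]}")
        seen.setdefault(oid, dn)
    if not entries or "schemaupdatenow" not in entries[-1]:
        findings.append("file does not end with a schemaUpdateNow step that reloads the schema cache")
    return findings

# Constructed sample: one new single-valued Unicode-string attribute, then the commit step
SAMPLE_LDIF = """\
dn: CN=td-costCenter,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.9999.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
lDAPDisplayName: td-costCenter

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"""
```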

AWS Managed Microsoft AD

Also known as “AWS Managed AD,” this service runs on actual Windows Server 2019. It is the most feature-rich option.

  • Trust Relationships: Supports one-way and two-way forest trusts with your on-premises Active Directory. This allows users to access AWS resources using their on-prem credentials.

  • Multi-Region Replication (Enterprise Only): You can deploy a single directory across multiple AWS Regions for high availability and low-latency login.

    • Note: The directory in the primary region is replicated to other regions.

  • Group Policy: Manage users and devices using native Active Directory Group Policy Objects (GPOs).

  • Seamless Domain Join: Allows EC2 instances to join the domain automatically at launch.

  • Application Support: The only directory option that supports Amazon RDS for SQL Server authentication and AWS WorkSpaces (at scale).
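Seamless domain join hinges on the instance profile role, so a defender should verify that the role carries exactly what the join needs and nothing broader. This is an added example, not code from the cheat sheet or from AWS: the checks run offline on the IAM documents (trust policy and attached managed-policy ARNs), confirming that AmazonSSMDirectoryServiceAccess (named on this page) and AmazonSSMManagedInstanceCore (required by the SSM Agent per the AWS seamless-join documentation) are attached, that AdministratorAccess is not, and that only ec2.amazonaws.com can assume the role; load_role_from_iam() fetches the real documents with boto3 when credentials are available.

```python
# Added example, not AWS code: audit the IAM role behind a seamless-domain-join instance
# profile. audit_domain_join_role() is pure logic so it can be run offline on saved documents.
REQUIRED = {
    "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess",  # named on this page
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",     # SSM Agent itself needs this
}
OVERBROAD = {"arn:aws:iam::aws:policy/AdministratorAccess"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_domain_join_role(trust_policy, attached_policy_arns):
    """Return findings for a seamless-domain-join role; an empty list means it looks right."""
    findings, attached = [], set(attached_policy_arns)
    for arn in sorted(REQUIRED - attached):
        findings.append(f"missing required managed policy {arn}")
    for arn in sorted(OVERBROAD & attached):
        findings.append(f"over-broad policy {arn} attached to an instance role")
    principals = set()                        # who may assume the role via sts:AssumeRole
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            principals.add("*")
        else:
            for v in principal.values():      # {"Service": ..., "AWS": ...}
                principals.update(_as_list(v))
    for p in sorted(principals - {"ec2.amazonaws.com"}):
        findings.append(f"trust policy lets {p} assume the role; expected only ec2.amazonaws.com")
    return findings

def load_role_from_iam(role_name):
    """Fetch the trust policy and attached policy ARNs for a role (needs AWS credentials)."""
    import boto3                              # imported lazily so the offline checks need no SDK
    iam = boto3.client("iam")
    trust = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    pages = iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
    return trust, [p["PolicyArn"] for page in pages for p in page["AttachedPolicies"]]

# Constructed sample trust policy of a correctly scoped instance role
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
```

Run it for a real role with `audit_domain_join_role(*load_role_from_iam("EC2DomainJoin"))`, where the role name is yours.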

Editions

  • Standard Edition:

    • Small/Midsize businesses.

    • Supports up to 30,000 directory objects.

    • Does not support multi-region replication.

  • Enterprise Edition:

    • Large enterprises.

    • Supports up to 500,000 directory objects.

    • Supports Multi-Region Replication.

Networking & Security

  • VPC Deployment: Deploys two Domain Controllers (DCs) into two different subnets in different Availability Zones (AZs) for HA.

  • Management: You get a delegated admin account. You do not get “Domain Admin” privileges or direct RDP/SSH access to the Domain Controllers (AWS manages patching/backup).

  • Encryption: Data is encrypted at rest and in transit.

AD Connector

AD Connector is a directory gateway (proxy) that redirects directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.

  • No Data in Cloud: It does not store user credentials in AWS. It simply proxies the authentication request back to your on-prem DC via VPN or Direct Connect.

  • MFA Support: Supports existing Multi-Factor Authentication (MFA) infrastructure.

  • Seamless Domain Join: Supported for EC2 instances.

Constraints

  • No RDS Support: You cannot use AD Connector to authenticate users for RDS SQL Server.

  • Hardware Tenancy: Requires the VPC to have “Default” tenancy (not Dedicated).

Simple AD

Simple AD is a standalone directory powered by Samba 4 (an open-source Active Directory compatible suite). It is the low-cost option.

  • Standalone: Good for basic user management, managing Linux instances, or simple Windows workloads.

  • Compatibility: Supports basic AD features like User Accounts, Group Memberships, and Kerberos-based SSO.

Critical Limitations

  • No Trusts: Cannot create a trust relationship with on-prem AD.

  • No RDS Support: Cannot be used with RDS SQL Server.

  • No MFA: Does not support Multi-Factor Authentication.

  • No PowerShell: Does not support PowerShell AD cmdlets.

Amazon Cloud Directory

A cloud-native directory designed for application developers who need to manage large amounts of hierarchical data (multidimensional data).

  • Hierarchies: Unlike standard AD, where each object sits in a single tree, Cloud Directory handles complex data relationships in which one object belongs to several hierarchies (e.g., an employee reports to a Manager and a Project Lead).

  • Schemas: You define the schema (facets and attributes).

  • Scale: Scales to hundreds of millions of objects.

Pro Tip: Don’t confuse Cloud Directory (for application data structures) with Cognito User Pools (for mobile/web app user authentication).

Security and Monitoring

  • AWS Managed Microsoft AD is both HIPAA and PCI DSS compliant.

  • Manage users and devices by using native Active Directory Group Policy Objects (GPOs).

  • AWS Managed Microsoft AD uses the same Kerberos-based authentication as Active Directory to deliver Single Sign-On (SSO).

  • AWS Managed Microsoft AD supports federated access for users and groups to the AWS Management Console.

  • Amazon EBS volumes used by the directory service are encrypted.

AWS Directory Service Pricing

  • Hourly Billing: You pay an hourly rate for the directory type (Simple AD is cheapest, Managed AD Enterprise is most expensive).

  • Sharing Cost: If you share a Managed AD directory with other AWS accounts (to avoid creating a directory in every account), there is an additional hourly sharing fee per account.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
