Last updated on December 28, 2025
AWS Directory Service Cheat Sheet
For Microsoft Active Directory
- AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) or other directory structures with AWS services. It allows your directory-aware workloads (like EC2 instances, RDS for SQL Server, and WorkSpaces) to use managed Active Directory in the AWS Cloud.
Concepts
- Managed Infrastructure: AWS creates two Domain Controllers (DCs) in two different subnets (AZs) within your VPC.
- Note: You do not have root/admin access to the underlying EC2 instances of these DCs. You cannot RDP, SSH, or Telnet into them.
- Delegated Administration: You are provided with a specific “Admin” account (e.g., Admin) that has delegated permissions to a specific Organizational Unit (OU). You do not get “Enterprise Admin” or “Domain Admin” privileges for the entire forest.
- Management Methods:
- Modern Method (New): Use Directory Service Data to manage users and groups directly via the AWS Console or API without launching an EC2 instance.
- Traditional Method: Launch a “Management EC2 Instance,” join it to the domain, and install RSAT (Remote Server Administration Tools) to use Active Directory Users and Computers (ADUC) or Group Policy Management.
Active Directory Schema
- A schema is the definition of attributes and classes that are part of a distributed directory and is similar to fields and tables in a database. Schemas include a set of rules which determine the type and format of data that can be added or included in the database.
- Attributes, classes and objects are the basic elements that are used to build object definitions in the schema.
- Each schema attribute, which is similar to a field in a database, has several properties that define the characteristics of the attribute.
- The classes are analogous to tables in a database and also have several properties to be defined.
- Each class and attribute must have an Object ID that is unique for all of your objects. Software vendors must obtain their own Object ID to ensure uniqueness.
- Some attributes are linked between two classes with forward and back links, such as groups: a group lists its members, while a member lists the groups it belongs to.
Features
- High Availability & Replication:
- Multi-AZ: Deployed across two AZs by default.
- Multi-Region (Enterprise Only): You can replicate your directory to multiple AWS Regions. This provides local performance for global applications and automated failover.
- Trust Relationships: Supports One-Way and Two-Way forest trusts.
- Use Case: Allow on-premises users to log in to the AWS Console or AWS applications using their existing corporate credentials.
- Seamless Domain Join:
- New EC2 instances (Windows and Linux) can join the domain automatically at launch.
- Requirement: The EC2 instance must have an IAM Role with the AmazonSSMDirectoryServiceAccess policy.
- Schema Extensions: You can extend the AD schema by uploading an LDIF (LDAP Data Interchange Format) file, allowing support for applications with custom attribute requirements.
- Directory Service Data (New): A programmatic API that allows you to manage directory objects (users, groups) at scale without relying on Windows-native tools.
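The schema concepts above (attributes, classes, unique Object IDs, linked attributes) and the LDIF-based schema extension feature come together when you prepare an LDIF file for upload. The following Python check is an added example, not code from this page or from AWS: it parses a constructed schema-extension LDIF (the names and OIDs are made up) and flags missing or duplicate OIDs and mayContain links to attributes that nothing defines, the kind of defect worth catching before the extension is applied to the managed domain controllers.

```python
import re
# Constructed sample shaped like an AD schema-extension LDIF (names and OIDs are made up); it
# carries two defects: the class reuses the attribute's OID, and the modify links an undefined attribute.
SAMPLE_LDIF = """\
dn: CN=ex-BadgeId,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: exBadgeId

dn: CN=ex-Contractor,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.99999.1.1
mayContain: exBadgeId

dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
changetype: modify
add: mayContain
mayContain: exManagerNote
-
"""

def parse_ldif(text):
    records = [[]]   # split into records of (key, value) pairs; a blank line ends a record, '-' is skipped
    for line in text.splitlines():
        if not line.strip():
            records.append([])
        elif line != "-":
            key, _, value = line.partition(":")
            records[-1].append((key.strip(), value.strip()))
    return [r for r in records if r]

def validate_schema_ldif(text, known_attributes=()):
    """Findings: missing/malformed/duplicate OIDs and mayContain links to undefined attributes."""
    findings, oids, defined = [], {}, {a.lower() for a in known_attributes}
    for rec in parse_ldif(text):
        get = lambda key: [v for k, v in rec if k.lower() == key.lower()]
        dn, kinds = get("dn")[0], set(get("objectClass"))
        if get("changetype") == ["add"] and kinds & {"attributeSchema", "classSchema"}:
            oid = get("attributeID" if "attributeSchema" in kinds else "governsID")
            if len(oid) != 1 or not re.fullmatch(r"\d+(\.\d+)+", oid[0]):
                findings.append(f"{dn}: missing or malformed OID {oid}")
            for o in oid: oids[o] = oids.get(o, 0) + 1   # tally for the uniqueness check
            if "attributeSchema" in kinds:
                defined |= {n.lower() for n in get("lDAPDisplayName")}
        findings += [f"{dn}: mayContain links undefined attribute {r}"
                     for r in get("mayContain") if r.lower() not in defined]
    return findings + [f"OID {o} assigned {n} times; each class and attribute needs its own"
                       for o, n in oids.items() if n > 1]
```

Pass the attribute names that already exist in your schema as known_attributes so that links to existing attributes (e.g., a modify on User) are not reported.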
AWS Managed Microsoft AD
Also known as “AWS Managed AD,” this service runs on actual Windows Server 2019. It is the most feature-rich option.
- Trust Relationships: Supports one-way and two-way forest trusts with your on-premises Active Directory. This allows users to access AWS resources using their on-prem credentials.
- Multi-Region Replication (Enterprise Only): You can deploy a single directory across multiple AWS Regions for high availability and low-latency login.
- Note: The directory in the primary region is replicated to other regions.
- Group Policy: Manage users and devices using native Active Directory Group Policy Objects (GPOs).
- Seamless Domain Join: Allows EC2 instances to join the domain automatically at launch.
- Application Support: The only directory option that supports Amazon RDS for SQL Server authentication and AWS WorkSpaces (at scale).
- Hybrid Edition:
- AWS Managed Microsoft AD (Hybrid Edition) integrates self-managed Active Directory with AWS Managed Microsoft AD.
- Creates a unified identity environment across on-premises infrastructure and AWS.
- Designed for hybrid enterprise identity architectures.
- Certificate-Based Authentication Settings:
- Supports additional certificate-based authentication security settings.
- Enhances identity protection for AWS Managed Microsoft AD environments.
Editions
- Standard Edition:
- Small/Midsize businesses.
- Supports up to 30,000 directory objects.
- Does not support multi-region replication.
- Enterprise Edition:
- Large enterprises.
- Supports up to 500,000 directory objects.
- Supports Multi-Region Replication.
Networking & Security
- VPC Deployment: Deploys two Domain Controllers (DCs) into two different subnets in different Availability Zones (AZs) for HA.
- Management: You get a delegated admin account. You do not get “Domain Admin” privileges or direct RDP/SSH access to the Domain Controllers (AWS manages patching/backup).
- Encryption: Data is encrypted at rest and in transit.
- Dual-Stack Network Support:
- AWS Directory Service supports upgrading directories from IPv4-only to dual-stack IPv4 and IPv6.
- Applies to AWS Managed Microsoft AD, AD Connector, and Simple AD.
- Enables IPv6 connectivity and expanded address space within VPCs.
- AWS PrivateLink Support:
- AWS Directory Service supports private connectivity using AWS PrivateLink.
- Allows access to directory endpoints without traversing the public internet.
- Improves security posture for VPC-to-service communication.
- VPC Endpoint Configuration Constraints:
- Certain VPC endpoints should not be configured for Simple AD.
- Certain VPC endpoints should not be configured for AD Connector.
- Misconfiguration may prevent directory operations from functioning correctly.
- Service-Linked Role:
- AWS Directory Service uses a service-linked role named AWSServiceRoleForDirectoryService.
- The associated managed policy allows AWS to monitor and manage customer-managed domain controllers.
- Reduces the need for manual IAM role configuration.
AD Connector
AD Connector is a directory gateway (proxy) that redirects directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.
- No Data in Cloud: It does not store user credentials in AWS. It simply proxies the authentication request back to your on-prem DC via VPN or Direct Connect.
- MFA Support: Supports existing Multi-Factor Authentication (MFA) infrastructure.
- Seamless Domain Join: Supported for EC2 instances.
Constraints
- No RDS Support: You cannot use AD Connector to authenticate users for RDS SQL Server.
- Hardware Tenancy: Requires the VPC to have “Default” tenancy (not Dedicated).
Simple AD
Simple AD is a standalone directory powered by Samba 4 (an open-source Active Directory compatible suite). It is the low-cost option.
- Standalone: Good for basic user management, managing Linux instances, or simple Windows workloads.
- Compatibility: Supports basic AD features like User Accounts, Group Memberships, and Kerberos-based SSO.
Critical Limitations
- No Trusts: Cannot create a trust relationship with on-prem AD.
- No RDS Support: Cannot be used with RDS SQL Server.
- No MFA: Does not support Multi-Factor Authentication.
- No PowerShell: Does not support PowerShell AD cmdlets.
Amazon Cloud Directory
A cloud-native directory designed for application developers who need to manage large amounts of hierarchical data (multidimensional data).
- Hierarchies: Unlike standard AD, which is a single tree, Cloud Directory handles complex, multi-hierarchy relationships (e.g., an employee reports to both a Manager and a Project Lead).
- Schemas: You define the schema (facets and attributes).
- Scale: Scales to hundreds of millions of objects.
Pro Tip: Don’t confuse Cloud Directory (for application data structures) with Cognito User Pools (for mobile/web app user authentication).
Security and Monitoring
- AWS Managed Microsoft AD is both HIPAA and PCI DSS compliant.
- Manage users and devices by using native Active Directory Group Policy objects (GPOs).
- AWS Managed Microsoft AD uses the same Kerberos-based authentication as Active Directory to deliver Single Sign-On (SSO).
- AWS Managed Microsoft AD supports federation access for users and groups to the AWS Management Console.
- Amazon EBS volumes used in the directory service are encrypted.
- Enhanced Logging Coverage:
- Separate logging support for AWS Directory Service control plane events.
- Dedicated logging for Directory Service Data operations.
- Improves audit visibility for identity and directory object changes.
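To make use of the separate control-plane (ds.amazonaws.com) and Directory Service Data (ds-data.amazonaws.com) logging, a defender has to pick the calls that matter out of CloudTrail. The following Python triage is an added example, not code from this page or from an AWS tool: it runs over constructed CloudTrail-style records (identifiers made up, trimmed to the fields used), and its action list, severity labels and privileged-group set are this example's own starting assumptions to adjust per environment.

```python
# Constructed CloudTrail-style records, trimmed to the fields used here; the account,
# directory, user and group identifiers are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-28T10:01:00Z", "eventSource": "ds.amazonaws.com", "eventName": "DescribeDirectories",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ReadOnly"}, "requestParameters": {}},
    {"eventTime": "2025-12-28T10:02:00Z", "eventSource": "ds.amazonaws.com", "eventName": "CreateTrust",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"directoryId": "d-1234567890", "remoteDomainName": "corp.example.com",
                           "trustDirection": "Two-Way"}},
    {"eventTime": "2025-12-28T10:03:00Z", "eventSource": "ds.amazonaws.com", "eventName": "ShareDirectory",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"directoryId": "d-1234567890", "shareTarget": {"id": "444455556666", "type": "ACCOUNT"}}},
    {"eventTime": "2025-12-28T10:04:00Z", "eventSource": "ds-data.amazonaws.com", "eventName": "AddGroupMember",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"directoryId": "d-1234567890", "groupName": "AWS Delegated Administrators",
                           "memberName": "svc-backup"}},
    {"eventTime": "2025-12-28T10:05:00Z", "eventSource": "ds-data.amazonaws.com", "eventName": "AddGroupMember",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"directoryId": "d-1234567890", "groupName": "finance-readers", "memberName": "carol"}},
]

# Action names are Directory Service / Directory Service Data API actions; the severity labels
# and the privileged-group list are this example's own starting point, not an AWS-published list.
CONTROL_PLANE = {"CreateTrust": "high", "DeleteTrust": "high", "ShareDirectory": "high",
                 "ResetUserPassword": "high", "DeleteDirectory": "high",
                 "CreateConditionalForwarder": "medium", "UpdateSettings": "medium"}
DATA_PLANE = {"AddGroupMember": "medium", "RemoveGroupMember": "medium", "CreateUser": "low",
              "DeleteUser": "medium", "DisableUser": "medium", "UpdateUser": "low"}
PRIVILEGED_GROUPS = {"aws delegated administrators"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def triage_directory_events(events):
    """Return findings for sensitive Directory Service API calls, most severe first."""
    findings = []
    for e in events:
        name, params = e.get("eventName"), e.get("requestParameters") or {}
        if e.get("eventSource") == "ds.amazonaws.com" and name in CONTROL_PLANE:
            severity = CONTROL_PLANE[name]
        elif e.get("eventSource") == "ds-data.amazonaws.com" and name in DATA_PLANE:
            severity = DATA_PLANE[name]
            # a membership change on a privileged group outranks an ordinary group edit
            if name.endswith("GroupMember") and params.get("groupName", "").lower() in PRIVILEGED_GROUPS:
                severity = "high"
        else:
            continue   # read-only or unlisted calls do not produce a finding
        findings.append({"severity": severity, "time": e.get("eventTime"), "action": name,
                         "actor": e.get("userIdentity", {}).get("arn", "?"),
                         "directoryId": params.get("directoryId"), "details": params})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["time"] or ""))
```

Feed it the Records array of a CloudTrail delivery file, or the events returned by a CloudTrail Lake query filtered on the two event sources.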
AWS Directory Service Pricing
- Hourly Billing: You pay an hourly rate for the directory type (Simple AD is cheapest, Managed AD Enterprise is most expensive).
- Sharing Cost: If you share a Managed AD directory with other AWS accounts (to avoid creating a directory in every account), there is an additional hourly sharing fee per account.
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.