AWS Active Directory
Feb 22, 2021
This is part of a blog series giving a high level overview of the different services examined on the AWS Solution Architect Associate exam, to view the whole series click here.
Managed Microsoft Active Directory
- One of the directory types offered by AWS Directory Service (full product name: AWS Directory Service for Microsoft Active Directory)
- Lets you administer your users, groups and domain-joined devices from a directory running in AWS
- Lets your directory-aware AWS resources use the managed Active Directory in AWS
- Easier to migrate on-premises workloads, because it is built on actual Microsoft AD rather than an emulation: you do not have to synchronize or replicate your existing directory into the cloud
- Supports standard AD features such as Group Policy and single sign-on
- Highly available: each directory is deployed across multiple Availability Zones, and failures are detected and failed over automatically
- A common pattern is to keep the on-premises and cloud directories separate and connect them with an AD trust, so on-premises users can access AWS resources as needed without their accounts being copied into the cloud
Simple Active Directory
- Standalone managed directory powered by Samba 4 Active Directory
- Offers a subset of the features of Managed Microsoft AD, for example managing user accounts and group permissions, and domain-joining EC2 instances
- Comes in two sizes: small (up to 500 users) and large (up to 5,000 users)
- Makes it easier to manage EC2 instances and deploy Windows applications in the cloud
- Takes daily automated snapshots, enabling point-in-time recovery
- Can be used for Linux workloads that need LDAP
- Does not support multi-factor authentication, trusts with on-premises domains, or group Managed Service Accounts (gMSA), among other features
Active Directory Connector
- A directory gateway (proxy) that forwards requests to your on-premises AD without caching any directory data in the cloud
- Lets on-premises users sign in to AWS services and applications with their existing corporate credentials
- Multiple AD Connectors can be deployed to spread the load and match performance needs
- Cannot be shared across AWS accounts
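The three Active Directory-compatible options above differ in the security properties they can provide (MFA, trusts, AZ redundancy, user limits). The following script is an added example, not code from the original post or from AWS: it audits the directories in an account against those properties. The field names it reads (Type, Stage, Size, VpcSettings/ConnectSettings.AvailabilityZones, RadiusSettings, RadiusStatus) follow the documented response shape of boto3's DirectoryService.describe_directories(); the sample response is constructed so the audit runs offline, and the live fetch_directories helper is an assumption that needs boto3 and credentials.

```python
"""Audit AWS Directory Service directories for MFA, redundancy and type limits.

Added example, not code from the original post or from AWS. The sample below
is constructed to mirror a describe_directories() response and is not real data.
"""
from __future__ import annotations

# Constructed sample modelled on describe_directories() output (not real data).
SAMPLE_RESPONSE = {
    "DirectoryDescriptions": [
        {   # Managed Microsoft AD in two AZs, but RADIUS-based MFA never configured
            "DirectoryId": "d-1111111111",
            "Name": "corp.example.com",
            "Type": "MicrosoftAD",
            "Edition": "Standard",
            "Stage": "Active",
            "VpcSettings": {"AvailabilityZones": ["eu-west-1a", "eu-west-1b"]},
        },
        {   # Simple AD (Samba 4): no MFA, no trusts, 500-user ceiling for Small
            "DirectoryId": "d-2222222222",
            "Name": "lab.example.com",
            "Type": "SimpleAD",
            "Size": "Small",
            "Stage": "Active",
            "VpcSettings": {"AvailabilityZones": ["eu-west-1a", "eu-west-1b"]},
        },
        {   # AD Connector with RADIUS MFA, but impaired, single AZ and PAP
            "DirectoryId": "d-3333333333",
            "Name": "onprem.example.com",
            "Type": "ADConnector",
            "Size": "Large",
            "Stage": "Impaired",
            "ConnectSettings": {"AvailabilityZones": ["eu-west-1a"]},
            "RadiusSettings": {"RadiusServers": ["10.0.0.5"],
                               "AuthenticationProtocol": "PAP"},
            "RadiusStatus": "Completed",
        },
    ]
}

SIMPLE_AD_USER_LIMITS = {"Small": 500, "Large": 5000}   # limits quoted in the post
MFA_CAPABLE_TYPES = {"MicrosoftAD", "SharedMicrosoftAD", "ADConnector"}


def mfa_enabled(directory: dict) -> bool:
    """MFA for Managed AD and AD Connector is delivered through a RADIUS server."""
    return bool(directory.get("RadiusSettings")) and directory.get("RadiusStatus") == "Completed"


def audit_directory(directory: dict) -> list[str]:
    """Return human-readable findings for one directory description."""
    findings: list[str] = []
    dtype = directory.get("Type")

    if directory.get("Stage") != "Active":
        findings.append(f"stage is {directory.get('Stage')!r}, not Active")

    # Managed AD and Simple AD report VpcSettings; AD Connector reports ConnectSettings.
    settings = directory.get("VpcSettings") or directory.get("ConnectSettings") or {}
    azs = settings.get("AvailabilityZones", [])
    if len(azs) < 2:
        findings.append(f"deployed in {len(azs)} Availability Zone(s); no AZ-level failover")

    if dtype == "SimpleAD":
        limit = SIMPLE_AD_USER_LIMITS.get(directory.get("Size"), "unknown")
        findings.append(f"Simple AD ({directory.get('Size')}, max {limit} users) "
                        "cannot enforce MFA or trust an on-premises domain")
    elif dtype in MFA_CAPABLE_TYPES:
        if not mfa_enabled(directory):
            findings.append(f"{dtype} has no RADIUS-based MFA configured")
        elif directory["RadiusSettings"].get("AuthenticationProtocol") == "PAP":
            findings.append("RADIUS uses PAP; prefer MS-CHAPv2 if the RADIUS server supports it")
    return findings


def audit_directories(response: dict) -> dict[str, list[str]]:
    """Map DirectoryId -> findings for every directory in a describe_directories() response."""
    return {d["DirectoryId"]: audit_directory(d)
            for d in response.get("DirectoryDescriptions", [])}


def fetch_directories(region_name: str = "eu-west-1") -> dict:
    """Live variant (assumed helper): needs boto3 and credentials with ds:DescribeDirectories."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    return boto3.client("ds", region_name=region_name).describe_directories()


if __name__ == "__main__":
    for directory_id, findings in audit_directories(SAMPLE_RESPONSE).items():
        print(directory_id, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real account by replacing SAMPLE_RESPONSE with fetch_directories(); a directory with an empty findings list meets the checks above, while Simple AD is always flagged because the MFA and trust gaps are inherent to that directory type rather than a configuration choice.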
Cloud Directory
- Hierarchical data store fully managed by AWS
- Supports multiple hierarchies over the same objects and scales to hundreds of millions of objects
- Common use cases include directories for organisational charts, course catalogs and device registries
- Integrated with CloudTrail and resource tagging
Amazon Cognito
- Enables user sign-up and sign-in to web/mobile applications
- Can scale to millions of users
- Works with social identity providers like Apple, Facebook, Google etc.
- Cognito user pools are secure directories for users and are fully managed
Conclusion
- Services that are compatible with Active Directory are: Managed Microsoft AD, AD Connector and Simple AD.
- Services that are not compatible with Active Directory are: Cloud Directory and Cognito user pools.