Posted On: May 10, 2017

Today, we enabled additional Active Directory (AD) features in AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, that make it easier to migrate more .NET applications to the AWS Cloud. You can now improve the security of .NET applications by using group Managed Service Accounts (gMSA) and Kerberos constrained delegation (KCD). With gMSA, you can narrow the permissions granted to the account an application runs under, reducing risk by not relying on built-in accounts with full server control. gMSA also makes .NET applications easier to manage: the directory creates and rotates the account password automatically, and a single account can be shared by one or more application servers.

You can now also use KCD to let your .NET application call other services while restricting access based on the identity of the application's user. For example, when you grant KCD permissions to your .NET application, the application can assume the requesting user's identity when it accesses your SQL Server database. SQL Server then enforces data access policies based on the original requesting user rather than on the application, which improves security policy enforcement.
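As an added illustration (not part of the AWS announcement), the following Active Directory PowerShell shows what setting up the two features described above looks like in a standard domain: a gMSA whose password only a named group of application servers can retrieve, and constrained delegation that lets that account act on behalf of the user only towards the SQL Server service. It uses the resource-based form of constrained delegation, assumes the KDS root key already exists and that the operator has been delegated the needed rights, and every host, group and account name is a placeholder.

```powershell
# Added example, not code from the AWS announcement. Assumes the ActiveDirectory
# RSAT module, an existing KDS root key, delegated rights to create service
# accounts and configure delegation, and users who authenticate to the web
# application with Kerberos. All names are placeholders.
Import-Module ActiveDirectory

# 1. Security group whose members (the .NET application servers) may retrieve the
#    gMSA password. Adding a server to this group is all that is required to let
#    it run the application under the shared account.
New-ADGroup -Name "AppServers" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "AppServers" -Members "APPSRV01$", "APPSRV02$"

# 2. The gMSA itself. The domain generates and rotates the password; no
#    administrator ever handles it, and no built-in account with full server
#    control is involved. The SPN lets clients obtain Kerberos tickets for the app.
New-ADServiceAccount -Name "gmsaWebApp" `
    -DNSHostName "webapp.example.corp" `
    -ServicePrincipalNames "HTTP/webapp.example.corp" `
    -PrincipalsAllowedToRetrieveManagedPassword "AppServers"

# 3. Constrained delegation, resource-based form: the SQL Server computer object
#    lists which principals may present a user's identity to it. The application
#    account can therefore delegate to this one service and nothing else.
$app = Get-ADServiceAccount -Identity "gmsaWebApp"
Set-ADComputer -Identity "SQLSRV01" -PrincipalsAllowedToDelegateToAccount $app

# 4. On each application server (run locally, not from the admin host): install
#    the account and confirm the host is allowed to retrieve its password.
#    Install-ADServiceAccount -Identity "gmsaWebApp"
#    Test-ADServiceAccount -Identity "gmsaWebApp"   # True when retrieval works

# 5. Review from the admin host: who can retrieve the gMSA password, and who is
#    permitted to delegate to the SQL Server. Anything unexpected in either list
#    widens the blast radius of the application account.
Get-ADServiceAccount -Identity "gmsaWebApp" -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
Get-ADComputer -Identity "SQLSRV01" -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```

If users reach the application over a non-Kerberos method (forms or NTLM), the account additionally needs protocol transition enabled, which widens what the account can do and should be granted only when required.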

By using AWS Microsoft AD, you get a highly available, managed AD built on actual Windows Server 2012 R2 in the AWS Cloud. You do not need to deploy and maintain complex AD infrastructure to support your AD-integrated workloads in the AWS Cloud. Currently, AWS Microsoft AD is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), EU (London), Canada (Central), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) Regions.

For more information about Directory Service, see the Directory Service home page.