Posted On: Oct 16, 2018
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, now gives you an additional option to implement the principle of least privilege by reducing the scope of access through the Active Directory (AD) trusts between AWS Managed Microsoft AD and your existing Microsoft AD. As an alternative to forest-wide trust, you can now use external trusts to connect to specific child or tree domains in your existing Microsoft AD forest.
By using an external trust, only users from the domains you specify may use their existing AD credentials to access applications such as Amazon RDS for SQL Server, Amazon WorkSpaces, and other AD-aware applications that use AWS Managed Microsoft AD. This also limits the read access that AWS Managed Microsoft AD has into your existing Microsoft AD when you implement two-way trusts or trusts from your existing Microsoft AD to AWS Managed Microsoft AD.