Posted On: Feb 14, 2020

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) and AD Connector now communicate more securely with self-managed Active Directory when using the Lightweight Directory Access Protocol (LDAP). With support for client-side LDAP signing and client-side secure LDAP (LDAPS), customers using AWS Directory Service-enabled applications like Amazon WorkSpaces and AWS Single Sign-On can now better protect their organization’s identity data and meet security requirements.

Client-side LDAP signing provides built-in LDAP security that protects data integrity — data received at the destination is exactly what was sent at the origin. With LDAP signing support, AWS Directory Service customers meet the current recommendations described in Microsoft Security Advisory ADV190023 with no additional client-side configuration.

Client-side LDAPS provides additional LDAP security for customers using certificate infrastructure. LDAPS provides data integrity and confidentiality — data is only readable by the intended recipient. To enable client-side LDAPS, administrators register a certificate authority (CA) certificate with AWS Managed Microsoft AD or AD Connector using the AWS Directory Service Console or AWS Directory Service API.
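The registration step above can be scripted against the AWS Directory Service API. The following is an added example, not AWS code, showing the order an administrator would follow: register the CA certificate, wait until it reaches the `Registered` state, enable LDAPS with `Type='Client'`, and then confirm the reported status. It assumes the boto3 `ds` client methods `register_certificate`, `describe_certificate`, `enable_ldaps` and `describe_ldaps_settings` with the response shapes shown; the `FakeDirectoryService` class and the sample PEM are constructed here so the flow runs offline, and `main()` switches to a real boto3 client only when a directory id and certificate path are given.

```python
"""Enable client-side LDAPS on an AWS Managed Microsoft AD / AD Connector directory.

Flow: register the CA certificate, wait for state Registered, enable LDAPS for
Type='Client', then confirm the LDAPS status. The client is injected so the same
code runs offline against the constructed stub below or online with boto3.
"""
import sys
import time

# Assumed boto3 'ds' client methods: register_certificate, describe_certificate,
# enable_ldaps, describe_ldaps_settings (response shapes as modelled in the stub).
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertificateBodyNotARealCertificate==
-----END CERTIFICATE-----
"""


def validate_ca_pem(pem_text):
    """Sanity check before calling the API: the CA certificate must be one PEM block.
    Chain and BasicConstraints validation is left to the service; this only
    rejects obviously wrong input (DER bytes, a bundle, an empty file)."""
    body = pem_text.strip()
    if not (body.startswith(PEM_BEGIN) and body.endswith(PEM_END)):
        raise ValueError("expected a single PEM-encoded CA certificate")
    if body.count(PEM_BEGIN) != 1:
        raise ValueError("register one CA certificate at a time, not a bundle")
    return body


def wait_for(poll, accept, fail, attempts=30, delay=0.0):
    """Poll until the state is in `accept` (returned) or `fail` (RuntimeError)."""
    state = None
    for _ in range(attempts):
        state = poll()
        if state in accept:
            return state
        if state in fail:
            raise RuntimeError("operation failed with state %s" % state)
        time.sleep(delay)
    raise TimeoutError("gave up waiting; last state %s" % state)


def enable_client_ldaps(ds, directory_id, ca_pem, delay=0.0):
    """Register the CA cert, enable client-side LDAPS, return (cert id, final status)."""
    pem = validate_ca_pem(ca_pem)
    cert_id = ds.register_certificate(DirectoryId=directory_id, CertificateData=pem)["CertificateId"]
    # LDAPS cannot be enabled until the certificate has finished registering.
    wait_for(lambda: ds.describe_certificate(DirectoryId=directory_id,
                                             CertificateId=cert_id)["Certificate"]["State"],
             accept={"Registered"}, fail={"RegisterFailed"}, delay=delay)
    ds.enable_ldaps(DirectoryId=directory_id, Type="Client")
    status = wait_for(lambda: ds.describe_ldaps_settings(DirectoryId=directory_id,
                                                         Type="Client")["LDAPSSettingsInfo"][0]["LDAPSStatus"],
                      accept={"Enabled"}, fail={"EnableFailed"}, delay=delay)
    return cert_id, status


class FakeDirectoryService:
    """Constructed offline stand-in for the boto3 'ds' client: reproduces the
    Registering -> Registered and Enabling -> Enabled transitions and response shapes."""

    def __init__(self, register_fails=False):
        self.certs, self.ldaps_status, self.register_fails = {}, "Disabled", register_fails

    def register_certificate(self, DirectoryId, CertificateData):
        cert_id = "c-%06d" % (len(self.certs) + 1)
        self.certs[cert_id] = {"State": "Registering", "polls": 0}
        return {"CertificateId": cert_id}

    def describe_certificate(self, DirectoryId, CertificateId):
        cert = self.certs[CertificateId]
        cert["polls"] += 1
        if cert["polls"] >= 2:  # settle on the second poll
            cert["State"] = "RegisterFailed" if self.register_fails else "Registered"
        return {"Certificate": {"CertificateId": CertificateId, "State": cert["State"]}}

    def enable_ldaps(self, DirectoryId, Type):
        if not any(c["State"] == "Registered" for c in self.certs.values()):
            raise RuntimeError("no registered CA certificate")  # the real API errors here too
        self.ldaps_status = "Enabling"
        return {}

    def describe_ldaps_settings(self, DirectoryId, Type):
        reported = self.ldaps_status
        if reported == "Enabling":
            self.ldaps_status = "Enabled"  # next poll sees the enabled state
        return {"LDAPSSettingsInfo": [{"LDAPSStatus": reported}]}


def main():
    if len(sys.argv) == 3:  # usage: python enable_ldaps.py <directory-id> <ca.pem>
        import boto3
        with open(sys.argv[2]) as f:
            result = enable_client_ldaps(boto3.client("ds"), sys.argv[1], f.read(), delay=5.0)
    else:  # offline walk-through against the constructed stub
        result = enable_client_ldaps(FakeDirectoryService(), "d-0000000000", SAMPLE_CA_PEM)
    print("certificate %s, client LDAPS status %s" % result)


if __name__ == "__main__":
    main()
```

The two polling loops matter in practice: `enable_ldaps` is rejected while the certificate is still registering, and a script that returns right after the call can report success while the directory is still in `Enabling` or has moved to `EnableFailed`.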

Client-side LDAP signing and client-side LDAPS support are available today in all regions where AWS Directory Service is offered. To learn more, see how to enable client-side LDAPS in this blog post.