AWS for Industries

FSI Services Spotlight: Featuring AWS Managed Microsoft Active Directory

Welcome back to the Financial Services Industry (FSI) Service Spotlight monthly series. Each month we look at five key considerations that FSI customers should focus on to help streamline cloud service approval for one particular service. Each of the five key considerations includes specific guidance, suggested reference architectures, and technical code that can be used to streamline service approval for the featured service. This guidance should be adapted to suit your specific use case and environment.

This month we’re covering AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), also known as AWS Managed Microsoft Active Directory. AWS Managed Microsoft AD is not an emulation or compatibility layer for Active Directory. The managed service is built on actual Microsoft AD, and it’s a great fit for many of your Active Directory requirements and use cases.

AWS Managed Microsoft AD can be utilized as your primary directory to manage your users, groups, computers, and Group Policy objects in the cloud. Alternatively, it can be utilized as a resource forest using one-way or two-way trusts to enable authentication from your self-managed Active Directory. Combined with cloud native identity services, such as AWS IAM Identity Center and AWS Identity and Access Management (IAM), AWS Managed Microsoft AD enables a secure and seamless authentication experience across your AWS hosted workloads and beyond.

AWS Managed Microsoft AD is available in two editions: Standard and Enterprise.

  • Standard Edition: AWS Managed Microsoft AD (Standard Edition) is optimized to be a primary directory for small and midsize businesses with up to 5,000 employees. It provides you with enough storage capacity to support up to 30,000* directory objects, such as users, groups, and computers.
  • Enterprise Edition: AWS Managed Microsoft AD (Enterprise Edition) is designed to support enterprise organizations with up to 500,000* directory objects.

* These upper limits are approximations. Your directory may support more or fewer directory objects depending on the size of your objects and the behavior and performance needs of your applications.

AWS Managed Microsoft AD Enterprise Edition lets you turn on the multi-region replication feature to automatically configure inter-regional networking connectivity, deploy domain controllers, and replicate all of the Active Directory data across multiple regions. This makes sure that Active-Directory–aware workloads residing in those regions can connect to and use AWS Managed Microsoft AD with low latency and high performance.

Achieving compliance with AWS Managed Microsoft AD

AWS Managed Microsoft AD is an AWS managed service, and third-party auditors regularly assess its security and compliance as part of multiple AWS compliance programs. As part of the AWS shared responsibility model, the AWS Directory Service is in the scope of the following compliance programs. You can obtain corresponding compliance reports under an AWS non-disclosure agreement (NDA) through AWS Artifact. Note that AWS Managed Microsoft AD compliance status doesn’t automatically apply to applications that you run in the AWS Cloud. You must make sure that your use of AWS services complies with the standards.

  • C5
  • CCCS
  • CSA STAR CCM v3.0.1
  • DoD CC SRG (IL2-IL6)
  • ENS High
  • FedRAMP (Moderate and High)
  • FINMA
  • GSMA (Regions:US-East and Europe)
  • HIPAA
  • HITRUST CSF
  • IRAP
  • ISMAP
  • ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 [excludes Simple AD]
  • K-ISMS
  • MTCS (Regions: US-East, US-West, Singapore, Seoul)
  • OSPAR
  • PCI (To enable PCI compliance for your AWS Managed Microsoft AD directory, you must configure fine-grained password policies as specified in the PCI DSS Attestation of Compliance (AOC) and Responsibility Summary document provided by Artifact.)
  • PiTuKri
  • SOC 1,2,3

Your scope of the shared responsibility model when using AWS Directory Services is determined by the sensitivity of your data, your organization’s compliance objectives, and applicable laws and regulations. AWS provides several resources for compliance validation.

Data protection with AWS Managed Microsoft AD

At AWS, we recommend that encryption is applied to complement other access controls that are already in place. To make sure of data confidentiality and integrity, all AWS services, including AWS Managed Microsoft AD, provide the ability to encrypt data at rest and in-transit.

At-Rest Encryption

By default, AWS Managed Microsoft AD stores directory content (including content containing PHI) in encrypted Amazon Elastic Block Store (Amazon EBS) volumes using encryption keys that AWS manages. For more information, see Amazon EBS Encryption.

In-Transit Encryption

There are several types of communications traffic that can occur between Active Directory domain controllers, client workstations, and connected services. For the Lightweight Directory Access Protocol (LDAP), Public Key Infrastructure (PKI) can be implemented to encrypt LDAP traffic using LDAP over SSL.

Lightweight Directory Access Protocol: LDAP is a standard communications protocol that can be used to read and write (all writes must be encrypted) data stored in Active Directory. Applications and services use LDAP to access Active Directory for numerous reasons, including user and group maintenance, directory searches, and authentication. By default, LDAP traffic is unencrypted. Corporate security policies often include a requirement to encrypt all LDAP traffic due to the potentially sensitive information that could be transmitted.

To meet these compliance requirements, you can enable LDAP over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also known as LDAPS. AWS Managed Microsoft AD supports server-side as well as client-side LDAPS.

Secure Channel: Windows Active Directory uses Secure Channel to encrypt communications between domain controllers and client systems. This is implemented in three distinct scenarios: client computers and domain controllers, between domain controllers of a trusted domain, and between domain controllers in the same domain. There are several different ciphers and protocols that are configured as enabled or disabled for use by the secure channel.

AWS Managed Microsoft AD provides fine-grained directory settings to let you meet your security and compliance requirements easily through the console. In directory settings, you can update secure channel configuration for protocols and ciphers used in your directory. For example, you have the flexibility to disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. These changes are automatically deployed to every domain controller in the directory.

Fine-grained directory settings

Isolation of compute environments with AWS Managed Microsoft AD

As a managed service, AWS Managed Microsoft AD domain controllers are deployed across two Availability Zones (AZs) in an AWS managed VPC. The domain controller instances are dedicated to the customer in a single tenant model. An ENI for each domain controller is deployed to the customer specified account and VPC along with an associated Security Group. You can find additional details in the resources that are created in the AWS Directory Service Administration Guide.

A multi-account strategy provides the highest level of resource isolation. AWS recommends that you create a separate account for identity services, such as Active Directory. This lets you more easily limit administrator access to only those people who require it.

You should carefully consider which account will own the directory. If you plan on using Active Directory as your AWS IAM Identity Center identity source, then there are location factors to consider. The directory must reside in the same account as the IAM Identity Center delegated account, if one exists. Otherwise, it must be in the management account.

You can share the AWS Managed Microsoft AD with other accounts in your organization or with other trusted accounts that are outside of your organization. This allows services and workloads to leverage the AWS Managed Microsoft AD without the need to deploy additional resources. Note that routing and network connectivity back to the initially provisioned ENIs is a requirement.

Directory sharing across trusted AWS accounts

Automating audits with APIs with AWS Managed Microsoft Active Directory

AWS Managed Active Directory is integrated with AWS CloudTrail, a service that captures AWS API calls made by or on behalf of AWS Managed Active Directory in your AWS account and delivers the log files to an Amazon Simple Storage Service (Amazon S3) bucket that you specify. CloudTrail captures API calls from the AWS Managed Active Directory console and from code calls to the AWS Managed Active Directory APIs. Using the information collected by CloudTrail, you can determine what request was made to the AWS Managed Active Directory service, the source IP address from which the request was made, who made the request, when it was made, and so on. To learn more about CloudTrail, see the AWS CloudTrail User Guide.

The following example shows a CloudTrail log entry for the CreateDirectory action:

{
  "Records" : [
    {
      "eventVersion" : "1.02",
      "userIdentity" :
      {
        "type" : "IAMUser",
        "principalId" : "<user_id>",
        "arn" : "<user_arn>",
        "accountId" : "<account_id>",
        "accessKeyId" : "<access_key_id>",
        "userName" : "<username>"
      },
      "eventTime" : "<event_time>",
      "eventSource" : "ds.amazonaws.com",
      "eventName" : "CreateDirectory",
      "awsRegion" : "<region>",
      "sourceIPAddress" : "<IP_address>",
      "userAgent" : "<user_agent>",
      "requestParameters" :
      {
        "name" : "<name>",
        "shortName" : "<short_name>",
        "vpcSettings" :
        {
          "vpcId" : "<vpc_id>",
          "subnetIds" : [
            "<subnet_id_1>",
            "<subnet_id_2>"
          ]
        },
        "type" : "<size>",
        "setAsDefault" : <option>,
        "password" : "***OMITTED***"
      },
      "responseElements" :
      {
        "requestId" : "<request_id>",
        "directoryId" : "<directory_id>"
      },
      "requestID" : "<request_id>",
      "eventID" : "<event_id>",
      "eventType" : "AwsApiCall",
      "recipientAccountId" : "<account_id>"
    }
  ]
}

AWS Managed Microsoft AD Windows security event logs

Security event logs from AWS Managed Microsoft AD domain controllers are archived for one year. You can also configure the domain controllers to forward these event logs to Amazon CloudWatch in near real-time. Amazon CloudWatch Logs can also forward these events to other AWS accounts, AWS services, or third-party applications. This makes it easier for you to centrally monitor and configure alerts to detect and respond proactively to unusual activities in near real-time. You can find the steps to enable log forwarding here.

Additionally, you have access to certain Windows event logs remotely using the Event Viewer Microsoft Management Console (MMC).

Members of the AWS Delegated Domain Name System Administrators group have permissions to view:

  • DNS Server
  • Microsoft-Windows-DNSServer/Audit Windows Event Logs

Members of the AWS Delegated Administrators group have permissions to view:

  • Security
  • Microsoft-Windows-SMBServer/Audit

Operational access and security with AWS Managed Microsoft AD

Using identity-based policies (IAM policies), you can attach permissions to IAM users, groups, and roles to create, access, or view AWS Managed Microsoft AD resources.

The following is an example of an identity-based policy that allows a user to create a directory and all other related resources:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action": [
                "ds:Create*",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress"
                  ],
         "Resource":"*"
         ]
      }
   ]
}

It is important to implement IAM policies that follow the principle of least privilege, enforce separation of duties, and only allow those actions for a defined period of time. AWS recommends that you deploy identity services, like Active Directory, into a separate account. An account provides an IAM boundary so that you can limit. This simplifies the process of limiting access to Active Directory and requires that you explicitly allow access when sharing the directory with other accounts.

AWS Managed Microsoft AD uses IAM to provide access to the AWS Directory Service console and API actions. However, you must also consider native Active Directory authentication and authorization that is managed directly through standard Active Directory management tools, such as those provided through Remote Server Administration Tools (RSAT) and PowerShell.

To manage your delegated organization unit in AWS Managed Microsoft AD, you must do so from a domain joined member server with connectivity to the AWS Managed Microsoft AD ENIs. You can install the Active Directory administration tools locally using the console or from a PowerShell prompt using Install-WindowsFeature RSAT ADDS. For more information about how to set up an Amazon Elastic Compute Cloud (Amazon EC2) instance and install the necessary tools, see Deploy an EC2 instance to manage your AWS Managed Microsoft AD.

AWS Managed Microsoft AD provides you with the ability to delegate administrative permissions to groups in your organization. These permissions include managing user accounts, joining computers to the domain, managing group policies and password policies, as well as managing DNS, DHCP, DFS, RAS, CA and other services. See the AWS Directory Service Administration Guide for a full list of permissions that can be delegated.

Summary

In this post, we reviewed AWS Managed Microsoft AD and highlighted key information that can help FSI customers accelerate the approval of the service within these five categories: achieving compliance, data protection, isolation of compute environments, automating audits with APIs, and operational access and security. Although not a one-size-fits-all approach, the guidance can be adapted to meet your organization’s security and compliance requirements and provide a consolidated list of key areas for AWS Managed Microsoft AD.

In the meantime, make sure to visit our AWS FSI post channel, and stay tuned for more FSI news and best practices.

TAGS: ,
Aidan Keane

Aidan Keane

Aidan is a Senior Specialist Solutions Architect, focusing on Microsoft Workloads at AWS. He has worked with cloud technologies for more than 5 years and has over 20 years of technical expertise. Outside of work, he is a sports enthusiast who enjoys golf, biking, and watching Liverpool FC, spending time with family, and traveling to Ireland and South America.

Jeremy Girven

Jeremy Girven

Jeremy is a solutions architect specializing in Microsoft workloads on AWS. He has over 16 years’ experience with Microsoft Active Directory and over 25 years of industry experience. One of his fun projects is using SSM to automate the Active Directory build processes in AWS. To see more, check out the Active Directory AWS Partner Solution (https://aws.amazon.com/solutions/partners/active-directory-ds/).

Rodney Underkoffler

Rodney Underkoffler

Rodney Underkoffler is a Senior Solutions Architect at AWS, focused on guiding enterprise customers on their cloud journey. He has a background in infrastructure, security, and IT business practices. He is passionate about technology and enjoys building and exploring new solutions and methodologies.