AWS Security Blog

CloudBerry Active Directory Bridge for Authenticating non-AWS AD Users to S3

One of the benefits of AWS is the highly available, durable, and practically unlimited cloud-based storage you can get with Amazon Simple Storage Service (Amazon S3).  Over two trillion objects are already stored in S3, and customers are always finding more creative uses for S3.  One of the more commonly requested use cases is how to make S3 available to end users.  Do you use the AWS Management Console to access S3 buckets?  Do you build a custom application to do so instead?  Most customers want their users to access S3 buckets the same way the users interact with local file folders.

A number of third parties offer solutions that can help customers provision access to AWS services.  For example, CloudBerry Lab has a solution, CloudBerry Explorer, that allows mapping a Windows drive to an S3 bucket.  Historically this solution required that an AWS administrator create an IAM user for each Windows user.  While this works well with a small number of users, if you have tens of thousands of users, you need to keep track of that many long-term access keys.

Luckily, your AWS account supports identity federation, which allows non-AWS users who are authenticated by an external identity system to access resources in your AWS account. AWS identity federation offers a sample application that makes it easy to set up a proxy for Windows Active Directory authentication.  This proxy server exchanges short-term security credentials for users authenticated by Active Directory.

CloudBerry AD Bridge does something similar to AWS’s proxy application but for S3 specifically.  CloudBerry Lab combined CloudBerry Explorer with a broker, or proxy server, that takes advantage of identity federation.  The CloudBerry AD Bridge is designed so that you don’t need to maintain AWS access keys for your end users.  End users simply log into their Windows machines, are authenticated by Windows Active Directory (AD), and are then connected to the CloudBerry AD Bridge, which provides them with temporary AWS security credentials that can be used to access S3 buckets.  By integrating with the AWS Security Token Service (STS), the AD Bridge retrieves temporary security credentials and provides them to each of the desktop clients.  Now all of your Windows users can have a personal folder stored in an S3 bucket – with its eleven 9’s of durability.

The bridge works in conjunction with CloudBerry Drive by authenticating and authorizing Windows users via AWS temporary security credentials for the CloudBerry Drive client running on their Windows machines.  AD domain administrators can use Amazon’s IAM features to set rights and restrictions for end users to access, upload, and modify objects in an S3 bucket.

The diagram below shows how it works. (1) CloudBerry Drive can be configured to auto-discover the bridge.  (2) The bridge authenticates the user against Windows AD. (3) Once the user is authenticated, the bridge requests temporary security credentials from STS. (4) STS provides temporary security credentials in the form of an Access Key ID, Secret Access Key, and Session Token to the bridge. (5) The bridge provides those credentials to CloudBerry Drive.  (6) Finally, the user is able to access the S3 bucket as if it were a local Windows drive.

Diagram showing how the process works
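Steps (3) to (5) of that flow are the part a broker has to get right: only the broker holds long-term keys, and each user receives short-lived credentials that are scoped to their own folder. The following is an added example written for this post; it is not CloudBerry's or AWS's code, and the post does not say which STS API the AD Bridge calls. It assumes the broker uses STS GetFederationToken, a bucket layout of `home/<user>/` per Windows user, a placeholder bucket name `example-user-home`, and that AD authentication (step 2) has already succeeded before `get_temporary_credentials` is called. `FakeStsClient` is a constructed stand-in with the same call shape as boto3's STS client so the block runs offline.

```python
import json
import re

# Constructed placeholder values (assumptions, not from the post).
BUCKET = "example-user-home"
SESSION_SECONDS = 3600          # lifetime of the temporary credentials
FEDERATED_NAME_RE = re.compile(r"[\w+=,.@-]{2,32}")  # GetFederationToken Name rule


def sanitize_user_name(user_name):
    """Normalize an AD logon name such as CORP\\Alice to an STS federated-user name."""
    name = user_name.split("\\")[-1].lower()
    if not FEDERATED_NAME_RE.fullmatch(name):
        raise ValueError(f"unsupported user name: {user_name!r}")
    return name


def build_scope_down_policy(bucket, user_name):
    """Session policy that confines one user to s3://<bucket>/home/<user>/.

    STS intersects this policy with the broker's own IAM permissions, so it can
    only narrow access; the broker's IAM user must itself be allowed to use the
    bucket for the resulting credentials to work.
    """
    prefix = f"home/{user_name}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, prefix + "*"]}},
            },
            {
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def get_temporary_credentials(sts_client, bucket, user_name):
    """Steps (3)-(4): exchange an already-authenticated user for STS credentials.

    Returns exactly the triple the desktop client needs (step 5); no long-term
    key ever leaves the broker.
    """
    name = sanitize_user_name(user_name)
    response = sts_client.get_federation_token(
        Name=name,
        Policy=json.dumps(build_scope_down_policy(bucket, name)),
        DurationSeconds=SESSION_SECONDS,
    )
    creds = response["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": str(creds["Expiration"]),
    }


class FakeStsClient:
    """Constructed offline stand-in for boto3's STS client (same call shape)."""

    def __init__(self):
        self.last_request = None

    def get_federation_token(self, **kwargs):
        self.last_request = kwargs          # recorded so the request can be inspected
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEFAKEKEY00",
                "SecretAccessKey": "fake-secret-for-offline-demo",
                "SessionToken": "fake-session-token",
                "Expiration": "2000-01-01T01:00:00Z",
            }
        }


if __name__ == "__main__":
    # With boto3 installed and the broker's IAM user credentials configured,
    # replace FakeStsClient() with boto3.client("sts").
    sts = FakeStsClient()
    print(json.dumps(get_temporary_credentials(sts, BUCKET, "CORP\\alice"), indent=2))
```

Two design points matter for the "you don't need to maintain access keys for end users" claim. First, GetFederationToken must be called with an IAM user's long-term credentials, so the broker is the single place those keys live and should be the one host that is locked down and monitored. Second, the passed policy can only subtract from what the broker's IAM user is allowed to do, so the broker's own policy should be limited to the home bucket; the per-user session policy then restricts listing and object access to that user's prefix, which is the IAM "rights and restrictions" the post says domain administrators can set.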

Both CloudBerry Drive and CloudBerry AD Bridge are in beta, so there are currently a few manual steps to run as part of the install. But once installed, end users should be able to directly access S3 objects like any other file system.

Conclusion

Using solutions like the CloudBerry AD Bridge and CloudBerry Drive client can help customers take advantage of identity federation.  End users can reap the benefits of S3 buckets without you having to also manage IAM Users.  To learn more about the CloudBerry AD Bridge and Explorer, please visit their website.

– Ben