Q: What is AWS Directory Service?

AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. As a managed offering, AWS Directory Service is designed to reduce management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly-available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install and AWS handles all of the patching and software updates.

Q: What can I do with AWS Directory Service?

AWS Directory Service makes it easy for you to set up and run directories in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, join Amazon EC2 instances to a domain, as well as simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads. AWS Directory Service enables your end users to use their existing corporate credentials when accessing AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs and Amazon WorkMail, as well as directory-aware Microsoft workloads, including custom .NET and SQL Server-based applications. Finally, you can use your existing corporate credentials to administer AWS resources via AWS Identity and Access Management (IAM) role-based access to the AWS Management Console, so you do not need to build out more identity federation infrastructure.

Q: How do I create a directory?

You can use the AWS Management Console or the API to create a directory. All you need to provide is some basic information such as a fully qualified domain name (FQDN) for your directory, Administrator account name and password, and the VPC you want the directory to be attached to.

Q: Can I join an existing Amazon EC2 instance to an AWS Directory Service directory?

Yes, you can use the AWS Management Console or the API to add existing EC2 instances running Linux or Windows to an AWS Microsoft AD.

Q: Are APIs supported for AWS Directory Service?

Yes. Public APIs are supported for creating and managing directories, so you can manage directories programmatically. The APIs are available via the AWS CLI and SDK. Learn more about the APIs in the AWS Directory Service documentation.
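The directory creation the two answers above describe, done through the SDK: this is an added example, not AWS's own code. It validates the inputs the console asks for (FQDN, Admin password, VPC and two subnets in different Availability Zones) before handing them to boto3's `create_microsoft_ad`; the subnet and VPC IDs are made up, and the password rules are the ones documented for the Admin account.

```python
import re

# Added example (not AWS's code): validate inputs for a CreateMicrosoftAD call.
# Documented Admin password rules: 8-64 characters, at least one character
# from three of these four classes.
PASSWORD_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_is_acceptable(password):
    """True if the Admin password meets the length and complexity rules."""
    if not 8 <= len(password) <= 64:
        return False
    return sum(bool(re.search(p, password)) for p in PASSWORD_CLASSES) >= 3


def build_create_request(fqdn, password, vpc_id, subnets, edition="Standard"):
    """Return kwargs for boto3 ds.create_microsoft_ad(), rejecting bad input first.

    `subnets` holds dicts shaped like ec2.describe_subnets() entries
    (SubnetId, VpcId, AvailabilityZone), so the AZ check runs before any API call.
    """
    labels = fqdn.lower().split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    if not password_is_acceptable(password):
        raise ValueError("Admin password fails the length/complexity rules")
    if len(subnets) != 2 or {s["VpcId"] for s in subnets} != {vpc_id}:
        raise ValueError("exactly two subnets in the target VPC are required")
    if len({s["AvailabilityZone"] for s in subnets}) != 2:
        raise ValueError("subnets must be in two different Availability Zones")
    return {
        "Name": fqdn,
        "ShortName": labels[0].upper()[:15],  # NetBIOS names are at most 15 characters
        "Password": password,
        "Edition": edition,  # "Standard" or "Enterprise"
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": [s["SubnetId"] for s in subnets]},
    }


# Constructed sample input; the IDs are made up, not real AWS resources.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1b2c3d", "VpcId": "vpc-0f0f0f0f", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-4e5f6a7b", "VpcId": "vpc-0f0f0f0f", "AvailabilityZone": "us-east-1b"},
]

if __name__ == "__main__":
    import boto3, getpass  # only needed to actually call the service
    params = build_create_request("corp.example.com", getpass.getpass("Admin password: "),
                                  "vpc-0f0f0f0f", SAMPLE_SUBNETS)
    print("DirectoryId:", boto3.client("ds").create_microsoft_ad(**params)["DirectoryId"])
```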

Q: Does AWS Directory Service support CloudTrail logging?

Yes. Actions performed via the AWS Directory Service APIs or management console will be included in your CloudTrail audit logs.
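As an added example (not from AWS or this page), a small triage pass over constructed CloudTrail records that picks out the Directory Service API actions a defender would most want to review, including denied attempts; which actions count as high impact is this example's own assumption.

```python
import json

# Added example (not AWS's code): triage CloudTrail records for Directory Service
# actions that change trust, encryption, notification or lifecycle state.
# Which actions count as high impact is this example's assumption; tune it.
HIGH_IMPACT = {
    "CreateTrust": "new forest/domain trust established",
    "UpdateTrust": "trust settings changed",
    "DeleteDirectory": "directory deleted",
    "DisableLDAPS": "LDAPS turned off; clients may fall back to cleartext LDAP",
    "ResetUserPassword": "directory user password reset through the API",
    "DeregisterEventTopic": "status-change notifications removed",
    "CreateConditionalForwarder": "DNS forwarding to another domain added",
    "ShareDirectory": "directory shared with another AWS account",
}

def flag_directory_events(records):
    """Return (time, principal, action, directoryId, reason) per high-impact ds call."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ds.amazonaws.com":
            continue
        action = rec.get("eventName")
        if action not in HIGH_IMPACT:
            continue
        reason = HIGH_IMPACT[action]
        if rec.get("errorCode"):  # denied attempts are worth seeing too, so mark them
            reason = f"FAILED ({rec['errorCode']}): {reason}"
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        target = rec.get("requestParameters") or {}
        findings.append((rec["eventTime"], who, action, target.get("directoryId", "?"), reason))
    return findings

# Constructed sample records: CloudTrail's shape, made-up account, ARNs and IDs.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "ds.amazonaws.com", "eventName": "DescribeDirectories",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}, "requestParameters": {}},
 {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "ds.amazonaws.com", "eventName": "CreateTrust",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
  "requestParameters": {"directoryId": "d-1234567890", "remoteDomainName": "partner.example"}},
 {"eventTime": "2024-01-10T08:07:00Z", "eventSource": "ds.amazonaws.com", "eventName": "DisableLDAPS",
  "errorCode": "AccessDenied", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"directoryId": "d-1234567890", "type": "Client"}},
 {"eventTime": "2024-01-10T08:09:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}, "requestParameters": {}}
]""")

if __name__ == "__main__":
    for finding in flag_directory_events(SAMPLE_RECORDS):
        print(" | ".join(finding))
```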

Q: Can I receive notifications when the status of my directory changes?

Yes. You can configure Amazon Simple Notification Service (SNS) to receive email and text messages when the status of your AWS Directory Service changes. Amazon SNS uses topics to collect and distribute messages to subscribers. When AWS Directory Service detects a change in your directory’s status, it will publish a message to the associated topic, which is then sent to topic subscribers. Visit the documentation to learn more.

Q: How much does AWS Directory Service cost?

See the pricing page for more information.

Q: Can I tag my directory?

Yes. AWS Directory Service supports cost allocation tagging. Tags make it easier for you to allocate costs and optimize spending by categorizing and grouping AWS resources. For example, you can use tags to group resources by administrator, application name, cost center, or a specific project.

Q: In which AWS regions is AWS Directory Service available?

Refer to Regional Products and Services for details of AWS Directory Service availability by region.

Q: How do I create an AWS Microsoft AD directory?

You can launch the AWS Directory Service console from the AWS Management Console to create an AWS Microsoft AD directory. Alternatively, you can use the AWS SDK or AWS CLI.

Q: How are AWS Microsoft AD directories deployed?

AWS Microsoft AD directories are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

Q: Can I configure the storage, CPU, or memory parameters of my AWS Microsoft AD directory?

No. This functionality is not supported at this time.

Q: How do I manage users and groups for AWS Microsoft AD?

You can use your existing Active Directory tools—running on Windows computers that are joined to the AWS Microsoft AD domain—to manage users and groups in AWS Microsoft AD directories. No special tools, policies, or behavior changes are required.

Q: How are my administrative permissions different between AWS Microsoft AD and running Active Directory in my own Amazon EC2 Windows instances?

In order to deliver a managed-service experience, AWS Microsoft AD must disallow operations by customers that would interfere with managing the service. Therefore, AWS does not provide Windows PowerShell access to directory instances, and it restricts access to directory objects, roles, and groups that require elevated privileges. AWS Microsoft AD does not allow direct host access to domain controllers via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection. When you create an AWS Microsoft AD directory, you are assigned an organizational unit (OU) and an administrative account with delegated administrative rights for the OU. You can create user accounts, groups, and policies within the OU by using standard Remote Server Administration Tools such as Active Directory Users and Groups.

Q: Can I use Microsoft Network Policy Server (NPS) with AWS Microsoft AD?

Yes. The administrative account created for you when AWS Microsoft AD is set up has delegated management rights over the Remote Access Service (RAS) and Internet Authentication Service (IAS) security group. This enables you to register NPS with AWS Microsoft AD and manage network access policies for accounts in your domain.

Q: Does AWS Microsoft AD support schema extensions?

Yes. AWS Microsoft AD supports schema extensions that you submit to the service in the form of an LDAP Data Interchange Format (LDIF) file. You may extend but not modify the core Active Directory schema.

Q: Which applications are compatible with AWS Microsoft AD?

The following applications are compatible with AWS Microsoft AD:

  • Amazon Chime
  • Amazon Connect
  • Amazon EC2
  • Amazon RDS for SQL Server
  • Amazon QuickSight
  • Amazon WorkDocs
  • Amazon WorkMail
  • Amazon WorkSpaces
  • AWS Management Console
  • Active Directory Federation Services (AD FS)
  • Application Server (.NET)
  • Azure Active Directory (AD) Connect
  • Enterprise Certificate Authority
  • Remote Desktop Licensing Manager
  • SharePoint Server
  • SQL Server

Note that not all configurations of these applications may be supported.

Q: Can I migrate my existing, on-premises Microsoft Active Directory to AWS Microsoft AD?

AWS does not provide any migration tools to migrate a self-managed Active Directory to AWS Microsoft AD. You must establish a strategy for performing migration including password resets, and implement the plans using Remote Server Administration Tools.

Q: Can I configure conditional forwarders and trusts in the Directory Service console?

Yes. You can configure conditional forwarders and trusts for AWS Microsoft AD using the Directory Service console as well as the API.

Q: Can I add additional domain controllers manually to my AWS Microsoft AD?

Yes. You can add additional domain controllers to your managed domain using the AWS Directory Service console or API. Note that promoting Amazon EC2 instances to domain controllers manually is not supported.

Q: Can I use Microsoft Office 365 with user accounts managed in AWS Microsoft AD?

Yes. You can synchronize identities from AWS Microsoft AD to Azure AD using Azure AD Connect and use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with AWS Microsoft AD to authenticate Office 365 users. For step-by-step instructions, see How to Enable Your Users to Access Office 365 with AWS Microsoft Active Directory Credentials.

Q: Can I use Security Assertion Markup Language (SAML) 2.0–based authentication with cloud applications using AWS Microsoft AD?

Yes. You can use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with your AWS Microsoft AD managed domain to authenticate users to cloud applications that support SAML.

Q: Can I encrypt communication between my applications and AWS Microsoft AD using LDAPS?

Yes. AWS Microsoft AD supports two forms of LDAPS: Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) on port 636, and LDAP over Transport Layer Security (TLS) on port 389. You enable both types of LDAPS communication by installing a certificate on your AWS Microsoft AD domain controllers from a Microsoft Certificate Authority (CA). To learn more, see How to Enable LDAPS for Your AWS Microsoft AD Directory.

Q: How many users, groups, computers, and total objects does AWS Microsoft AD support?

AWS Microsoft AD (Standard Edition) includes 1 GB of directory object storage. This capacity can support up to 5,000 users or 30,000 directory objects, including users, groups, and computers. AWS Microsoft AD (Enterprise Edition) includes 17 GB of directory object storage, which can support up to 100,000 users or 500,000 objects.

Q: Can I use AWS Microsoft AD as a primary directory?

Yes. You can use it as a primary directory to manage users, groups, computers, and Group Policy objects (GPOs) in the cloud. You can manage access and provide single sign-on (SSO) to AWS applications and services, and to third-party directory-aware applications running on Amazon EC2 instances in the AWS Cloud. In addition, you can use Azure AD Connect and AD FS to support SSO to cloud applications, including Office 365.

Q: Can I use AWS Microsoft AD as a resource forest?

Yes. You can use AWS Microsoft AD as a resource forest that contains primarily computers and groups with trust relationships to your on-premises directory. This enables your users to access AWS applications and resources with their on-premises AD credentials.

Q: What is seamless domain join?

Seamless domain join is a feature that allows you to join your Amazon EC2 for Windows Server instances seamlessly to a domain, at the time of launch and from the AWS Management Console. You can join instances to AWS Microsoft AD that you launch in the AWS Cloud.

Q: How do I join an instance seamlessly to a domain?

When you create and launch an EC2 for Windows instance from the AWS Management Console, you have the option to select which domain your instance will join. To learn more, see the documentation.

Q: Can I join existing EC2 for Windows Server instances seamlessly to a domain?

You cannot use the seamless domain join feature from the AWS Management Console for existing EC2 for Windows Server instances, but you can join existing instances to a domain using the EC2 API or by using PowerShell on the instance. To learn more, see the documentation.

Q: How does AWS Directory Service enable single sign-on (SSO) to the AWS Management Console?

AWS Directory Service allows you to assign IAM roles to AWS Microsoft AD or Simple AD users and groups in the AWS cloud, as well as to users and groups in an existing, on-premises Microsoft Active Directory using AD Connector. These roles control users' access to AWS services based on the IAM policies assigned to the roles. AWS Directory Service provides a customer-specific URL for the AWS Management Console which users can use to sign in with their existing corporate credentials. See our documentation for more information on this feature.

Q: Can I use AWS Microsoft AD for AWS Cloud workloads that are subject to compliance standards?

Yes. AWS Microsoft AD has implemented the controls necessary to enable you to meet the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements and is included as an in-scope service in the Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance and Responsibility Summary.

Q: How can I access compliance and security reports?

To access a comprehensive list of documents relevant to compliance and security in the AWS Cloud, see AWS Artifact.

Q: What is the AWS Shared Responsibility Model?

Security, including HIPAA and PCI DSS compliance, is a shared responsibility between AWS and you. For example, it is your responsibility to configure your AWS Microsoft AD password policies to meet PCI DSS requirements when using AWS Microsoft AD. To learn more about the actions you may need to take to meet HIPAA and PCI DSS compliance requirements, see the compliance documentation for AWS Microsoft AD, read the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper, and see the AWS Cloud Compliance, HIPAA Compliance, and PCI DSS Compliance pages.

For questions about AD Connector or Simple AD, please see AWS Directory Service, Other Directory Options.