
Overview

AWS Directory Service provides a path for organizations to migrate their Active Directory-dependent workloads to the cloud. By delivering a fully managed, native Windows Server-based Active Directory, the service lets IT teams apply their existing AD skills and applications while benefiting from improved security, reliability, and scalability. Businesses can integrate their AD environment with cloud-hosted services such as Amazon RDS, FSx, and EC2, giving them a consistent AD management experience across environments.

The service's security features, including end-to-end encryption and compliance with industry standards, safeguard sensitive data. With multi-region deployments and automated management, AWS Directory Service keeps your critical directory services highly available, even during disruptions. Whether you're an IT decision-maker, architect, or CIO, AWS Directory Service streamlines your cloud transformation, allowing you to modernize your AD infrastructure and provide your workforce with secure, scalable identity management.

Availability, scalability, and resilience

Since directories are mission-critical infrastructure, AWS Managed Microsoft AD is deployed on highly available AWS infrastructure across multiple Availability Zones. Domain controllers are deployed across two Availability Zones in a Region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are taken automatically once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted so that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and disaster recovery can be performed from the latest backup.
When you first create your directory, AWS Managed Microsoft AD deploys two domain controllers across multiple Availability Zones, which is required for high availability. Later, you can deploy additional domain controllers via the AWS Directory Service console by specifying the total number of domain controllers that you want. AWS Managed Microsoft AD distributes the additional domain controllers across the Availability Zones and VPC subnets in which your directory is running.
AWS Managed Microsoft AD runs on AWS managed infrastructure powered by Windows Server 2019. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are configured and managed for you according to the Service Level Agreement (SLA) for AWS Directory Service.
AWS Managed Microsoft AD provides built-in, daily, automated snapshots. You can also take additional snapshots before critical application updates to make sure you have the most recent data in case you need to roll back a change.

Global workload management

Multi-region replication allows you to deploy and use a single AWS Managed Microsoft AD directory across multiple AWS Regions. This makes it simpler and more cost-effective for you to deploy and manage your Microsoft Windows and Linux workloads globally. With the automated multi-region replication capability, you get higher resiliency, while your applications use a local directory for better performance.
AWS Managed Microsoft AD integrates tightly with AWS Organizations to allow seamless directory sharing across multiple AWS accounts. You can share a single directory with other trusted AWS accounts within the same organization or with AWS accounts outside your organization. You can also share your directory when your AWS account is not currently a member of an organization.

Native Windows 2019 AD features

AWS Managed Microsoft AD enables you to use seamless domain join for new and existing Amazon EC2 for Windows Server and Amazon EC2 for Linux instances. For new EC2 instances, you can choose which domain to join at launch time by using the AWS Management Console. You can use seamless domain join for existing EC2 instances by using the EC2Config service. Amazon EC2 instances can also join a single shared directory from any AWS account and any Amazon VPC within a Region.
AWS Managed Microsoft AD allows you to manage users and devices using native Microsoft Active Directory Group Policy Objects (GPOs). You can create GPOs with existing tools, such as the Group Policy Management Console (GPMC).
You can extend your AWS Managed Microsoft AD schema by adding new object classes and attributes. You can also use schema extensions to enable support for applications that rely on specific Active Directory object classes and attributes. This is especially useful when you need to migrate corporate applications that depend on Active Directory to the AWS Cloud.
Administrators can manage service accounts using Group Managed Service Accounts (gMSAs). With gMSAs, service administrators no longer need to manually manage password synchronization between service instances. Instead, an administrator creates a gMSA in Active Directory and then configures multiple service instances to use that single gMSA. To grant permissions so that users in AWS Managed Microsoft AD can create a gMSA, you must add their accounts as members of the AWS Delegated Managed Service Account Administrators security group. By default, the Admin account is a member of this group.
You can integrate AWS Managed Microsoft AD with your existing AD by using AD trust relationships. Using trusts enables you to use your existing Active Directory to control which AD users can access your AWS resources.
AWS Managed Microsoft AD uses the same Kerberos-based authentication as your existing on-premises AD. By integrating your AWS resources with AWS Managed Microsoft AD, your AD users can sign in with SSO to AWS applications and resources using a single set of credentials.

Security and compliance

You can configure fine-grained directory settings for your AWS Managed Microsoft AD to meet your compliance and security requirements without increasing your operational workload. In directory settings, you can update the secure channel configuration for the protocols and ciphers used in your directory. For example, you can disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. AWS Managed Microsoft AD then deploys the configuration to all domain controllers in your directory, manages domain controller reboots, and maintains this configuration as you scale out or deploy to additional AWS Regions. For all available settings, see the list of directory security settings.
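As an added example (not AWS code), the audit below compares a directory's secure-channel settings against a hardening baseline and builds the change request for whatever legacy item is still enabled. The dictionary shape is modelled on what boto3's `ds.describe_settings()` and `ds.update_settings()` exchange; the setting names, values and directory ID are constructed for this example, so check them against the real settings list before use.

```python
# Added example (not AWS code): audit AWS Managed Microsoft AD secure-channel
# settings against a hardening baseline. The dict shape is modelled on what
# boto3's ds.describe_settings() returns; entry names and values are constructed.
from typing import Dict, List

# Legacy protocols and ciphers the directory settings let you disable individually.
LEGACY_SETTINGS = ("SSL_2_0", "SSL_3_0", "TLS_1_0", "TLS_1_1", "RC4", "DES")

def entry(name, applied, requested, status="Completed"):
    return {"Name": name, "AppliedValue": applied,
            "RequestedValue": requested, "RequestStatus": status}

# Constructed sample: one change is still rolling out to the domain controllers.
SAMPLE_SETTINGS = {"SettingEntries": [
    entry("SSL_2_0", "Disable", "Disable"),
    entry("SSL_3_0", "Disable", "Disable"),
    entry("TLS_1_0", "Enable", "Disable", "Updating"),
    entry("TLS_1_1", "Enable", "Enable"),
    entry("TLS_1_2", "Enable", "Enable"),
    entry("RC4", "Enable", "Enable"),
    entry("DES", "Disable", "Disable"),
]}

def legacy_still_enabled(settings: Dict) -> List[str]:
    """Legacy items whose value actually applied on the domain controllers is Enable."""
    return [e["Name"] for e in settings["SettingEntries"]
            if e["Name"] in LEGACY_SETTINGS and e["AppliedValue"] == "Enable"]

def pending_changes(settings: Dict) -> List[str]:
    """Items where a requested change has not yet been applied everywhere."""
    return [e["Name"] for e in settings["SettingEntries"]
            if e["AppliedValue"] != e["RequestedValue"]]

def build_update_request(directory_id: str, settings: Dict) -> Dict:
    """Payload shaped like ds.update_settings() (assumed) that disables every
    legacy item still enabled and not already requested off."""
    requested_off = {e["Name"] for e in settings["SettingEntries"]
                     if e["RequestedValue"] == "Disable"}
    todo = [n for n in legacy_still_enabled(settings) if n not in requested_off]
    return {"DirectoryId": directory_id,
            "Settings": [{"Name": n, "Value": "Disable"} for n in todo]}

if __name__ == "__main__":
    print("legacy still enabled:", legacy_still_enabled(SAMPLE_SETTINGS))
    print("pending:", pending_changes(SAMPLE_SETTINGS))
    print(build_update_request("d-EXAMPLE0000", SAMPLE_SETTINGS))  # placeholder ID
```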
Server-side LDAPS encrypts LDAP communications between your commercial or homegrown LDAP-aware applications (acting as LDAP clients) and AWS Managed Microsoft AD (acting as the LDAP server). For more information, see Enable server-side LDAPS using AWS Managed Microsoft AD.
Client-side LDAPS encrypts LDAP communications between AWS applications such as WorkSpaces (acting as LDAP clients) and your self-managed Active Directory (acting as the LDAP server). For more information, see Enable client-side LDAPS using AWS Managed Microsoft AD.
AWS Managed Microsoft AD and AD Connector integration with AWS Private Certificate Authority (AWS Private CA) Connector for AD allows you to enroll AD domain-joined objects, including users, groups, and machines, with certificates issued by AWS Private CA. You can use AWS Private CA as a drop-in replacement for your self-managed enterprise CAs without deploying, patching, or updating local agents or proxy servers. You can set up AWS Private CA integration with your directory in a few clicks or programmatically via the API.
You can use AWS Managed Microsoft AD to build and run AD-aware cloud applications that are subject to the Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS) compliance programs. AWS Managed Microsoft AD reduces the effort required to deploy compliant AD infrastructure for your cloud applications, while you manage your own HIPAA risk management programs, PCI DSS, or FedRAMP compliance certification. See the complete list of compliance programs for which AWS Managed Microsoft AD is eligible.

Monitoring, logging, and observability

Using Amazon Simple Notification Service (Amazon SNS), you can receive email or text (SMS) messages when the status of your directory changes. You are notified if your directory goes from an Active status to an Impaired or Inoperable status, and again when the directory returns to an Active status.
AWS Directory Service integrates with Amazon CloudWatch to provide important performance metrics for each domain controller in your directory. This means that you can monitor domain controller performance counters, such as CPU and memory utilization. You can also configure alarms and initiate automated actions to respond to periods of high utilization.
Use either the AWS Directory Service console or the API to forward domain controller security event logs to Amazon CloudWatch Logs. This helps you meet your security monitoring, audit, and log retention policy requirements by giving you visibility into the security events in your directory. You can also forward security event logs from your directory to Amazon CloudWatch Logs in the Amazon Web Services (AWS) account of your choice, and centrally monitor events using AWS services or third-party applications such as Splunk, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency.
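As an added example (not AWS code) of the monitoring the forwarded security event logs make possible, the script below runs two simple detections over domain controller events: a burst of failed logons (event 4625) for many different users from one source, and account lockouts (event 4740). The line format and all sample lines are constructed for this example; real CloudWatch Logs entries carry the Windows Security event text, so `parse_line()` would need adapting to the fields your log group actually contains.

```python
# Added example (not AWS code): detections over domain controller security
# events after they are forwarded to CloudWatch Logs. The line format is
# constructed for this example; adapt parse_line() to your log group's format.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: five failed logons for different users from one source in
# under a minute, one successful logon (4624), and an account lockout (4740).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z EventID=4625 TargetUserName=alice IpAddress=10.0.1.23 Status=0xC000006D",
    "2024-05-01T10:00:05Z EventID=4625 TargetUserName=bob IpAddress=10.0.1.23 Status=0xC000006D",
    "2024-05-01T10:00:09Z EventID=4625 TargetUserName=carol IpAddress=10.0.1.23 Status=0xC000006D",
    "2024-05-01T10:00:14Z EventID=4625 TargetUserName=dave IpAddress=10.0.1.23 Status=0xC000006D",
    "2024-05-01T10:00:20Z EventID=4625 TargetUserName=erin IpAddress=10.0.1.23 Status=0xC000006D",
    "2024-05-01T10:00:25Z EventID=4624 TargetUserName=alice IpAddress=10.0.2.7 LogonType=3",
    "2024-05-01T10:20:00Z EventID=4625 TargetUserName=frank IpAddress=10.0.3.9 Status=0xC000006D",
    "2024-05-01T10:21:00Z EventID=4740 TargetUserName=alice CallerComputerName=WS-42",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the event's fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    ev["EventID"] = int(m.group("id"))
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev

def failed_logon_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> sorted distinct target users for sources that produce at
    least `threshold` 4625 events inside `window` (the password-spraying pattern)."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["EventID"] == 4625:
            by_ip[ev.get("IpAddress", "?")].append((ev["ts"], ev.get("TargetUserName", "?")))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            users = [u for t, u in events[i:] if t - start <= window]
            if len(users) >= threshold:
                hits[ip] = sorted(set(users))
                break
    return hits

def lockouts(lines):
    """Accounts locked out (event 4740) in the given lines."""
    return [ev["TargetUserName"] for ev in filter(None, map(parse_line, lines))
            if ev["EventID"] == 4740]
```

Feed the same functions a CloudWatch Logs Insights export, or call them from a Lambda subscribed to the log group, to turn the forwarded events into alarms.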

AD Dependent Workloads Migration and AWS application integration


AWS Managed Microsoft AD (Hybrid Edition) enables you to extend your existing AD domain into AWS, creating a unified directory experience across your AD environments. This solution enables smooth integration between your on-premises and cloud resources, ensuring consistent identity management throughout your infrastructure.

For organizations seeking a dedicated cloud directory service, the Standard and Enterprise editions create a new AD domain in AWS with the ability to establish secure trust relationships with your existing AD infrastructure. This gives you the flexibility to maintain separate directory services while keeping interaction between environments seamless. AD Connector, by contrast, offers a proxy service that connects AWS services to your existing AD without storing directory data in the cloud. This is a lightweight, cost-effective option that lets you build on your existing AD investments while taking advantage of AWS services.

You can grant your on-premises AD users access to sign in to the AWS Management Console and AWS CLI with their existing AD credentials through AWS Identity Center (successor to AWS SSO) by selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and act on resources according to the permissions defined for that role. An alternative is to use AWS Managed Microsoft AD to let your users assume an AWS Identity and Access Management (IAM) role.
AWS Managed Microsoft AD enables you to use a single directory for your directory-aware workloads on AWS resources such as Amazon EC2 instances, Amazon RDS for SQL Server instances, and AWS End User Computing services such as Amazon WorkSpaces. Sharing a directory allows your directory-aware workloads to manage Amazon EC2 instances across multiple AWS accounts and Amazon VPCs within a Region. It also avoids the complexity of replicating and synchronizing data across multiple directories.