AWS Directory Service Features

Since directories are mission-critical infrastructure, AWS Managed Microsoft AD is deployed in highly available AWS infrastructure and across multiple Availability Zones. Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted so that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and disaster recovery can be performed using the latest backup.

When you first create your directory, AWS Managed Microsoft AD deploys two domain controllers across multiple Availability Zones, which is required for highly availability purposes. Later, you can deploy additional domain controllers via the AWS Directory Service console by specifying the total number of domain controllers that you want. AWS Managed Microsoft AD distributes the additional domain controllers to the Availability Zones and VPC subnets on which your directory is running.

AWS Managed Microsoft AD runs on AWS managed infrastructure powered by Windows Server 2019. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are configured and managed for you according to the Service Level Agreement (SLA) for AWS Directory Service.

AWS Managed Microsoft AD provides built-in, daily, automated snapshots. You can also take additional snapshots before critical application updates to make sure you have the most recent data in case you need to roll back a change.

Multi-region replication allows you to deploy and use a single AWS Managed Microsoft AD directory across multiple AWS Regions. This makes it more simple and more cost-effective for you to deploy and manage your Microsoft Windows and Linux workloads globally. With the automated multi-region replication capability, you get higher resiliency, while your applications use a local directory for better performance.
 

AWS Managed Microsoft AD integrates tightly with AWS Organizations to allow seamless directory sharing across multiple AWS accounts. You can share a single directory with other trusted AWS accounts within the same organization or share the directory with other AWS accounts that are outside your organization. You can also share your directory when your AWS account is not currently a member of an organization.

AWS Managed Microsoft AD enables you to use seamless domain join for new and existing Amazon EC2 for Windows Server and Amazon EC2 for Linux instances. For new EC2 instances, you can choose which domain to join at launch time by using the AWS Management Console. You can use seamless domain join for existing EC2 instances by using the EC2Config service. Amazon EC2 instances can also join to a single shared directory from any AWS account and any Amazon VPC within a Region.

AWS Managed Microsoft AD allows you to manage users and devices using native Microsoft Active Directory Group Policy Objects (GPOs). You can create GPOs with existing tools, such as the Group Policy Management Console (GPMC).
 

You can extend your AWS Managed Microsoft AD schema by adding new object classes and attributes. You can also use schema extensions to enable support for applications that rely on specific Active Directory object classes and attributes. This can be especially useful in the case where you need to migrate corporate applications that are dependent on AWS Managed Microsoft AD, to the AWS cloud. (Source)

Administrators can manage service accounts using a method called Group Managed Service Accounts (gMSAs). Using gMSAs, service administrators no longer needed to manually manage password synchronization between service instances. Instead, an administrator could simply create a gMSA in Active Directory and then configure multiple service instances to use that single gMSA. To grant permissions so users in AWS Managed Microsoft AD can create a gMSA, you must add their accounts as a member of the AWS Delegated Managed Service Account Administrators security group. By default, the Admin account is a member of this group.

You can integrate AWS Managed Microsoft AD with your existing AD by using AD trust relationships. Using trusts enables you to use your existing Active Directory to control which AD users can access your AWS resources.
 

AWS Managed Microsoft AD uses the same Kerberos-based authentication as your existing on-premises AD. By integrating your AWS resources with AWS Managed Microsoft AD, your AD users can sign in with SSO to AWS applications and resources using a single set of credentials.
 

You can configure fine-grained directory settings for your AWS Managed Microsoft AD to meet your compliance and security requirements without any increase in operational workload. In directory settings, you can update secure channel configuration for protocols and ciphers used in your directory. For example, you have the flexibility to disable individual legacy ciphers, such as RC4 or DES, and protocols, such as SSL 2.0/3.0 and TLS 1.0/1.1. AWS Managed Microsoft AD then deploys the configuration to all domain controllers in your directory, manages domain controller reboots, and maintains this configuration as you scale out or deploy additional AWS Regions. For all available settings, see list of directory security settings.

Server-side LDAPS encrypts LDAP communications between your commercial or homegrown LDAP-aware applications (acting as LDAP clients) and AWS Managed Microsoft AD (acting as an LDAP server). For more information, see Enable server-side LDAPS using AWS Managed Microsoft AD.

Client-side LDAPS encrypts LDAP communications between AWS applications such as WorkSpaces (acting as LDAP clients) and your self-managed Active Directory (acting as LDAP server). For more information, see Enable client-side LDAPS using AWS Managed Microsoft AD.

AWS Managed Microsoft AD and AD Connector integration with AWS Private Certificate Authority (AWS Private CA) Connector for AD allows you to enroll AD domain-joined objects, including users, groups and machines, with certificates issued by AWS Private CA. You can use AWS Private CA as a drop-in replacement for your self-managed enterprise CAs without the need to deploy, patch, or update local agents or proxy servers. You can set up AWS Private CA integration with your directory in just a few clicks or programmatically via API.  

You can use AWS Managed Microsoft AD to build and run AD–aware cloud applications that are subject to the Federal Risk and Authorization Management Program (FedRAMP), U.S. Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI DSS) compliance programs. AWS Managed Microsoft AD reduces the effort required to deploy compliant AD infrastructure for your cloud applications, as you manage your own HIPAA risk management programs, PCI DSS, or FedRAMP compliance certification. See the complete list of compliance programs that AWS Managed AD is eligible.

Using Amazon Simple Notification Service (Amazon SNS), you can receive email or text (SMS) messages when the status of your directory changes. You get notified if your directory goes from an Active status to an Impaired or Inoperable status. You also receive a notification when the directory returns to an Active status.

AWS Directory Service integrates with Amazon CloudWatch to help provide you with important performance metrics for each domain controller in your directory. This means that you can monitor domain controller performance counters, such as CPU and memory utilization. You can also configure alarms and initiate automated actions to respond to periods of high utilization.  

Use either the AWS Directory Service console or APIs to forward domain controller security event logs to Amazon CloudWatch Logs. This helps you to meet your security monitoring, audit, and log retention policy requirements by providing transparency of the security events in your directory. You can also forward security event logs from your directory to Amazon CloudWatch Logs in the Amazon Web Services (AWS) account of your choice, and centrally monitor events using AWS services or third-party applications such as Splunk, an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency.

You can grant your on-premises AD users access to sign in to the AWS Management Console and AWS CLI with their existing AD credentials with AWS Identity Center (successor to AWS SSO) by selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is using AWS Managed Microsoft AD to enable your users to assume an AWS Identity and Access Management (IAM) role.

AWS Managed Microsoft AD enables you to use a single directory for your directory-aware workloads in AWS resources such as Amazon EC2 instances, Amazon RDS for SQL Server instances, and AWS End User Computing services, such as Amazon WorkSpaces. Sharing a directory allows your directory-aware workloads to manage Amazon EC2 instances across multiple AWS accounts and Amazon VPCs within a Region. It also helps avoid the complexity of replicating and synchronizing data across multiple directories.