AWS Directory Service Documentation

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables your directory-aware workloads and AWS resources to use managed AD in AWS. AWS Managed Microsoft AD is built on actual Microsoft AD and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use the standard AD administration tools and take advantage of the built-in AD features. With AWS Managed Microsoft AD, you can join Amazon Elastic Compute Cloud (EC2) instances and Amazon Relational Database Service (RDS) for SQL Server instances to your domain, and use AWS End User Computing services with AD users and groups.

Actual Microsoft Active Directory

AWS Managed Microsoft AD is actual Microsoft AD running on AWS-managed infrastructure. This enables you to administer your users and devices in AWS Managed Microsoft AD by using the tools you already know, such as Active Directory Administrative Center and Active Directory Users and Computers.

High availability

AWS Managed Microsoft AD is deployed in a high-availability configuration across multiple Availability Zones. You can also scale out your AWS Managed Microsoft AD directory by deploying additional domain controllers, which increases the resiliency of your managed directory for even higher availability.

AWS-managed infrastructure

AWS Managed Microsoft AD runs on AWS-managed infrastructure with monitoring designed to detect and replace domain controllers that fail. In addition, data replication and automated snapshots are configured for you. You do not need to install software, and AWS handles patching and software updates.

Multi-region replication

Multi-region replication enables you to deploy and use a single AWS Managed Microsoft AD directory across multiple AWS Regions. This allows you to deploy and manage your Microsoft Windows and Linux workloads globally. With the automated multi-region replication capability, your applications use a local directory for optimal performance.

Trust support

You can integrate AWS Managed Microsoft AD with your existing AD by using AD trust relationships. Using trusts enables you to use your existing Active Directory to control which AD users can access your AWS resources.

Group-based policies

AWS Managed Microsoft AD allows you to manage users and devices using native Active Directory Group Policy objects (GPOs). You can create GPOs with existing tools, such as the Group Policy Management Console (GPMC).

Single sign-on (SSO)

AWS Managed Microsoft AD is designed to use the same Kerberos-based authentication as your existing on-premises AD. Integrating your AWS resources with AWS Managed Microsoft AD will enable your AD users to sign in with SSO to AWS applications and resources using a single set of credentials.

Seamless domain join

AWS Managed Microsoft AD enables you to use seamless domain join for new and existing Amazon EC2 for Windows Server and Amazon EC2 for Linux instances.

Single directory for all directory-aware workloads

AWS Managed Microsoft AD enables you to use a single directory for your directory-aware workloads in AWS resources such as Amazon EC2 instances, Amazon RDS for SQL Server instances, and AWS End User Computing services, such as Amazon WorkSpaces. Sharing a directory allows your directory-aware workloads to manage Amazon EC2 instances across multiple AWS accounts and Amazon VPCs within a Region.

Federated access to the AWS Management Console

You can grant your on-premises AD users access to sign in to the AWS Management Console and AWS CLI with their existing AD credentials through AWS SSO by selecting AWS Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on resources according to the permissions defined for that role. An alternative option is using AWS Managed Microsoft AD to enable your users to assume an AWS Identity and Access Management (IAM) role.

Snapshots

AWS Managed Microsoft AD provides built-in automated snapshots. You can also take additional snapshots before critical application updates to make sure you have the most recent data in case you need to roll back a change.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.