How can I grant access to the AWS Management Console for on-premises Active Directory users?


I want to grant access to the AWS Management Console using my Active Directory domain credentials.

Short description

Manage Amazon Web Services (AWS) resources with AWS Identity and Access Management (IAM) role-based access to the AWS Management Console. Use either AD Connector or AWS Directory Service for Microsoft Active Directory. The IAM role defines the services, resources, and level of access that your Active Directory users have.

Resolution

Choose either AD Connector or AWS Managed Microsoft AD

Create a VPN connection between your on-premises domain and AWS, and configure an AD Connector with the following minimum ports open to the domain controllers:
TCP/UDP 53 for DNS
TCP/UDP 88 for Kerberos authentication
TCP/UDP 389 for LDAP authentication
For more information, see AD Connector prerequisites.

- or -

Use an existing trust relationship between your on-premises domain and AWS Managed Microsoft AD with the following minimum port requirements:
TCP/UDP 53 for DNS
TCP/UDP 88 for Kerberos authentication
TCP/UDP 389 for LDAP authentication
TCP 445 for SMB
For more information, see Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain.
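The two port lists above are easy to get wrong in a security group or firewall rule (for example, opening TCP 389 but not UDP 389). The following check is an added example, not AWS's own code: it takes allow rules in the shape of an EC2 security group's `IpPermissions` entries (`IpProtocol`, `FromPort`, `ToPort`; `"-1"` meaning all traffic) and reports which required protocol/port pairs no rule covers, for either option. The sample rules in `main` are constructed for illustration.

```python
"""Check that inbound allow rules cover the minimum ports for AD Connector or for a
trust with AWS Managed Microsoft AD (added example; rules are constructed)."""

# Minimum ports from the article. Both options need DNS, Kerberos and LDAP over TCP and
# UDP; the Managed AD trust additionally needs SMB (TCP 445).
_COMMON = {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389)}
REQUIRED_PORTS = {
    "ad_connector": set(_COMMON),
    "managed_ad_trust": set(_COMMON) | {("tcp", 445)},
}


def _rule_covers(rule: dict, proto: str, port: int) -> bool:
    """True if one IpPermissions-style rule allows this protocol and port."""
    ip_proto = rule.get("IpProtocol")
    if ip_proto == "-1":          # "all traffic": every protocol and port
        return True
    if ip_proto != proto:
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def uncovered_ports(option: str, rules: list) -> list:
    """Return sorted (protocol, port) pairs required by `option` that no rule covers.

    option: "ad_connector" or "managed_ad_trust".
    rules:  list of dicts shaped like EC2 security-group IpPermissions entries.
    """
    required = REQUIRED_PORTS[option]
    missing = {
        (proto, port)
        for proto, port in required
        if not any(_rule_covers(r, proto, port) for r in rules)
    }
    return sorted(missing)


def main():
    # Constructed rule set: LDAP is open on TCP only, SMB is not open at all.
    rules = [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53},
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 389},
        {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88},
    ]
    for option in REQUIRED_PORTS:
        print(option, "missing:", uncovered_ports(option, rules))


if __name__ == "__main__":
    main()
```

Run it against the output of `aws ec2 describe-security-groups` (the `IpPermissions` list of the group attached to the AD Connector's ENIs or the Managed AD domain controllers) to confirm nothing required is blocked before troubleshooting authentication failures.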

Set up authentication

  1. Create an access URL for the directory.
  2. Activate AWS Management Console access for your AD Connector or AWS Managed Microsoft AD.
  3. Create an IAM role that grants access to the AWS Management Console for services that you want your Active Directory users to have access to.
    Note: Be sure that the IAM role has a trust relationship with AWS Directory Service.
  4. Assign Active Directory users or groups to the IAM role.
  5. Verify that users can access the AWS Management Console. Open the directory access URL in a private browsing session and sign in with a user account that's assigned to the IAM role. Then, check the AWS service consoles to confirm that you're permitted or denied access to services as specified by the IAM role.
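Steps 1 to 4 above hinge on the IAM role's trust policy: it must let AWS Directory Service (service principal `ds.amazonaws.com`) assume the role, and nothing else. The following is an added example, not AWS's own code: it builds that trust policy, a sample read-only permissions policy (the services chosen are an assumption; grant what your users need), a validator that flags wildcard or extra principals, and the console URL derived from the directory access URL alias (`https://<alias>.awsapps.com/console/`). The alias format check is an assumed rule for illustration. Only the standard library is used; the equivalent CLI calls appear as comments.

```python
"""Build and sanity-check the IAM role used for Active Directory console access
(added example; the policies and alias are constructed)."""
import json
import re

# Service principal that AWS Directory Service uses to assume the role (step 3 note).
DIRECTORY_SERVICE_PRINCIPAL = "ds.amazonaws.com"


def directory_service_trust_policy() -> dict:
    """Trust policy for the console-access role: only Directory Service may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": DIRECTORY_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def read_only_permissions_policy() -> dict:
    """Sample permissions policy (assumption: users need read-only EC2 and S3 listing)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"},
        ],
    }


def trust_policy_issues(policy: dict) -> list:
    """Return problems with a trust policy meant for Directory Service; [] means it
    allows ds.amazonaws.com to call sts:AssumeRole and trusts no other principal."""
    issues = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allows_ds = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            issues.append("wildcard principal: any AWS principal could assume this role")
            continue
        if not isinstance(principal, dict):
            issues.append("statement has no usable Principal")
            continue
        if "AWS" in principal:
            issues.append("trusts IAM users/roles in addition to Directory Service")
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc == DIRECTORY_SERVICE_PRINCIPAL:
                if any(a in ("sts:AssumeRole", "sts:*") for a in actions):
                    allows_ds = True
            else:
                issues.append(f"unexpected trusted service: {svc}")
    if not allows_ds:
        issues.append("no Allow statement lets ds.amazonaws.com call sts:AssumeRole")
    return issues


def console_access_url(alias: str) -> str:
    """Console sign-in URL for a directory access URL alias (step 1).
    Assumed alias rule for this example: lowercase letters, digits and hyphens."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{0,61}", alias):
        raise ValueError("alias must be lowercase letters, digits and hyphens")
    return f"https://{alias}.awsapps.com/console/"


def main():
    trust = directory_service_trust_policy()
    print(json.dumps(trust, indent=2))
    print("trust policy issues:", trust_policy_issues(trust))
    # Equivalent CLI for step 3 (not run here; role name is a placeholder):
    #   aws iam create-role --role-name ADConsoleReadOnly \
    #       --assume-role-policy-document file://trust.json
    #   aws iam put-role-policy --role-name ADConsoleReadOnly \
    #       --policy-name ReadOnlyServices --policy-document file://permissions.json
    print("sign-in URL for step 5:", console_access_url("corp-example"))


if __name__ == "__main__":
    main()
```

Run `trust_policy_issues` over the `AssumeRolePolicyDocument` returned by `aws iam get-role` for every role you assign in step 4: a role whose trust policy also lists IAM principals or a wildcard is usable outside the directory, which defeats the purpose of routing access through Active Directory credentials.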

Related information

Creating a role to delegate permissions to an IAM user

AWS OFFICIAL, updated a year ago