reference deployment

CMMC-Ready Microsoft Active Directory on AWS

Prepare your Active Directory environment for CMMC compliance

This Quick Start is for users who need to deploy a Microsoft Active Directory environment that is ready for compliance with the Cybersecurity Maturity Model Certification (CMMC). CMMC certification is typically required of US Department of Defense contractors.

The Quick Start architecture is designed for organizations running workloads that require more secure, low-latency connectivity to Active Directory Domain Services, Domain Name System, and certificate authority services, while maintaining CMMC compliance. 

The Quick Start template uses several services and resources, including AWS Key Management Service (AWS KMS), Amazon API Gateway, customer-controlled file download sources, and implementation of Defense Information Systems Agency Security Technical Implementation Guides.

Deploying this Quick Start does not guarantee an organization’s compliance with any laws, certifications, policies, or other regulations.

AWS logo

This Quick Start was developed by AWS.

  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • A Remote Desktop Gateway (RD Gateway) in an Auto Scaling group to allow inbound Remote Desktop Protocol (RDP) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in public and private subnets. An RD Gateway is deployed in Availability Zone 2 only if Availability Zone 1 becomes unavailable.*
    • In the private subnets:
      • An offline root certificate authority.
      • Two Active Directory domain controllers.
      • An online subordinate certificate authority.
    • Amazon Simple Storage Service (Amazon S3) Federal Information Processing Standards (FIPS) endpoints for accessing Group Policy Objects (GPOs), logs, certificate revocation lists, and setup files.
    • Lambda functions to check for and import new GPOs.
    • AWS Systems Manager automation to import GPOs and set up both the Active Directory domain controllers and the certificate authority.
    • AWS Secrets Manager to store credentials.
    • An AWS KMS customer master key to use with Amazon Elastic Block Store (Amazon EBS) and AWS Secrets Manager encryption.
    • Encrypted Amazon EBS volumes for the Amazon EC2 instances.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration. 

  •  How to deploy
  • To deploy CMMC-Ready Microsoft Active Directory, follow the instructions in the deployment guide. A standard deployment takes about 1 hour and includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Deploy the Quick Start into a new or existing VPC. Choose the Region from the top toolbar before creating the stack. 
    3. Perform post-deployment tasks. 

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2019 and includes the license for the Windows Server operating system. The AMI is updated regularly with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI includes two Microsoft Remote Desktop Services licenses. The Windows Server AMI doesn’t require Client Access Licenses. For details, see Microsoft Licensing on AWS.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create  AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see  What are AWS Cost and Usage Reports?