How can I grant access to the AWS Management Console for on-premises Active Directory users?

Last updated: 2019-11-20

I want to grant access to the AWS Management Console using my Active Directory domain credentials. How can I do this? 

Short Description

You can manage Amazon Web Services (AWS) resources with Identity and Access Management (IAM) role-based access to the AWS Management Console. You can do this using either AD Connector or AWS Directory Service for Microsoft Active Directory. The IAM role defines the services, resources, and level of access that your Active Directory users have.

Resolution

First, choose to use either AD Connector or AWS Managed Microsoft AD:

  • Create a VPN connection and configure an AD Connector to your on-premises domain, with the following minimum port requirements:
    TCP/UDP 53 for DNS
    TCP/UDP 88 for Kerberos authentication
    TCP/UDP 389 for LDAP authentication
    For more information, see AD Connector Prerequisites.
  • Or, use an existing trust relationship between your on-premises domain and AWS Managed Microsoft AD with the following minimum port requirements:
    TCP/UDP 53 for DNS
    TCP/UDP 88 for Kerberos authentication
    TCP/UDP 389 for LDAP authentication
    TCP 445 for SMB
    For more information, see Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain.

Then, to set up the authentication, follow these steps:

  1. Create an access URL for the directory.
  2. Enable AWS Management Console access for your AD Connector or AWS Managed Microsoft AD.
  3. Create an IAM role that grants access to the AWS services your Active Directory users need to use in the AWS Management Console.
    Note: Be sure that the IAM role has a trust relationship with AWS Directory Service.
  4. Assign Active Directory users or groups to the IAM role.
  5. Verify that users can access the AWS Management Console. Open the directory access URL in a private browsing session and sign in with a user account that is assigned to the IAM role. Then, check the AWS service consoles to confirm that you are permitted or denied access to services as specified by the IAM role.
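The note in step 3 can be checked mechanically before users are assigned. The following Python is an added example, not part of this article: it inspects an IAM role trust policy document (the JSON you submit as the role's assume-role policy, or read back from IAM) and reports whether Directory Service's `ds.amazonaws.com` service principal is allowed to assume the role, and whether any statement trusts a wildcard principal. Function names and the sample policy are constructed for illustration.

```python
import json

# Directory Service's service principal; a console-access role must trust it.
DS_PRINCIPAL = "ds.amazonaws.com"

def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action
    and Principal members, so normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_directory_service(trust_policy_json):
    """True only when an Allow statement grants sts:AssumeRole to
    ds.amazonaws.com through a Service principal. A wildcard principal
    is not treated as a match: it would let anyone assume the role."""
    policy = json.loads(trust_policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "Principal": "*" is not a Directory Service trust
        if DS_PRINCIPAL in _as_list(principal.get("Service")):
            return True
    return False

def find_wildcard_principals(trust_policy_json):
    """Indexes of Allow statements whose principal is "*" or {"AWS": "*"};
    such statements make the role assumable from any AWS account."""
    policy = json.loads(trust_policy_json)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard:
            flagged.append(idx)
    return flagged

# Constructed sample: the trust relationship the role needs for this setup.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": DS_PRINCIPAL},
                   "Action": "sts:AssumeRole"}]})
```

Run both checks on the role's trust policy before step 4; a role that fails the first check cannot be used by Directory Service, and one that fails the second must be corrected rather than assigned.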
